Either make me create a password and then let me into my account or let me use my phone number/email to verify. It’s becoming too much to get into every day stuff. If I have biometrics on there is zero reason for anything else.

Basically the current security system is overdoing it. I suggest getting rid of passwords all together OR only requiring one or the other. Like it I forget my password or I forget my phone I can use the other but JFC its a hassle.

  • pishadoot@sh.itjust.worksEnglish
    12·
    27 days ago

    Multi Factor Authentication (MFA) : using multiple authentication factors to validate a user is who they say they are and grant access

    Auth factors:

    Something you know: is in your head. Password, PIN, etc

    Something you have: credit card, hardware token (yubikey, mag stripe, etc), software token (auth, MS authenticator, etc)

    Something you are: biometrics.

    Somewhere you are: location based (IP, geo location, geo fence, etc)

    Any one method is vulnerable to compromise. By using two separate FACTORS (aka MFA) you vastly reduce risk that you will be compromised.

    Using a password and PIN is NOT MFA because they’re both the same auth factor.

    Using just a token is NOT MFA because it’s only one auth factor.

    • HobbitFoot @thelemmy.clubEnglish
      13·
      27 days ago

      I get that only using a token isn’t MFA. I’m just questioning why MFA is a thing if the major issue is really bad password security.

      • pishadoot@sh.itjust.worksEnglish
        4·
        27 days ago

        Bad password security is a human problem (can be back end bad practices also, but mostly human) whereas only using one auth factor is a security design problem. Again, MFA bad, single auth not good (but sometimes sufficient)

        Also many people aren’t comfortable with auth apps yet and way less are comfortable with hardware tokens.

        Passwords, while often implemented poorly by humans, aren’t something you can easily LOSE like your phone or a set of keys.

        Many logins don’t really need very good security, like who cares if my lemmy login gets compromised I don’t want MFA here. Some might, I don’t. I still use a password manager but still, just a password is fine.

        I dropped a credit union because they don’t allow MFA for online banking at ALL however, which is outrageous in 2025.