We implemented 2FA on our logins in the past year. I'm also looking at implementing U2F. We'll probably add this once there is enough of a user base.

IMHO the UX for all this stuff is very confusing to non technical users. People lose their phones, don't print out the codes, or simply don't understand how this works and do silly things like trying to use codes from the wrong account.

Since introducing 2FA, requests from people to reset their 2FA are a very regular thing for our support people. Especially when it concerns paying users, saying no is not really an option. So, resets are a common thing. I've since educated our people to at least not do this blindly, but obviously social engineering is a big problem with all this stuff. If this happens to us, you can bet it is an extremely regular thing for basically everything that has 2FA.

But my biggest worry with this stuff on my own accounts is somebody talking support into resetting 2FA on my accounts. I can do everything right and still get compromised because some underpaid support contractor falls for some social engineering hack.



>IMHO the UX for all this stuff is very confusing to non technical users

It's quite confusing for technical users as well. Google has deprecated or is in the process of deprecating TOTP, and will make new users/accounts use something else based on their Android app (which is quite likely proprietary and/or tied to GMS, push notifications etc.) if they don't use hardware keys. Or they'll force you to use SMS, which is also worse than TOTP. I think it is still possible to use TOTP if you jump through some hoops, but this is yet another case of some rubbish policy. Ref: https://github.com/andOTP/andOTP/issues/219


It would be great if sites had an option to remove reset support for your account permanently. One that is literally impossible to reset. But I'm not sure how to do that without implementing complete user data encryption.


> It would be great if sites had an option to remove reset support for your account permanently.

That falls apart pretty quickly when you attach things like recurring billing to your account. Nobody is perfect, and at some point somebody, somewhere is going to want to cancel that billing but not have access to their account, and will have checked your "never reset this account" box.

How do you deal with that very real edge case? Especially since that edge case can easily escalate to a lawsuit depending on the account in question.


You empower support to be convinced over the phone to cancel recurring billing, but not to reset 2FA.

That way, in the very worst case, if support gets socially engineered into removing the credit card details from the account, the customer will get mildly annoyed as they have to log in and reset it, but their whole account won't be taken over.


And then eventually the account will delete itself if you can verify billing info as part of removing billing.


If an account that doesn't have this feature turned on is hijacked, the hijacker could turn this on to permanently lock out the owner of the account.


Great point. I wonder if you can solve this with manual identification, like taking a picture of your face holding up a driver's license and a paper saying you consent to a password change?


It’s easy to fake an ID, especially if it doesn’t have to physically feel right.


... which has some potential downsides for the customer, but also has some potentially huge privacy upsides as well, yeah?


Will it work in Firefox? Because I've seen too many implementations that only work in Chrome. My Yubikey is still collecting dust in the drawer because of this.


You have to turn U2F support on with a hidden config at the moment if you want to use it in Firefox: https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-f...


I believe it’s default on with the latest versions.


Currently works on Chrome, Firefox, Edge. Safari is under development: https://webkit.org/status/#feature-web-authentication


It works in Firefox, I seem to recall it worked out of the box?


IMO a good balance between never resetting 2FA and resetting 2FA with a simple call to tech support: the customer calls in to reset it, you then wait 24 hours, and attempt to contact them through all known contacts at the end of the 24 hours. If they then approve the reset OR you can't contact them (i.e. lost phone) THEN reset it. Sorry if I wasn't very clear.
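One way to model the delayed reset described in this comment (and the later point that a reset should notify the owner on every available channel), as an added example that is not code from the post or from any vendor: the request opens a 24-hour hold, every known out-of-band contact is notified immediately so the real owner can object, support cannot complete the reset before the hold ends, and a denial from the owner wins at any point. The function names, the `NOW` timestamp and the sample contacts are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

HOLD = timedelta(hours=24)                      # waiting period from the comment
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo


class Status(Enum):
    PENDING = "pending"   # inside the hold; owner has been notified on all channels
    RESET = "reset"       # hold over and owner approved or could not be reached
    DENIED = "denied"     # owner said "not me": request cancelled, nothing reset


@dataclass
class ResetRequest:
    account: str
    requested_at: datetime
    channels: list                       # all known contacts: email, phone, ...
    status: Status = Status.PENDING
    notified: list = field(default_factory=list)


def open_request(account, channels, now, notify):
    """Support opens a reset; every channel is told at once so the owner can object."""
    req = ResetRequest(account, now, list(channels))
    for ch in channels:
        notify(ch, f"2FA reset requested for {account}; reply DENY to block it")
        req.notified.append(ch)
    return req


def decide(req, now, owner_reply):
    """owner_reply is 'approve', 'deny' or None (no answer on any channel)."""
    if req.status is not Status.PENDING:
        return req.status                # a finished request cannot be reopened
    if owner_reply == "deny":
        req.status = Status.DENIED       # denial wins even before the hold ends
    elif now - req.requested_at < HOLD:
        pass                             # hold not over: support cannot short-cut it
    else:
        req.status = Status.RESET        # approved, or unreachable (e.g. lost phone)
    return req.status


if __name__ == "__main__":
    r = open_request("alice", ["alice@example.com", "+1-555-0100"], NOW, print)
    print(decide(r, NOW + HOLD / 24, None))   # still pending after one hour
    print(decide(r, NOW + HOLD, None))        # reset once the hold has elapsed
```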


> I can do everything right and still get compromised because some underpaid support contractor falls for some social engineering hack.

Security isn't binary, it's a spectrum and requires tradeoffs. 2FA isn't a silver bullet.


At least you'll be notified about the compromise, as surely everyone that resets the U2F will get notifications through all available channels, right?


Not if those channels require U2F to access them.


But that's only really a concern for your email provider, right? Like, as long as I know that resetting my login on service X will trigger an email, then I'm okay with it.

And if you're the email provider, you probably already have my phone number anyway and could/should send a text message to notify me about anything like this.
