I’ve been going through updating all of my accounts (passwords, 2FA, etc.), and I’ve noticed that there are a lot of sites that don’t offer any form of MFA.

I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this setup?

  • RegalPotoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    ·
    6 months ago
    • it takes engineering time which is not a trivial cost - accounts and identity for large orgs tend to be a lot more complex than you might think - there will likely be a few different identity stores, and multiple systems that query those stores; making sure every possible permutation works correctly can be a bit undertaking
    • It adds additional load to their support teams which is very expensive

    The support one is a real killer for a lot of places; I’ve worked with a place that had a few million paying customers, and ~half of those were in a tier where a single 30 minute support call would completely negate any revenue that that customer would bring in for the year. Email support was slightly less expensive, but would still be a significant proportion of your annual profit

    • Corroded
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      I was going to mention the support aspect. I believe some TOTP 2FA applications have automatic online backups by default but some don’t and require users to make their own backups. I can only imagine how challenging it would be to deal with users who have locked themselves out of their account due to their 2FA setup.

      I had to go through that with itch.io a while back and had to verify my most recent purchases to recover my account. It was nice I was able to get it back but that in itself could be a security concern.