For example, someone has lost their password, email access, phone number, and 2FA app. Make them wait a month to regain account access.
If any time during that month, the account is used or logged into, cancel the takeover request. During the month, every day send an email to all points of contact on the account letting them know what will happen.
It's a trade-off of the harm of unauthorized access to a dormant account vs. blocking someone from accessing their data (which is probably not backed up, and probably took considerable effort to create).
Have an account-level setting to disable such a process, for the people who might be offline for extended periods.
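As an added illustration (not part of the original comment), here is a small Python model of the waiting-period recovery scheme described above: a request is granted only after the full period passes with no sign-in, every contact on file is warned once a day while the clock runs, any sign-in cancels the request, and an account-level flag opts out of the process entirely. The 30-day period, the daily cadence, the two constructed contact addresses and all names are assumptions, not anything GitHub or another provider implements.

```python
"""Time-locked account recovery (added example; period, cadence and names are assumed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

WAIT_PERIOD = timedelta(days=30)   # assumed value for "a month"
NOTIFY_EVERY = timedelta(days=1)   # one warning per day to every contact


class State(Enum):
    PENDING = "pending"
    CANCELLED = "cancelled"   # the account was used during the wait
    GRANTED = "granted"       # wait elapsed with no sign-in; access may be restored
    REFUSED = "refused"       # the owner disabled delayed recovery on this account


@dataclass
class RecoveryRequest:
    opened_at: datetime
    state: State = State.PENDING
    notices_sent: int = 0
    last_notice_at: datetime | None = None

    @property
    def grants_at(self) -> datetime:
        return self.opened_at + WAIT_PERIOD


@dataclass
class Account:
    contacts: list[str]                       # all points of contact on the account
    allow_delayed_recovery: bool = True       # the opt-out setting for long absences
    request: RecoveryRequest | None = None
    outbox: list[tuple[datetime, str, str]] = field(default_factory=list)  # (when, to, text)


def _notify(acct: Account, now: datetime, text: str) -> None:
    for to in acct.contacts:
        acct.outbox.append((now, to, text))


def open_recovery(acct: Account, now: datetime) -> RecoveryRequest:
    """Start the clock, or refuse outright if the owner opted out."""
    state = State.PENDING if acct.allow_delayed_recovery else State.REFUSED
    acct.request = RecoveryRequest(opened_at=now, state=state)
    return acct.request


def record_sign_in(acct: Account, now: datetime) -> bool:
    """Any successful use of the account kills a pending request. Returns True if one was cancelled."""
    req = acct.request
    if req is not None and req.state is State.PENDING:
        req.state = State.CANCELLED
        _notify(acct, now, "Recovery request cancelled: the account was signed into.")
        return True
    return False


def tick(acct: Account, now: datetime) -> State | None:
    """One scheduler pass: send the daily warning, or grant once the period has elapsed."""
    req = acct.request
    if req is None:
        return None
    if req.state is not State.PENDING:
        return req.state
    if now >= req.grants_at:
        req.state = State.GRANTED
        _notify(acct, now, "Recovery request granted: the waiting period elapsed with no sign-in.")
        return req.state
    if req.last_notice_at is None or now - req.last_notice_at >= NOTIFY_EVERY:
        days_left = (req.grants_at - now).days
        _notify(acct, now, f"Recovery requested; access is handed over in {days_left} days unless you sign in.")
        req.notices_sent += 1
        req.last_notice_at = now
    return req.state


def simulate(sign_in_on_day: int | None = None, opt_out: bool = False) -> Account:
    """Drive the state machine hourly across the whole window on a constructed account."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account(contacts=["owner@example.com", "backup@example.org"],  # constructed
                   allow_delayed_recovery=not opt_out)
    open_recovery(acct, t0)
    for hour in range(int(WAIT_PERIOD.total_seconds() // 3600) + 1):
        now = t0 + timedelta(hours=hour)
        if sign_in_on_day is not None and hour == sign_in_on_day * 24:
            record_sign_in(acct, now)   # the owner (or an attacker) used the account
        tick(acct, now)
    return acct


if __name__ == "__main__":
    for label, acct in (("untouched", simulate()), ("sign-in on day 10", simulate(sign_in_on_day=10)),
                        ("opted out", simulate(opt_out=True))):
        print(f"{label}: {acct.request.state.value}, {acct.request.notices_sent} daily notices")
```

The three simulated runs show the trade-off the comment is making: a truly dormant account ends in `GRANTED` after thirty daily warnings, one sign-in anywhere in the window leaves the request `CANCELLED` so the attacker-initiated case never completes, and an account with the flag cleared is `REFUSED` immediately.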
Nope. No backups, no sympathy, simple as that.
2FA is worthless if you start to put holes in it like that.
So if you value your data, make backups - preferably locally the old-fashioned way, e.g. HDDs stored in at least two different locations or at least using several different cloud providers (which have their own infrastructure and aren't just relying on AWS/GCP/Azure/etc.).
There's no such thing as a "trade-off" when it comes to cyber security - either commit to it fully or just don't use 2FA at all.
Personally, I think 2FA that doesn't rely on physical devices (phones, keys, smart cards, etc.) is unreliable and sketchy anyways.
If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, your data can't be that valuable anyway.
This is a really garbage opinion. Long tail reliability situations like this is a major blocking point to large scale adoption of many things. No one wants to use something where the consequence of making a mistake is "well I guess you're f*cked now". You're ignoring the entire usability side of computing and innovation.
> 2FA is worthless if you start to put holes in it like that.
No, it is not. 2FA can still prevent 99% of takeover attempts. There are other ways to verify identity (especially within a social network, where real-life people know other real-life people), but these companies simply do not want to put the effort in. And I can't really blame them: it would be a large investment to verify the identity of a given, everyday person. This could be something that can be paid for in order to regain access, to cover the elevated review necessary.
Trust me, if Nat Friedman somehow loses his email and 2FA at the same time, I can bet you that they would somehow find a way to verify his identity and let him back into his GitHub account (or honestly any other account).
> There's no such thing as a "trade-off" when it comes to cyber security
This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally unusable.
> If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, your data can't be that valuable anyway.
Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.
Wow wow wow, so you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent to set up Time Machine, Timeshift, or File History? Really?
> There are other ways to verify identity (especially within a social network, where real-life people know other real-life people), but these companies simply do not want to put the effort in.
So you are suggesting that instead of keeping one piece of information (e.g. a second e-mail address or just a token generator, which can be an app), you instead share your entire private life with these companies? Oh, and by the way - how would you even protect your social media accounts then? 2FA all the way down?
> Trust me, if Nat Friedman somehow loses his email and 2FA at the same time, I can bet you that they would somehow find a way to verify his identity and let him back into his GitHub account (or honestly any other account).
Trust me, the CEO running the show is in an entirely different category than most of the 50 million other accounts and you (in this case GH) don't even want to have all this sensitive personal information.
The less info you have, the less impact a data leak on the provider's side can have. Why would anyone trust GH with their personal information more than any other tech company?
Mission-critical data belongs in multiple locations. Full stop. Losing access to a GH account should never be more than an inconvenience if your livelihood depends on it or you value your personal data.
> This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally unusable.
I'm not talking about security in general. I'm specifically talking about deliberately weakening a security measure (here: 2FA) for no reason at all.
Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?
> Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.
A USB drive is not a privilege and if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.
Data has become more important than ever, yet people still fail to understand that they should treat it like they would other valuables. 20 bucks for a protective case for your phone - no problem. 50 bucks for a half-decent 1TB portable USB HDD to back up their most important and irreplaceable data - only the privileged and tech gurus can afford that...
Nah mate, think again. It just doesn't make sense to put all your eggs in one basket (allegedly 10s of thousands of proverbial eggs in this case) and then whine about forgetting to change 2FA, having no backups whatsoever, and mixing private and work accounts all at the same time.
This is one of those things that you should learn from and the least you can do is to have a cheap external HDD and a recent backup of your most important stuff.
For your personal stuff, sure. But when engineering a service, you should care about everyone's stuff, not just those who are careful.
You should design your service to try to help those users who use the same password they did on myspace in 2004 and write it on a sticky note on their desk. Engineer for those who shared their password with their now-hated ex.
Even if the user takes massive security risks, the service should still try to maximize the user's ability to use the service, while minimizing an attacker's use of/access to the service.
Let me put it in HN terms. One person grousing how they lost their account due to their own fault is a minor HN comment in the middle of a thread. A person complaining that Github customer service assisted an attacker in account compromise is a front page thread by itself, probably picked up by mainstream news. Does that make Github's decision easier to make?
And as the GP says, what role would 2fa play in that scenario?
Those can't be helped. We're not talking about Geocities or MySpace here - we're talking about a service that hosts a distributed version control system aimed at experienced users with a technical background.
The target audience is strictly not your average consumer and even then you shouldn't insult the intelligence of your users.
2FA is intended to protect all users of the service and users do have a choice when it comes to selecting their 2nd factor. Doesn't have to be an e-mail or phone. It can be an app-generated token as well.
And losing everything at once is tragic (hence: keep backups!), but suggesting that the locksmith should be allowed to just open the door if you ask nicely and the owners don't show up within an hour would be just as ridiculous as allowing 2FA to be circumvented.
There are always trade-offs. No security is absolute, but that doesn't mean all security is worthless. And as a rule all security measures come with some associated cost/inconvenience. What trade-offs make sense will depend on many factors, such as the value of your data (both to you and to a potential attacker), the threat models you're concerned about, the people who need access to your "secure" data, etc.
I'm not talking about absolutely secure measures here, I'm talking about watered down security measures.
Just like encryption that has backdoors, weakening 2FA by providing ways around it by design makes it completely worthless. And remember that this doesn't just apply to one user - it affects all users of a platform at the same time if you allow nonsense like this.
There's no trade-off to be had there - you either offer a more secure identification method or you don't.
To put it in a different and simpler context: a safety gate has to have certain properties. If you remove one or more of these, it ceases to be a safety gate and becomes a regular door. A reinforced door with a cheap lock is just as insecure as a cardboard door with a security lock, and a second key under the doormat or hidden under a rock outside invalidates the usefulness of even a vault door...
I do agree with your take on account takeover in case of lost credentials.
> Nope. No backups, no sympathy, simple as that.
My two SIM cards were lost at the same time. Impossible, right? Now I cannot access my GitHub account anymore. Perfect security. Nothing important is lost and backups are there. But what about the account itself?
That's generally a suitable backup in my view.