How about the homeless person remembers a good password, and that's all that's needed for authentication? You know, just like it used to be. What exactly is wrong with that?
Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place? Passwords alone are a bad solution (often forgotten, easily re-used insecurely) for people without all of the challenges and frequent mental issues that accompany homelessness, why would you think they'd be a good solution for people who, as the OP says, aren't capable of keeping track of a physical device for more than N weeks?
I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, but I'm also not willing to ignore the huge problems the 2FA solves, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems to access their accounts.
A homeless person has a vastly different cybersecurity paradigm, specifically, they don’t need much in the way of cybersecurity. Nobody is stealing a homeless person’s identity.
Given that, just let them disable it, and let them just use a password. It’s fine to rate limit them if they forget the password a few times, but let them keep trying to log in until they remember it.
Homeless people have no physically secure place to store their possessions. The reason so many of them lose cell phones is because they get stolen or destroyed. It's not because they're incapable of "keeping track" of them.
"There is an imperfect existing solution, with a problem, therefore we will ban the existing solution and move to a new, better one"
... should require extraordinary certainty in completeness of one's new solution before banning the previous.
There are very few times when the legacy method should be deprecated, and Google is the poster child of someone who shouldn't be trusted to recognize them.
(Looks pointedly at Chrome mv2/3 hubris and implementation clusterfuck)
The great thing about something like an email service is that password guessing can be extremely rate limited. You miss three guesses and you can't log in for several hours. So an easily remembered password is perfectly fine unless it is blindingly obvious. As a homeless person losing access to a phone on a regular basis, I am going to be comfortable with the risk that the Gmail password hashes might get leaked. I think others would be quite comfortable with that risk as well...
Just because 2FA "solves" the extremely narrowly defined problem, doesn't mean it is the best solution or even something that people can and will actually use. Upon those metrics alone, 2FA is usually one of the worst "solutions" to the problem.
It is clearly failing for this use case.
Security can't be seen as a one-size-fits-all threat model. That will never be satisfactory, as requirements vary.
For most people in most scenarios 2FA is a net positive.
But denial of service is also a component of evaluating threat models. Here we're discussing cases where 2FA causes denial of service which is worse than any risk of getting the account stolen by password guessing.
Well, it isn't solving this one. Option to opt out would be nice.
> aren't capable of keeping track of a physical device for more than N weeks?
Bit ignorant of you. They could be just plainly stolen by someone else. A piece of rag working as a tent doesn't exactly have best physical security...
> I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, but I'm also not willing to ignore the huge problems the 2FA solves, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems to access their accounts.
It's not either or.
Pretty much EVERYONE will have cognitive decline in their twilight years. It would be nice if we could have communication systems that are compatible with basic human biology.
At some point, this becomes a problem better suited to the government.
Imagine you have a loved one who has dementia or is homeless and incapable of administering their digital accounts with traditional authentication methods. You want to take over their accounts.
You will need to present evidence that:
- they are indeed incapacitated
- they are who they say they are, aside from you vouching for them
- you are who you say you are
- you legitimately represent this person
- there isn’t somebody else who has a better claim at representing that person
I personally don’t want any tech company in the position to sort through all of that on a case-by-case basis and decide which accounts to unlock or transfer ownership to. Let the government or the courts figure that out.
I’m with you that an average person is probably using at least dozens of services that need credentials, but these people are probably not logging in on Amazon or checking their 401k online for instance, and can probably get by with a very limited set of stuff to remember.
Which would go one of two ways:
1. One uses the same password one uses everywhere else, and now one is much more vulnerable to credential stuffing
2. One is reliant on a book of passwords or a password management app on one's phone, resulting in the same exact problem we're trying to solve
Remembering one good password is not too onerous. Easier, it seems, than keeping any physical object in your possession if you're homeless. (I would assume that most losses are not due to cognitive failure, but instead are things like thefts when one is asleep.)
> PS: Many unhoused people access their email rarely, intermittently; they don't stay logged in. They often have to guess several times to remember their password.
2FA doesn’t work, and remembering passwords doesn’t work either. Checkmate.
I think what this actually calls for though is a way to prove your identity by talking to an actual human. Something that used to be the standard before tech companies declared that it was too inefficient.
I think pointless password rules are at the heart of this problem for many non-technical people who probably haven't been operating with a password storage solution and might not be used to that system or trust it.
Every platform has their own special requirements for passwords: some require a mix of capital and uppercase letters, some require numbers, some require a special symbol, some require a special symbol but no not that one, some restrict you from entering 3 of the same character in a row, some passwords have a short max character limit, some prevent certain characters like spaces, some require you to change it every so often, etc. Eventually, the password is forgotten or confused with another because of these pointless password rules.
I called them pointless password rules because they reduce the possible number of combinations required for an attacker to guess the password because any guessing program knows what can't possibly be valid combinations.
Homeless people aren't stupid and strong passwords don't have to be incredibly hard to remember. I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.
There is literally nothing more important than your email. Even stuff like your bank account has secondary means of recovery, whereas if you lose access to your email you're pretty much fucked.
When your account is stolen the attacker changes your password. You lose access to your email forever and lose access to all of the services that use your email as a recovery platform.
If an attacker breaks in and changes your password, you already do very likely permanently lose access to your email. Account recovery from that point is a hairy process even for people who have a place to safely store important documents, let alone those who don't.
> Even stuff like your bank account has secondary means of recovery
Those rely on forms of identification that the unhoused disproportionately lack (for the same reasons that they are more prone to lose access to phone numbers). This is also among the reasons why being unhoused tends to correlate with being unbanked.
This is functionally the outcome of getting hacked, if you want any kind of decent security measures.
Any way that Google can give you access back on a password-only account is going to be rife with bad actors using social engineering to gain control of accounts. As long as that form/page exists, it is a threat vector.
What you're asking is for the password to be the only proof that someone owns an account, which means a hacker can demonstrate ownership just as much as you can.
Banks have more options for account recovery because we're willing to give them a lot more info. They can force me to come in to a branch and compare my ID to my face, or ask for my SSN, or any number of things we're not comfortable handing over to Google (especially over the web).
But by definition, the homeless have already lost a home (assuming they weren't born homeless) - and I've forgotten passwords before. So "the stupid homeless just need to memorize their password" isn't a solution.
step 1: get your account hacked
step 2: hacker changes password
step 3: lose access to your email, forever
What you've presented is not in fact a dichotomy, for any practical purposes.
Security questions are probably enough, at least for people who can’t handle 2FA.
I don’t think that is the solution. I also don’t know what is.
Public services that somehow provide safe access to email etc?
In any case, I'm sure those involved would prefer the option of remembering a password to not having that option and getting locked out forever. Seems like a good solution. There may be better ones you can implement once this one is, always room for improvement you know
with spaces, punctuation, some sort of capitalization scheme (cap every last letter, or every other, etc.) and throw a number in there.
lot easier to remember than 32 random bits.
purposely misspelling something, adding spaces, and your own cap scheme make it a secure password.
I only had to change one of my passwords once when my coworkers discovered I was reliably whistling "Stayin' alive" after logging in.
I think Google faced a trolley problem and made the right decision. You need a different tool "homeless mail" for them.
It's Gmail. You don't have to use it. There's a lot of mail providers out there.
Whatever, if this guy won't set it up I will. I'll stick a 20 msg / hr, 100 / day limit on it and call it a nice anti-spam day.