by JustSomeNobody 2898 days ago
Article doesn't talk about what they're doing to mitigate the problem. Well, except tell the reader to change their passwords. So are online retailers just hoping the problem goes away?
2 comments

They have to balance user attention and user friction. Online retailers want your purchase to be as smooth as possible. There are some studies on how someone won't spend much time on a website if it loads slowly. The same can apply to purchase decisions. They need it as impulsive as possible. So annoying things like 2-factor authentication, in their mind, might make a customer give up their purchase.

So things are insecure because that's what customers want to satisfy their relatively low attention spans and impatience. And the retailers optimize for that.

Makes sense, nobody likes slow pages. However, don't most people have the browser save their password? So couldn't the online retailer have some sort of exponential delay (to a limit) after so many failed attempts? Surely that would affect few real customers.
What is being delayed? Just an IP address or the entire account? Neither really works.
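The capped exponential delay proposed above, keyed per account, as an added example (not code from anyone in this thread). The free-attempt budget, base delay and cap are assumptions; an injectable clock keeps it testable. Keying on the account rather than the IP is what defeats credential stuffing from many addresses, at the cost that an attacker can deliberately lock a victim out, which is why the delay is capped rather than growing without bound:

```python
"""Per-account login throttling with capped exponential backoff.
Added example; all constants below are assumptions, not a retailer's real policy."""
import time
from dataclasses import dataclass

FREE_ATTEMPTS = 3     # failures tolerated before any delay (a typo budget)
BASE_DELAY = 1.0      # seconds of delay at the first throttled failure
MAX_DELAY = 300.0     # cap so a legitimate user is never locked out for long


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # clock value before which attempts are refused


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    @staticmethod
    def delay_for(failures: int) -> float:
        """Delay imposed after the given number of consecutive failures."""
        if failures < FREE_ATTEMPTS:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)

    def check(self, username: str) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        state = self._accounts.get(username)
        if state is None:
            return 0.0
        return max(0.0, state.not_before - self._clock())

    def record(self, username: str, success: bool) -> None:
        """Reset on success; on failure extend the lockout exponentially."""
        if success:
            self._accounts.pop(username, None)
            return
        state = self._accounts.setdefault(username, AccountState())
        state.failures += 1
        state.not_before = self._clock() + self.delay_for(state.failures)

    def attempt(self, username: str, password_ok: bool) -> str:
        """Full login step: refuse without checking the password while throttled.
        Throttled attempts are not counted, so retries during the wait do not
        extend it (a deliberate choice; counting them would let an attacker
        keep a victim locked out indefinitely)."""
        if self.check(username) > 0:
            return "throttled"
        self.record(username, password_ok)
        return "ok" if password_ok else "rejected"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for i in range(6):
        print(i, throttle.attempt("alice", password_ok=False), throttle.check("alice"))
```

Returning "throttled" before the password check also avoids leaking timing differences between a wrong password and a locked account; the delay schedule itself is a policy knob rather than a security boundary.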
The only way I see this problem going away is when regular retailers start supporting software and hardware two factor authenticators.

I use Google Authenticator on any website that supports it and it does not impact the customer experience at all and it really improves security.

Agreed, but keep account recovery in mind.

Account recovery is a major pain point for any site that supports TOTP 2FA. If you're not using a TOTP application that supports cloud backup (like Authy), when you lose or replace your mobile device the existing TOTP tokens are useless as they can't be recovered. This results in some type of account recovery process to reintroduce the 2FA tokens. Often these recovery processes introduce additional security issues that are equivalent to not supporting 2FA at all, or they might require costly human intervention.

Don't get me started on SMS 2FA.
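The recovery problem described above, shown in code as an added example (not from any commenter): RFC 6238 TOTP verification with a small clock window, plus single-use backup codes stored only as hashes, so that losing the phone does not force the site into a weaker recovery path. The Base32 secret in the `__main__` block is the RFC 6238 test-vector key, not a real account's; the code length and hash choice are assumptions:

```python
"""TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) plus hashed single-use
backup codes for account recovery. Added example; names are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP value for a Base32 secret at a given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock skew.
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def _hash_backup_code(code: str) -> str:
    # Codes are normalised so a user typing upper-case hex still matches.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def make_backup_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Return (plaintext codes to show the user once, hashes to store).
    16 hex chars = 64 bits of entropy, enough that a plain SHA-256 of the
    code resists offline guessing if the hash store leaks; shorter,
    friendlier codes would need a slow hash instead (assumption)."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    return codes, {_hash_backup_code(c) for c in codes}


def redeem_backup_code(stored_hashes: set[str], code: str) -> bool:
    """Consume a backup code: valid once, then removed from the store."""
    digest = _hash_backup_code(code)
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret ("12345678901234567890" in Base32), not a real seed.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("TOTP at T=59:", totp(rfc_secret, 59))
    codes, store = make_backup_codes(4)
    print("backup codes:", codes)
    print("first redeem:", redeem_backup_code(store, codes[0]),
          "second redeem:", redeem_backup_code(store, codes[0]))
```

The two halves belong together: the TOTP seed is what a user must back up (the QR code encodes exactly this Base32 string), and the hashed backup codes are what the site keeps so that a lost device can be handled without falling back to email or SMS. Redeeming a code should also be rate-limited like a password.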

I'd like to get you started on SMS 2FA. I deal with this a lot at work and would like as much information as possible!
SMS is terribly insecure. Using it as a security system is a bad idea.

SMS verification is more for discouraging bots from making accounts by making it expensive: you need to buy a cell phone. Every SMS verification system refuses to send to VoIP type accounts for this reason.

Couple this with the fact that mobile services are also subject to credential stuffing attacks constantly and, for the services that allow you to read SMS messages online, the attackers who take over your mobile account also gain a critical piece of your 2FA protection.
Exactly, that's why I have disabled my Google email recovery via phone number. The only possibilities are auth via an existing signed-in device, Google Auth, or backup codes.
I always save that TOTP token or QR code in my separate KeePass database, so that if my Google Auth app breaks for any reason, I can install it fresh and re-scan those QRs from KeePass.