by nindalf
2727 days ago
A. OP's original problem is that users aren't noting down the secret when they're requested to.

B. Manual review works, unless there is a sufficient incentive to break it. Here's an example of PlayStation Network struggling with hackers disabling 2FA via customer support - https://waypoint.vice.com/en_us/article/43ebpd/the-long-weir...

C. If a user is resetting 2FA then most likely they've lost the device on which they had the authenticator app installed. If they still had access to it, authorizing them to perform a 2FA reset would be trivial.

D. Reset via email is the most commonly used one. It's scalable, unlike manual review. Less secure, arguably.

> This is the most tricky issue about 2FA: who's going to authenticate the authentication system

100% agree here. It's a hard problem.
In my example, there is a sufficient incentive for an attacker to break into a server through the 2FA loophole, since there are valuable assets hosted on it. This is why my hosting provider requires users to obtain and submit all the paperwork, which must correspond to the address in the payment information.

I'd summarize the disadvantages of manual review as follows. Low efficiency: as a casual player, I would feel ridiculous if a company required my utility bills and passport to reset my gaming account. I'm sure a rigorous identity check was not performed in your PSN example. Poor scalability: the number of accounts is much higher in a game than in a professional service like hosting or payment, and humans need to do all the work. And it is prone to social engineering.