[bernierocks]

Ring was hacked because the victims used the same password across multiple websites and those other websites had data breaches.

You can't really do anything about this, no matter how great your security is.

I suppose Ring could enforce 2FA across the entire platform, but many people wouldn't accept this and they would lose customers.

I use a password manager and don't reuse any password for any site and have 2FA enabled on all of my important accounts. The problem is that most people don't want to be inconvenienced.

[peacemakr_io]

I find punching in a username + password extremely inconvenient, and this is why I never create new accounts from scratch.

OpenIDConnect is integrated across several platforms, and allows for us to centralize authN and authZ behind a single secure trusted Identity Provider, such as google auth, facebook auth, github auth - whatever make the most sense for your audience. It's the same idea as password-manager, a single trusted login, but better, because there's no password-management nonsense.

I'd argue is not the failure of user, but, the failure of the tech community.

So what I am hearing from you is "user authentication" is your greatest security challenge?

[bernierocks]

"google auth, facebook auth, github auth"

So you now have a handful of failure points. I also am against the idea of building my entire user base off of someone else's platform. It's just asking for trouble down the road.

"I find punching in a username + password extremely inconvenient, and this is why I never create new accounts from scratch."

Security is really never convenient. You need to have a good balance between the two. A password manager is pretty convenient, even my non-tech savvy parents can use one.

"So what I am hearing from you is "user authentication" is your greatest security challenge?"

No. I was making a comment about the recent Ring hacks and how if you are a startup and the exact situation happens, there isn't much you can do beyond telling users to use different passwords or forcing a password change.

Even if you have the most secure encryption in place and all the best security procedures, if your users pick terrible passwords (or another site gets hacked and they use the same password), they will get their accounts hacked.