[tptacek]

Yes. For obvious reasons, people are more prone to lose 2FA authenticators (be they code generators or hardware keys) than passwords. Both passwords and 2FA mechanisms are customers of account recovery, which is the process that kicks in when you can't log in. Security questions are a particularly bad account recovery system. Reset emails are somewhat better.

Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

To get a general sense of where we're at as an industry with this, look at the process for what happens when you lose an AWS 2FA secret:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

[4oh9do]

> Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.

[tptacek]

I'm reading the plain language of the agreement, which requires the replacement of security questions and answers, and is not in fact a manifesto about the insecurity of passwords writ large.

But technical language aside: a requirement that CafePress fully adopt 2FA also doesn't make sense, because its users will not fully adopt 2FA. The users that can't 2FA are the interesting case here, and the thing I'm calling out.