[jchw]

It's not always that clear cut, though; after all, wouldn't this argument apply to e.g. laws requiring seatbelts? One could argue that in this early-ish stage of electronic data, vendors that hold very sensitive data are being irresponsible. Not just about not requiring more secure authentication, but also for pushing less secure authentication like SMS-based authentication factors.

[KRAKRISMOTT]

The car makes an annoying beep beep sound, but it doesn't force the user to use a seatbelt. The onus and responsibility is ultimately on the end user.

[jchw]

The inability of the car to safely enforce this is probably the main reason why this works this way. The responsibility is split, though: cars are required to be designed in ways that discourage or prohibit some unsafe behaviors entirely. Not too different from services requiring 2FA: doesn't mean the TOTP secret is necessarily stored safely.

[ImPostingOnHN]

A friend of mine rented a larger, newer Jeep SUV when in town. It would not go into gear unless seatbelts were buckled. It was awful - not a future I want to live in. I'd rather have the choice than have it made for me in the name of safety.

> Not too different from services requiring 2FA

That is another practice I find awful for the above reason.

[serf]

Another underlying problem with that kind of gatekeeping are the dangerous scenarios that can happen when the Jeep decides erroneously not to start due to a sensor anomaly.

It's a virtue that a car continues to operate when all the warning signs and buzzers are going off; this means that the human in charge is left in ultimate control of the situation and there doesn't need to be any complex umbrella structuring of liability -- this allows a driver to safely drive away from a dangerous tidal wave/assault/lava flow/whatever even if their seat belt sensor is broken ; this is very important for numerous reasons.

[dizhn]

There are cars from the 90s that put the seat belt on automatically when you close the door. It looks awful but it works.

[Tagbert]

You are assuming that all users consider this data to be especially sensitive as opposed to something that your body leaves about wherever you go.