> After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.
Often in discussions about 2FA and IP address checks on HN, there is a sizable contingent that is frustrated with how ever more security impacts how they want to use the product, such as people wanting to be able not to own a smartphone while still doing online banking or using their credit cards overseas.
Add in all the people who struggle to use 2FA of any kind. At my first employer, I was there when they implemented it and it basically destroyed an entire week of productivity as so many people struggled to grasp how to set up a token in the authenticator app and use the token. I would be curious to know what the stats are on how 2FA impacts use and churn of users.
I can definitely understand this argument - imagining my dad setting up even SMS-based 2FA makes me shudder. However, for information this sensitive, it would have been smarter (imo) to strongly encourage 2FA, along with tutorials on how to set it up (articles, videos), and finally to add an option to not use it with a BIG SCARY WARNING and a consent checkbox.
Ultimately, companies like this are making the choice of information safety vs profits - it’s a tale as old as the free market.