E-mail and phone are critical attack verctors when associated with your online accounts
I think that there should be no e-mail associated with accounts.
Email accounts are another point of failure and attack vector.
Also phone numbers should not be associated with accounts, this is a huge security flaw.
The best way to secure an account is with long passphrase, non-phone-number 2FA (with Google Authenticator or hardware device using public key cryptography) and/or PGP key.
Passphrase recovery should not be possible or really hard and uncomfortable (you need to fly to the office in person with your passport and 3 witnesses + 1 year waiting period).
Comments
Post a Comment