Should 2FA be mandatory?

Do you think that making 2FA, or really some form of MFA, mandatory would be a good decision?

For everything? Just for critical stuff? Should it be opt-out? Or is it just good as it is right now?

I would like to read all your opinions in detail.

Everyone should decide for themselves what they do (i.e. whether they want to use it), it should only be “mandatory” for banking / critical stuff.
Basically, I don’t really care as long as we get away from SMS MFA.
Also, I think it would be cool if more services would implement security keys (YubiKey etc.).
Overall, MFA in general is a great thing :+1:.

It depends on the following factors:

  1. Do you have the necessary hardware? Not everyone has a YubiKey or a cell phone for SMS or TOTP codes.
  2. Recovery options: If you cannot recover your account because you lost your 2FA device, then you shouldn’t enable it in the first place. Many services today provide some form of recovery options if you lose your 2FA device.
  3. How important is your account? Most accounts contain sensitive enough data that 2FA is needed, but something like a free VPN account or free ebook account may not need 2FA.

Passwords are not only becoming easier to brute force, but also easier to steal and copy through network-based attacks, so enabling 2FA is highly recommended if you can.
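To make the TOTP and recovery-option points in the reply above concrete, here is an added example (not code from any poster or from any particular service) of what a service has to implement on its side: RFC 6238 TOTP verification with a small clock-skew window, replay protection so an already accepted code cannot be reused inside that window, and single-use recovery codes stored only as hashes. The secret `12345678901234567890` is the RFC 4226/6238 test key; the window size, code length and hashing choices are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6       # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (as in otpauth:// URIs)."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server-side state for one enrolled user: shared secret plus the last accepted step."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = -1        # highest step already consumed (replay guard)

    def verify(self, code: str, at_time: int) -> bool:
        counter = at_time // TIME_STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue              # never accept a step that was already used
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def generate_recovery_codes(count: int = 8) -> tuple[list[str], set[str]]:
    """Return (plaintext codes to show once, hashed set to persist).

    Codes are 64-bit random values, so a plain SHA-256 is enough to make the
    stored form useless to anyone who reads the database (assumption: the
    server also rate-limits attempts, as it must for TOTP anyway).
    """
    codes = [secrets.token_hex(8) for _ in range(count)]
    hashed = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashed


def redeem_recovery_code(hashed_store: set[str], code: str) -> bool:
    """Consume one recovery code; each code works exactly once."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in hashed_store:
        hashed_store.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC test key at the RFC's T=59 sample time.
    key = b"12345678901234567890"
    print("TOTP at t=59:", totp(key, 59))          # 287082 per RFC 6238 (6-digit form)
    v = TotpVerifier(key)
    print("first use accepted:", v.verify("287082", 59))
    print("replay rejected:", v.verify("287082", 70))
    plain, store = generate_recovery_codes(4)
    print("recovery code works once:", redeem_recovery_code(store, plain[0]),
          redeem_recovery_code(store, plain[0]))
```

The replay guard is the part most home-grown implementations forget: a skew window of one step means a code stays valid for up to 90 seconds, so without remembering the last consumed step a phished or shoulder-surfed code can be replayed by an attacker within that interval. The recovery codes cover the "lost my 2FA device" case from the list above without weakening the second factor to something guessable.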

