As far as I know, 2FA (other than SMS being insecure) is very important. However, I want to share my scenario where not enabling 2FA might be an acceptable risk.
I have a Bitwarden account with my unique email address and password. I do not disclose my unique email address to anyone, because the first part of the email address is known only to me, and only Bitwarden knows my email address. Sure, I do not share my password with anyone, but I’m not talking about passwords; I’m talking about email addresses. The reason I mention this is that I use unique email addresses for almost every website on which I have created an account, and I can track whether my email address appears in a data breach or not.
So since I use unique email addresses for every site I have an account with, I could consider not having 2FA for my Bitwarden account an acceptable risk, because I have a very complicated email address. However, if I did not use unique email addresses, even if I used unique passwords, it would make sense to use 2FA.
I manage unique email addresses using both my password manager (Bitwarden) and Google Groups for Google Workspace. No plus addresses or catch-all email are used.
With that said, besides unique email addresses (remember, I’m not talking about strong, unique passwords), are there any reasons why anyone won’t need to use 2FA in general?
Update as of May 20, 5:37 AM EDT: Added “in general” for clarity.
Well, I guess if you use highly secure, high-entropy passwords everywhere, you could probably do without both 2FA and the “complicated” email addresses and still be pretty secure. But if a service leaks your password, you would be glad you had 2FA active. Also, unlike passwords, email addresses or usernames are not considered a secret and will not be stored in the same secure way as passwords. And they will likely be used for other things too. Most services will, for example, put them into their CRM system in order to send you newsletters etc. Anyway, my point is that the service you subscribed to “knows” your email address / username, and employees are probably able to see it in clear text somewhere.
It is definitely more secure to use simple usernames with 2FA than complicated usernames without 2FA, given you are using the same strong password in both cases. And it’s also much easier to manage in everyday life.
Btw, there is a reason why it’s called 2FA and not 3FA. The reason is that the username isn’t considered a security or secret factor.
That makes sense. My password manager (Bitwarden) manages strong and unique passwords, and I have not run into security issues so far. If a data breach occurs, I can simply change my unique email address and password and then delete the old compromised email address. If an organization irresponsibly manages customer data such as email addresses due to a database misconfiguration, or falls for a phishing attack a couple of times, I can delete my email address and take my business elsewhere.
Now granted, I do use the same username for forums (with the exception of my bank account, where I have a unique online ID which I won’t disclose), but I do consider email addresses to be more secure than usernames, given that once I create a unique email address for a particular site, the only way an attacker can attempt to log into my account is through that email address and not a username. And this is why, with Bitwarden as an example, merely logging into my password manager account with my unique email address and unique password is an acceptable risk if I do not enable 2FA for my account.
Sure, an email address is only shown in plain text in a database, but I do feel more secure having unique email addresses for every business/forum that I signed up for, though only if a business has a clean track record of keeping customer data safe from security breaches.
And this is why I am asking if there are any reasons not to use 2FA. It all comes down to risk management.
Yeah, sure, unique email addresses can make sense, but they do not have to be very complex like a password, imho. A robot that tries usernames from a leaked database doesn’t care how complicated it is. But maybe there is a small advantage in case of random brute-force attacks, though I don’t think that these random brute-force attacks are a real threat, except maybe if you use admin as your username and password123 as your password.
I think it’s fine not to use 2FA for accounts like, for example, this forum. I would still use a reasonably secure and unique password though. Things like banking, email, or anything where personal files and information can be accessed (e.g. Google Workspace, M365 or, if you are self-hosting, your Nextcloud or whatever product you are using) should of course get all the factors available.
However, as I already said, I don’t consider the username a security factor. So in the case of my Nextcloud I use my first name, in combination with a strong and complicated password and 2FA. Of course there are other mitigations in place to slow down brute-force attacks and block IPs that had multiple failed login attempts. So I really don’t think that I would gain any security with a random username.
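The last reply mentions blocking IPs after multiple failed login attempts as one of the mitigations that make a random username unnecessary. The following is an added example, not code from the thread or from any product named in it, of a sliding-window failed-login counter of that kind run over a few constructed log lines. The log format, the field names, the thresholds and the sample addresses are all assumptions made for the example. It counts failures per source IP regardless of which username was tried, which is exactly why the complexity of the username does not change what this control does.

```python
"""Sliding-window failed-login counter (added example, constructed data).

Log line format assumed for this example:
    <ISO timestamp> <OK|FAIL> user=<name> ip=<address>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One source tries several
# usernames in quick succession; another fails twice, far apart, and once
# logs in successfully.
SAMPLE_LOG = """\
2024-05-20T09:00:01 FAIL user=alice ip=203.0.113.7
2024-05-20T09:00:03 FAIL user=admin ip=203.0.113.7
2024-05-20T09:00:04 FAIL user=bob ip=203.0.113.7
2024-05-20T09:00:06 FAIL user=root ip=203.0.113.7
2024-05-20T09:00:08 FAIL user=alice ip=203.0.113.7
2024-05-20T09:00:09 OK user=alice ip=198.51.100.2
2024-05-20T09:01:00 FAIL user=alice ip=198.51.100.2
2024-05-20T09:15:00 FAIL user=alice ip=198.51.100.2
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user_field, ip_field = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user_field.split("=", 1)[1],
        ip_field.split("=", 1)[1],
    )


def find_blocked_ips(log_text, max_failures=5, window_seconds=300):
    """Return {ip: time_of_block} for every source IP that accumulated
    max_failures failed logins inside a window of window_seconds.

    Failures are counted per IP, not per username: a bot rotating through
    a leaked username list from one address hits the threshold just the
    same. A successful login from an IP clears its pending failures.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, _user, ip = parse_line(line)
        if result == "OK":
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocked.setdefault(ip, ts)  # keep the first time we tripped
    return blocked


if __name__ == "__main__":
    for ip, when in find_blocked_ips(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when.isoformat()})")
```

With the defaults (5 failures in 5 minutes) only 203.0.113.7 is blocked, at the fifth failure; 198.51.100.2 never is, because its two failures are 14 minutes apart. Tightening the window or the threshold changes which address trips, but nothing in the decision depends on how guessable the username was.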