by cmsellers » Tue Jul 27, 2021 2:31 am
So there's a website I'd started getting my non-baking chocolate from, an order every few weeks since I discovered it. I use the past perfect because one of their execs had a bright idea that probably put an end to that.
See, I tried to log in and it tried to send me a two-factor authentication code. I was struck by the fact that A. I'm using the same IP address as always, and B. I definitely hadn't set up two-factor authentication.
"Oh well," I figure. "I'll log on and then disable it in settings."
Put the code in, and it takes me to the next page: they're setting up two-factor and it's mandatory.
Fuck that noise!
I sent them an email telling them that they've lost a reliable customer for as long as this policy remains in place.
I feel like some executive (though this seems to be a fairly small company), just learned that two-factor authentication is vastly more secure and decided to require it.
The problem is, security isn't free; it comes at the cost of UX and accessibility. Part of good cybersecurity is knowing when that tradeoff is worthwhile. When the most sensitive information you have is my home address (which is public record anyway), and you make your money by selling things that are nearly replaceable, mandatory two-factor is not a worthwhile tradeoff; in fact, I'd say that even opt-out two-factor isn't. I feel like I need to draw the line now. If every online storefront got this bright idea, it'd be a damn nightmare.