4 comments

[ 5.9 ms ] story [ 17.7 ms ] thread
I'm the author of the guide (and did this recent update to it), so feel free to ask me any questions you might have. Comments or corrections also welcome.
What do you think about MFA, password-less SMS or email based login. It seems there are a lot of varying opions on the topic.

This could be an additional topic to add to your guide. Thanks.

That is something I didn't get a chance to add to the guide this time. I'm going to be adding more information to the guide later this year or next.

Passwordless login is an interesting topic and it seems like other companies are pushing it hard. When it is done via an app on your phone, it appears to be more secure than via SMS. Similarly, email based login is only as secure as someone's email. Both of these methods of authentication rely on third-parties to implement the security well, which is not always the case.

As for MFA, both SMS and code based MFA are good solutions. SMS is a little less secure because phones can be cloned. The new Webauthn specification looks interesting and hopefully that will improve web based authentication considerably. Finally, the best solution currently still seems to be MFA devices like USB sticks.

The main issue with MFA is that it can be cumbersome for users to setup. The simplest version is SMS, which requires very little knowledge to setup correctly. However, this is also the least secure.

Always tradeoffs with security unfortunately.

This renders really weird on FF on windows. Lots of long images. (Yes, some people still use FF and Windows.)

Liked the references section, and appreciated some of the finder details (the origin check, for example).