
You can check against HIBP on login the same as you check on password reset. If the password is compromised on HIBP, force 2FA and a password reset.

Ideally MFA should be based on the account's or session's risk and not be mandatory.
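The login-time HIBP check described above, as an added example that is not part of the original comment or any 23andMe code. It implements the Pwned Passwords k-anonymity lookup (only the first five hex characters of the password's SHA-1 leave the server) and the policy the comment suggests: a match steps the session up to MFA and forces a reset. The breached-password list and the range responses are a constructed offline fixture; `hibp_fetch` shows the real endpoint but is not called by the demo, and `login_decision`, `fixture_fetch` and the fixture contents are hypothetical names chosen here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

# A fetcher takes the 5-hex-char SHA-1 prefix and returns the raw range body.
RangeFetcher = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch: RangeFetcher) -> int:
    """k-anonymity lookup: send the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def hibp_fetch(prefix: str) -> str:
    """Live fetcher against api.pwnedpasswords.com (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "login-hibp-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture: pretend these passwords were seen in breaches this many times.
_CONSTRUCTED_BREACHED = {"password": 9_545_824, "letmein": 1_000_000, "qwerty123": 800_000}


def _build_fixture() -> Dict[str, str]:
    """Group the constructed entries by SHA-1 prefix, the way the API returns them."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, n in _CONSTRUCTED_BREACHED.items():
        d = sha1_hex(pw)
        by_prefix.setdefault(d[:5], []).append(f"{d[5:]}:{n}")
    # Mimic Add-Padding: true, which mixes in zero-count entries the client must ignore.
    for prefix in by_prefix:
        by_prefix[prefix].append("0" * 35 + ":0")
    return {p: "\r\n".join(lines) + "\r\n" for p, lines in by_prefix.items()}


_FIXTURE = _build_fixture()


def fixture_fetch(prefix: str) -> str:
    """Offline stand-in for hibp_fetch; unknown prefixes yield an empty body."""
    return _FIXTURE.get(prefix.upper(), "")


def login_decision(password: str, fetch: RangeFetcher = fixture_fetch) -> dict:
    """Policy applied after the stored-hash check already succeeded:
    a compromised password means step-up MFA now and a forced reset."""
    n = pwned_count(password, fetch)
    compromised = n > 0
    return {"pwned_count": n, "require_mfa": compromised, "force_reset": compromised}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xK9"):
        print(pw, "->", login_decision(pw))
```

Run the check only after the submitted password has already verified against the stored hash, so the plaintext is in memory for the same window it would be anyway; the live API returns a padded body for every prefix, so a failed or empty lookup should fail open to the normal login path rather than block the user, and the count threshold (here any hit) is a policy choice.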



That's another step in the right direction, but 23andMe is the kind of service that people create an account for and then don't use for years at a time. Still not a complete solution.

And I agree that mandatory 2FA isn't a good answer either. As someone who uses long, random passwords on all websites, I like to be able to choose whether to add 2FA on top.


It's a mitigation. If 23andme can't show that they at least mitigated the problem then they're going to find themselves in hot water.



