Am I the minority? The case of 2FA

As I said before, I am concerned about whether a blogging service has two-factor authentication. Of the three services I introduced (Bearblog, Pika and Pagecord), none of them has this, but Pagecord at least has email authentication for every login.

I emailed Pika and got a reply very quickly. They said a few users have asked for this, and while they have it in mind, they have no plan to implement it in the short run.

I just wonder if I am one of the few who are serious about Internet security, so I decided to check whether my other accounts, including here, have 2FA, and I couldn’t find any without it, even if only through email. They are Squarespace, Reddit, Google, Meta, Apple and Strava.

I just don’t understand: when the owners are also users, why don’t they care about security? They can be hacked as well, just in case…

Those owners probably care more about $…

(2FA preventing “regular” users from signing up or using the service)

If they follow what Pagecord is doing (username > check mail and click the link > done, without a password), it will be secure and convenient for regular users, and they won’t lose their accounts. Not as secure as true 2FA, but better than just a password.
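The flow described in this post, written out as an added example so the security-relevant details are visible. This is illustrative code, not Pagecord’s or any of the services’ own implementation; the 15-minute lifetime, the in-memory store and the `https://example.invalid/login?token=…` link format are all assumptions. The points a practitioner would check for are: the token is unguessable (256 bits from `secrets`), only its hash is stored so a database leak does not yield usable links, the link is single-use, and it expires.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed: links expire after 15 minutes


class MagicLinkStore:
    """Server-side record of pending magic links (assumed in-memory store).

    Only sha256(token) is kept. The token itself appears once, in the emailed
    link, so the database never contains anything that logs a user in.
    """

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for tests
        self._pending = {}                   # token_hash -> (email, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a link for `email`; the caller would send it by mail."""
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (email, expires_at)
        return f"https://example.invalid/login?token={token}"  # assumed URL

    def redeem(self, token: str):
        """Return the email on success, None otherwise. Always single-use."""
        # pop() removes the entry whether or not the rest of the checks pass,
        # so a link can never be replayed, even an expired one.
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None                      # unknown, already used, or forged
        email, expires_at = entry
        if self._now() > expires_at:
            return None                      # link too old
        return email


def token_from_link(link: str) -> str:
    """Extract the token query parameter the user clicked on."""
    return parse_qs(urlparse(link).query)["token"][0]


def demo():
    """Walk through issue/redeem with a fake clock; returns the outcomes."""
    clock = [1_000_000.0]
    store = MagicLinkStore(now=lambda: clock[0])

    link = store.issue("alice@example.com")  # constructed sample user
    first = store.redeem(token_from_link(link))
    replay = store.redeem(token_from_link(link))   # second click: rejected

    stale_link = store.issue("bob@example.com")
    clock[0] += TOKEN_TTL_SECONDS + 1              # wait past the TTL
    stale = store.redeem(token_from_link(stale_link))

    forged = store.redeem("not-a-real-token")
    return first, replay, stale, forged


if __name__ == "__main__":
    print(demo())
```

The lookup is by hash rather than by constant-time comparison; that is fine here because an attacker who cannot guess a 256-bit token gains nothing from timing differences on a hash-table miss. Note that this still rests on the security of the user’s mailbox, which is why the reply below asks whether it really adds a factor.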

While not majorly expensive, there is a cost to implement and support MFA.

For the companies, there are three options:

  1. There isn’t a clamour from their customers for MFA
  2. They don’t believe that the content on their site requires MFA (and because of 1, assume that their customers feel the same)
  3. They’ll do it after they have a breach when they realise the value it brings.

My money would be on 1.

You’ve answered your own question there.

In general, Pika’s customers don’t think it’s necessary, so you’re very much in the minority amongst Pika users.

I would guess (and it is a guess) that only a small percentage of people switch on MFA when it’s optional. It’s why the big names have made it mandatory for all users.

I looked at omg.lol’s https://home.omg.lol help section because this is a blogging service I’m considering. They use only passkeys, apparently, unless I’m misreading. So, that’s interesting.

And I almost forgot to mention, they are participating in the St. Jude Fundraiser through today.

I would wager that the cost to implement pales in comparison to the cost of support for users that have issues with it.

There are existing libraries and out of the box solutions for the part of actually handling the authentication. There are no existing libraries and out of the box solutions for supporting cranky users who don’t know why they have to have their phone to login. 🙂

Why? Isn’t this still just 1 factor?


IMO, security can vary depending on what needs to be protected. For example my bank has my financial information, and Apple and Google store my credit card information. So I expect them to require strong passwords and 2FA.

OTOH everything on this site, except my email address, is public so requiring a simple username and password is OK with me.

If a website doesn’t meet my personal standards, I find another that does.


For me, it’s that someone who hacks in can take over: deleting your content and even your account, changing your password, or even worse, spreading content he likes to damage your reputation.

I once got notifications, more often than not, that someone had tried to log in to my Meta social media account. Someone I know faced similar issues on Gmail and knew who did it. It’s not surprising that people who are friendly to you (and even friends) can do such a thing. The chances are rare, but it’s just in case, because on the Internet people can hide themselves to a certain extent.


My only social media experience has been a Twitter account, which I check for DMs a few times a year since it became X. I can’t control the website, only choose when or if I use it. Just like every other site/service on the Internet.

A sufficiently-secure password solves those problems rather well, unless you have a reason to believe somebody is capable of man-in-the-middle-ing your credentials.

I would wager most platform hacks aren’t guessed passwords. They’re targeting security vulnerabilities and/or infrastructure-level access that allow them to do things without having to log in in the first place.


You’re assuming that the service is handling your password properly. There are still sites/companies out there that are not managing credentials securely on the back end.


The most common attacks are based on credentials stolen from other sites as so many people STILL use the same username and password across multiple sites.


According to CrowdStrike “we” are the cause for a great number of cyber attacks.
