
Reassess the definition of "2FA" to include things that are better than _just passwords_ #7064

@skyzyx


Information about the feature to be added:

There are a lot of complex ideas to unpack here, but I'll try to be brief. These are, I believe, fundamental truths about authentication.

  • The human mind is the worst place for storing passwords.
  • The human mind is the worst tool for generating passwords.
  • Using single-factor auth which avoids passwords is better than using passwords as that single factor.

Therefore, I would like to respectfully request that the definition of "2FA" used by this site evolve from the literal definition to something that allows sites to do better things, even if it's still technically single factor.

  • One of these examples is Passkeys, which can be used in place of username + password.

  • Another of these is "passwordless" authentication. I've seen the Contribution Guide, and understand the use of the literal definition of two-factor, but this is something I'd request we redefine.

    • There is no perfect "silver bullet" here, and I'm not asking we try to synthesize one.

    • Maybe separate passwordless-via-email (where most email providers have a web-facing password login, and therefore are some definition of "less secure") from passwordless-via-app (using a phone/tablet is more personal, and does not have a web-facing password login, and therefore is some definition of "more secure").

Are we trying to list sites with literal multi-factor authentication, or are we trying to provide information that can inform and enable users to make themselves more secure?

If it's the former, then never mind. But if it's the latter, I'd love to see a more comprehensive "better than the status quo" listing that includes secure alternatives to literal 2FA (where 2FA is one solution to the problem, but not treated as the only solution to the problem).

Thanks for considering.


Labels: enhancement (Issue/PR contains enhancements to the overall code of the site.)
