I don't really understand this reasoning.
HN allows for creating a user. HN requires every post and comment to be created by a user. HN displays the user for each post and comment. HN allows for browsing users' post and comment history. HN allows for flagging posts and comments, but only by users. HN allows for voting on posts and comments, but only by users. HN also has some baseline guardrails for fresh accounts. Very clearly, the concept of user accounts is central to the overall architecture of the site.
And you ask if it is in HN's interest to ensure people's user accounts remain in their control? As far as I can tell, literally all mutative actions you can take on HN are bound to a user, and that covers all content submission actions. They even turn on captchas from time to time for combating bots. [0] How could it not be in their interest to ensure people can properly secure their user accounts?
And if I further extend this thinking, why even perform proper password practices at all (hashing and salting)? Heck, why even check passwords, or even have user accounts at all?
So in my thinking, this is not a reasonable question to ponder. What is, is that maybe the added friction of more elaborate security practices would deter users, or at least that's what [0] suggests to me. But then the importance of user account security or the benefit of 2FA really isn't even a question, it's accepted to be more secure, it's more a choice of giving up on it in favor of some perceived other rationale.
TBF I didn't ask if it was in their interests, I asked if the consequences of a password related attack were serious enough to warrant the expense of implementing MFA.
Let's look at some common attacks:
- Single user has their password compromised (e.g. by a keylogger). Here the impact to HN is minimal; the user may lose their account if they can't get through some kind of reset process to regain access to it. MFA may protect against this, depending on the MFA type and the attacker.
- Attacker compromises the HN service to get the password database. MFA's not really helping HN here at all, and assuming that they're using good password storage processes, the attacker probably isn't retrieving the passwords anyway.
- Attacker uses a supply chain attack to get MITM access to user data via code execution on HN's server(s). Here MFA isn't helping at all.
It's important to recognize that secure is not a binary state, it's a set of mitigations that can be applied to various risks. Not every site will want to use all of them.
Implementing mechanisms has a direct cost (development and maintenance of the mechanism) and also an indirect cost (friction for users), each service will decide whether a specific mitigation is worth it for them to implement on that basis.
Whether they are "serious enough" is a perceived attribute, so it is on them to evaluate, not on any one of us. Depending, it could mean a blank check, or a perpetual zero. The way HN is architected (as described prior), and it being a community space, it makes no sense to me not to do it in general, and even considering costs, I'm not aware of e.g. TOTP 2FA being particularly expensive to implement at all.
Certainly, not doing anything will always be the more frugal option, and people are not trading on here, so financial losses of people are not a concern. The platform isn't monetized either. Considering finances is important, but reversing the arrow and using it as a definitive reason to not do something is not necessarily a good idea.
Regarding the threat scenarios, MFA would indeed help the most against credential reuse based attacks, or in cases of improper credential storage and leakage, but it would also help prevent account takeovers in cases of device compromise. Consider token theft leading to compromised HN user account and email for example - MFA involving an independent other factor would allow for recovery and prevent a complete hijack.
Yes, it would help against some attack scenarios, no argument there. The question is, do HN regard it as sufficiently important? Changing the codebase to implement MFA would at the least require some development effort/additional code, which has a cost. Whilst I'm not privy to HN's development budget, given that it doesn't seem to change much, my guess is they're not spending a lot at the moment...
MFA can also add a support cost, where a user loses their MFA token. If you allow e-mail-only reset, you lose some security benefits; if you use backup tokens, you run the risk that people don't store those securely or can't remember where they put them after a longer period.
As there's no major direct impact to HN that MFA would mitigate, the other question is, is there a reputational impact to consider?
I'd say the answer to that is no, in that all the users here seem fine with using the site in its current form :)
Other forum sites (e.g. reddit) do offer MFA, but I've never seen someone comment that they use reddit and not HN due to the relative availability of that feature, providing at least some indication that it's not a huge factor in people's decision to use a specific site.
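Two points in the thread above are easier to judge with code in front of you: the claim that TOTP 2FA is not particularly expensive to implement, and the support cost of backup tokens when a user loses their authenticator. The block below is an added example for this discussion, not HN's code or anything from the site: a standard-library-only RFC 4226/6238 verifier with the per-user state a service would persist (secret, last accepted time step to block replay, hashed single-use backup codes). The 30-second step, the one-step drift tolerance, the 8-digit-hex backup codes and the `Enrollment` class are illustrative choices, not a specification.

```python
"""RFC 4226 (HOTP) / RFC 6238 (TOTP) verification plus hashed backup codes,
using only the Python standard library.

Added example for this thread, not HN's code. The verification policy
(30 s step, +/-1 step of clock drift, replay guard, sha256-hashed backup
codes) is an assumption chosen for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class Enrollment:
    """Per-user MFA state a service would store alongside the password hash."""

    def __init__(self, secret=None):
        # 160-bit shared secret, generated at enrollment (assumed length).
        self.secret = secret if secret is not None else secrets.token_bytes(20)
        # Last accepted time-step counter: a code is never accepted twice.
        self.last_counter = -1
        # Only hashes of backup codes are stored; plaintext is shown once.
        self.backup_hashes = set()

    def provisioning_secret(self) -> str:
        """Base32 secret in the form authenticator apps expect (otpauth URI)."""
        return base64.b32encode(self.secret).decode().rstrip("=")

    def verify_totp(self, code: str, unix_time: int,
                    step: int = 30, window: int = 1) -> bool:
        """Accept a code for the current step or `window` steps either side,
        but never a step at or below the last accepted one (replay guard)."""
        current = unix_time // step
        for drift in range(-window, window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue  # already consumed, or older than last accepted step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def new_backup_codes(self, count: int = 8):
        """Issue fresh single-use recovery codes. Returns the plaintext list
        (to display once); only sha256 digests are retained."""
        plain = [secrets.token_hex(4) for _ in range(count)]
        self.backup_hashes = {
            hashlib.sha256(c.encode()).hexdigest() for c in plain
        }
        return plain

    def verify_backup_code(self, code: str) -> bool:
        """Consume a backup code: it works exactly once."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.remove(digest)
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))  # RFC vector: 287082
    enrolled = Enrollment(rfc_secret)
    print(enrolled.verify_totp("287082", 59), enrolled.verify_totp("287082", 59))
```

The replay guard is the part that is easy to forget: without `last_counter`, a code captured by the keylogger scenario above stays valid for the whole drift window, which is the case the first commenter is pointing at. The backup-code path is the support cost the second commenter describes; hashing the codes means a database leak does not hand an attacker a ready-made second factor, but it also means the service cannot re-show lost codes, only reissue them.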