new | ask | show | jobs
perching_aix 4 days ago  [ - ]

Whether they are "serious enough" is a perceived attribute, so it is on them to evaluate, not on any one of us. Depending, it could mean a blank check, or a perpetual zero. The way HN is architected (as described prior), and it being a community space, it makes no sense to me not to do it in general, and even considering costs, I'm not aware of e.g. TOTP 2FA being particularly expensive to implement at all.

Certainly, not doing anything will always be the more frugal option, and people are not trading on here, so financial losses of people are not a concern. The platform isn't monetized either. Considering finances is important, but reversing the arrow and using it as a definitive reason to not do something is not necessarily a good idea.

Regarding the threat scenarios, MFA would indeed help the most against credential reuse based attacks, or in cases of improper credential storage and leakage, but it would also help prevent account takeovers in cases of device compromise. Consider token theft leading to compromised HN user account and email for example - MFA involving an independent other factor would allow for recovery and prevent a complete hijack.

raesene9 4 days ago  [ - ]

yes it would help against some attack scenarios, no argument there. The question is, do HN regard it as sufficiently important. Changing the codebase to implement MFA would at the least require some development effort/additional code, which has a cost. Whilst I'm not privy to HNs development budget, given that it doesn't seem to change much, my guess is they're not spending a lot at the moment...

MFA can also add a support cost, where a user loses their MFA token. If you allow e-mail only reset, you lose some security benefits, if you use backup tokens, you run the risk that people don't store those securely/can't remember where they put them after a longer period.

As there's no major direct impact to HN that MFA would mitigate, the other question is, is there a reputational impact to consider?

I'd say the answer to that is no, in that all the users here seem fine with using the site in its current form :)

Other forum sites (e.g. reddit) do offer MFA, but I've never seen someone comment that they use reddit and not HN due to the relative availability of that feature, providing at least some indication that it's not a huge factor in people's decision to use a specific site.