
I think that as a regular consumer there is not enough training on how to manage secrets. There is a lack of transparency about the implications of enabling/ignoring security settings. I should not have to be a certified security expert to manage my account properly.

The deeper issue is the situation is Kafkaesque. Imagine explaining to a stereotypical elderly grandparent (with minimal computer experience) that you need to configure a 2FA TOTP on your mobile phone and save backup codes in a secure location. BTW, don’t lose your phone or you will need to initiate a complex recovery procedure. Oh, BTW, you need to memorize a 20-character-length passphrase along with the 30 other websites you use. Perhaps you could use a password manager, but it will need a 20-character-length password and 2FA TOTP as well. Oh, make sure you certify the password hashing function and iteration count follow current NIST-800 guidelines. It will need to reauthenticate periodically so don’t forget your password manager’s passphrase. Be sure to make it a sentence and sprinkle in a number and punctuation mark or two.

Oh, back to your original account: It might prompt you to log in with a previously known authenticated mobile app at random. There is also a random AI agent scoring how secure your device is and can cancel you at any time. Oh, BTW, if you want to have extra protection, buy this $30 hardware key we don’t advertise. Actually, buy two hardware keys and keep one offsite just in case. Don’t use that key, use this one. We might drop the other key for unknown reasons. The key might be exploitable since it has Bluetooth, so keep it shielded in a Faraday cage at all times.

The security policy can change at any time with no warning or requirements notification update. Do not contact customer service, because you are not a customer but a product being sold at a data mining auction. Instead you will need to plead your case on Twitter, Reddit, or Hacker News and pray someone working at the company sees it and is willing to help.


