• 0 Posts
  • 4 Comments
Joined 2 years ago
Cake day: June 25th, 2023

  • hot take: end users will be more likely to adopt security keys (or device-attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six-digit codes are stolen and silently used in perpetuity by the bad actor).

    source: my job is to try to get end users to put strong MFA on all the things.


  • As someone who consults in the IT Security space, it’s bad out there. Contractors and BYOD companies are downright sheepish in asking their outsourced employees to do anything security-related to their devices. The biggest attack vector is allowed unfettered remote access (and therefore the whole company and any bad actors are also granted unfettered remote access).

    I still can’t get over how quickly companies-at-large have abandoned VPN Servers (removing network trust from the list of options as well).

    I’m down to managed browsers via IdP, and I just can’t wait for the objections to that as well. People out here offering their faces to leopards. Certificate-based MFA on all the things IMO - passwords shouldn’t matter (but six-digit MFA codes aren’t immune to fake landing pages and siphoned MFA tokens that don’t expire).