I do agree that 2FA needs to be a bigger priority for us, in order to ensure your account here is not hijacked once they have your password. Understand that accounts are being compromised on other forum sites as well as through keyloggers living on folks hacked devices. It wont prevent your other accounts from being compromised, but they wont be able to abuse your arfcom account for nefarious actions.

I would recommend people have security on their devices and scan them regularly. Your account here is less of a risk than folks getting into your bank accounts or more sensitive data!

I'd be good with a two factor login

I mean we only share phone numbers and home addresses in the EE?

just what we need to a breach and everyone who has sold something address is public to a bunch of thieves

Yubikeys are great

Asking for the ability isn’t mandating its use.  Most all places that have it, it’s an option.

A site CAN do very "2FA-like" even "3FA-like" security, without third party apps or extra devices.

And sorry, but the stand-alone physical RSA token fob, or anything like that is dead... dead... dead... don't bother.

It's like your gunsafe, you're generally not trying for "impenetrable" simply "not worth the trouble" to a putative thief.

So, consider how the "You have ONE free article left..." paywalls at sites like the NYT & WSJ work. And furthermore, if you've ever mucked about to see what it takes to actually appear as a "new" unique visitor to such a site, from the same PC or device, and physical access point to the Internet...

Private/incognito tab in the same browser? Doesn't work.

Different browsers, even security/privacy focused ones? Don't work.

Visit the site with TOR or something? They won't even load. Or, you get a redirect to their TOR service page, with uncensored news articles the third-world despotic government doesn't want people in their nation to see.

A VM? Doesn't work.

A VPN? Doesn't work...

A few, or all of them in combination? Maybe that works, and that combination now has "Three free articles remain..." again.

If a dying newspaper can have you nearly dead-nutz to rights ID'd just to try and funnel the 1% of potential clickers that'll subscribe with a credit card # and are either too wealthy to care, or just too disorganized & lazy to ever cancel... some site like Arfcom can too.

People, even moderately tech-savvy ones, have no clue just how fingerprinted they are on their PC's and other devices, by CPU S/N's from when the movie industry was all pissed about DRM, before streaming made a bunch of it irrelevant, chipset ID'S, Windows, iOS, & Android unique ID strings, IMEI, wifi SSID (and old, previous, inactive SSID's), and just last known & identified stop in a tracetoute through an ISP.

You'd THINK this rises to the level of your PC, desktop OS, Browser, or iOS & Android having to give a permission request warning saying: "Arfcom wants to know your location data & wifi info. Yes/No..." But it does not.

Because anybody you have given those permissions to previously, if you really dig into the fine print, there's usually something like: "...and our partners..." in the EULA wall-o-text.

That means if you don't click "Yes" Arfcom or whoever can possibly just get the data through a paid API hook from Google, Apple, Meta, Amazon, or wherever else instead.

Evading ALL or enough of it is possible, but it leans a LOT more "Edward Snowden" than "Joe Sixpack" to do it. And it leans heavily away from some "Please do the needful" scammer in India or E. Europe, that's hoping to spam, collect whatever points or useful stuff to scrape, as automated and scripted as possible. They'll just look elsewhere.

And if Joe Sixpack actual Arfcom user's "fingerprint" changes, say they got a new smartphone, it's their very first time trying Apple or Android, after years on the other, they've got a new carrier, aren't on their home wifi SSID, and haven't migrated any browser data or accounts in yet... and looks like a completely new "fingerprint" Arfcom can then do the "Is this really you?" code authentication with SMS to a phone number, or an email.

Combined with "weak" 2FA like that, and only used occasionally as-needed, it would cover 99.999% of Arfcom's user security needs.

The surface area of back-end attacks, like SQL injection, site staff getting phished or social-engineered, or some new day-zero vulnerability in a low level chipset management or maintenance protocol that the rackspace Arfcom runs on appears, that's a different animal altogether than user account security.

didn't say it was required

see my post above.  For those with 200k +collections who post or sell in the ee that want additional security on their account would be nice

Even if it's made optional (and it should be - we're an internet forum, not a bank), I'm still hesitant to throw my own support behind it, unless there's a solid support plan in place.

Every place I've ever implemented it professionally, was backed up by paid employees who's job it was to answer the phone, work helpdesk tickets, etc, etc - and had the authority (and security permissions) to actually resolve the problem. We...really don't have that right now.

A lot of guys don't really appreciate how absolutely non-tech savvy many of our users are (if you could read the emails sent to accounts@, you'd be nodding your heads in aggressive agreement ). And that's fine (we're a big tent), but they're really hard to support when your start throwing things like MFA at them, and it goes wrong. Even if it's optional, a non-trivial number of users are GOING to turn it on (because moar securitah!!!) and...fuck something up. They'll switch phones, with no OTP backups. They won't safely store recovery keys. They'll goof up in ways I can't even think of right now, but will still need help signing back in just the same, and will need support. And we need to be able to reliably give it to them.

We're just not staffed for that, IMHO. And asking volunteer staff members to do it (they'd need to be trained up on it), feels like it'd be a bit much.

IMHO, anyway.