When you have to have your phone number or your fingerprint or your bank card or something similar to log in. Basically, encouraging people to also steal your phone number/card/finger(
) if they want access ....<snip>
I can see why companies love it but it's not as completely helpful as they try to suggest. It's probably worth it for important logins, but I'd be slightly cautious about what you use them for.
As I suspect you know, it does matter.<snip>
Yes, I do know, but, as I'm sure you know too, this is a complicated area and going into the detail of what does and doesn't matter is instance-specifc and requires understanding threat models peculiar to the situation of the person in question, including the risk of loss involved. (A better phraseology might have been '
It doesn't matter, comparatively, since it's a minor detail compared to the bigger picture of pseudo-randomising.')
For example, if a specific attacker wants a specific target's credentials then everything is very different from broad-brush attacks where all of Company X's client's credentials are stolen. In the former case, you may get the theft of 'phone, fingers, keys, etc., but that scenario is very much in the minority of threats. Most threats are of the more general type, originating on-line and in that instance a basic starting point is pseudo-randomised passwords using the widest potential character set possible.
On two factor authentication, I agree that it's not perfect and introduces additional problems (most particularly so once widely adopted), but it is a big improvement on simply using a password. The precise nature of what the second factor is makes a considerable difference to the type of threat it protects against and the type that it introduces (I'm thinking biometrics based on body parts which can be removed here!). It
is fair to say, though, that
for the most numerically common threats, two factor is a very effective defence.
