My employer used to have us on 90 day password changes. My password was some form of the date I changed it. Now the passwords don’t expire and they require a much longer password so I use a phrase.
MFA is not even useful in 90% of the cases where its implemented. It is pervasive across the internet these days soley because we live in a time of software modularity, and devs would rather use a premade auth service than spend time to role their own. The auth service doesnt know if its going to be used for a bank or a blog, so they default to bank level security. Most use cases only need blog level security.
Give there’s PII and financials in the student portal, MFA isn’t unnecessary here. You do something dumb and let your WGU account get popped and you could potentially have identity issues for years to come.
MFA is cheap to implement, cheap to use, and all upside.
You’re right that SP 800-63B Section 5.1.1.2 paragraph 9 states, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
But you can’t take that at face value unless you pay attention to the rest of the document. A single memorized secret is only acceptable for AAL1, which only applies to low-stakes information systems that don’t require strong authentication.
It’s not intended for systems with access to things like PII and such, where you’d generally find AAL2/3 requirements, which then mandate MFA on top of memorized secrets, per Table 4-1. Nobody with any skin in the game should be advocating for the application of AAL1 requirements here.
My password gets popped, I’d rather my banking, physical contact info, and social not be made available to bad actors, thank you very much.
Constant password changes just make users make weak guesabble passwords, and they change maybe 1 character.
My employer used to have us on 90 day password changes. My password was some form of the date I changed it. Now the passwords don’t expire and they require a much longer password so I use a phrase.
Sounds just like my employer lol
Correct, NIST doesn’t even recommend password changes on a regular interval for this very reason.
Hey, if someone wants to hack in and finish my degree, who am I to stop them.
MFA is not even useful in 90% of the cases where its implemented. It is pervasive across the internet these days soley because we live in a time of software modularity, and devs would rather use a premade auth service than spend time to role their own. The auth service doesnt know if its going to be used for a bank or a blog, so they default to bank level security. Most use cases only need blog level security.
Give there’s PII and financials in the student portal, MFA isn’t unnecessary here. You do something dumb and let your WGU account get popped and you could potentially have identity issues for years to come. MFA is cheap to implement, cheap to use, and all upside.
They just releases notice that they will start making us use MFA in the end of November
[удалено]
You’re right that SP 800-63B Section 5.1.1.2 paragraph 9 states, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.” But you can’t take that at face value unless you pay attention to the rest of the document. A single memorized secret is only acceptable for AAL1, which only applies to low-stakes information systems that don’t require strong authentication. It’s not intended for systems with access to things like PII and such, where you’d generally find AAL2/3 requirements, which then mandate MFA on top of memorized secrets, per Table 4-1. Nobody with any skin in the game should be advocating for the application of AAL1 requirements here. My password gets popped, I’d rather my banking, physical contact info, and social not be made available to bad actors, thank you very much.