User Profile
Polymathic
Copper Contributor
Joined Nov 20, 2019
User Widgets
Recent Discussions
Re: Self-service MFA changes not possible for users
I sympathize, but I think you've framed this in a way that might not be the best comparison. Changing an MFA credential/token is arguably an administrative act, even if the user is doing it. My experience with Google has been very similar in circumstances like the one you're describing. I don't think you can compare this with a circumstance where "MFA was entirely disabled" because even your own situation doesn't sound like that. That's before we even get to questions of whether it's advisable to run with no MFA at all. Architecture is best derived from your own threat model, but these days, it's difficult to make the case that a username/password tuple is a robust credential for anything important. Part of why you'll find pretty much any competent cloud service provider requiring a little additional assurance for credential administration is that credential theft is by far the primary risk to cloud service users (and operators). MS has written volumes about that, but they're not unique.1KViews0likes0Comments
Recent Blog Articles
No content to show