On 7/2/22 10:15, Marc wrote:
> Two-factor became necessary for the big 'moron' companies who decided to start using email addresses as logins so it was easier to track people, because in that situation you only have to try commonly used passwords or passwords used at a different application.

Maybe some companies are using e-mail addresses for tracking. But I can tell you that most of the time users want to use their e-mail address for login because that's what they easily memorize.

> If you stay with a username that is not published publicly, the commonly known password is still useless, since you do not have the username.

Whether that protects you depends on your threat model.

In my world I regard the confidentiality of usernames as near zero. And I'm in the camp that recommends not using usernames based on person names (unguessable or even completely random).

> Unless of course they do not think iOS and Windows are secure enough to store your username ;)

Indeed, my threat model includes breaches concerning the local storage of all sorts of MUAs. Unfortunately there's currently no real solution for this.
Ciao, Michael.