tgv 5 days ago

> 1. I genuinely don't understand why. You never make a mistake? Never ever? It's a question of numbers. If the likelihood of making a mistake is 1 in 10000 emails, send out links to 10.000 package maintainers, and you've got a 63% chance of someone making that mistake.
chrisweekly 5 days ago

Your point is completely valid.

Tangent: in your example, what calculation led to "63%"?

theanonymousone 5 days ago

1-(.9999)^10000

I trust the user did this calculation. I didn't.

tgv 5 days ago

That's indeed the formula. The .9999 is (1 - 1/10000), 1/10000 being the likelihood. It would perhaps have been clearer if I had chosen two different numbers...
egorfine 5 days ago

Then hardware 2FA won't help.

smw 5 days ago

This seems to be a common misunderstanding. The major difference between passkeys and hardware 2fa (FIDO2/yubikeys) and TOTP/SMS/Email solutions is that the passkey/yubikey _also_ securely validates the site it's communicating with before sending validation, making traditional phishing attacks all but impossible.

tuckerman 5 days ago

Hardware 2FA, with something like passkeys (or even passkeys with software tokens), _would_ prevent this as they are unique to the domain by construction so cannot be accidentally phished (unlike TOTP 2FA).
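As an added illustration of the origin-binding point smw and tuckerman make above (example code, not from either commenter or from any WebAuthn library), here is a toy Python model of how a passkey assertion is scoped to the relying-party ID and to the origin the browser itself records. The host names (registry.example and the lookalike) are constructed, and an HMAC stands in for the authenticator's real public-key signature.

```python
"""Toy model of passkey origin binding (constructed; HMAC stands in for the public-key signature)."""
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

def rp_id_valid_for_origin(rp_id, origin):
    """Browser-enforced WebAuthn rule: rpId must be the origin's host or a registrable
    suffix of it, so a lookalike host can never match the real site's rpId."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def _sign(key, client_data):
    return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

class Authenticator:
    def __init__(self):
        self._creds = {}  # one credential per rpId, created at registration

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stand-in for the public key handed to the RP

    def get_assertion(self, origin, rp_id, challenge):
        if not rp_id_valid_for_origin(rp_id, origin):
            raise PermissionError(f"rpId {rp_id!r} not allowed for origin {origin!r}")
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id!r}")
        # The browser, not the page, records the origin in clientDataJSON.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        return client_data, _sign(self._creds[rp_id], client_data)

class RelyingParty:
    def __init__(self, rp_id, origin, key):
        self.rp_id, self.origin, self.key = rp_id, origin, key

    def verify(self, challenge, client_data, sig):
        cd = json.loads(client_data)
        # Fresh challenge ties the assertion to this login; the origin check rejects
        # anything the browser produced while showing a page that was not ours.
        return (cd.get("type") == "webauthn.get" and cd.get("challenge") == challenge
                and cd.get("origin") == self.origin
                and hmac.compare_digest(_sign(self.key, client_data), sig))

def login_from(authn, rp, page_origin, challenge):
    """Outcome when a page at page_origin relays the RP's real challenge (a TOTP code,
    carrying no origin, would survive the same relay)."""
    try:
        client_data, sig = authn.get_assertion(page_origin, rp.rp_id, challenge)
    except (PermissionError, LookupError) as exc:
        return f"blocked: {exc}"
    return "accepted" if rp.verify(challenge, client_data, sig) else "rejected by RP"
```

The two checks are independent: the browser refuses to produce an assertion for an rpId the page's origin is not allowed to claim, and the relying party refuses any assertion whose recorded origin is not its own.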