@buherator @lorenzofb @ret2bed @jomo I'm not sure what would have been the best way to see this enforced. Obviously if you think your user data is in any way valuable and private you should be enforcing MFA. But due to the business of 23&Me I'm not certain what is really applicable to them?
If they were processing payments themselves there's PCI DSS but I don't think that's going to be enforcing MFA; they won't even care about user accounts themselves, just how payment information is stored.
SOX2 is basically "you documented what you do and you demonstrated to our auditor that what you wrote down is true"
There may be something else but I haven't been involved in any tech audits in a long time 🤨
@buherator @lorenzofb @ret2bed @jomo oh, well in that case we really do have pointers about what the "right" thing to do is: the NIST guidelines like 800-63B and their presentations on MFA, etc. These are basically "Public Service Announcements" about cybersecurity straight from the gov
@feld @lorenzofb @ret2bed @jomo Sure, regulatory compliance most probably won't go into this detail, but if we expect companies to make the right calls it seems fair to have some pointers for them about what "right" actually means.
Maybe requiring an extra special character in all passwords would've also mitigated all this, but I don't think that would've been the right way to go.
@feld @lorenzofb @ret2bed @jomo Ahh of course, AALs! The fact that they didn't come to my mind is proof that I'm doing this holiday thing right...
Thanks, this mostly settles the question, although I still find the question of "cascading impact" interesting - I'll probably read up on 800-63 again about this!