Lessons Learned from enforcing 2FA


In March 2019, I enforced 2FA (two-factor authentication) for anyone using or registering on ORNG central. I took this step in light of the constant stream of spam accounts being created on the forum; the situation was getting out of control and I always had a queue of spam posts awaiting review.

I had to bite the bullet and take the nuclear step of enforcing 2FA, or risk the forum being bloated with unwanted spam. I took the step, and here are my observations from it.

  1. My step was rushed. Yes, I took it in an unnecessary hurry, and that caused some people to lose access to their accounts without any prior notice or warning. I should have spent more time educating users before enforcing such a process.

  2. Spam is under control. These spammers still try to register, but setting up 2FA is just too much work for them: a username/password alone won't be enough for their attack without someone manually entering an OTP, so it effectively defeats their purpose.

  3. Steep decline in active users. Before 2FA there was a sizable number of active users, which has dropped by over 70% since enforcing 2FA. I suspect there are many reasons for this, so I'm not really sure, but this could be the definitive cause of the fall.

I’ll add more findings here as and when they’re measurable.