Conversation
@ret2bed @feld @jomo @lorenzofb I'm genuinely curious if there is some standard risk assessment practice to take into account that compromise of n% of users would provide access to data of, say (n^2)% of users (that function obviously doesn't work but you get the idea)?

Same question whether there are best practices for determining a threshold for "enforce MFA" or is it just "if you got breached, you definitely should've enforced it"?
1
0
0
@feld @lorenzofb @ret2bed @jomo Sure, regulatory compliance most probably won't go into this detail, but if we expect companies to make the right calls it seems fair to have some pointers for them about what "right" actually means.

Maybe requiring an extra special character in all passwords would've also mitigated all this, but I don't think that would've been the right way to go.
0
0
0
Edited 10 months ago
@feld @lorenzofb @ret2bed @jomo Ahh of course, AAL's! The fact that they didn't come to my mind is a proof that I'm doing this holiday thing right...

Thanks, this mostly settles the question, although I still find the question of "cascading impact" interesting - I'll probably read up on 800-63 again about this!
0
0
1