TOTP or stronger, please.
TOTP just "feels" more secure.
Revenue is easy: how much did you take in for video? phone? Internet access?
Costs are harder because you can only include business line direct costs. Since the cable plant is used by voice, video and data services it's not a direct cost of any of them. Same thing with the service vehicle fleet, call centers, etc. Most things get saddled in "administration" categories and obscure the true cost of providing the service. As a company overall, their margins have been hovering around 8-12%.
Integrating a password manager with a browser is too fragile and risky a way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user.
The login process should have some friction and should not be fully automated. Adding a secret domain-specific suffix to the password is very little friction for the user and gives obvious benefits: the password manager does not know the password, it can't send it to other applications (intentionally or by chance), and it won't log the user in by accident.
Passwords are about proving identity. Using high entropy passwords for greater confidence of user identity is only part of the equation, the user needs to be able to identify the validity of the service as well.
The greatest benefit of an autofill enabled password manager is it handles the task of URL validation before offering up credentials. When you split up that function, now it's back to relying on humans to get everything right on verifying credentials get submitted only to the intended service.
I wish the idea of generating passwords when needed rather than storing and retrieving them was more popular. Traditional password managers are just flawed.
I expect they probably pay more attention to abnormal access than most self-hosted users would as well, so you'd actually know about a data leak faster so you could rotate your passwords.
The biggest thing 2FA protects against is credential stuffing. If you’re using a password manager and have high entropy site-unique passwords, the additional entropy by TOTP is mostly moot anyway.
Not at all. TCP already does its own rate limiting without external throttling.
Individually, cars brake on the freeway to avoid hitting the car in front of them.
Collectively on a busy freeway, that sets off a chain reaction that results in the familiar rush hour crawl.
Minnesota did a study in 2001 on the effect of ramp meters, and disabling the meters (i.e., removing throttling) resulted in a statistically significant increase in overall freeway travel times.[0]
Statistically multiplexed shared networks like mobile wireless face similar issues. For a single TCP session the only metrics that can be divined by the endpoints are round-trip time and loss. As the shared network reaches capacity, large numbers of TCP connections all back off around the same time, but large flows are more aggressive at ramping up than smaller flows (email/instant messaging, etc.) and can result in an effective breakdown of network usability. A network control that has visibility into multiple flows and awareness of the capacity of the system can influence overall performance much more effectively.
Ideally mobile providers would be trying to shoot for maintaining uniform latency per flow, similar to what queuing strategies like CoDel[1] achieve, but that's likely beyond the CPU and buffering capabilities of their existing hardware. Lacking the perfect solution, it's human nature to move on to the next approach: managing the biggest problem. Video is usually easy to identify, and so it wins the "able to be managed" prize.
[0] http://www.dot.state.mn.us/rampmeter/study.html
[1] https://en.wikipedia.org/wiki/CoDel
You fully control how to store the TOTP seed and how you compute the value, so it is far more secure.
Yes, it can be phished if you fall for that, but it removes several attack vectors.
How was the first factor (the password) compromised?
Assuming the user is using site-unique passwords, in 99% of cases where an attacker obtains a functional password they can get at least one TOTP code or the seed in the same manner. (i.e., if I can steal your password DB, odds are pretty good for me stealing your TOTP seed DB as well.)
The outcome of a single successful authentication is a longer-lived session cookie. Once an attacker has that they can reset your creds (usually just requiring re-entering the password) and the account is theirs.
IMO, the only 2nd factors that matter are those that mutually authenticate like PassKeys / FIDO keys.