@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Creating a security feature is 1000x easier than turning on a security feature. Ask me how I know. Optional security nearly always means low volume. Evangelism doesn’t usually escape the tech people “bubble”
@RachelTobac
Rachel Tobac
3 years
In our Infosec circle we hear people talk about multi-factor authentication as if it's obvious but the reality is very different. Twitter released their numbers -- only *2.3%* of Twitter users had any MFA method enabled during this reporting period.

Replies

@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Some security people have this terrible Darwinian attitude towards users’ security: “if they don’t turn on security feature x, that’s on them.” Nonononononononono, we are supposed to make this transparent, at worst easy - for everyone.
@markhachman
Mark Hachman
3 years
@dwizzzleMSFT I wonder how many "real" accounts at Twitter use MFA, and how many are just alts or bots. Otherwise, though, very telling.
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
@markhachman Not sure; even if you took an aggressive view on the bot population, that number is incredibly low for its importance to basic user security.
@vikascb
Vikas Bhatia
3 years
@dwizzzleMSFT Agree. However, sometimes I see that the security feature’s security aspect degrades the experience. I would add a corollary that a security feature must meet the bar to harden invisibly, unless the friction added is by design & would not impact adoption.
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
@vikascb 100%, this is the hard work - getting the "feng shui" right. To paraphrase @dinodaizovi, "security is engineering".
@WSV_GUY
Jeff Woolsey (also on Threads as WSV_GUY) ☮️
3 years
@kevinriggle
Kevin Riggle
3 years
@dwizzzleMSFT You know also, like, if somebody takes over my Twitter account it’s *embarrassing*, but I’m not permanently owned like if they take over my primary email
@circuitloop
circuitloop
3 years
@dwizzzleMSFT I don't care about my Twitter account so much that I want to find my phone to log in to it.
@jonasLyk
Jonas L
3 years
@dwizzzleMSFT "Creating a security feature is 1000x easier than turning on a security feature." I totally believe you... but how about you get started on some project that collects all the enable/disable buttons into one app that can also show the current state of the features? IT SHOULDN'T BE SO HARD
@RealVenky
Venky Venkateswaran
3 years
@dwizzzleMSFT Seen that movie play out before!
@dragondave
Dragon Dave 🐉
3 years
@dwizzzleMSFT I am 1 for 2 for getting locked out of my personal Github account because I turned on 2FA to mollify a company I was working with and lost my phone and backup codes simultaneously. Availability is a significant concern for me turning on 2FA.
@kjentech_
Kasper Jensen 🇩🇰
3 years
@dwizzzleMSFT Yo I respect that. However, some security features have low yield but very high barriers. There are some diminishing returns at play. 2FA will provide much better protection than a default HVCI config. Both demand much of the user, but HVCI provides little value in itself.