I think it would be fine for the library to have/be the 2ND FACTOR and the user would still need their password. Being at a physical location seems like a reasonable 2FA (more reasonable than a phone in these cases).
Could the library buy a few FIDO tokens, hot glue them into the backs of the computers, users add them as 2FA to their accounts and now the computer being wiped between users is no longer an obstacle?
- Users would only be able to use the exact same computer each time. If it’s out of order, too bad
- Users wouldn’t have unique tokens between each other, so there’s a risk of other library patrons shoulder surfing and then logging in with the same token after you
And given that a lot of the staff working those desks aren't librarians + are working part time, it's also great incentive for bad actors to get jobs in libraries specifically to start stealing that data.
That seems like a movie plot threat: who’s going to go to library school, pass a background check (government job, access to children), and actually do a job which isn’t easy and doesn’t pay anywhere near enough just in the hopes that someone will walk in the door with enough money to be worth scamming in a manner which is both obvious and easily traced to them?
I can see some value in it for scammers, hackers, and businesses that prey on the poor. (For example the 'buy now, pay later' Aaron's Rent-A-Center type businesses).
If this were discovered the library as their employer would necessarily have sufficient personal information to prosecute them. That’s a lot more risk than your typical online scammer has.