> Another option is a service that libraries could provide (at possibly great expense to themselves, but it's an option on the table): serve as a credentials broker for their users. Have the library keep track of the 2FA side of things. Risky and adds expense to the library, but for this userbase that local service is the missing piece of the puzzle. Unfortunately, this isn't something Google is set up to provide; they're too centralized, they aren't actually in the communities where the need lies.
This. I wrote as much in an earlier comment. Why not allow the option to delegate a trusted third party to manage the $ACCOUNT MFA flow? I'd use it (and kind of already do, via the recovery email addresses) for managing my aged parents' accounts.
This seems like not that hard in terms of implementation and UX. What is the risk/expense from the libraries' PoV you are alluding to?
If the library is holding even a piece of users' credentials, they become liable for either intentional or unintentional harm. On the unintentional side: their 2FA back-stop solution could be compromised or stolen by a third-party because they failed to secure it (they'll be a smaller target... Crooks will get very little from stealing access to a small population of older folks over what they'd get for, say, finding a reliable way to compromise any Gmail user's access... But they'll be a target). On the intentional side: they now have to move the bar on vetting whoever staffs the project from "trusted enough to be a librarian" to "trusted enough to be a keeper of passwords or reset emails..." Which, TBH, may be a lateral move, since librarians know what books we read. ;)
But the insider attack situation here is nasty... A corrupt individual in the loop could trivially trigger a password-reset attempt, use the fact they have control over the user's 2FA (or recovery email) to steal the user's credentials, act on behalf of the user for a bit (reroute benefits to some other address?), and then just wait for the user to discover their password is locked out and kindly help them correct it.