On Sun, Jan 24, 2016 at 1:04 AM, Greg Stark <stark@mit.edu> wrote:
On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
> No. I meant the idea of having Google Authenticator required (which is open
> source). It works on any Android device as well as others (windows). I
> believe it would help with the autoscripting edits?
Why? It doesn't in any way prevent automated scripted spammers. They can automatically generate TOTP codes from a script just as easily as the app can. An SMS-based 2FA scheme might have an impact but even that can be farmed out easily.
Actually requiring a Google account and OAUTH login would actually have an impact because Google cares about spammers with Google accounts and goes after them and shuts them down. On the one hand Google is going to do a better job of anti-spam, opsec, and DoS mitigation than we ever will. But on the other hand I suspect Google is only concerned by numbers that are significantly larger than our threshold of pain and it would mean giving away a lot of control over the process.
The majority of the spam came from people with freshly signed up @gmail.com or yandex email addresses. So they clearly got through at least one layer of defense there.