After weathering two waves of credential stuffing attacks thus far in 2024, the second of which involved over half a million compromised accounts, Roku is now requiring that customers set up a 2FA method.
Twitter cites abuse of the text messaging 2FA option by bad actors as the reason for the change in policy. The service will still allow free use of authentication apps or hardware security keys as an additional account security layer.
Apple, Google and Microsoft have been working closely with the FIDO Alliance to introduce passkeys, which are a much more secure and effective successor to password-based security. This commitment is likely to drive a rapid change in consumer behavior and expectations. But will other enterprises be ready to respond?