You're doing two-factor authentication wrong because you don't allow me to use a single factor only (maybe I do not want to check e-mail and/or carry a smartphone with me, and/or your website is of too miserable value to me to take care about it).
I see you're being downvoted, but I see your point. Twitter has so little value to me, I don't see the point in requiring the extra security (for me).
I guess if you're some sort of public figure it might be, but selling blue badges to anyone kinda destroyed any credibility it had as a platform for those people.
This is the unfortunate truth about 2FA. While it significantly improves security, it is significantly less ergonomic than passwords (which are already sucky). It is also a problem when phones are, for whatever reason, not ideal for the work environment.
But I also hate to add a password for each shitty website. I also don't want to connect an account via e.g. OIDC with any of my important accounts. I think there is a product or at least a new common mechanic somewhere in this mess.
My company enforced 2FA on our GSuite accounts and discouraged using SMS for 2FA.
Well, every year a new iPhone comes out, employees buy the new iPhone and factory reset their old phone. Now their 2FA codes are gone.
Only recently has Google Authenticator supported backing up to the cloud.
Trying to do 2FA correctly is one thing and trying to make your whole company do it correctly is a whole other challenge...
I don't want to authenticate using something I have, because I won't be able to authenticate if I lose that thing. A phone number is something I legally own, and this ownership can be enforced because I can get a new SIM card with the same number using my government ID - something I am rather than something I (temporarily) have.
In Australia, for example, telcos get punished heavily for delaying ports but don’t get punished for unauthorised ports. This disincentivises telcos from performing any due diligence whatsoever. Up until a few years ago, anyone could walk into a telco and port any random number onto a new SIM. These processes are improving, but SIM swapping is still trivial.
Not to mention SMS is also an unencrypted medium.
I avoid using my phone number for MFA unless I’m forced into it (which sadly happens quite often).
You might get pwned by (1) the government, (2) your mobile carrier, or (3) a hacker that can social-engineer your mobile carrier's tech-support (SIM jacking / SIM swap attack).
Just to warn, social engineering attacks can get SIMs transferred without your involvement. There were some stories about it here somewhere a very long time ago.
I’m not doing them wrong. They’re a user hostile design. The point of TOTP was just to say “here is an actually good password and a time element to it”. But expecting every user on the planet to carry their TOTP app around was wrong so immediately everyone put it in their password manager and it stopped being a check of whether I had the device.
Then the most common TOTP app, Google Auth, didn’t backup your codes so that was pointless and user hostile. They fixed it but I mean damage done I guess.
I’m not gonna buy a hardware security key and carry it around for casual usage. I absolutely will never ever do that. For work I will because I need to get paid, but for every login? Give me a break. Once again security cannot destroy the user experience.
Here’s the actual right answer. Switch to passkeys and give up on all this poorly thought out junk.
I mean you still benefit from TOTP if it's in your password manager. That still means that if your password is stolen, they can't get in without you being on an authorized device.
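The thread's point about TOTP is easier to see with the actual RFC 6238 arithmetic in front of you: the code is nothing but HMAC(secret, floor(time / 30)), so whichever store holds the secret bytes (phone app or password manager) produces identical codes, and the "device" is really just "whoever has the secret". Below is an added example, not code from any commenter or from any authenticator app; it implements HOTP/TOTP from the standard library, uses the seed from the RFC 4226/6238 test vectors as a constructed secret, and adds the server-side check a verifier needs (a small clock-drift window, and refusing to accept the same time step twice so a phished code cannot be replayed). `TotpVerifier` and `verify_sequence` are names chosen for this example.

```python
"""Added example: RFC 6238 TOTP computed from the shared secret alone."""
import base64
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Constructed secret: the ASCII seed used by the RFC 4226 / RFC 6238 test
# vectors, base32-encoded the way authenticator apps expect it in otpauth:// URIs.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_base32_secret(b32: str) -> bytes:
    """Decode a base32 secret as apps do: tolerate lowercase, spaces and no padding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current 30 s time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code from a neighbouring step, but never twice.

    RFC 6238 section 5.2 requires that a verifier not accept the second
    attempt of a code; otherwise a code stolen by phishing stays usable
    for the rest of its time step.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window                         # steps of clock drift tolerated
        self.last_accepted_step: Optional[int] = None

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if self.last_accepted_step is not None and candidate <= self.last_accepted_step:
                continue                             # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def verify_sequence(secret: bytes, attempts: List[Tuple[str, int]],
                    step: int = 30, window: int = 1) -> List[bool]:
    """Feed (code, unix_time) attempts through one verifier; return accept/reject per attempt."""
    verifier = TotpVerifier(secret, step, window)
    return [verifier.verify(code, t) for code, t in attempts]


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_TEST_SECRET_B32)
    # A phone app and a password manager holding the same bytes agree exactly.
    print("phone:", totp(secret, 59), "password manager:", totp(secret, 59))
    # First use accepted, replay of the same code rejected, next step accepted.
    print(verify_sequence(secret, [("287082", 59), ("287082", 59), ("359152", 89)]))
```

The window of one step either side is the usual compromise between users whose phone clock drifts and the exposure of a leaked code; widening it buys convenience at the cost of accepting older codes, which is why the replay check is not optional.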
Two-factor authentication is dumb. It invites poor discipline with reusing passwords, and with 500-pound-gorilla corps, losing your second factor is losing your account permanently.
Yup — and the standard phone authenticator app pretty much guarantees you'll lose your second factor one day, unless you always upgrade your phone before it breaks.
- Alice is currently reusing passwords, and does not use 2FA. Alice decides to set up 2FA, but keeps reusing passwords. Not ideal, but net improvement.
- Bob is using a password manager, but does not use 2FA. Bob decides to set up 2FA, and sticks to using the password manager for storing passwords. All good!
- Charlie is using a password manager, but does not use 2FA. Charlie decides to set up 2FA, and afterwards drops the password manager, and starts reusing passwords. Not good.
My guess is the Alice and Bob cases would be the majority. Do you think the Charlie cases would also be common?
None of this is true. It doesn't encourage password reuse but it does protect against it. I've also never found a single site that wouldn't let me reset MFA, even if the support process was painful and slow.
FWIW, password reuse with MFA is not actually that much of a problem any more. Neither is rotation (which was shown to be a net negative). There's a whole set of NIST guidelines on the topic.
Then goes on to explain why it is indeed better. Perhaps meant to write 'worse'?
Pretty sure this was FB training their facial recognition models.