Objectively a downgrade in every way

Automated_Footprint , 9 months ago

• fucking annoying

Maybe it is but this way you can’t log in to my account even if you have the password. You need to have my phone too.

akariii , 9 months ago

yes, that’s the most annoying part

\j

iwasgodonce , 9 months ago

I like yubikeys since it means I don’t have to pull out my phone. totp on the laptop also works well enough.

sms based 2fa is the worst. it seems like to me every ceo and other non-technical c-level person I’ve known personally loves sms based 2fa though because they can’t figure anything else out.

Uprise42 , 9 months ago

They like it because it’s cheap and easy. They pay a phone provider for the 4 digit phone number and type in a script to generate a random code and text it. There is no oversight or maintenance.

Pairing with an Authenticator app is easy, but a little more work. Pairing with a mobile app can get a little tougher and require development plus maintenance in making sure the app cannot be spoofed and works with updates. Using a physical drive for 2FA is a pain in the ass to set up. From a business standpoint, 2FA only needs to work enough to remove liability from your business. If someone spoofs your cellphone number that’s on the phone provider not them so that’s enough to remove liability

HubertManne , 9 months ago

Microsoft gave the option to call and you hit pound. I prefered that overall. works with any kind of phone.

Uprise42 , 9 months ago

Phone numbers can be spoofed and calls can be redirected. Or, even better, conditional call forwarding is supported by most carriers. It can be set up and you’ll never know. Then they get the phone call and not you

HubertManne , 9 months ago

and smart phones can be hacked. the point of two factor is they have to control both parts.

atocci , 9 months ago

Right but the point they're making is it's a lot easier for a third party to intercept a code that has to be sent to you than it is for them to get the code from an authenticator app since they're generated on your device. At that point you pretty much need physical access to the phone.

HubertManne , 9 months ago

im osrry so a hacked device would not show the authenticator code? I really don't see the difference here. Again its not each bit being so un breachable as much as they would have to have to breach both parts. I really don't think its taht easy to redirect all the calls that are supposed to go to my phone.

atocci , 9 months ago

One is much easier to accomplish than the other and doesn't give the target the same chance to realize something is going on.

HubertManne , 9 months ago

I don't think thats necessarily true. If diverting phonecalls were so easy there are a bunch of reasons outside of two factor attacks that it would be used for.

atocci , 9 months ago

There actually are lots of things it's been used for in addition to stealing 2FA codes. SMS based 2FA is better than no 2FA at all, but it's insecure and not recommended to be used when dedicated authenticators are available instead. The NIST has warned against their use since 2016.

HubertManne , 9 months ago

you seem to be limiting it to sms. you do realize your talking to a person who mentioned microsofts option to call you and you hit pound. They actually have an app where you input a two digit number and if anything I would have liked them to expand the phone call function with that. Anyway I was not speaking about sms but I still feel the vulnerabilities are overblown when used with a good password.

atocci , 9 months ago

That's semantics, the same insecurities apply to all telephone based methods. I personally wouldn't want my phone company's customer service to play any role in my online security. Even Microsoft wants people to stop using them.

HubertManne , 9 months ago

yes microsoft was the one I was complaining about but you can't redirect phone calls in the same way as sms and sms itself is mostly vulnerable due to legacy things that they could stop using and finally that article was not just 2 factor but bringing in using sms for a password reset which is really insecure but unrelated to 2factor. 2factor will always be safer than non 2 factor because more has to be done than just the one side.

atocci , 9 months ago (edited 9 months ago)

You can, the concern here is with people, not the specifications of SMS. People can be social engineered to give control of your phone number to someone else. It's happened before, it's not a hypothetical, and it's why security experts advise against using phone based methods.

HubertManne , 9 months ago

Im pretty sure that you would realize something was wrong with your phone then and its useless to them 2factor wise unless they have your password.

majestictechie , 9 months ago

Yeah who needs security anyway. Let’s all use the same password, or variation of the same one for everything while we’re at it.

strawberry , 9 months ago

that way, none of us ever forget!

GeneralVincent , 9 months ago

Let’s get rid of passwords entirely

• fucking annoying
• can’t believe they sold people that it’s BETTER to have to type a whole password to login
• incredibly annoying
• if you’re using this willfully you’re clearly just as worried about security as before anyway
• companies love having real passwords to pair with ‘their’ data

cooopsspace , 9 months ago

I love it when people are as confident as you, whilst simultaneously being wrong.

tuxrandom , 9 months ago

If you use a good 2FA app instead of Google Authenticator (yes, they can be used interchangably) you can use it on desktop and copy the OTPs to your clipboard. I personally use Authy, but others compatible with GA exist as well.

Also, 2FA is optional almost everywhere, but if you decide to not enable it, don't act surprised if your accounts get taken over. These days a password just isn't enough.

Security and convenience are just mutually exclusive and I don't expect mankind to ever find a way around that fact.

InfiniWheel , 9 months ago

Man, passwords are indeed so fucking annoying, imagine having to memorize an intricate all separate string of text other than your username. And having to create a completely new one for every site? This sucks. I should be able to login just by typing my username

atocci , 9 months ago

Sorry, this is a bad take. It might be annoying but the security 2FA offers is better in every way.

Catsrules , 9 months ago

fucking annoying

security is annoying. You also have to carry around keys for your home, work, car, locker etc… Personally I think that is much more annoying.

can’t believe they sold people that it’s BETTER to have to get your phone out to login

Security wise it is better. Have you not seen a heist movie? There is always multiple layers of security. Two factor is another layer of your security.

incredibly annoying

Some passwords managers have 2FA built in. Just use that if your so annoyed. Less secure but still better than having no 2FA.

If you’re using this willfully you’re clearly just as worried about security as before anyway

I would be way more worried about an account without 2FA. Done right it is a huge security improvement.

Companies love having real phone numbers to pair with ‘their’ data

Good thing a proper 2FA system doesn’t require a phone number. In fact using a phone number is less secure. So avoid giving out your number and use another option if possible.

HenriVolney , 9 months ago

Fuck the phone number harvesting. However, double verification is the same as the driving belt and the condom: it’s annoying and spoils the experience but it protects you.

Rhaedas , 9 months ago

I just got a replacement router (bad lightning storm) and to set up the wifi information or anything else I had to download an app on a phone to access it. 192.168.1.1 shows the QR code to install. And what I can change on this new one is even less than the limited version I had before. Total overkill.