SMS: Here is your 30s "MFA" code, I'll send it to you 40 minutes after you need it.
SMS isn't 2FA. Its 1.5FA.
this post was submitted on 03 Apr 2024
950 points (100.0% liked)
Mildly Infuriating
38779 readers
125 users here now
Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.
I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!
It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.
Rules:
1. Be Respectful
Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.
Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.
...
2. No Illegal Content
Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.
That means: -No promoting violence/threats against any individuals
-No CSA content or Revenge Porn
-No sharing private/personal information (Doxxing)
...
3. No Spam
Posting the same post, no matter the intent is against the rules.
-If you have posted content, please refrain from re-posting said content within this community.
-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.
-No posting Scams/Advertisements/Phishing Links/IP Grabbers
-No Bots, Bots will be banned from the community.
...
4. No Porn/Explicit
Content
-Do not post explicit content. Lemmy.World is not the instance for NSFW content.
-Do not post Gore or Shock Content.
...
5. No Enciting Harassment,
Brigading, Doxxing or Witch Hunts
-Do not Brigade other Communities
-No calls to action against other communities/users within Lemmy or outside of Lemmy.
-No Witch Hunts against users/communities.
-No content that harasses members within or outside of the community.
...
6. NSFW should be behind NSFW tags.
-Content that is NSFW should be behind NSFW tags.
-Content that might be distressing should be kept behind NSFW tags.
...
7. Content should match the theme of this community.
-Content should be Mildly infuriating.
-The Community !actuallyinfuriating has been born so that's where you should post the big stuff.
...
8. Reposting of Reddit content is permitted, try to credit the OC.
-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.
...
...
Also check out:
Partnered Communities:
Reach out to LillianVS for inclusion on the sidebar.
All communities included on the sidebar are to be made in compliance with the instance rules.
founded 2 years ago
MODERATORS
SMS isn’t even secure. Mitm, social engineering, straight up theft, and more are all ways around it. It should never have been implemented, but especially not when totp exists.
What I despise most in when SMS is not just optional but forced upon me as "backup" to TOTP. "Lost your authenticator app? Send an SMS instead." How about no?
I don’t believe I’ve run into that, but yeah it completely misses the point of totp. Hell, I’d prefer a lockout over SMS backup in most cases, my totp authentication has multiple encrypted backups.
Especially because you can just backup authenticator to the pendrive in encrypted form. I don't care I loose my phone, that's exactly the reason authenticator is better.
Dude.
My wife's phone started acting up the other day. It would keep losing cell service and even when it showed a signal, it still would only work on wifi.
That happened a few hours after I ported my phone number (on the same family plan) to another carrier. So naturally, I thought the issue was with the carrier.
Since I planned on porting her number out to my new carrier anyway, I didn't want to troubleshoot.
Well, get to the new carrier and it's still not working. Go through the whole process of resetting network settings, and then eventually deleting the esim.
New carrier, though, needs you to receive a text message before they send the esim.
Naturally, with the esim deleted, it couldn't receive text messages.
Her issue did end up being her phone. Even after the port went through in full, it was still hit-or-miss with cell service. Worked on wifi though.
I've heard people in the US still use SMS to communicate with eachother. Fucking crazy.
Inertia and ease of use are powerful.
SMS "just works" and works for everyone here.
While I would like the new fancy features. At least RCS is bringing some and is seamlessly integrated.
Bonus I have 10+ years of txt history and can scroll/search to find something. And since my phone is Google (I know evil) I can access it all from the desktop seamlessly in one window.
load more comments
(1 replies)
Only when iPhone users need to send a message to literally anyone else.
uhhh that's not some unique american thing lol, that's how people here in sweden communicate too
Barely anyone cares what specific protocol is being used, they just care about what app they have to use and who they can reach, and if anyone isn't using a normal sms app they're generally using facebook messenger or imessages both of which support sms fallback and thus their users don't even know there's a difference half the time.
load more comments
(6 replies)
load more comments
(3 replies)
At least it isn't email or SMS MFA.
Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let's try 2FA. Get seed, generate code, go to setup verification page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS
(only factor authentication)
Nothing compared to BOFA, which is arguably even worse and a lot more stupid
For those who don't know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.
Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself
I use Keepass2Android and it's own keyboard app for this. I switch active keyboard app when the login field shows up to paste and then switch back to my normal keyboard after
load more comments
(4 replies)
I agree with this sentiment. Steam notably falls into the third category, while otherwise being pretty good.
But I'm quite disgusted now seeing an image of a Yubikey for the first time. I've heard so many good things about them that it's a major disappointment to see now that they use that awful noncomplaint shape of USB plug.
There are two very important reasons for the metal shield around USB plugs: 1. For ESD protection, and 2. to hold the receptacle's tongue in place and prevent it from bending away and losing contact. Every USB device I've owned that was a flat plug (like this Yubikey image in this post) has within a month deformed the USB receptacle it's plugged into to the point that the device no longer works in that port. Compliant USB devices still work in that port's deformed receptacle, because they have a correct metal shield that bends the tongue back into the correct position.
Yubikey also has usb-c versions with compliant plugs.
YubiKeys have almost every imaginable form factor these days. Here's the USB-C version without NFC:
Yeah I have an even smaller USB-C one. It sticks out less than 0.5cm from the port.
No problems with yubikeys or the receptacle they are plugged into yet.. no idea what you do while these sticks are plugged in.. doesnt seem like a major concern per the reviews
I've had my ubikey fido2 token knocking around on my keychain for about 7 years now. Scratched and beaten, works perfectly and never had a port damaged, it doesn't put enough pressure on it.
It is kind of annoying that Steam doesn't enable the usage of third-party OTP apps. To be fair, when they first implemented the feature, that wasn't widely used and plenty of websites only enabled the use of one specific OTP app like Authy or Google Authenticator. They recently added a QR code login feature, which makes sense, but that still shouldn't stop them from enabling MFA via third party OTP apps.
load more comments
(3 replies)
iirc it's possible to somehow export the secret key used by steams 2fa
load more comments
(2 replies)
load more comments
(3 replies)
Uuuuugh. I just had this problem after dropping my phone. Can't log into the phone without the phone being logged in. Solution: disable 2fa on a logged in device. If I can disable it from another device why can't I verify it from another device? This is so broken!
Wait, can you eli5 why multifactor authentication (MFA) (and maybe also 2-factor authentication apps) is “fuck off” levels?
Is it privacy concerns or something bigger like more points of failure for overall security? Or smaller like not every one has/wants a smart phone?
If I read it correctly the "fuck off" level refers to some proprietary app for the selected login. The other two are standard code app and yubikey.
This is also how I read the meme. Codes are fine, tokens are fine. Your proprietary spyware app is NOT fine (Microsoft) and I hope you get fucked.
Microsoft login works just fine with any TOTP app, like Aegis. They just heavily push you toward their app.
Unless your company doesn't know wtf they're doing and it just doesn't work.
load more comments
(2 replies)
MS is fine, your average bank or broker institution though... when it's not SMS, chances are it's an "in-house" solution
load more comments
(5 replies)
load more comments
(1 replies)
I already have an authenticator app. If some service wants to force me to install their own app for their login, they are indeed welcome to fuck off.
load more comments
(3 replies)
At work usually I can login without any input thanks to SSO, but occasionally it will ask for a security check. The default is to press a notification in outlook on my work phone, which I only ever use when travelling, so it's invariably off... 🙄
load more comments
(1 replies)
My brain needs to boot faster. Took me far too long to figure out that wasn't Mother Fucking Authentication, and was instead more likely Multi-Factor
load more comments
(1 replies)
Sorry, as IT person I have to disagree, app based MFA is just way much easier to maintain instead of HW keys.
Edit: forgot to mention that in Finland companies here has to provide phone if your work require that. In IT I don't want nothing to do with users personal devices, and it sounds insane to me that in US companies force apps to your personal devices.
If you want to install software on my personal device with elevated privileges then I'll just use a different service than your shitty low effort maintained trash.
load more comments
(2 replies)
Re-writing a 6-digit code is easier than tapping a USB device?
They're talking about operationally. They don't want to configure and distribute a bajillion dongles to users.
load more comments
(1 replies)
Open an app, find the one number for your specific app among the bajillion you have, oh the timer is almost out and you forgot halfway through, tap back in the app, oh the fucking app scroll all the way to the top again.
load more comments
(1 replies)
Often times, yes. I don't want to always have to have a USB key on me, but I always have access to MFA apps via my phone, watch, or laptop. I have no idea why you're typing the code out instead of copying and pasting.
load more comments
(1 replies)
I've had this argument with different people when asking for a hardware token vs app only two factor.
I'm not installing a proprietary app on my personal device. I'll use a open standard, I'll use a light weight hardware token. I'm not going to run a invasive binary black box for push authentication 24/7 on my personal device.
At this point everyone has extra phones that don't get security updates. I just used a old phone installed the app on that phone, and left it in my desk... It's kind of a terrible security dongle at this point.
load more comments
(1 replies)
load more comments
(3 replies)
Passkeys gonna fix all this bullshit.
No they fucking won't. You know that websites are going to be massive throbbing cocks about it.
"Due to security issues, passkeys for our service must be kept in ® Secure Passkey App™. Please install the app on your device to continue. This app requires Apple Notification or Google Play services to operate. Must have verified phone number to use."
"Your device has been rooted and therefore cannot be supported."
Unironically this...
Passkeys don't work on my rooted device - they seemingly set up correctly, but sites like GH claim your device passkey doesn't exist when you try to actually login. When you go to the affected site's account settings to add the device as a passkey again, an error of some kind claims the passkey already exists 🤷♂️
Deleting/re-adding has no effect. Using FF with device biometric passkey auth
load more comments
(1 replies)
load more comments
(8 replies)
view more: next ›