• randon31415@lemmy.world · 25 up · 5 days ago

    Authentication for my work email: enter 28-character password, receive SMS, enter message, log in.

    Authentication for my Battle.net account:

    - Enter email made before 2000 because they don’t let you change email
    - Enter password
    - Get rejected
    - Solve CAPTCHA
    - Try backup passwords, get rejected
    - Request new password
    - Send request to 24-year-old email
    - Try to log on to 24-year-old email; email is suspicious and sends authentication request to my newer email
    - Open newer email, authenticate older email
    - Open old email, put in code to Battle.net
    - Battle.net requests Authenticator code from Battle.net app
    - Open Battle.net app (no requests)
    - Try manual code, doesn’t work
    - Realize Battle.net app Authenticator not connected
    - Try to connect Battle.net app Authenticator to account
    - Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator
    - Close Battle.net app
    - Open Blizzard Authenticator
    - Close warning that this app got deprecated in January
    - Enter manual code
    - It works
    - Attempt to change password to password I first attempted
    - Won’t let me use same password
    - Try logging in using that password
    - Still doesn’t work; solve one more CAPTCHA
    - Change password to backup password and back to original password; have to solve 2 more CAPTCHAs
    - Finally works
    - Log in

  • archchan@lemmy.ml · 34 up, 5 down · 6 days ago

    I hate forced 2FA that you can’t disable anyway. I don’t want to waste time waiting for an insecure text, I don’t want to input an unencrypted code you sent to my email, I don’t want to click your damn notification that runs through Play Services, and no I’m not enrolling in passwordless auth. I don’t need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.

    • Charlatan@lemm.ee · 19 up, 1 down · 6 days ago

      Yeah. So you, myself, and some others are the exception to the rule. But you can’t look at it that way because it’s a ‘lowest common denominator’ problem. The least secure of us means we are all only as secure. Others need to be hand-held.

      It’s definitely time to raise all boats and drop SMS 2FA like a hot rock.

      • rottingleaf@lemmy.world · 3 up · 6 days ago

        The most natural authentication mechanism for humans is a key. That thing you carry with yourself. A physical key containing, well, the actual secret (shouldn’t be retrievable, should be used for decrypting the access request and signing the response) that, maybe combined with your password (another authentication mechanism natural for humans) or maybe, yes, TOTP, gives you access.

        Like those “security keys” Imperial officers in Jedi Outcast carry with them. Maybe a bad example.

        Phone numbers are used as identifiers because governments like it, nerds don’t like it, and normies explicitly like what nerds don’t like and also want everything to be insecure, they call it “having nothing to hide”.

        Also “normal and social” people have that idea that their social prowess is more elegant, smarter at ensuring their security than those dumb and boring nerd technical solutions. So them always choosing things logically opposite of sane, like social media instead of forums, and phone numbers instead of any other identifier, is literally a matter of principle. It’s really not that hard to use something else. They do the stupidest possible thing technically to prove a point that you only have to do the smart thing socially. I mean, in Galileo Galilei’s case the other side of the disagreement is generally considered right, but that’s not an argument effective in society.

        I should admit that I’ve been doing the opposite: the stupidest possible thing socially to prove a point that only technical sense matters, which is why nobody would send me encrypted mail except Facebook with its notifications, and nobody would write me in Tox, and nobody would even contact me via XMPP. Which is why I’m now using TG, VK, FB, WA and Signal for communication; of these Signal is secure, and WA is kinda better than the rest of them.

  • Chaotic Entropy@feddit.uk · 8 up · edited · 5 days ago

    So many services still don’t even offer 2FA at all. Any service that stores payment information and PII without any 2FA options, let alone a secure one, at this point is a disgrace.

  • finitebanjo@lemmy.world · 16 up, 1 down · edited · 6 days ago

    The end of an era.

    Or actually, probably not until we redo how the whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn’t be using a 45-year-old system for almost all communications.

    • Agent641@lemmy.world · 8 up, 1 down · edited · 5 days ago

      Use Telegram.

      Not the app, the 200-year-old wire messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered).

      • finitebanjo@lemmy.world · 1 up · 5 days ago

        I guarantee you that is the opposite of a solution; old man encryption is very easily hacked by other old men for spoofing, redirecting, or listening.

  • Cocodapuf@lemmy.world · 15 up, 1 down · edited · 6 days ago

    Since when was SMS ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient’s carrier both have the opportunity to intercept messages.

    I mean that’s the message content, not the authentication, but still, SMS is the opposite of secure, always has been.

  • umbrella@lemmy.ml · 19 up, 1 down · 7 days ago

    Of course it is. Forced 2FA BY SMS OF ALL THINGS is one of the stupidest ideas.

    • capital@lemmy.world · 8 up · 7 days ago

      I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.

      • WhatAmLemmy@lemmy.world · 2 up · 6 days ago

        It was the simplest/cheapest form of 2FA to implement. Grandma will never understand how to set up TOTP.

        Capitalism requires regulations, otherwise it will ALWAYS do what is cheapest or most profitable, regardless of how dangerous or destructive.

  • Edieto12@lemmy.ca · 8 up, 1 down · 6 days ago

    I’d take email authentication over SMS authentication if there were only those two. Let me use my 2-factor app, for the love of god, please. I hate how banks use SMS; it’s like, come on, man.

    • oldfart@lemm.ee · 15 up, 1 down · 7 days ago

      They will now push proprietary apps which steal your data, so you decide.

      In a sane world we would move to YubiKeys or codes like Google Authenticator, but we live in a post-sane technological world.

  • phoneymouse@lemmy.world · 18 up · edited · 7 days ago

    Thank god, give me my HMAC hash please.

    Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.
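    The “HMAC hash” asked for above, and the TOTP that archchan and rottingleaf prefer over SMS, is the RFC 4226 / RFC 6238 scheme: a shared secret, an HMAC over a counter (or over the current 30-second step), and a truncation to a few decimal digits. The block below is an added, stand-alone illustration written for this thread, not code from Lemmy, Signal, Blizzard or any authenticator app. The secret it uses is the public RFC test vector, not a real credential; the verifier class, its window size and its single-use rule are this example’s own design choices, not a standard the RFCs mandate.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side check (example design): constant-time compare, a +/- `window` step tolerance
    for clock drift, and each code accepted at most once so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1, algo=hashlib.sha1):
        self.secret, self.step, self.digits, self.window, self.algo = secret, step, digits, window, algo
        self.last_accepted_step = -1              # highest step whose code has already been used

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_accepted_step:
                continue                          # already used, or older than a used step: reject
            expected = hotp(self.secret, candidate, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


# Constructed demo: the RFC 6238 SHA-1 test secret (ASCII "12345678901234567890"), 8-digit codes.
RFC_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Generate a code the way an authenticator app would, then check it the way a server would."""
    server = TotpVerifier(RFC_SECRET, digits=8)
    t = 59                                        # RFC 6238 test time; expected code is 94287082
    code = totp(RFC_SECRET, t, digits=8)
    return {
        "code": code,
        "first_use": server.verify(code, t),      # fresh code inside the window: accepted
        "replay": server.verify(code, t + 5),     # same code presented again: rejected
        "wrong": server.verify("00000000", t),    # wrong code: rejected
    }


if __name__ == "__main__":
    print(demo())
```

    Two points worth noticing: the code is derived only from the secret and the clock, so no message has to travel over the carrier network at all, and the single-use bookkeeping is what turns a guessable-looking six digits into something an eavesdropper cannot reuse even inside the drift window.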

  • communism@lemmy.ml · 15 up, 1 down · 7 days ago

    I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.