You must log in or register to comment.
got hired by a new company. every fucking day I have to MFA to use the VPN. then I have to MFA to sign into email. Then MFA into tickets. MFA into confluence. MFA into git.
and then I have to do it all over again 4 hours later after lunch.
No sso?
mid-size enterprise. my team has gone through 5 managers in 12 months.
they can’t even with SSO right now lol
It’s relatable
Same, but also add MFA to log into laptop.
dude…I do that so often I completely glossed over it. 💀
I’ve had good luck with bitwarden. It copies autofills the username and password, then once you submit, it copies the 2fa to your clipboard.
of course, it’s a pro feature, so you’d either pony up or host vaultwarden assuming you can even install the plugin on your PC.
Why not HSM?
I’m glad that a pizza place has higher MFA requirements than many banks. We’ve made good decisions as a society for that to be true.
Like with insurance, it’s far more worth spending an extra 2.5 seconds on 2fa than it is spending regaining your stolen identity and (potentially) ruined reputation (unless it’s text based 2fa)
2.5 seconds? You must be the fastest 2fa grinder
You’ll lose many more years if your accounts with sensitive content ever get compromised.
Every time I read comments on posts like these, it reaffirms to me how the average person does not give a shit about real security or is completely ignorant to how and why these extra safeguards are used. Lemmy, I would assume, has a higher than average tech knowledge amongst it’s user base vs many other platforms, but the sentiment often that of, MFA and needing to login to a bunch of separate applications is too much work and the people that designed them don’t know what they’re doing. It’s a bit disheartening.
nah, you can care about security and also lose hours on MFA. for global enterprise, the overall user experience is far from optimal imho.
At work I need multifactor for everything, but… ITS ALL THE SAME MICROSOFT ACCOUNT. We have SSO, but every single stupid webpage needs me to sign in separately with 2FA and forgets about me hours later. It’s needlessly tedious.
GoDaddy sends a confirmation email for updating DNS. It does not ever arrive faster than 10 minutes from the time they claim they will send it, and sometimes it takes up to 15 minutes. The code expires in 20 minutes, so if you switch focus to something else in the mean time and miss the email and the code times out, you have to send another one and just sit there staring at the email inbox. I have lost hours of my life to GoDaddy MFA. Not all MFA is stupid, but their implementation is amazingly stupid.
Yes, I can’t defend dog shit implementation. There are enough authenticator apps available that anyone reputable should use one instead of the less secure email or SMS.
Another bigass reason why godaddy sucks lol
I just use strong, unique passwords and be mindful when something is asking for my logins.
That should be the bare minimum for everyone, but it doesn’t protect anything if a password is compromised, especially something like email that can lead to getting other passwords.
If your email is compromised, isn’t 2FA also compromised?
I suppose in some cases, yea. I was thinking about authenticator apps as MFA and forgot about email. Ideally, all MFA would be through a separate authenticator. For stronger security, something like a ubikey or other hardware security device can be used.
I don’t even think I use websites that would use that. The only “app” like that is google using my phone for new logins. Every other 2fa uses my email. If it’s not a google service, I’d prefer not to have to use an app because I treat my whole phone as insecure.
Do I really need TFA for social media? Or a forum? News sites? Fucking weather? Financial logins I get, but every single site requiring it is a cumulative time and hassle burden that is not worth it.
I don’t mean to sound rude but why would you need an account just to check weather
I would say anytime where someone can impersonate you or make purchases as you deserves MFA. That’s my risk tolerance, but it can differ obviously. I just feel that threshold is too low for a lot of people.
…for social media?
Where someone can impersonal you and scam people out of money? Yes. 2FA.
…Fucking weather?
I mean, I’m not here to kink shame but, probably? I’m partially wondering now what weather looks like when it fucks. Like a tornado in a sinkhole?
…every single site requiring it is a cumulative time and hassle burden that is not worth it.
It wouldn’t be necessary IF:
- People chose decent passwords that were different for every login
- Website security was taken seriously by anyone who has a login.
The galaxy-brain move is to store the password in a password manager, and also have the same password manager store the TOTP. Finally, you set your password manager to unlock by biometric authentication
All of a sudden, you’re set by just showing your fingerprint to the reader.
Only downside is that you can more likely be compelled to give up biometric authentication than a password (as far as I understand)
Very true. But most of the places that will compel you also have no issue just compelling the companies you have accounts to give you up.
This is a threat I’m not planning to handle.
xkcd 538
Physical security keys to the rescue!
Break it when you’re in danger.
Or just invest in some real, physical security using all the crypto you’ve got to prevent something like this happening in the first place, that way you’ve got both physical and digital security to protect u rather than js one like some jokeman.
What kind of physical security will protect me when the government breaches into my house?
Also, I see you using your alt accounts to upvote yourself.
What kind of physical security will protect me when the government breaches into my house?
None. Prolly why you need offsite backups. Find a better govt ig
Also, I see you using your alt accounts to upvote yourself.
Just don’t travel to the USA. Or 100 miles into the interior of the United States from any land or maritime border.
I’m not planning to. Not without a burner setup, at least.
I have a very secure password protecting my password manager, and have set up all my passwords there to 123456
A minor annoyance now to avoid a major headache later. Worth the trade
It’s been nothing but a headache for me with no benefit
This is a misunderstanding. You can’t possibly know if there’s been a benefit, because you wouldn’t know unless your account was compromised. The mere presence of 2fa on an account will stop credential stuffing attacks dead in their tracks.
It’s like saying “this lock on my door is pointless because nobody has broken into my house”.
No it would be more like having the key to my house, but after I use the key I can’t get in and have to wait for a text and verification email before my door opens
More like using a key that hasn’t been used in I over 30 days and needing to wait on a text/email.
Also text or email is a bad second factor and an implementation problem. TOTP is better. Passkeys way better and are so simple once you start using them.
So if you go on vacation your house key doesn’t work anymore? What is the point of a password if it doesn’t get you in?
Yep your rarely used vacation house needs an extra step given how rarely it’s used.
Passwords are a miserable and lazy solution. The point was; they are cheap and easy to implement. I highly recommend dropping them whenever possible and switching to Passkeys, oAuth, SAML anything even a tiny bit harder to compromise.
Ok. Why don’t you try explaining how digital security works to the security professional some more. I’m sure you’ll convince me real soon 😜
I’m a security professional also, i don’t see the issue with their analogy?
Their analogy is from the perspective of an authorized user complaining about inconvenience, completely ignoring the things I was addressing (their statement that 2fa provides no benefit)
they said it provides no benefit to them… and i get it - for some things, maybe you don’t need “all the security” … just “enough” of it. for example; i might not need any lock on my laundry room door, i might choose a privacy lock on my toilet room door (no key required to unlock), but i will fit an additional a deadlock on the front door. each has a level of security that i deem to be appropriate. they asserted their opinion about MFA as it pertained to them, not in general.
Oh shit im talking to a master hacker! How could I have been so foolish??
Nobody cares
I just think it’s funny how this is literally my job and you think you know better xD
Your metaphor is garbage and makes no sense because you are providing the perspective of an authorized user while I’m speaking about attackers.
You think that because your house hasn’t been broken into that the locks are pointless. But it’s the locks that keep your house from being broken into
I literally have this conversation with dumbass leadership on a regular basis; how the absence of security compromise isn’t a reason to cut security, but rather proof that the security is working
But go off, dude. You just look like a fool
The clunky user experience in the analogy isn’t wrong but is focused on the wrong thing, having locks is already an annoying user experience.
Having to carry keys everywhere and juggle shopping when opening my door sucks. It would suck more if someone entered my house and stole my stuff so I accept the trade off.
It’s the same with MFA. We all accept a worse user experience for significantly improved security.
Is it really so bad? I enable it wherever I would care if my account was gone. It’s only annoying to me when I can’t use my own TOTP app.
Oh you know your password? Fuck you. We’re sending an email to your second account and to verify that one we will text you.
Let’s say your account is logged into from 1000 miles away, wouldn’t you want that account or device, whether it was you or an attacker, to prove itself?
In most cases, if you’ve logged in on a specific browser/device/account, unless you’ve cleared cookies, it doesn’t constantly ask for MFA. but in my example above, a new IP, new device, or app, it should absolutely go “whoa, wtf is this” and make you verify.
they lost access to their account because of mfa or they just think it’s a waste of time?
It’s not a waste of time, but God is does it waste time…
I assumed it was cumulative use.
Well, maybe. You said years plural, so let’s take just two years. 2 years * 365 days a year * 24 hours a day * 60 minutes an hour is 1,051,200 minutes in two years.
Let’s say that every time you use 2FA it’s an extra 2 minutes. How many times a day do you use 2FA? That’s probably the biggest variable. For some people it’s a couple times a week, for others it’s several times a day. Let’s say 5 times a day. We also need to know how long you’ve been using 2FA. That’s going to be another big variable. Does 5 years seem reasonable? If so, 5 years * 5 times a day * 365 days a year * 2 minutes each time = 18,250 minutes wasted on 2FA.
That’s a small fraction of the million minutes in two years, but it could change a lot depending on some of the variables.
But on the other side, if even one time the 2FA stopped you getting your account hacked, the calculation would change a lot.
Passkey
Lemmy passkey wen
I saw your comment earlier today and thought “heh ok, challenge accepted.”
Sweet!
i like the idea if username/password with optional passkey as secondary … ie “something i can keep in my brain” mixed with “something a compute device can do”
having only a passkey doesn’t feel like it aligns to a “defense in depth” approach, which we’ve learned many times over is critical to surviving a single oopsy. someone gets access to your passkey manager (eg phone) then you’re fucked.
i’d like layers please!
There’s lots of things that have two factor authentication that don’t need it.
Drag’s bank lets drag log in and see drag’s balance with just a password, but drag needs to authenticate to transfer any money. That’s perfect, drag loves it. Yet somehow, drag’s library card and epic games account have more restrictive MFA requirements.
Drag probably wouldn’t want the library books Drag has been reading to be splashed across the town when the revolution happens.
Also, Drag’s bank doesn’t sound as secure as it should be; if I were Drag I would move my shiny rocks elsewhere.
lost your password? time for a scavenger hunt!
What was the colour of your childhood best friend’s hero’s first car?
Blue! No, yellooooooooowwwwwwwww…
At work, I must to use it every day to open google docs or gmail.
The MFAs using an authenticator are torture.
Do you like the ones sending you a text better?
For me they’re worse. You need to have reception. And SIM cloning/swapping/stealing is something that is a thing too.
That can’t happen with an authenticator app.
Yeah, opening an app and typing 6 numbers? Way too much work. Also why can’t my password be ‘password’ like the good old days?
