This 2 Factor Hooey!!!!

Lost_in_the_HTTP

Diamond Member
Nov 17, 2019
6,624
3,822
106
We need a major class action suit to force ALL websites, financial, Government and others to allow members to choose not to use it. I don't care if some people wish to play silly games or jump through hoops to log in, I don't want to be forced to.

We gotta have some freedom minded lawyers here on this site, don't we?
 

Lost_in_the_HTTP

Diamond Member
Nov 17, 2019
6,624
3,822
106
Unknown Browser - Android
Sunday, May 22, 2022
WrongTown, State, United States
IP: xx.xx.xxx.xxx
Location displayed is determined by your Internet Service Provider.

Which is also hooey because the city they list is over 100 miles from me.
 

lxskllr

No Lifer
Nov 30, 2004
55,612
5,585
126
I routinely get an ip that's 1k miles away on my phone, and it causes google to have a shit fit, and block access with my mail client. It'll be a good day when I ditch google for good.
 

sdifox

No Lifer
Sep 30, 2005
88,192
10,993
126
You know, if you go into the branch to do your banking, there is no extra 2fa just bank card and pin.
 

Captante

Lifer
Oct 20, 2003
23,510
5,511
136
While I don't particularly enjoy proving I am in fact human all the time, it's not even on the radar in terms of being a serious problem in my life.

 

Red Squirrel

No Lifer
May 24, 2003
62,889
9,847
126
I do hate that it's forced on some sites. At least make it an option with a warning that it's not recommended to go without it.

Worse is when they don't offer text 2FA. I know it's not considered secure but it has to be better than no 2FA at all right?

I hate having to install apps just to be able to log in to one specific site. I run a custom ROM now so anything that's going to be in Google Play is not going to work anyway. The other issue with apps is that it's basically a black box, there is no real easy way to back up the data so that if you get a different device you can restore it, not to mention the privacy aspect, most apps are also data miners. I heard if you save the QR code they give you to set it up you should be able to set it up again on a different phone, but what if their particular app does not allow that? They could make the QR code a one time use, which in a way would make more sense from a security point of view.

Imo the best approach to 2FA would be if they used some kind of open standard, and you could just use a program on a computer or browser extension etc, something easier to back up and where you have more control, and not need any specific phone OS for it to work on. I presume there probably is such a standard, but most sites are not using it and use their own app.
 

Lost_in_the_HTTP

Diamond Member
Nov 17, 2019
6,624
3,822
106
I don't want to use it at all. The devices I use for banking never leave this house and no one else has access.

Set a cookie or token or whatever and be done with it.

I'm sort of OK with a code to email once to register a device, but not on every log in. Thing is, if someone breaks in the house and steals all my stuff, they get the cookies, tokens and emails too, so the codes going to emails won't accomplish much.
 

Torn Mind

Diamond Member
Nov 25, 2012
8,699
1,584
126
With Yahoo! getting breached in the past and Home Depot as well, 2FA is obviously here to stay.

Although, most sites are not that strict after the first attempt on a new device.
 

Lost_in_the_HTTP

Diamond Member
Nov 17, 2019
6,624
3,822
106
I also hate that appie word thingy. I have them installed for many of the institutions I use and while they are somewhat convenient, they are often crippled. I find clicking on certain options gets a message to open the full site. Other options don't even appear unless you use a browser and open the full site.

Though it too is crippled to a large degree, at least the USAA banking site has an option that doesn't require a code to anything. If you choose to set it up, a keyboard displays on start up for you to enter a PIN. No user ID, no PW, no code to anything.

CitiBank's sort of works OK, but won't let you autofill a PW. And they won't let you do basic things like opt in or out of paperless statements without an extra log in step.

Chase's works better in that it will autofill both ID and PW.

None of those banks have branches within 100 miles of me, so stopping in isn't an option.
 

Lost_in_the_HTTP

Diamond Member
Nov 17, 2019
6,624
3,822
106
And now Uncle Sam is starting their own mass logon system (login.gov) to link between sites with one ID even though they already have systems like DSLogon.
 

Exterous

Super Moderator
Jun 20, 2006
19,826
2,727
126
As someone who spends a large part of their job on the IT Security side I'm going to go with:
"More sites should enforce this and also expand their capabilities to allow non SMS based 2FA"

Sorry but too many people are falling for scams and failing to protect their systems with updates. There is a ton of added cost and risk overhead to companies when they don't enforce 2FA. Not to mention the very loud complaining when someone screws up and then blames the company for not making them use 2FA. I tell groups we work with 'People will be unhappy with you either way. You might as well choose unhappy + safer over unhappy + riskier'

And just because your devices don't leave the house that doesn't mean the world can't reach your devices.
 

dlerious

Golden Member
Mar 4, 2004
1,194
337
136
Red Squirrel said: "Imo the best approach to 2FA would be if they used some kind of open standard, and you could just use a program on a computer or browser extension etc, something easier to back up and where you have more control, and not need any specific phone OS for it to work on. I presume there probably is such a standard, but most sites are not using it and use their own app."

There is a standard called FIDO. You can use Authenticator Apps like Authy, Google Authenticator, and others on your computer. Google and MS have browser extensions and there are hardware security keys from Yubico, Google, and others. I use yubikeys.
 
  • Like
Reactions: Captante

Red Squirrel

No Lifer
May 24, 2003
62,889
9,847
126
dlerious said: "There is a standard called FIDO. You can use Authenticator Apps like Authy, Google Authenticator, and others on your computer. Google and MS have browser extensions and there are hardware security keys from Yubico, Google, and others. I use yubikeys."

Yeah heard of it, but most sites just use their own app unfortunately.
 

Lost_in_the_HTTP

Diamond Member
Nov 17, 2019
6,624
3,822
106
I'm no longer quoting posts here since I can't quote only parts of them, so you'll have to guess who this is in reply to.

Leave it to the user to decide. Never force it.
 

[DHT]Osiris

Lifer
Dec 15, 2015
10,616
7,371
146
Jesus Christ, lot of whiny people here. Every single login should be behind a 2fa, preferably 8192-bit encrypted device embedded into a bone.
 
  • Like
Reactions: Captante
