This 2 Factor Hooey!!!!

[Lost_in_the_HTTP]

We need a major class action suit to force ALL websites, financial, Government and others to allow members to choose not to use it. I don't care if some people wish to play silly games or jump through hoops to log in, I don't want to be forced to.

We gotta have some freedom minded lawyers here on this site, don't we?

 

[DisarmedDespot]

Okay, what are your damages?

 

[Lost_in_the_HTTP]

Inconvenience. Emotional stress.

 

[DisarmedDespot]

Inconvenience. Emotional stress.

So you have no damages.

I mean, sure, go ahead and call a lawyer. Assuming you're in the US, anyone can sue anyone for anything, but I don't envy your chances when your damages amount to 'they mildly annoyed me.'

 

[Lost_in_the_HTTP]

Unknown Browser - Android
Sunday, May 22, 2022
WrongTown, State, United States
IP: xx.xx.xxx.xxx
Location displayed is determined by your Internet Service Provider.

Which is also hooey because they city they list is over 100 miles from me.

 

[lxskllr]

I routinely get an ip that's 1k miles away on my phone, and it causes google to have a shit fit, and block access with my mail client. It'll be a good day when I ditch google for good.

 

[sdifox]

You know, if you go into the branch to do your banking, there is no extra 2fa just bank card and pin.

 

[Captante]

While I don't particularly enjoy proving I am in fact human all the time, it's not even on the radar in terms of being a serious problem in my life.

 

[Red Squirrel]

I do hate that it's forced on some sites. At least make it an option with a warning that it's not recommended to go without it.

Worse is when they don't offer text 2FA. I know it's not considered secure but it has to be better than no 2FA at all right?

I hate having to install apps just to be able to login to one specific site. I run a custom rom now so anything that's going to be in Google Play is not going to work anyway. The other issue with apps is that it's basically a black box, there is no real easy way to backup the data so that if you get a different device you can restore it not to mention the privacy aspect, most apps are also data miners. I heard if you save the QR code they give you to set it up you should be able to set it up again on a different phone, but what if their particular app does not allow that? They could make the QR code a one time use, which in a way would make more sense from a security point of view.

Imo the best approach to 2FA would be if they used some kind of open standard, and you could just use a program on a computer or browser extension etc, something easier to backup and where you have more control, and not need any specific phone OS for it to work on. I presume there probably is such standard, but most sites are not using it and use their own app.

 

[Lost_in_the_HTTP]

I don't want to use it at all. The devices I use for banking never leave this house and no one else has access.

Set a cookie or token or whatever and be done with it.

I'm sort of OK with a code to email once to register a device, but not on every log in. Thing is, if someone breaks in the house and steals all my stuff, they get the cookies, tokens and emails too, so the codes going to emails won't accomplish much.

 

[Torn Mind]

With Yahoo! getting breached in the past and Home Depot as well, 2FA is obviously here to stay.

Although, most sites are not that strict after the first attempt on a new device.

 

[Lost_in_the_HTTP]

I also hate that appie word thingy. I have them installed for many of the institutions I use and while they are somewhat convenient, they are often crippled. I find clicking on certain options gets a message to open the full site. Other options don't even appear unless you use a browser and open the full site.

Though it too is crippled to a large degree, at least the USAA banking site has an option that doesn't require a code to anything. If you choose to set it up, a keyboard displays on start up for you to enter a PIN.. No user ID, no PW, no code to anything.

CitiBank's sort of works OK, but won't let you autofill a PW. And they won't let you do basic things like opt in or out ot paperless statements without an extra log in step.

Chase's works better in that it will autofill both ID and PW.

None of thiose banks have branches within 100 miles of me, so stopping it isn't an option.

 

[Lost_in_the_HTTP]

With Yahoo! getting breached in the past and Home Depot as well, 2FA is obviously here to stay.

If the bad guys get into the root servers like that, they get the codes too as well as the emails and all other personal information.
.

 

[Lost_in_the_HTTP]

And now Uncle Sam is staring their own mass logon system (login.gov) to link between sites with one ID even though they already have systems like DSLogon.

 

[Exterous]

As someone who spends a large part of their job on the IT Security side I'm going to go with:
"More sites should enforce this and also expand their capabilities to allow non SMS based 2FA"

Sorry but too many people are falling for scams and failing to protect their systems with updates. There is a ton of added cost and risk overhead to companies when they don't enforce 2FA. Not to mention the very loud complaining when someone screws up and then blames the company for not making them use 2FA. I tell groups we work with 'People will be unhappy with you either way. You might as well choose unhappy + safer over unhappy + riskier'

And just because your devices don't leave the house that doesn't mean the world can't reach your devices.

 

[dlerious]

Imo the best approach to 2FA would be if they used some kind of open standard, and you could just use a program on a computer or browser extension etc, something easier to backup and where you have more control, and not need any specific phone OS for it to work on. I presume there probably is such standard, but most sites are not using it and use their own app.

There is a standard called FIDO . You can use Authenticator Apps like Authy, Google Authenticator, and others on your computer. Google and MS have browser extensions and there are hardware security keys from Yubico, google, and others. I use yubikeys.

 

[Red Squirrel]

There is a standard called FIDO . You can use Authenticator Apps like Authy, Google Authenticator, and others on your computer. Google and MS have browser extensions and there are hardware security keys from Yubico, google, and others. I use yubikeys.

Yeah heard of it, but most sites just use their own app unfortunately.

 

[Lost_in_the_HTTP]

I'm no longer quoting posts here since I can't quote only parts of them, so you'll have to guess who this is in reply to.

Leave it to the user to decide. Never force it.

 

[Scarpozzi]

While I don't particularly enjoy proving I am in fact human all the time, it's not even on the radar in terms of being a serious problem in my life.

Too much goat cheese in a salad sometimes results in hunger.

 

[sandorski]

Being annoyed is a Feature of the Internet.

 

[[DHT]Osiris]

Jesus Christ, lot of whiney people here. Every single login should be behind a 2fa, preferably 8192-bit encrypted device embedded into a bone.

 

[Scarpozzi]

Jesus Christ, lot of whiney people here. Every single login should be behind a 2fa, preferably 8192-bit encrypted device embedded into a bone.

So the second factor is elective surgery?

 

[[DHT]Osiris]

So the second factor is elective surgery?

So long as it keeps people from whining that they lost their keyfob or can't be bothered with something as complicated as a phone app, sure.

 

[Captante]

I'm no longer quoting posts here since I can't quote only parts of them

What led you to this false belief?

 

[Exterous]

I'm no longer quoting posts here since I can't quote only parts of them, so you'll have to guess who this is in reply to.

Leave it to the user to decide. Never force it.

Sorry but users are, collectively, too dumb for that to be a good idea