You're doing two-factor authentication wrong by not allowing me to use a single factor only (maybe I do not want to check e-mail and/or to carry a smartphone with me and/or your website has too miserable a value to me to take care of it).
I see you're being downvoted, but I see your point. Twitter has so little value to me, I don't see the point in requiring the extra security (for me).
I guess if you're some sort of public figure it might be, but selling blue badges to anyone kinda destroyed any credibility it had as a platform for those people.
I have a pile of accounts that I really don't care about. I joined a harmonica group about 10 years ago. My password is something like asdf1234, because really if someone pretends to be FAKE_NAME_123 on a harmonica site, I'm cool with it.
Twitter is about there for me. If someone took over my account, Meh. I'd just create a new one. It's not tied to a real email anyway. I actually think I'm on my 3rd one now. Because I forgot which email I used to sign up.
I remember the good old days when a lot of forums used to have a test/test account, and I also used to register some accounts with "test" login and "test" passwords for the sake of convenience for future folks who obviously will be wanting just to download something and forget about the website.
Bitwarden and KeePassXC support adding TOTP tokens to an account entry, allowing you to use only the password manager for authentication, with no secondary device or application necessary.
The world is too complicated for me to learn about how TOTP works, who supports it, how smartphones work, how password managers work, etc. All I want is the ability to use login/password with neither extra knowledge nor extra property nor having extra installed software (cookies, password manager) on the computer I am accessing the website from. Let 2FA remain for those who really want it, as it was 10 years ago.
And that is important. Usability and simplicity are important for adoption. Every security layer we add does in fact strip away a layer of convenience.
In my opinion, learning to use a password manager has effectively eliminated dozens if not hundreds of passwords and user names that I would have had to remember and all I need to remember is my one password manager password and everything gets copied and pasted in automatically. Even easier on my phone with FaceID unlocking the vault.
But it is still a complication and disruption to previous sign in flows that I had to adapt to and maintain.
> learning to use a password manager has effectively eliminated dozens if not hundreds of passwords
Generating passwords properly gets rid of the need for any password manager while each password stays unique. It is useful if most of my devices for the internet don't have any password manager implemented (for example, any Blackberry/Symbian/Opera Mini).
Absolutely, which is why I use a custom diceware list to generate the few dozen passwords between work and home that I have to manually type out, such as my computer logins, phone, etc. Drives my wife crazy for our shared accounts that I use random strings of words numbers and symbols. The password manager is highly effective at creating even stronger passwords and managing the 50+ accounts that I can copy and paste the information into, such as this Hacker News account. And even serves as a safe place to save passwords that I rarely use and could otherwise forget.
What do you do if you need to change the password for a site, such as a site that enforced password age limits or a site that has had a leak that exposed passwords?
The problem is these platforms double as identity providers, so your Twitter being hacked can give access to other websites - it’s crazy that this was ever a thing.
Ubisoft's UPlay tries to get me to sign up for 2-factor every now and then. For some it might be a good idea, if they have a large library and maybe use their account on internet cafes and such.
But they have a "Skip" button which so far works just fine. And I'm very happy it's there. So regardless of other merits, at least Ubisoft did that right with UPlay.
When we were implementing blockchain-based voting, we assumed that since people trust banking apps with their money, they should be able to trust a crypto wallet with their vote.
But the biggest security flaw, it turns out, is systemic, not individual: people simply don’t care about securing their one measly vote as much as they care about securing $100,000 in their bank.
So while people were motivated to secure large individual balances, they were not motivated to secure their votes.
Which is why we have to force people to confirm their votes on another device, so that Apple or Google couldn’t theoretically steal the election by lying to you about who you voted for, let alone some random website like stackoverflow (which people trust in their moderator elections etc.)
It turns out that this is also necessary for Web3 — the current state of security is dismal, the vast majority of people don’t actually check they are interfacing with the right contract or calling the right method or sending the right parameters before they hit “Submit” to sign the transaction. So even there, people have to be forced to double-check the details on another device, depending on the value of the transaction.
Personally, I think we will move beyond blockchains. There are new technologies out there (DAG, HashGraph, and our own: Intercloud). There is also "sidetree protocol" that is used to secure Merkle trees with a blockchain, used by Microsoft's DID-compliant new ION for identity, and also I think by bluesky. But at the moment, Blockchain is widespread, kind of like PHP is widespread.
I imagine that, in the future, we will simply have an "embarrassingly parallel" set of append-only logs, which is already possible with projects like Hypercore. And we will run consensus with those.
As for your question - the way you have secret voting is by using ring signatures. (Monero has ring signatures.) You just have to indicate that you're part of a group, and that you used your one vote, but it doesn't say who you are https://en.wikipedia.org/wiki/Ring_signature
A blockchain-based way would be to use a mixer (like Tornado Cash does) to mix up the tokens so each person still has exactly 1 but now it's harder to trace who has which one.
This is the unfortunate truth about 2FA. While it significantly improves security, it is significantly less ergonomic than passwords (which are already sucky). It is also a problem when phones are, for whatever reason, not ideal for the work environment.
But I also hate to add a password for each shitty website. I also don't want to connect an account via e.g. OIDC with any of my important accounts. I think there is a product or at least a new common mechanic somewhere in this mess.
Passkeys solve exactly your complaints. They’re being pushed heavily by Apple and Google, so very soon you’ll be able to sign up for sites without having to set a password + MFA.
But won't this just use Google Sign In in the end? This will give the shitty website at least my OpenId data from Google and enable social engineering with my important account?
You missed their point, accessing a website also requires you to have _something_, namely a device with a browser. If you have a device with a browser, then you have a device with a password manager.
Unless you only access that site via public infrastructure like a library, but that might not be infrastructure that you want confidential information to run over, because everybody and the milkman has access to it. And even then, 1Password for example also has an online version that you can access in those cases.
> You missed their point, accessing a website also requires you to have _something_, namely a device with a browser. If you have a device with a browser, then you have a device with a password manager.
My point from the root of this tree was that I do not want to make a shit travel (github asks me to prove identity by mail > gmail asks me to prove my identity by phone > my phone is somewhere else because I am not addicted to it) just to be able to use my github from the web interface. If I can successfully use my bitcoins without any 2fa/totp security theater, then github is just shitting me with no good reason for me and for my helloworlds collection.
Probably just saving cookies solves the problem of the shit travel, but since every few hours' session of browsing makes me store tens of megabytes of cookies with no value to me (except for not getting logged out of github), I usually clear all cookies every time I close my browser.
You are probably not lazy enough ;). I even hate to generate a password for a site. Having to open an authenticator app is too much of a hassle to be worth it for many sites. And it doesn't really make sense if the second factor is available on the same device...
2FA is about _proving_ you have something. For someone else to prove they have that same thing they have to physically steal it from you and possess it at the time of authentication.
The password manager being 'your brain' implies that you have only a handful of passwords... my brain has no way of remembering 1000+ passwords and logins, while I prefer to use random usernames and passwords. Sure, I don't need 2fa for a knitting forum, but I still need something to remember my login and password... try to never re-use either.
I have two categories of passwords. One for knitting forum class, and one for password manager class.
No, it isn't a crisis if someone gets my credentials to the knitting forum, the pics of acorns forum, and the local 'reserve space at the county pool' website... all in one go.
I can just change them all at once, from the letter 'a' to the letter 'b'.
To further support your argument, I'd suggest that requiring a login at all for this class of "service" is bullshit.
I've set the bar pretty low these days for "if you require a login, I go somewhere else" because there are plenty of places that just don't need it in my opinion.
To be honest, I class Twitter as one of those places; I go there to read certain information from specific "outlets" but Twitter, as we all know, has made it very difficult (as with other social sites of this type) to be read-only.
Hell you can literally run TOTP via pen and paper if you want to (though you probably need to compute it a few windows in advance, especially with the hmac_sha1).
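The pen-and-paper idea in the comment above, as an added example that is not part of the original thread: TOTP (RFC 6238) is HOTP (RFC 4226) keyed on the current 30-second step, so codes for future windows can be computed ahead of time. The function names are illustrative and the secret is the published RFC 6238 SHA-1 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 SHA-1 test key ("12345678901234567890") in base32,
# the form an authenticator enrolment page shows. Not a real account secret.
RFC_TEST_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(b32: str) -> bytes:
    """Accept the spaced, lower-case, unpadded base32 that sites display."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


def code_sheet(key: bytes, start: int, windows: int, step: int = 30):
    """Codes for the next `windows` steps: [(window_start_time, code), ...]."""
    first = start // step
    return [((first + i) * step, hotp(key, first + i)) for i in range(windows)]


def verify(key: bytes, submitted: str, now: int, drift: int = 1, step: int = 30) -> bool:
    """Verifier side: accept only codes within +/- `drift` steps of `now`."""
    current = now // step
    ok = False
    for counter in range(max(0, current - drift), current + drift + 1):
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(hotp(key, counter), submitted)
    return ok


if __name__ == "__main__":
    key = decode_secret(RFC_TEST_SECRET)
    for window_start, code in code_sheet(key, start=59, windows=4):
        print(window_start, code)
```

Each precomputed code is only accepted while the verifier's clock is within `drift` steps of that code's window, which is why a hand-computed sheet has to cover the windows around the intended login time.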
My company enforced 2FA on our GSuite accounts and discouraged using SMS for 2FA.
Well, every year a new iPhone comes out, employees buy the new iPhone and factory reset their old phone. Now their 2FA codes are gone.
Only recently Google Authenticator supported backing up to the cloud.
Trying to do 2FA correctly is one thing and trying to make your whole company do it correctly is a whole other challenge...
I don't want to authenticate using something I have, because I won't be able to authenticate if I lose that thing. Phone number is something I legally own and this ownership can be enforced because I can get a new SIM card with the same number using my government ID - something I am rather than I (temporarily) have
In Australia, for example, telcos get punished heavily for delaying ports but don’t get punished for unauthorised ports. This disincentivises telcos to perform any due diligence whatsoever. Up until a few years ago, anyone could walk into a telco and port any random number onto a new sim. These processes are improving, but sim swapping is still trivial.
Not to mention SMS is also an unencrypted medium.
I avoid using my phone number for MFA unless I’m forced into it (which sadly happens quite often).
I can’t speak to USA vs Australia as I don’t know what the process is like in the USA, but this is how Australia works. The regulation originated from good intentions - in the 90s telcos would make it difficult for people to port their number, so ACMA stamped that out by prohibiting the losing telco from denying/delaying a port. It was up to the gaining telco to verify the identity of the owner, which was rarely done. You could just walk into a telco, give them your number, and get it ported to a new phone/sim immediately. I did it plenty of times in the 2000s.
Unfortunately these regulations now hurt the consumer more than they help. Imagine if you could transfer a domain name without a transfer code or confirmation from the owner or current registrar. That’s what phone numbers are like in Australia. I absolutely want my telco to deny a port without my permission, but regulation prevents them from doing this. Instead, I have to rely on every other telco in Australia doing their due diligence if someone tries to port my number. It’s a losing battle because my identity has been leaked several times in the past few years. I have to assume that at any moment my phone number will be ported away by a bad actor.
I believe this is being reformed to require explicit approval from the owner. But this is very late and inferior compared to other countries such as the UK with PAC codes etc.
I live in Australia, and every number port has required me to have the old SIM live, and respond to an SMS token exchange, before the receiver could proceed. Or, present the 3 trick questions and be recorded with the telco desk, and incur liability.
I've done three: Telstra to a now-defunct MVNO, back to Telstra, and now Aldi.
I have never been able to socially engineer the change without either other online proof of possession, or this SMS exchange. Never.
Maybe I just found providers who implemented tighter controls.
I wasn't clear, that I also believe the RATE of sim port attacks in Australia is far, far lower than in the USA. I don't doubt some happen, but I think we have less per head of population. In part, I think the 100 points checks and KYC plays to this.
Isn't the telco contractually required to let me use it? Not sure about the US, but in Germany I think you even have the right to keep your phone number when changing telcos.
I guess it depends on the jurisdiction, but in Europe (at least, France and Italy I'm certain of) the phone number is treated as personal sensitive data[1] and "owned" by the contract owner, not the telco.
You might get pwned by (1) the government, (2) your mobile carrier, or (3) a hacker that can social-engineer your mobile carrier's tech-support (SIM jacking / SIM swap attack).
Yes, that's true, but it's not an argument in favor of authentication based on something I have.
I don't think we can prevent everything, but I at least want there to be some way to undo the damage (things like courts, chargebacks and so on).
I think the argument for something you have is cyber-physical security. No matter how advanced malware is it won't be able to extend a finger through your monitor and tap the capacitive touch sensor of your Yubikey.
Just to warn, social engineering attacks can get SIMs transferred without your involvement. There were some stories about it here somewhere a very long time ago.
Yes, I know - my method isn't perfect. But at the same time I don't want to rely on some "irreversible" purely technical solutions to the complex problem of (human) authentication.
I’m not doing them wrong. They’re a user hostile design. The point of TOTP was just to say “here is an actually good password and a time element to it”. But expecting every user on the planet to carry their TOTP app around was wrong so immediately everyone put it in their password manager and it stopped being a check of whether I had the device.
Then the most common TOTP app, Google Auth, didn’t back up your codes so that was pointless and user hostile. They fixed it but I mean damage done I guess.
I’m not gonna buy a hardware security key and carry it around for casual usage. I absolutely will never ever do that. For work I will because I need to get paid, but for every login? Give me a break. Once again security cannot destroy the user experience.
Here’s the actual right answer. Switch to passkeys and give up on all this poorly thought out junk.
I mean you still benefit from TOTP if it's in your password manager. That still means that if your password is stolen, they can't get in without you being on an authorized device.
Two factor authentication is dumb. It invites poor discipline with reusing passwords and with 500 pound gorilla corps, losing your second factor is losing your account permanently.
Yup — and the standard phone authenticator app pretty much guarantees you'll lose your second factor one day, unless you always upgrade your phone before it breaks.
- Alice is currently reusing passwords, and does not use 2FA. Alice decides to set up 2FA, but keeps reusing passwords. Not ideal, but net improvement.
- Bob is using a password manager, but does not use 2FA. Bob decides to set up 2FA, and sticks to using the password manager for storing password. All good!
- Charlie is using a password manager, but does not use 2FA. Charlie decides to set up 2FA, and afterwards drops the password manager, and starts reusing passwords. Not good.
My guess is the Alice and Bob cases would be the majority. Do you think the Charlie cases would also be common?
None of this is true. It doesn't encourage password reuse but it does protect against it. I've also never found a single site that wouldn't let me reset MFA, even if the support process was painful and slow.
FWIW, password reuse with MFA is not actually that much of a problem any more. Neither is rotation (which was shown to be a net negative). There's a whole set of NIST guidelines on the topic.
> I've also never found a single site that wouldn't let me reset MFA, even if the support process was painful and slow.
It's pretty common to read about people fully losing access to their Google accounts and often only regaining it by using internal contacts at the company (or being shit out of luck). I don't think even supporters of 2FA can discount how difficult (or impossible) it can be to regain access to 2FA accounts for certain providers.