
MFA

964 likes

Submitted 1 year ago by alyth@lemmy.world to mildlyinfuriating@lemmy.world

https://lemmy.world/pictrs/image/d1de918f-dfbe-4601-852b-b92baa22cff7.jpeg


Comments

  • cooopsspace@infosec.pub 1 year ago

    SMS: Here is your 30s “MFA” code, I’ll send it to you 40 minutes after you need it.

    • KairuByte@lemmy.dbzer0.com 1 year ago

      SMS isn’t even secure. MITM, social engineering, straight-up theft, and more are all ways around it. It should never have been implemented, but especially not when TOTP exists.

      • Opisek@lemmy.world 1 year ago

        What I despise most is when SMS is not just optional but forced upon me as a “backup” to TOTP. “Lost your authenticator app? Send an SMS instead.” How about no?

    • JasonDJ@lemmy.zip 1 year ago

      Dude.

      My wife’s phone started acting up the other day. It would keep losing cell service and even when it showed a signal, it still would only work on wifi.

      That happened a few hours after I ported my phone number (on the same family plan) to another carrier. So naturally, I thought the issue was with the carrier.

      Since I planned on porting her number out to my new carrier anyway, I didn’t want to troubleshoot.

      Well, get to the new carrier and it’s still not working. Go through the whole process of resetting network settings, and then eventually deleting the esim.

      New carrier, though, needs you to receive a text message before they send the esim.

      Naturally, with the esim deleted, it couldn’t receive text messages.

    • datelmd5sum@lemmy.world 1 year ago

      I’ve heard people in the US still use SMS to communicate with each other. Fucking crazy.

      • Crashumbc@lemmy.world 1 year ago

        Inertia and ease of use are powerful.

        SMS “just works” and works for everyone here.

        While I would like the new fancy features, at least RCS is bringing some and is seamlessly integrated.

        Bonus I have 10+ years of txt history and can scroll/search to find something.

      • JasonDJ@lemmy.zip 1 year ago

        Only when iPhone users need to send a message to literally anyone else.

      • Swedneck@discuss.tchncs.de 1 year ago

        Uhhh, that’s not some unique American thing lol, that’s how people here in Sweden communicate too.

        Barely anyone cares what specific protocol is being used; they just care about what app they have to use and who they can reach, and if anyone isn’t using a normal SMS app they’re generally using Facebook Messenger or iMessage, both of which support SMS fallback, and thus their users don’t even know there’s a difference half the time.

      • rickyrigatoni@lemm.ee 1 year ago

        Why not?

      • jnk@sh.itjust.works 1 year ago

        Blame Apple for that. iPhone has this proprietary messaging app pre-installed which is probably super convenient for the ecosystem but uses some obsolete SMS protocol to communicate with Android phones. I think recently this has gotten better, but only because of Beeper and the EU pressing on them.

    • MeanEYE@lemmy.world 1 year ago

      SMS is good enough. Sure, it’s not as good as an authenticator or some other MFA method, but it’s good enough. The chances of my random account hiding something worth subverting a cell operator to get the SMS and my password are slim to none. At that point, don’t upload anything worth that much.

    • Crashumbc@lemmy.world 1 year ago

      Buy a real phone service. I don’t ever remember missing a code.

      • cooopsspace@infosec.pub 1 year ago

        It’s overwhelmingly whatever provider they use for SMS, or some sort of anti spam checking.

        My phone has reception the whole time.

  • slazer2au@lemmy.world 1 year ago

    At least it isn’t email or SMS MFA.

    • wreckedcarzz@lemmy.world 1 year ago

      Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 chars with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let’s try 2FA. Get seed, generate code, go to page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS

      (only factor authentication)

      • drolex@sopuli.xyz 1 year ago

        Nothing compared to BOFA, which is arguably even worse and a lot more stupid

    • possiblylinux127@lemmy.zip 1 year ago

      My bank requires SMS MFA.

      • KairuByte@lemmy.dbzer0.com 1 year ago

        Why?

        TOTP is easier, cheaper, and more secure. It makes no sense to go with SMS.

      • viking@infosec.pub 1 year ago

        My bank has its own authenticator app, which doesn’t work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).

  • Limonene@lemmy.world 1 year ago

    I agree with this sentiment. Steam notably falls into the third category, while otherwise being pretty good.

    But I’m quite disgusted now seeing an image of a YubiKey for the first time. I’ve heard so many good things about them that it’s a major disappointment to see now that they use that awful noncompliant shape of USB plug.

    There are two very important reasons for the metal shield around USB plugs: 1. For ESD protection, and 2. to hold the receptacle’s tongue in place and prevent it from bending away and losing contact. Every USB device I’ve owned that was a flat plug (like this Yubikey image in this post) has within a month deformed the USB receptacle it’s plugged into to the point that the device no longer works in that port. Compliant USB devices still work in that port’s deformed receptacle, because they have a correct metal shield that bends the tongue back into the correct position.

    • alvvayson@lemmy.world 1 year ago

      YubiKey also has USB-C versions with compliant plugs.

    • bus_factor@lemmy.world 1 year ago

      YubiKeys have almost every imaginable form factor these days. Here’s the USB-C version without NFC:

      YubiKey 5C

      • flames5123@lemmy.world 1 year ago

        Yeah I have an even smaller USB-C one. It sticks out less than 0.5cm from the port.

    • Nyfure@kbin.social 1 year ago

      No problems with YubiKeys or the receptacle they are plugged into yet... no idea what you do while these sticks are plugged in... doesn’t seem like a major concern per the reviews.

    • 018118055@sopuli.xyz 1 year ago

      I’ve had my YubiKey FIDO2 token knocking around on my keychain for about 7 years now. Scratched and beaten, not bent, and works perfectly.

    • anyhow2503@lemmy.world 1 year ago

      It is kind of annoying that Steam doesn’t enable the usage of third-party OTP apps. To be fair, when they first implemented the feature, that wasn’t widely used and plenty of websites only enabled the use of one specific OTP app like Authy or Google Authenticator. They recently added a QR code login feature, which makes sense, but that still shouldn’t stop them from enabling MFA via third party OTP apps.

      • lemann@lemmy.dbzer0.com 1 year ago

        Some third-party apps allow you to import your Steam OTP, such as GNOME Authenticator.

        However, to obtain it in the first place you need to either use SteamDesktopAuthenticator (GitHub), an Android emulator on your PC, or a rooted device to export your key…

    • vox@sopuli.xyz 1 year ago

      IIRC it’s possible to somehow export the secret key used by Steam’s 2FA.

      • KairuByte@lemmy.dbzer0.com 1 year ago

        It absolutely is; the issue is that most MFA apps spit out 6-character outputs, while Steam requires 5.

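Why a generic six-digit authenticator cannot simply be pointed at an exported Steam secret: both schemes start from the same HMAC-SHA1 and RFC 4226 dynamic truncation, but Steam re-encodes the truncated value as five symbols from a 26-character alphabet instead of reducing it mod 10^6. The Python below is an added example written for this thread, not Steam's or any authenticator app's code; it assumes the Steam Guard encoding as documented by the open-source authenticator projects mentioned above, and uses the RFC 6238 test-vector key as a constructed secret (a real Steam shared secret is a base64 value exported from the app).

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector key (ASCII "12345678901234567890").
# It is NOT a real Steam shared secret.
DEMO_SECRET = b"12345678901234567890"

# Steam's five-symbol alphabet: digits and letters unlikely to be confused with each other.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"
TIME_STEP = 30  # both schemes use a 30-second window


def _truncated_hmac(secret: bytes, unix_time: int) -> int:
    """Shared front half of both schemes: HMAC-SHA1 over the big-endian 30s
    counter, then RFC 4226 dynamic truncation to a 31-bit integer."""
    counter = unix_time // TIME_STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_rfc6238(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """What a standard authenticator app shows: the 31-bit value mod 10^digits, zero-padded."""
    return str(_truncated_hmac(secret, unix_time) % (10 ** digits)).zfill(digits)


def steam_guard_code(secret: bytes, unix_time: int) -> str:
    """What the Steam app shows: the same 31-bit value re-encoded least-significant
    symbol first, five base-26 digits drawn from STEAM_ALPHABET."""
    value = _truncated_hmac(secret, unix_time)
    symbols = []
    for _ in range(5):
        symbols.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(symbols)


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector timestamp (counter = 1)
    print("standard 6-digit TOTP:", totp_rfc6238(DEMO_SECRET, t))   # 287082
    print("Steam 5-char code:    ", steam_guard_code(DEMO_SECRET, t))  # PV9M4
```

The two functions share every step up to the truncated integer, which is why apps such as Aegis can support Steam with only an encoding switch once they hold the secret; an app that lacks that switch will display a correct RFC 6238 code that Steam will never accept.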
    • cafeinux@infosec.pub 1 year ago

      It is actually possible to use Aegis for Steam; that’s what I do. It’s a pain to set up if you’re not rooted (I think you need to use an Android emulator on a computer IIRC) but it’s possible. Look at https://github.com/beemdevelopment/Aegis/wiki/Adding-Steam-to-Aegis-from-Steam-Desktop-Authenticator. Steam is still very welcome to go fuck themselves with their shitty app, though.

      • KillingTimeItself@lemmy.dbzer0.com 1 year ago

        Can we please make shitty MFA illegal? Where are the EU and the US government when you need them?

  • gedaliyah@lemmy.world 1 year ago

    Uuuuugh. I just had this problem after dropping my phone. Can’t log into the phone without the phone being logged in. Solution: disable 2FA on a logged-in device. If I can disable it from another device, why can’t I verify it from another device? This is so broken!

  • KillingTimeItself@lemmy.dbzer0.com 1 year ago

    My favorite instance of Google MFA was when I went to log into my Google account for some reason. Google hit me with the MFA, cool, whatever, I’ll MFA. Google does the usual “here’s how we do it because we give you no options because fuck you” and I’m like, cool, ok, just gotta wait for this to work.

    And then it proceeds to not work, at all. Thanks Google, very cool. Fortunately, I had a secondary auth app set up, so I used that, and it worked, weird how that works huh? BTW, it wasn’t SMS, it’s Google’s integrated Android MFA service, which as far as I can tell is literally a fucking requirement to using MFA.

    Also, I remembered again that logging into my Google account automatically logs me into every Google account I have. Y’know, because security. Anybody know how to disable that one btw? Google seems to be an endless labyrinth of options every time I try and do something with it.

  • Thrydwulf@lemmy.today 1 year ago

    Wait, can you eli5 why multifactor authentication (MFA) (and maybe also 2-factor authentication apps) is “fuck off” levels?

    Is it privacy concerns, or something bigger like more points of failure for overall security? Or smaller, like not everyone has/wants a smartphone?

    • FrostyPolicy@suppo.fi 1 year ago

      If I read it correctly, the “fuck off” level refers to some proprietary app for the selected login. The other two are a standard code app and a YubiKey.

      • jodanlime@midwest.social 1 year ago

        This is also how I read the meme. Codes are fine, tokens are fine. Your proprietary spyware app is NOT fine (Microsoft) and I hope you get fucked.

      • cm0002@lemmy.world 1 year ago

        I was reading it as “it never fucking works right” LMAO

    • Bezier@suppo.fi 1 year ago

      I already have an authenticator app. If some service wants to force me to install their own app for their login, they are indeed welcome to fuck off.

    • cley_faye@lemmy.world 1 year ago

      Standard authenticators (software or hardware) are, well, standard. You can pick anything compliant and use it with any compliant service. Requiring a specific app means that you have to install yet another app, which may or may not be well made, may or may not snoop on you, and usually will only work with one service, assuming you have a compatible device to run it on to begin with.

      It’s more than an inconvenience; not insurmountable, but way more work than just having a standard thing that works perfectly well and is based on known and proven algorithms.

  • BluesF@lemmy.world 1 year ago

    At work I can usually log in without any input thanks to SSO, but occasionally it will ask for a security check. The default is to press a notification in Outlook on my work phone, which I only ever use when travelling, so it’s invariably off… 🙄

    • walden@sub.wetshaving.social 1 year ago

      My work has something similar, but I can change the default.

  • AngryCommieKender@lemmy.world 1 year ago

    My brain needs to boot faster. Took me far too long to figure out that wasn’t Mother Fucking Authentication, and was instead more likely Multi-Factor.

    • krondo@lemmy.world 1 year ago

      You are doing God’s work, sir!

  • Hotzilla@sopuli.xyz 1 year ago

    Sorry, as an IT person I have to disagree; app-based MFA is just way easier to maintain than HW keys.

    • FiniteBanjo@lemmy.today 1 year ago

      If you want to install software on my personal device with elevated privileges, then I’ll just use a different service than your shitty, low-effort-maintained trash.

      • Hotzilla@sopuli.xyz 1 year ago

        Company device, of course. Like I mentioned, in IT I want nothing to do with users’ personal phones.

    • mypasswordis1234@lemmy.world 1 year ago

      Re-writing a 6-digit code is easier than tapping a USB device?

      • bus_factor@lemmy.world 1 year ago

        They’re talking about operationally. They don’t want to configure and distribute a bajillion dongles to users.

      • derpgon@programming.dev 1 year ago

        Open an app, find the one number for your specific app among the bajillion you have, oh the timer is almost out and you forgot halfway through, tap back in the app, oh the fucking app scroll all the way to the top again.

      • HeavyDogFeet@lemmy.world 1 year ago

        Oftentimes, yes. I don’t want to always have to have a USB key on me, but I always have access to MFA apps via my phone, watch, or laptop. I have no idea why you’re typing the code out instead of copying and pasting.

      • daq@lemmy.sdf.org 1 year ago

        Pretty sure he’s talking about mfa that just asks for confirmation whether that’s you logging in on the phone. No typing required.

    • MSids@lemmy.world 1 year ago

      App-based TOTP is not phishing resistant and does not require any level of proximity to the login session. The future is more likely passkeys that use device TPMs.

      • Hotzilla@sopuli.xyz 1 year ago

        A simple challenge number handles that; for example, Azure AD MFA forces that today.

  • pineapplelover@lemm.ee 1 year ago

    Fuck Duo authenticator and its proprietary ass shit

  • burgers@toast.ooo 1 year ago

    I’m definitely an idiot, but I couldn’t figure out at all how to make a YubiKey work with a KeePass database on Android.

    • 2xsaiko@discuss.tchncs.de 1 year ago

      A YubiKey is only really useful for authentication with a trusted party, and not decryption. You can technically store a secret key on it, but then its two biggest advantages are gone, namely that you can’t copy the key and that it doesn’t use the limited storage on the device.

      • cley_faye@lemmy.world 1 year ago

        The YubiKey can perform an HMAC using a secret (supposedly) only available to the key’s internals. This is used in addition to the password, so that knowledge of the password without the key, or the key without knowledge of the password, can’t be used to decrypt the database. It’s kind of a half second factor (I know it’s not technically correct to call it that, but I hope you get the idea).

        It’s also in their docs (that they use challenge/response): keepassxc.org/docs/ and is even featured on Yubico’s website, which is somewhat weird but why not: www.yubico.com/works-with-yubikey/…/keepassxc/#te…

        The issue GP had is probably that the KeePass app does not support it on Android.

    • hungprocess@lemmy.sdf.org 1 year ago

      This works for me on KeePassXC, and it looks like Yubico has instructions for the original KeePass.

  • warm@kbin.earth 1 year ago

    Passkeys gonna fix all this bullshit.

    • LodeMike@lemmy.today 1 year ago

      No they fucking won’t. You know that websites are going to be massive throbbing cocks about it.

      “Due to security issues, passkeys for our service must be kept in <Company name>® Secure Passkey App™.”

      • baronvonj@lemmy.world 1 year ago

        “Your device has been rooted and therefore cannot be supported.”

      • warm@kbin.earth 1 year ago

        Fair enough!

      • suzune@ani.social 1 year ago

        Passkeys are an open standard. You need to install a WebAuthn-compliant supplicant that talks to the browser. The supplicant can be anything, as long as it does the required protocol. The browser doesn’t care.

        At the moment the browsers are the main problem. They need to open their APIs properly.

      • rickyrigatoni@lemm.ee 1 year ago

        Please make your device insecure to give your account the illusion of security.

  • possiblylinux127@lemmy.zip 1 year ago

    Agreed

  • nickwitha_k@lemmy.sdf.org 1 year ago

    MFML.
