907
MFA (lemmy.world)
you are viewing a single comment's thread
view the rest of the comments
[-] slazer2au@lemmy.world 130 points 7 months ago

At least it isn't email or SMS MFA.

[-] wreckedcarzz@lemmy.world 40 points 7 months ago* (last edited 7 months ago)

Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let's try 2FA. Get seed, generate code, go to setup verification page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS

(only factor authentication)

[-] drolex@sopuli.xyz 15 points 7 months ago

Nothing compared to BOFA, which is arguably even worse and a lot more stupid

[-] grue@lemmy.world 27 points 7 months ago

For those who don't know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.

[-] Natanael@slrpnk.net 9 points 7 months ago* (last edited 7 months ago)

Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself

I use Keepass2Android and it's own keyboard app for this. I switch active keyboard app when the login field shows up to paste and then switch back to my normal keyboard after

[-] Jimmycakes@lemmy.world 2 points 7 months ago

Dashlane has no problems filling out my bofa passwords on android

[-] grue@lemmy.world 1 points 7 months ago

Good for them, but there's no way in Hell I'd trust a proprietary, cloud-hosted password manager.

[-] Fosheze@lemmy.world 2 points 7 months ago

Thank you for clarifying because I was expecting a "BOFA dez nutz" joke.

[-] mutter9355@discuss.tchncs.de 22 points 7 months ago

What's BOFA? (Apart from BOFA deez nuts)

[-] einlander@lemmy.world 10 points 7 months ago
[-] randint@lemmy.frozeninferno.xyz 3 points 7 months ago

I thought it meant Bank Of Fucking America

[-] drolex@sopuli.xyz 6 points 7 months ago

Aw you're too good. Can't you even let your guard down a little? I need this.

[-] possiblylinux127@lemmy.zip 7 points 7 months ago* (last edited 7 months ago)

My bank requires SMS mfa

Admittedly I kind of see why

[-] KairuByte@lemmy.dbzer0.com 4 points 7 months ago

Why?

Totp is easier, cheaper, and more secure. It makes no sense to go with SMS.

[-] possiblylinux127@lemmy.zip 4 points 7 months ago* (last edited 7 months ago)

For one that requires more training and support. However I think the biggest reason is that it is predictable and requires access to the device. You also can't steal a phone number as easily as stealing poorly secured keys

[-] KairuByte@lemmy.dbzer0.com 5 points 7 months ago

Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.

Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.

Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.

[-] areyouevenreal@lemm.ee 0 points 7 months ago

The issue being what do you do when your phone gets stolen? You can get a new SIM with the same number easily. What's the solution for TOTP?

[-] KairuByte@lemmy.dbzer0.com 1 points 7 months ago

You’re misunderstanding. Totp apps require authentication to use them, be it a password or bio-authentication. SMS does not, it just requires the phone number.

You can get the phone number through any number of ways, but it can be done remotely meaning no one ever interacts with you or your phone. Through various methods, they have your phone number transferred to a different phone, and then have the SMS sent directly to them.

Totp apps (typically) have a backup system in place. 1password as an example, uses their servers to host the data. But you can also back that up. The chances of someone gaining unauthorized access to your Totp account comes down to your security, and which service is chosen. 1password again as an example, is fully encrypted, they can’t see your passwords, if you forget your security token, the only solution is to wipe the entire password store and start again.

The difference in security is mountainous. It’s the difference between a single family home, and a bank vault.

[-] areyouevenreal@lemm.ee 0 points 7 months ago

Yes and muggers ask you for your phone pin. Ask me how I know. I am guessing this is why you need a separate password when using 2FA

I see now that there is a backup in place for losing a phone. That's primarily what I was concerned about.

[-] viking@infosec.pub 4 points 7 months ago

My bank has its own authenticator app, which doesn't work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).

[-] possiblylinux127@lemmy.zip 3 points 7 months ago

I would change banks. Stuff like this is a reminder why letting government run such services is a bad idea. (I'm sure your bank isn't state owned but still)

[-] viking@infosec.pub 4 points 7 months ago

I can't, live abroad and no bank I contacted would open accounts for non-residents.

I have other accounts where I live, but all my investments and major holdings are sent back home.

[-] possiblylinux127@lemmy.zip 3 points 7 months ago

Oh, well that's a tough situation.

this post was submitted on 03 Apr 2024
907 points (96.1% liked)

Mildly Infuriating

35459 readers
723 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.


Rules:

1. Be Respectful


Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...


2. No Illegal Content


Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...


3. No Spam


Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...


4. No Porn/ExplicitContent


-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...


5. No Enciting Harassment,Brigading, Doxxing or Witch Hunts


-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...


6. NSFW should be behind NSFW tags.


-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...


7. Content should match the theme of this community.


-Content should be Mildly infuriating.

-At this time we permit content that is infuriating until an infuriating community is made available.

...


8. Reposting of Reddit content is permitted, try to credit the OC.


-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

...


Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense


Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 1 year ago
MODERATORS