907
MFA (lemmy.world)
top 50 comments
sorted by: hot top controversial new old
[-] cooopsspace@infosec.pub 167 points 7 months ago* (last edited 7 months ago)

SMS: Here is your 30s "MFA" code, I'll send it to you 40 minutes after you need it.

SMS isn't 2FA. Its 1.5FA.

[-] KairuByte@lemmy.dbzer0.com 90 points 7 months ago

SMS isn’t even secure. Mitm, social engineering, straight up theft, and more are all ways around it. It should never have been implemented, but especially not when totp exists.

[-] Opisek@lemmy.world 50 points 7 months ago

What I despise most in when SMS is not just optional but forced upon me as "backup" to TOTP. "Lost your authenticator app? Send an SMS instead." How about no?

[-] KairuByte@lemmy.dbzer0.com 10 points 7 months ago

I don’t believe I’ve run into that, but yeah it completely misses the point of totp. Hell, I’d prefer a lockout over SMS backup in most cases, my totp authentication has multiple encrypted backups.

[-] lorkano@lemmy.world 8 points 7 months ago

Especially because you can just backup authenticator to the pendrive in encrypted form. I don't care I loose my phone, that's exactly the reason authenticator is better.

[-] JasonDJ@lemmy.zip 16 points 7 months ago* (last edited 7 months ago)

Dude.

My wife's phone started acting up the other day. It would keep losing cell service and even when it showed a signal, it still would only work on wifi.

That happened a few hours after I ported my phone number (on the same family plan) to another carrier. So naturally, I thought the issue was with the carrier.

Since I planned on porting her number out to my new carrier anyway, I didn't want to troubleshoot.

Well, get to the new carrier and it's still not working. Go through the whole process of resetting network settings, and then eventually deleting the esim.

New carrier, though, needs you to receive a text message before they send the esim.

Naturally, with the esim deleted, it couldn't receive text messages.

Her issue did end up being her phone. Even after the port went through in full, it was still hit-or-miss with cell service. Worked on wifi though.

[-] datelmd5sum@lemmy.world 13 points 7 months ago

I've heard people in the US still use SMS to communicate with eachother. Fucking crazy.

[-] Crashumbc@lemmy.world 23 points 7 months ago* (last edited 7 months ago)

Inertia and ease of use are powerful.

SMS "just works" and works for everyone here.

While I would like the new fancy features. At least RCS is bringing some and is seamlessly integrated.

Bonus I have 10+ years of txt history and can scroll/search to find something. And since my phone is Google (I know evil) I can access it all from the desktop seamlessly in one window.

[-] mexicancartel@lemmy.dbzer0.com 5 points 7 months ago

Sms just works everywhere though

[-] JasonDJ@lemmy.zip 22 points 7 months ago

Only when iPhone users need to send a message to literally anyone else.

[-] Swedneck@discuss.tchncs.de 8 points 7 months ago

uhhh that's not some unique american thing lol, that's how people here in sweden communicate too

Barely anyone cares what specific protocol is being used, they just care about what app they have to use and who they can reach, and if anyone isn't using a normal sms app they're generally using facebook messenger or imessages both of which support sms fallback and thus their users don't even know there's a difference half the time.

load more comments (1 replies)
load more comments (3 replies)
[-] slazer2au@lemmy.world 130 points 7 months ago

At least it isn't email or SMS MFA.

[-] wreckedcarzz@lemmy.world 40 points 7 months ago* (last edited 7 months ago)

Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let's try 2FA. Get seed, generate code, go to setup verification page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS

(only factor authentication)

[-] drolex@sopuli.xyz 15 points 7 months ago

Nothing compared to BOFA, which is arguably even worse and a lot more stupid

[-] grue@lemmy.world 27 points 7 months ago

For those who don't know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.

[-] Natanael@slrpnk.net 9 points 7 months ago* (last edited 7 months ago)

Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself

I use Keepass2Android and it's own keyboard app for this. I switch active keyboard app when the login field shows up to paste and then switch back to my normal keyboard after

load more comments (4 replies)
[-] mutter9355@discuss.tchncs.de 22 points 7 months ago

What's BOFA? (Apart from BOFA deez nuts)

[-] drolex@sopuli.xyz 6 points 7 months ago

Aw you're too good. Can't you even let your guard down a little? I need this.

[-] possiblylinux127@lemmy.zip 7 points 7 months ago* (last edited 7 months ago)

My bank requires SMS mfa

Admittedly I kind of see why

[-] KairuByte@lemmy.dbzer0.com 4 points 7 months ago

Why?

Totp is easier, cheaper, and more secure. It makes no sense to go with SMS.

[-] possiblylinux127@lemmy.zip 4 points 7 months ago* (last edited 7 months ago)

For one that requires more training and support. However I think the biggest reason is that it is predictable and requires access to the device. You also can't steal a phone number as easily as stealing poorly secured keys

[-] KairuByte@lemmy.dbzer0.com 5 points 7 months ago

Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.

Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.

Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.

load more comments (3 replies)
load more comments (4 replies)
[-] Limonene@lemmy.world 58 points 7 months ago

I agree with this sentiment. Steam notably falls into the third category, while otherwise being pretty good.

But I'm quite disgusted now seeing an image of a Yubikey for the first time. I've heard so many good things about them that it's a major disappointment to see now that they use that awful noncomplaint shape of USB plug.

There are two very important reasons for the metal shield around USB plugs: 1. For ESD protection, and 2. to hold the receptacle's tongue in place and prevent it from bending away and losing contact. Every USB device I've owned that was a flat plug (like this Yubikey image in this post) has within a month deformed the USB receptacle it's plugged into to the point that the device no longer works in that port. Compliant USB devices still work in that port's deformed receptacle, because they have a correct metal shield that bends the tongue back into the correct position.

[-] alvvayson@lemmy.world 64 points 7 months ago

Yubikey also has usb-c versions with compliant plugs.

[-] bus_factor@lemmy.world 40 points 7 months ago

YubiKeys have almost every imaginable form factor these days. Here's the USB-C version without NFC:

YubiKey 5C

[-] flames5123@lemmy.world 9 points 7 months ago

Yeah I have an even smaller USB-C one. It sticks out less than 0.5cm from the port.

[-] Nyfure@kbin.social 31 points 7 months ago

No problems with yubikeys or the receptacle they are plugged into yet.. no idea what you do while these sticks are plugged in.. doesnt seem like a major concern per the reviews

[-] 018118055@sopuli.xyz 22 points 7 months ago* (last edited 7 months ago)

I've had my ubikey fido2 token knocking around on my keychain for about 7 years now. Scratched and beaten, works perfectly and never had a port damaged, it doesn't put enough pressure on it.

[-] anyhow2503@lemmy.world 16 points 7 months ago

It is kind of annoying that Steam doesn't enable the usage of third-party OTP apps. To be fair, when they first implemented the feature, that wasn't widely used and plenty of websites only enabled the use of one specific OTP app like Authy or Google Authenticator. They recently added a QR code login feature, which makes sense, but that still shouldn't stop them from enabling MFA via third party OTP apps.

[-] lemann@lemmy.dbzer0.com 6 points 7 months ago

Some third party apps allow you to import your Steam OTP, such as Gnome Authenticator

However to obtain it in the first place you need to either use SteamDesktopAuthenticator (GitHub), an android emulator on your PC, or a rooted device to export your key...

[-] jet@hackertalks.com 5 points 7 months ago* (last edited 7 months ago)

Thanks for mentioning this! I had no idea

https://bitwarden.com/help/authenticator-keys/#steam-guard-totps

I've always hated that I don't have two factor on my steam account, because of that proprietary app requirement.

Thankfully bitwarden supports it!

load more comments (1 replies)
[-] vox@sopuli.xyz 12 points 7 months ago

iirc it's possible to somehow export the secret key used by steams 2fa

[-] KairuByte@lemmy.dbzer0.com 5 points 7 months ago* (last edited 7 months ago)

It absolutely is, the issue is that most mfa apps spit out 6 character outputs, while Steam requires 5. They’d need to implement the alternative algorithm, but 1password for instance flat out refuses since it’s non standard.

load more comments (1 replies)
[-] cafeinux@infosec.pub 7 points 7 months ago* (last edited 7 months ago)

It is actually possible to use Aegis for Steam, that's what I do. It's a pain to setup if you're not rooted (I think you need to use an Android emulator on a computer and then export the Aegis DB to reimport it on your mobile IIRC) but it's possible. Look at https://github.com/beemdevelopment/Aegis/wiki/Adding-Steam-to-Aegis-from-Steam-Desktop-Authenticator Steam is still very welcome to go fuck themselves with their shitty app, though.

[-] KillingTimeItself@lemmy.dbzer0.com 6 points 7 months ago

can we please make shitty MFA illegal? Where is the EU and the US government when you need them.

[-] jet@hackertalks.com 5 points 7 months ago

I think the good people at yubikey want to provide people with every possible form factor, for whatever is convenient for them.

If your organization issued you a yubikey, but you don't like the form factor, I'm sure you could purchase your own and have them add it instead.

You can also use a USB extension cable, to add a bunch of flexibility between your yubi key and your computer, especially if you leave it always attached. That would remove the lever problem you mentioned

[-] gedaliyah@lemmy.world 29 points 7 months ago

Uuuuugh. I just had this problem after dropping my phone. Can't log into the phone without the phone being logged in. Solution: disable 2fa on a logged in device. If I can disable it from another device why can't I verify it from another device? This is so broken!

[-] KillingTimeItself@lemmy.dbzer0.com 27 points 7 months ago

my favorite instance of google MFA was when i went to log into my google account for some reason. Google hit me with the MFA, cool whatever, i'll MFA, google does the usual "heres how we do it because we give you no options because fuck you" and im like, cool, ok just gotta wait for this to work.

And then it proceeds to not work, at all. Thanks google, very cool. Fortunately, i had a secondary auth app setup so i used that, and it worked, weird how that works huh? BTW, it wasn't sms, it's googles integrated android MFA service, which as far as i can tell, is literally a fucking requirement to using MFA.

Also, i remembered again, that logging into my google account, automatically logs me into every google account i have. Yknow, because security. Anybody know how to disable that one btw? Google seems to be an endless labyrinth of options everytime i try and do something with it so.

[-] intensely_human@lemm.ee 8 points 7 months ago

logging into one google account does not log me into all my google accounts, as far as I know

[-] BluesF@lemmy.world 18 points 7 months ago

At work usually I can login without any input thanks to SSO, but occasionally it will ask for a security check. The default is to press a notification in outlook on my work phone, which I only ever use when travelling, so it's invariably off... 🙄

load more comments (1 replies)
[-] AngryCommieKender@lemmy.world 13 points 7 months ago

My brain needs to boot faster. Took me far too long to figure out that wasn't Mother Fucking Authentication, and was instead more likely Multi-Factor

load more comments (1 replies)
[-] pineapplelover@lemm.ee 8 points 7 months ago

Fuck Duo authenticator and its proprietary ass shit

[-] burgers@toast.ooo 5 points 7 months ago

im definitely an idiot but i couldn't figure out at all how to make a yubikey work with a keepass database on android

[-] 2xsaiko@discuss.tchncs.de 6 points 7 months ago

Yubikey is only really useful for authentication with a trusted party, and not decryption. You can technically use store a secret key on it but then its two biggest advantages are gone, namely that you can't copy the key and that it doesn't use the limited storage on the device.

load more comments (10 replies)
load more comments (6 replies)
load more comments
view more: next ›
this post was submitted on 03 Apr 2024
907 points (96.1% liked)

Mildly Infuriating

35459 readers
723 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.


Rules:

1. Be Respectful


Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...


2. No Illegal Content


Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...


3. No Spam


Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...


4. No Porn/ExplicitContent


-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...


5. No Enciting Harassment,Brigading, Doxxing or Witch Hunts


-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...


6. NSFW should be behind NSFW tags.


-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...


7. Content should match the theme of this community.


-Content should be Mildly infuriating.

-At this time we permit content that is infuriating until an infuriating community is made available.

...


8. Reposting of Reddit content is permitted, try to credit the OC.


-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

...


Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense


Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 1 year ago
MODERATORS