this post was submitted on 27 Sep 2023
116 points (100.0% liked)


This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don't follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don't offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know why not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc. for other options but at least give the user a choice of something besides an insecure method like SMS.

top 22 comments
[–] 8bitguy@kbin.social 35 points 1 year ago

As someone who has had to walk the "I don't do computers" public through basic things over the phone, I can confirm that yes, a lot of people are way too lazy to learn anything new. They will instead call the support folks and blast some poor person just trying to deal with their day. Call center volume goes up anytime any barrier is added. Agreed though, SMS OTP is constantly becoming less effective. Email OTP is somewhat pointless.

[–] digdilem@lemmy.ml 25 points 1 year ago* (last edited 1 year ago) (2 children)

Here's one that annoyed me this week. Juniper - the enterprise router people - require you to have an account to do their training. That's a web account that won't let you use more than 20 chars in your password, and won't let you paste a password.

Not 2fa, I'll grant you, but it's from the same bucket of dumb insecure shit that you're talking about.

[–] kill_dash_nine@lemm.ee 21 points 1 year ago (1 children)

The fields where you can’t paste a password or any other types of data like credit card info absolutely kill me. It’s doing the exact opposite of adding any level of security and it’s just infuriating.

My favorite recently is my company has TOTP 2FA but you can’t paste the 6 digits. You have to type in one digit at a time, each being its own box. Paste fails in every browser I’ve tried. It’s just a shitty user interface.

[–] DeltaTangoLima@reddrefuge.com 5 points 1 year ago* (last edited 1 year ago)

I hate all of these things so much. Like somehow my clipboard (which any halfway decent password manager either doesn't use, or scrubs clean after use) is the weak link in the security chain.

I'll go one better to @digdilem@lemmy.ml's example: I once created an account on a "security" vendor's website (quoted, because they acquired security products, rather than developing them) that limited passwords to 12 characters. They didn't tell you - they just shortened it before (presumably) storing the hash.

Fun and fucking games trying to logon each time, when your password manager has stored the random 16 char password you thought you were setting.

[–] Rai@lemmy.dbzer0.com 2 points 1 year ago

ThisismyJuniperpass!

[–] library_napper@monyet.cc 25 points 1 year ago (1 children)

Yeah, they just want your phone number.

It's against our company policy to let users do 2FA over SMS. Only secure options are allowed.

[–] DarkwinDuck@feddit.de 14 points 1 year ago (1 children)

Yeah, this is something many people seem to not understand.

SMS is not secure. The best option is something with FIDO2 or similar.

[–] library_napper@monyet.cc 9 points 1 year ago

TOTP is fine. The point is that the OTP shouldn't be sent to you. It should be generated on both sides independently.

[–] OsrsNeedsF2P@lemmy.ml 23 points 1 year ago

Because our requirements come from a different business unit that has no understanding of their task, only a checklist of features that need to be implemented. "2FA" is one of those things, and we're tasked to take the easiest route possible.

[–] maporita@unilem.org 14 points 1 year ago (1 children)

I can't answer your question but it's particularly annoying for me because I travel a lot for work. Sending me an SMS message when I'm in the middle of Africa isn't going to work. (In fact I found a way to make it work by enabling wifi calling with my US cell provider... but I shouldn't have to jump through hoops to verify my identity)

[–] kill_dash_nine@lemm.ee 4 points 1 year ago

I also used to run into this when flying for work. I would have paid for wifi on a plane flight but my mobile device wasn't able to get their text or push notification because I only paid for my laptop to have wifi. Used to drive me crazy and then I just stopped working while on flights because of dumb policies.

[–] JokeDeity@lemm.ee 10 points 1 year ago

I understand why people want 2FA, but I'm just not that worried about it and wish it was a choice. I am so fucking tired of pulling my phone out every single time I want to use certain applications on my computer. I don't care if these accounts get hacked, frankly, I have no money invested in them, so let me just choose to be risky for convenience sake.

[–] philluminati@lemmy.ml 9 points 1 year ago* (last edited 1 year ago)

I think it’s because TOTP requires some sort of initial token sync that is more complicated than entering a telephone number. There’s also no need to have people back up codes etc. To use Authy for example I need to photograph a QR code and have a smartphone.

Text message as a solution works on older non-smart phones so it’s possibly the “most widely accessible” solution.

From a backend perspective as well it’s just an API text $random to $phone.

[–] lennier@kbin.social 7 points 1 year ago

Some companies' main users that they want to protect are customers who consider security to be having one shared password written on the noticeboard in the office. Sadly, SMS is just an easier sell to a lot of users, and even getting them to do that can be a nightmare.

As for why proper TOTP isn't supported as well... the cynic in me gives you the answer "the auditor required we implement 2fa, we have implemented sms 2fa, now go implement shiny feature x instead of wasting time" is probably a common corporate response.

[–] ramble81@lemm.ee 5 points 1 year ago

Mobile apps should be fairly obvious. It drives use of their application, which is something they want. For most everything else, everyone* already has a phone and can do SMS, though it’s being proven to be more insecure.

Both of those options meet their needs, the needs of the customer are secondary.

[–] mp3@lemmy.ca 4 points 1 year ago* (last edited 1 year ago) (1 children)

Steam is using their own implementation that is also used for getting push notifications when selling an item on their kind of marketplace.

I don't use that feature, so having a standard 2FA would be nice as I could back it up like all the others.

[–] hedgehog@ttrpg.network 6 points 1 year ago

Steam’s 2FA is just a different TOTP algorithm, it’s just a pain to extract it. However, once you do, there are TOTP apps that support it - Bitwarden (with premium) and Yubikey Authenticator.

Here’s a guide - note that as far as I can tell this site is not owned by Yubico but is just a random person who put up some Yubikey guides. However I did something similar over a couple of years ago - pretty sure I used the same tool that’s recommended - and my Steam account hasn’t been hacked yet.

[–] 30p87@feddit.de 3 points 1 year ago (1 children)

I've 14 items in Authy, and basically never used SMS as 2FA. Only to validate my identity on first signup. The only time SMS was used as 2FA for me was by the company I had an internship in programming in.

[–] redcalcium@lemmy.institute 3 points 1 year ago

Some corporate apps are starting to require you to scan a QR code with their phone app to log in. You might encounter these types of 2FA sooner or later.

[–] isVeryLoud@lemmy.ca 1 points 1 year ago

Not Invented Here syndrome.

Everyone must reinvent the wheel.