
2FA two step verification & the obsession with security


metebalci:

--- Quote from: jonovid on February 12, 2022, 11:49:27 pm ---If I need one of those USB thumb drive 2FA verification keys, how do I know if it's trustworthy? They are not free!
It's a bit like buying a crypto wallet: is the USB thumb drive 2FA online retailer's site trustworthy? Will Google, Microsoft & Apple Inc find it acceptable?

--- End quote ---

Just get one from a well-known company like Yubico; I am sure there are many others. Currently all should be based on FIDO, so a certification would be a good indication.

metebalci:

--- Quote from: Someone on February 13, 2022, 03:08:33 am ---2FA makes sense for things that are valuable/sensitive, but asking students to 2FA so they can access course material? At some point it's just "security" because it's little to no cost to the operator, ignoring the costs to the users.

--- End quote ---

I understand the point and you are right to some extent. However, it may not matter, because on that site to download course material there can be, for example, user data, so the security of that site is also important. There might not be any sensitive data now, but there might possibly be in the future etc. It is not a bad practice. I 100% agree about the cost to the user. It was quite far from seamless in the past; now it is getting simpler (password managers, FIDO, biometrics etc.), but there are still some obstacles.

alexanderbrevig:
You should want it.

The reason for enforcing rules and why most companies require 2FA is because people absolutely suck at passwords. So much so that the top five most common passwords should make you cringe.

Even Trump reused an already absolutely crap password across multiple services. When one got leaked (maga2020!), his Twitter got hacked. This would be mitigated by good password hygiene (which is hard for people) or 2FA which is comparatively easy.

magic:
And nothing has happened because Trump's twatter got pwnzored.

Which is why you shouldn't care when it comes to stupid things.

But it's 100% what Monkeh said: the companies themselves don't want to deal with the drama of users getting compromised, so they shove security down their throats.

Someone:

--- Quote from: metebalci on February 13, 2022, 07:51:46 am ---
--- Quote from: Someone on February 13, 2022, 03:08:33 am ---2FA makes sense for things that are valuable/sensitive, but asking students to 2FA so they can access course material? At some point it's just "security" because it's little to no cost to the operator, ignoring the costs to the users.
--- End quote ---
I understand the point and you are right to some extent. However, it may not matter, because on that site to download course material there can be, for example, user data, so the security of that site is also important. There might not be any sensitive data now, but there might possibly be in the future etc. It is not a bad practice. I 100% agree about the cost to the user. It was quite far from seamless in the past; now it is getting simpler (password managers, FIDO, biometrics etc.), but there are still some obstacles.
--- End quote ---
Agree 100% on all you are saying; it's a lot of lazy implementation that is the friction here. Extending the example above, 2FA can easily be required for "higher" access within a system that has levels of sensitive information/control. Plenty of well thought out services already have this in place, where you can do the cheap/easy login to go through everyday things but a challenge comes up when you do something unusual or with exposure commensurate to that. That sort of tiered security was in place well before 2FA became a thing, requiring the user to acknowledge/recognise the relative value of their access. Having a single level of login may cheapen the differentiation and will lead back to complacency by users.

The OP is probably also put out by the security being dictated to them, chosen by the service provider. Long gone are the days of setting up an anonymous/throwaway email address with a brand-name provider. Many people would be fine with minimal security on their worthless accounts, but layers of perceived unnecessary security are pushed as mandatory. Another example: I don't link payment details with webshop accounts, for instance, but someone who does have their platinum card linked to their account may well want 2FA at some point in that chain (some credit cards are now mandating that).
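The tiered ("step-up") model described in the post above, as an added illustration that is not code from the thread or any of its posters: everyday actions are allowed on a password-only session, while sensitive actions (the action names, the 15-minute freshness window and the Session/authorize helpers are all assumptions) require a recent second factor, and unknown actions fail closed to the stronger level.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import time


class Assurance(IntEnum):
    PASSWORD = 1  # everyday login: password only
    MFA = 2       # password plus a recently verified second factor


# Hypothetical action catalogue: which assurance level each action needs.
ACTION_LEVEL = {
    "read_course_material": Assurance.PASSWORD,
    "download_invoice": Assurance.PASSWORD,
    "link_payment_card": Assurance.MFA,
    "change_email": Assurance.MFA,
    "grant_admin_role": Assurance.MFA,
}

# Assumed policy: a second factor older than this no longer counts as "fresh".
MFA_FRESHNESS_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    mfa_verified_at: Optional[float] = None  # unix time of last second-factor success

    def assurance(self, now: float) -> Assurance:
        """Current assurance level, decaying back to PASSWORD as the MFA proof ages."""
        if self.mfa_verified_at is not None and now - self.mfa_verified_at <= MFA_FRESHNESS_SECONDS:
            return Assurance.MFA
        return Assurance.PASSWORD


def authorize(session: Session, action: str, now: Optional[float] = None) -> str:
    """Return "allow" if the session meets the action's level, else "step_up".

    Actions missing from the catalogue default to MFA so a forgotten entry
    produces an extra challenge rather than a silent downgrade.
    """
    now = time.time() if now is None else now
    required = ACTION_LEVEL.get(action, Assurance.MFA)
    return "allow" if session.assurance(now) >= required else "step_up"


if __name__ == "__main__":
    s = Session("alice")
    print(authorize(s, "read_course_material", now=1000.0))  # allow
    print(authorize(s, "link_payment_card", now=1000.0))     # step_up
```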
