2FA two step verification & the obsession with security

magic:
GMail isn't the only "brand name provider".

Last time I checked, Microsoft still allowed signups without phone numbers and bullshit like that. You did have to do some captcha thing.

madires:
In case you go for a FIDO token, get two: one for daily use and the second one as a backup token. Register both with each 2FA account. The problem is that you can't copy/backup/restore those tokens. If you have just one and it breaks or you lose it, you will have a lot of fun recovering access to your accounts. Most services support having multiple tokens, but the odd one might only allow a single token. BTW, hardware tokens usually provide higher security than apps on your mobile phone.

Marco:
It's a shame FIDO is explicitly designed to prevent cloning, even by the user.

I'd really prefer a paper backup of the private key.

JohanH:

--- Quote from: sleemanj on February 13, 2022, 01:09:10 am ---TOTP (Time-based One Time Password) is the mechanism by which most 2FA works.

Plenty of existing libraries to do it in various languages - even an Arduino can do it.  You need a reasonably accurate clock and to be able to do an sha1 hash and that's about the biggest complexity.


--- End quote ---

I'd set up google-authenticator in PAM on the Raspberry Pi. Suddenly one day it didn't accept my TOTP. I had of course forgotten to set up NTP on the Raspberry, which lacks an internal hardware clock, and the clock had drifted. But I waited for half a minute (for the next round of codes) and now it accepted the old code. With NTP it works without problems.

tooki:

--- Quote from: jonovid on February 12, 2022, 07:20:00 pm ---recently Google, Microsoft and others have started pushing two step verifications
and having an obsession with security.  :scared:
as if it was a big threat to them.
as a non-phone owner.
I never asked for this level of security. I never asked for more verifications

[…]
my point is the obsession with security is not coming from us users, but Google, Microsoft & Apple Inc
who are the paranoid users, that say we want this.

--- End quote ---
The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.

The fact that we’re moving everything to 2FA isn’t a show of “paranoia”, but rather a fully justified condemnation of 1FA.
