2FA two step verification & the obsession with security
magic:
GMail isn't the only "brand name provider".
Last time I checked, Microsoft still allowed signups without phone numbers and bullshit like that. You did have to do some captcha thing.
madires:
In case you go for a FIDO token get two, one for daily use and the second one as backup token. Register both with each 2FA account. The problem is that you can't copy/backup/restore those tokens. If you have just one and it breaks or you lose it, you will have a lot of fun recovering access to your accounts. Most services support having multiple tokens, but the odd one might only allow a single token. BTW, hardware tokens usually provide higher security than apps on your mobile phone.
Marco:
It's a shame FIDO is explicitly designed to prevent cloning, even by the user.
I'd really prefer a paper backup of the private key.
JohanH:
--- Quote from: sleemanj on February 13, 2022, 01:09:10 am ---TOTP (Time-based One Time Password) is the mechanism by which most 2FA works.
Plenty of existing libraries to do it in various languages - even an Arduino can do it. You need a reasonably accurate clock and to be able to do a SHA-1 hash, and that's about the biggest complexity.
--- End quote ---
I'd set up google-authenticator in PAM on the Raspberry Pi. Suddenly one day it didn't accept my TOTP. I had of course forgotten to set up ntp on the Raspberry Pi, which lacks an internal hardware clock, and the clock had drifted. But I waited for half a minute (for the next round of codes) and now it accepted the old code. With ntp it works without problems.
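The TOTP mechanism from the quote above, and the clock-drift failure described in this post, as an added example (not code from the thread or from google-authenticator): HMAC-SHA1 over a 30-second counter, plus a verifier with a tolerance window. The secret is the RFC 6238 test-vector key, and the drift scenario (a client 20 s behind the server) is constructed here.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), used here as constructed sample input.
RFC6238_SECRET = b"12345678901234567890"


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it, tolerating missing padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current period or up to `window` periods either side.

    window=0 is the strict check: a clock that has drifted into the neighbouring
    period is rejected. window=1 tolerates about one period of skew either way,
    but a clock that has drifted by several minutes still fails, as in the post.
    """
    current = at_time // step
    return any(hmac.compare_digest(hotp(secret, current + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print("current code:", totp(RFC6238_SECRET, int(time.time())))
    # Constructed drift scenario: the server is at t=61 s, the client's clock is 20 s slow (t=59 s),
    # so the client hands over the previous period's code near the period boundary.
    client_code = totp(RFC6238_SECRET, 59, digits=8)
    print("strict check:", verify_totp(RFC6238_SECRET, client_code, 61, digits=8, window=0))
    print("window=1:    ", verify_totp(RFC6238_SECRET, client_code, 61, digits=8, window=1))
```

The window is what makes a few seconds of skew survivable; it does nothing for a Pi without an RTC that has drifted by minutes, which is why ntp is the actual fix.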
tooki:
--- Quote from: jonovid on February 12, 2022, 07:20:00 pm ---Recently Google, Microsoft and others have started pushing two-step verification
and having an obsession with security. :scared:
As if it was a big threat to them.
As a non-phone owner,
I never asked for this level of security. I never asked for more verifications.
[…]
My point is the obsession with security is not coming from us users, but from Google, Microsoft & Apple Inc.
Who are the paranoid users that say we want this?
--- End quote ---
The stupid in this post is so strong it hurts.
You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.
The fact that we’re moving everything to 2FA isn’t a show of “paranoia”, but rather a fully justified condemnation of 1FA.