2FA two step verification & the obsession with security
magic:
--- Quote from: tooki on February 14, 2022, 04:31:35 pm ---So just forgo all the utility of modern services. Email? Gone. Online storage and backup? Gone. Sync between devices? Gone.
And with that, no more applying for jobs online, signing up for government services, or any other of the myriad things that one is now expected to do online, often with no alternative method.
--- End quote ---
I have email. Still works without 2FA and admittedly the password isn't Suzy, I know, I'm lame. I try to minimize my exposure to pwnage by being sure to have other means of communication with important people or institutions and of course keeping a local archive of all mail. It would suck to lose the address, but I would rather have that minimal risk than be forcibly locked out without a fucking phone at hand. I'm not a target to anyone who genuinely cares to justify such a level of paranoia.
I use one service which does use the 2FAD and it's the bank. Arguably a good idea, but because of some stupid EUSSR directive it no longer works with one time passwords sent by snail mail, but requires the fucking phone. Lotta fun if that PoS breaks.
Government services? Fun that you ask. Some moron in Poland routinely uses my e-mail address to sign up to various services that don't require e-mail confirmation to start using :palm: :palm: :palm: and one of them is indeed a government body. I'm still wondering if/how/when to pwn him for maximum lulz >:D
metebalci:
--- Quote from: dunkemhigh on February 14, 2022, 04:45:26 pm ---Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number).
--- End quote ---
I always argued that the phone number/SMS OTP is not a proper 2FA. The phone number does not fully belong to you. A mobile operator can connect your number to another SIM without you realizing; there were fraud cases because of this when SMS OTP started to be used by banks 10+ years ago. It is not a big issue anymore but I still think there is a difference and I prefer not to use it if there is an alternative.
JohanH:
--- Quote from: dunkemhigh on February 14, 2022, 04:45:26 pm ---
Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number). That's not actually always the case, and as with any other hardware key, if you lose it you're in for a world of hurt.
--- End quote ---
Most services assume you have a 2FA application of some sort. Some still offer SMS and email as the second factor. In most cases, they also offer TOTP that works with any TOTP application. This isn't tied to a phone (but is most commonly used on a phone app); it could be a separate PC (your desktop or a Raspberry works fine) or hardware key. If you back up the TOTP keys (encrypted of course), you will not lose anything.
Someone:
--- Quote from: dunkemhigh on February 14, 2022, 04:45:26 pm ---Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number).
--- End quote ---
... the subscriber account is paid up, and they have mobile network coverage.
Halcyon:
--- Quote from: dunkemhigh on February 13, 2022, 04:07:18 pm ---Would you want to do 2FA to get onto EEVBlog?
--- End quote ---
Many users are already doing it. It's not such a bad thing.