How do you feel about 2FA / MFA verification to use a website or service?

Associate
Joined
2 Jul 2019
Posts
379
Location
London
I've just had to buy my first smart phone so I could do two factor authentication.

I might like new fast PC components, but I still like my old Nokia with buttons.
 
Soldato
Joined
1 Mar 2010
Posts
21,918
I see google security site now seems to have a new option ... I probably need to explore that, or yubikey

so that's a new 'thing', had an email last week ... is there a tear-down of its relative security?
17/06/2020 19
Securely signing in to Google just got easier

Google is improving 2-Step Verification so you can use Google prompts to sign in securely and better protect your account.

Prompts are push notifications that are sent securely to your phone. Because they don’t use SMS, they’re safe from emerging SMS-based threats.

Google sign-in prompts will be able to reach every eligible phone where you’re signed in after July 7, 2020. In most cases, other 2-Step Verification options will continue to work as backup second steps.
 
Caporegime
Joined
4 Jul 2004
Posts
30,659
I have 2FA enabled on pretty much everything, but I don't have my phone number linked to any of it.

I use the Aegis Authenticator app, with the encrypted file saved in various locations including a memory stick in my safe. If a website doesn't allow this then I probably won't use it.
 
Associate
Joined
1 Apr 2018
Posts
1,208
I’ve not come across a site that requires phone verification other than 2FA with banks etc. On a normal site I wouldn’t bother with the site if it required it.
 
Soldato
OP
Joined
1 Nov 2004
Posts
4,754
Capodecina
Soldato
Joined
30 Jul 2006
Posts
12,129
I'm wary of it as too many have used 2FA as a data harvesting excuse and you then get SMS spam of sales and other irrelevant junk - usually with a premium rate number needed to stop it. They'll only get my number when I know I'll do regular business with them.
Buy a cheapo throwaway mobile and a £10 SIM card and use that for 2FA - Job done :)
 
Soldato
Joined
20 Oct 2002
Posts
17,922
Location
London
If I can enable 2 factor authentication to secure something, I always do.
This. I treat any 'account' I have on anything without MFA as essentially not secure.

However, for random websites I certainly wouldn't be wanting to have the hassle. Especially not use text MFA as it's unreliable and surely a form of data harvesting.

PS: When will Google Auth sync in the cloud? :confused:
 
Soldato
Joined
18 Oct 2002
Posts
9,324
Location
Derbyshire
Any decent service (including Google) will let you use app based authentication rather than SMS. You don't even need to have a mobile/internet signal for those to work as long as you've initially set it up (usually just through scanning a barcode). All you need to do is make sure your phone's time isn't massively off, as the numbers are generated based on time. There are hundreds of different apps you can use (Google Authenticator, Microsoft Authenticator, Authy...), it's a standard protocol.

SMS 2FA is more vulnerable to sim swapping hacks etc so I'd always favour the app based route. And guess which sector seems to mostly only allow SMS based auth? Banks. Such a backwards sector.

Whilst not as secure, there are even browser extensions that let you generate the 2FA codes in your browser. I use these for a few less important things:

Chrome: https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en
Firefox: https://addons.mozilla.org/en-GB/firefox/addon/auth-helper/

You can even scan a QR code from your screen and import it which is nice.
 
Soldato
Joined
1 Mar 2010
Posts
21,918
Authy bugs - heavy on virtual memory?

I've not yet found much web info on this problem, only on older versions where viruses had penetrated it;
it had been up to nearly a gig a few days ago (Windows OS).

I use Authy for PayPal principally, but need to explore using it for eBay login, where I think they may have imposed faster auto-logout if you are not using 2FA.
 
Associate
Joined
7 Mar 2015
Posts
1,044
Anything of value should have 2FA. I think there are services like twilio / mysudo which allow you to generate on the fly numbers and forward you texts etc.
 
Soldato
Joined
18 Oct 2002
Posts
16,990
Location
Cambridge
When we rolled out MFA at work, the sheer number of users getting confused as to what the # key was, was shocking.

Microsoft either say the hash key, or the pound key.......hundreds of our users contacted the helpdesk asking what it was....despite the user guide saying "press the # key"

In the end, we had to include a photo pointing to the # key.

found it

I did instructions for one of my clients and one of the users was trying to scan the QR code on the instructions rather than on screen. There's only so much you can do!
 
Commissario
Joined
17 Oct 2002
Posts
33,023
Location
Panting like a fiend
I did instructions for one of my clients and one of the users was trying to scan the QR code on the instructions rather than on screen. There's only so much you can do!
I bet the next time you did instructions you remembered to put an "EXAMPLE" across the example image and a note underneath "Scan the image that looks similar to this that appears on screen" :)

Seriously though, there is always someone who doesn't quite grasp the instructions, and I'm not afraid to say in a couple of instances that's been me, albeit usually when the instructions have shown something different to what the UI is presenting me with* (or where something has been moved to a different menu/submenu).

*I hate it when UIs change an icon completely from one version to another to something that bears no resemblance to what it's meant to represent or to the old one, especially if the guides are not updated.
 
Soldato
Joined
30 Sep 2005
Posts
16,551
I did instructions for one of my clients and one of the users was trying to scan the QR code on the instructions rather than on screen. There's only so much you can do!

Oh, can do one better. I wrote a user guide once and had a photo showing someone logging in as say "[email protected]"....guess what, yep....one user was trying to log in as "[email protected]"

To make things worse, when they phoned up someone said you need to be logging in as your name, and they said what's that? No, YOUR NAME.....yes, but what is it? What's your name? Yeah.....erm, your name is Sarah lol
 
Soldato
Joined
17 Aug 2009
Posts
10,719
Sort of ironic that of all the sites online you don't have to hand over anything to use porn sites not even age verification.

Good reasons for that.

Most complaining about porn is moral outrage based and right now there is no law about anyone of any age looking at porn. Or a law about letting your kids watch porn.

There are laws on hosting/owning a handful of porn categories and major sites have made preparations to defend themselves by erasing any work by unverified performers and not hosting banned categories.

An intended law to force age checks and sharing of ID for porn crashed and burned when the public heard of it.

What did get forced through on moral outrage grounds is compulsory porn filters by all UK ISPs that you (the parent of any children?) have to request to have lifted.
 
Soldato
Joined
9 Mar 2003
Posts
14,240
I do enable it on most sites, it’s always on anything worth protecting, usually using an Authenticator app.

I didn’t even realise OCUK had 2FA until I saw it in the security breach thread so I have just put that on here.
 
Soldato
Joined
1 Jul 2009
Posts
2,660
I don't like using the phone 2FA because someone could SIM swap and gain access to your texts or you could lose your phone or have it stolen. I've found having hardware keys is the best because you can have spare ones in case you lose it, and nobody can hack it.
 
Man of Honour
Joined
18 Oct 2002
Posts
100,336
Location
South Coast
I don't like using the phone 2FA because someone could SIM swap and gain access to your texts or you could lose your phone or have it stolen. I've found having hardware keys is the best because you can have spare ones in case you lose it, and nobody can hack it.

There are ways around this if you use a modern phone. All iPhones and most Samsungs etc have eSIM support. Nobody can pinch your SIM if you are using an eSIM. Convert your current SIM to an eSIM (it should be free or cost 50p) via your account area and chuck the physical SIM away.

A better option is to use an MFA app like Microsoft Authenticator / Google Authenticator etc.
 