How do you feel about 2FA / MFA verification to use a website or service?

Soldato
Joined
22 Oct 2002
Posts
8,271
Location
Near Cheltenham
I prefer using an MFA App with OTPs, I have got a bit lazy, on some sites I have Bitwarden storing the creds and the OTP, unless it's critical, in which case I handle them separately.
 

Deleted member 651465


I use 2FA on any website that supports it, although I use 1Password to generate the codes.

If they want my mobile number and there's no way to use an authenticator app then I'll consider if I want to join. If it's some junk site that I need to join for a specific purpose then I'll go elsewhere.
 
Soldato
Joined
20 Oct 2002
Posts
17,922
Location
London
No reason to use 2fa unless the account is actually important, like online banking, for trivial stuff like forum accounts I don't bother.
Except it's extremely common for "hackers" to gain access to important stuff via other less secure systems where you've used the same/variation of your 'usual' password.
 
Soldato
Joined
16 Aug 2009
Posts
7,748
I prefer using an MFA App with OTPs, I have got a bit lazy, on some sites I have Bitwarden storing the creds and the OTP, unless it's critical, in which case I handle them separately.

OTP is OK as long as I get an SMS text; it's annoying but I can live with it. It's apps I have an issue with, as I don't have anything that can run them natively. Windows 11 is supposed to run Android apps so that looks like that may be a solution...


Except it's extremely common for "hackers" to gain access to important stuff via other less secure systems where you've used the same/variation of your 'usual' password.

So don't use the same darn passwords then. I've been using passwords for 20 years and haven't had anything hacked yet, but then I don't use passwords that can be easily guessed. Leaks of databases are another matter, but then it's a case of change all your passwords. It feels like once again the internet is being dumbed down for dumb users who need their hands holding because they're too stupid or too lazy to take security seriously. Sorry but this just annoys me.
 
Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
It depends. For my bank or email 2FA then yes. For random sites then no and it would stop me joining.
This. I’m not doing 2FA for anyone other than the most trusted sources.

I assume you mean SMS or email based? Just enable OTP.

Personally I use OTP + Yubikey + SSH key (or GPG in one or two cases). If it doesn't have at least three layers I don't want to use it for anything that isn't disposable. For example, passphrase+OTP+Yubikey or passphrase+OTP+SSH.
 
Caporegime
Joined
12 Mar 2004
Posts
29,913
Location
England
Except it's extremely common for "hackers" to gain access to important stuff via other less secure systems where you've used the same/variation of your 'usual' password.

It goes without saying that only an idiot would use a similar password for online banking or email that they use for forum accounts.

Having to use 2fa for forums/reddit/etc would just be an irritation for me.
 
Soldato
Joined
28 Oct 2006
Posts
12,456
Location
Sufferlandria
It goes without saying that only an idiot would use a similar password for online banking or email that they use for forum accounts.
Having to use 2fa for forums/reddit/etc would just be an irritation for me.

It's not just your password. If someone got access to your forum account they can then get things like email address and date of birth from your profile. Another couple of forum accounts to piece together some more information and soon they know enough about you to answer the security questions on your bank account or something like that.
 
Caporegime
Joined
12 Mar 2004
Posts
29,913
Location
England
It's not just your password. If someone got access to your forum account they can then get things like email address and date of birth from your profile. Another couple of forum accounts to piece together some more information and soon they know enough about you to answer the security questions on your bank account or something like that.

Not really, questions like mother's maiden name aren't on a forum account.

My email address is public on my website, it's not a security risk.

Again with the birthday thing, I don't use a real birthday for any forum account.
 
Associate
Joined
29 Sep 2011
Posts
43
Location
UK, Kent
As a security advocate I like using 2FA much better than just using a password. I think all websites should use 2FA. But use app-based 2FA, not SMS, as that could be intercepted. Question for you guys: do you use hardware-based 2FA like tokens? I'm thinking of getting one like a Nitrokey or Yubikey and wondered if anyone was using one and, if so, how have you found it?
 