How do you feel about 2FA / MFA verification to use a website or service?

I prefer using an MFA App with OTPs, I have got a bit lazy, on some sites I have Bitwarden storing the creds and the OTP, unless it's critical, in which case I handle them separately.
 
I use 2FA on any website that supports it, although I use 1Password to generate the codes.

If they want my mobile number and there's no way to use an authenticator app then I'll consider if I want to join. If it's some junk site that I need to join for a specific purpose then I'll go elsewhere.
 
No reason to use 2fa unless the account is actually important, like online banking, for trivial stuff like forum accounts I don't bother.
 
No reason to use 2fa unless the account is actually important, like online banking, for trivial stuff like forum accounts I don't bother.
Except it's extremely common for "hackers" to gain access to important stuff via other less secure systems where you've used the same/variation of your 'usual' password.
 
Salesforce is enforcing MFA next year; must be millions of people who use it at work who'll be impacted by that.
 
I prefer using an MFA App with OTPs, I have got a bit lazy, on some sites I have Bitwarden storing the creds and the OTP, unless it's critical, in which case I handle them separately.

OTP is ok as long as I get an SMS text, it's annoying but I can live with it, it's apps I have an issue with as I don't have anything that can run them natively. Windows 11 is supposed to run Android apps so that looks like that may be a solution...


Except it's extremely common for "hackers" to gain access to important stuff via other less secure systems where you've used the same/variation of your 'usual' password.

So don't use the same darn passwords then. I've been using passwords for 20 years and haven't had anything hacked yet but then I don't use passwords that can be easily guessed, leaks of databases are another matter but then it's a case of change all your passwords. It feels like once again the internet is being dumbed down for dumb users who need their hands holding because they're too stupid or too lazy to take security seriously. Sorry but this just annoys me.
 
It depends. For my bank or email 2FA then yes. For random sites then no and it would stop me joining.
This. I’m not doing 2FA for anyone other than the most trusted sources.

I assume you mean SMS or email based? Just enable OTP.

Personally I use OTP + Yubikey + SSH key (or GPG in one or two cases). If it doesn't have at least three layers I don't want to use it for anything that isn't disposable. For example, passphrase+OTP+Yubikey or passphrase+OTP+SSH.
 
Except it's extremely common for "hackers" to gain access to important stuff via other less secure systems where you've used the same/variation of your 'usual' password.

It goes without saying that only an idiot would use a similar password for online banking or email that they use for forum accounts.

Having to use 2fa for forums/reddit/etc would just be an irritation for me.
 
It goes without saying that only an idiot would use a similar password for online banking or email that they use for forum accounts.
Having to use 2fa for forums/reddit/etc would just be an irritation for me.

It's not just your password. If someone got access to your forum account they can then get things like email address and date of birth from your profile. Another couple of forum accounts to piece together some more information and soon they know enough about you to answer the security questions on your bank account or something like that.
 
It's not just your password. If someone got access to your forum account they can then get things like email address and date of birth from your profile. Another couple of forum accounts to piece together some more information and soon they know enough about you to answer the security questions on your bank account or something like that.

Not really, questions like mother's maiden name aren't on a forum account.

My email address is public on my website, it's not a security risk.

Again with the birthday thing, I don't use a real birthday for any forum account.
 
As a security advocate I like using 2FA much better than just using a password. I think all websites should use 2FA. But use app-based 2FA, not SMS, as that could be intercepted. Question for you guys: do you use hardware-based 2FA like tokens? I'm thinking of getting one like a Nitrokey or Yubikey, wondered if anyone was using one and if so how have you found it?
 