Things must get worse before they get worser:


Discussion

Why is 2FA bad?

Is it cuz not everyone has physical, funnel into SMS?

SMS 2FA is worse than no 2FA. Everyone has been moving away from this for a while now.

Faxxxxxx lol

Ordering mine this week. I’ve been using BitWarden for a long time, but I’d like to separate points of failure if you know what I mean.

Order a 3 pack, at least 2. One backup. Register multiple every time per site if poss 😅

Yes, 2 minimum. They shouldn’t even allow singles. 😬

🤝

Hold up. Can I get you my YubiKey referral url Lolll 🤣

Which? I like 2nd from left, bigger finger easier to hit maybe. USB-C all the way

I’ll be getting the USB-C version, as most of my machines have that (or only that) now.

Getting a backup key?

Yes. To keep in the fireproof safe.

I don't think backup keys actually work. The "backup" doesn't do anything to help you access anything.

If you lose a key, you already registered the other. No freakout?

Depends what you mean by "registered".

No one lets you have more than one 2fa on the same account though.

Same account. 2. Can add 3. Namecheap

Microsoft and Google both do. I know they’re “they who shall not be named” around here, but… 🤣

Whoa EZ there, those things are all trash, I've been deep diving the webauthn+fido2 specs for the past months, and it's a proprietary hellhole. Not a solution for anything.

For instance, the architects decided that the public key should only be exposed once and stored in a MySQL database. Instead they rely on something called credential ID.

The point is, these devices were and are designed for web 2.0.

Oh right, Google injects data into your payload:

https://goo.gl/yabPex

The entire passkey standard is big-enterprise.

Because it gives them your phone number. That eliminates privacy between GitHub/Microsoft and the user

I don’t use SMS 2FA with any Microsoft product.

They support standard 2FA like ProtonPass, BitWarden, etc.

In fact they also support YubiKeys.

All fair points alternatives. I spaced on that

Because one password is already bad enough, now I need two passwords?

What you are describing is specifically NOT 2FA. Two passwords would be only one factor, not two.

OK, so instead of two passwords I'm supposed to have INFINITE passwords.

What?

🤔

That’s not how that works. Do you really not know what MFA is or are you joking?

My apologies if it was a joke.

A password is simply something you know. You only need 1, not 2, not INFINITE as you say, just 1.

Then you need another factor (something you have, or something you know, or someone you know, etc.). The password(s) is (are) only one of the two factors.

The second factor can be a certificate, a hardware token, a seeded RNG, biometrics, a geo-location, and on and on.

GitHub should have MFA at least optionally, Nostr should have MFA at least optionally. It’s up to them or

If Microsoft decides it’s mandatory on their platform, so be it.

Yes but don't forget to buy all the proprietary hardware keys, but make sure to buy 2 so you have one as backup in case you lose one.

Your personal security is at stake and it is very much related to national security.

So everyone must listen to the security experts because they have read articles on the internet and watched hours on YT so we don't have to. 2FA 🤘

What priority keys are you talking about?

Own your 2FA.

'Hardware' key fobs, brother. But no, you can't "own" your 2FA. 'Cause it's a web2.0 server based concept.

What you want is to generate your own private key and then call it a day :-)

Be insecure, that’s your choice.

You can own your other factors, you’re just wrong and embracing it.

MFA you can own:

- An email domain and server

- A certificate

- open source Fido2 Security key

- Geolocation via IP address or GPS or network node

- Time-Based OTP

The only one of those that technically relies on someone else is your DNS provider for your mail domain or ISP for geolocation.
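As an added example of the "Time-Based OTP" item in the list above (this is not code from any poster in the thread): a self-contained RFC 6238 TOTP generator and verifier using only the Python standard library. The Base32 seed `JBSWY3DPEHPK3PXP` is a constructed sample, not anyone's real seed. The verifier side adds the three checks a server actually needs and that the list alone does not show: a small clock-drift window, a constant-time comparison, and tracking of the last accepted time step so a captured code cannot be submitted a second time.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps show the seed as unpadded Base32 (often with spaces);
    restore the '=' padding before decoding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step=None, window: int = 1, step: int = 30,
                digits: int = 6):
    """Verifier-side check. Returns the accepted time step, or None.

    - tolerates `window` steps of clock drift on either side of 'now'
    - compares in constant time
    - refuses any step <= last_used_step, so the caller can persist the
      returned step and a replayed code is rejected"""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate < 0:
            continue
        if last_used_step is not None and candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate, digits).encode("ascii")
        if hmac.compare_digest(expected, submitted.encode("ascii", "replace")):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample seed, formatted as an authenticator app would show it.
    seed = secret_from_base32("JBSW Y3DP EHPK 3PXP")
    now = int(time.time())
    code = totp(seed, now)
    print("code:", code, "accepted at step:", verify_totp(seed, code, now))
```

Both sides hold only the shared seed, which is why this is a factor you can self-host: the verifier never talks to a third party. The values in the test below are the published RFC 6238 reference vectors for the ASCII seed `12345678901234567890`.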

One man lives in a house surrounded by good neighbours.

Another man lives in a house with five locks and a barking dog alarm.

Which of the two men would you call insecure?

Neither, and the Internet acts like neither.

Tell me brother, I want to know everything.

Before I listen to an enlightening explanation of how the internet works.

Would it be too much to ask for a second opinion, preferably female? 👠🙏🙂 pretty please? 😊

I’m sure you are joking...

And you have to approve log ins using other devices

2FA helps people who have terrible security but harms those who have good security.

If you don't have the device compromised then the only way to break into the account is getting the password. This is only possible in these cases:

* You don't use a password manager and type the password every time, and some camera in public sees you typing it

* You use the same password on multiple services and one of them is hacked

* The service has a data leak and your password is weak

* The service has a data leak and they don't store the password properly

* The service is compromised and you enter the password at the time

As you see, except for the last two, you can prevent these. In case of any of the last two you're already screwed and 2FA doesn't help.

If your device is compromised then the attacker will just wait for you to login and use your logged-in device to do the harmful actions he wants in the background without having to use 2FA or password.

And even if you can specifically 2FA "more harmful" actions, which would be a good idea, nobody actually does it in a meaningful way. The other device doesn't show you what you're actually confirming, only that you're confirming something. For instance you might think you're confirming a permission change and you actually confirm account deletion.

wen git remote on nostr

you will enter 2FA codes and you will be happy

it is pretty good for security.

I’ve got a web site I need for work with username, password, captcha, 2FA.

And the password has to be changed every few months.

Any decent 2 Factor alternatives to Google & Microsoft …

Authy with proper precautions or Apple Keychain if you’re in that ecosystem!

There are many CLI apps on GitHub. Also phone apps on F-Droid.

Aegis for Android

Bitwarden

Typical example of consolidation and centralization. These additional “security measures” provide practically no benefit for small developers like me, but come at an additional cost. For large organizations it is the other way around: they have a dedicated security team to deal with it and individual developers never worry about the additional burden of having to deal with this extra time-waste.

#github won’t care about us

Harming the small to the benefit of the large is the common pattern emerging again.

Same story with closing small business because of #pandemic while the large remain open.

Or billionaires paying proportionally less taxes because they can afford good accountants and find the loopholes.

Always. Same. Story.

#sad #zaps #grownostr

Billionaires borrow their income, because they pay next to nothing in interest.

You might be a nym on Nostr, but GitHub knows who you are...

Good. They should be requiring 2FA.

Contrary to what you've been told, 2FA is not a good thing.

From the issuer's perspective it means that you, like a child, are not considered a source of trust, but must have both your mom's and dad's written signature to be allowed to partake.

Be careful what and where you 2FA.

I could not disagree more, and your comment speaks volumes of your lack of understanding of MFA and its inherent risk reductions.

Please research MFA on your own to understand more and ask if you have any questions.

And if anyone else reads this person saying “be careful what and where you 2FA”, please research it more on your own, because this is directly promoting the lack of your data security.

Oh joe

This is good. Just don't use the SMS option.

Wen #gitstr ?

Use gitea I guess

Microsoft walling the garden of free/opensource,

this is bad..

Many species of projects and developers are going to become alienated and disappear. :'-(

AGPL everything?

yes.

🤝

Why is this bad?