Why is 2FA bad?
Discussion
Is it cuz not everyone has physical, funnel into SMS?
SMS 2FA is worse than no 2FA. Everyone has been moving away from this for a while now.
Faxxxxxx lol
Ordering mine this week. I’ve been using BitWarden for a long time, but I’d like to separate points of failure if you know what I mean.
Which? I like 2nd from left, bigger finger easier to hit maybe USBC alltheway
I’ll be getting the USB-C version, as most of my machines have that (or only that) now.
Getting a backup key?
Yes. To keep in the fireproof safe.
I don't think backup keys actually work. The "backup" doesn't do anything to help you access anything.
If you lose a key, you already registered the other. No freakout?
Whoa EZ there, those things are all trash, I've been deep diving the webauthn+fido2 specs past months, and it's a proprietary hellhole. Not a solution for anything.
For instance, the architects decided that the public key should only be exposed once and stored in a mysql Database. Instead they rely on something called credential ID.
The point is, these devices were and are designed for web 2.0.
Oh right, Google injects data into your payload:
The entire passkey standard is big-enterprise.
Because it gives them your phone number. That eliminates privacy between GitHub/Microsoft and the user
Because one password is already bad enough, now I need two passwords?
What you are describing is specifically NOT 2FA. Two passwords would be only one factor, not two.
OK, so instead of two passwords I'm supposed to have INFINITE passwords.
What?
🤔
That’s not how that works. Do you really not know what MFA is or are you joking?
My apologies if it was a joke.
A password is simply something you know. You only need 1, not 2, not INFINITE as you say, just 1.
Then you need another factor (something you have, or something you know, or someone you know, etc. The password(s) is(are) only one of the two factors.
The second factor can be a certificate, a hardware token, a seeded RNG, biometrics, a geo-location, and on and on.
GitHub should have MFA at least optionally, Nostr should have MFA at least optionally. It’s up to them or
If Microsoft decides it’s mandatory on their platform, so be it.
Yes but don't forget to buy all the proprietary hardware keys but make sure to buy 2 so you have one as backup incase you lose one.
Your personal security is at stake and it is very much related to national security.
So everyone must listen to the security experts because they have have read articles on the internet and watched hours on YT so we don't have to. 2FA 🤘
What priority keys are you talking about?
Own your 2FA.
'Hardware' keysfobs brother. but no, you can't "own" your 2FA. Cause it's a web2.0 server based concept.
What you want is to generate your own private key and then call it a day :-)
Be insecure, that’s your choice.
You can own your other factors, you’re just wrong and embracing it.
MFA you can own:
- An email domain and server
- A certificate
- open source Fido2 Security key
- Geolocation via IP address or GPS or network node
- Time-Based OTP
The only one of those that technically relies on someone else is your DNS provider for your mail domain or ISP for geolocation.
One man lives an in a house surrounded by good neighbours.
Another man lives in a house with five locks and a barking dog alarm.
Which of the two men would you call insecure?
I’m sure you are joking..
And you have to approve log ins using other devices
2FA helps people who have terrible security but harms those who have good security.
If you don't have the device compromised then the only way to break into the account is getting the password. This is only possible in these cases:
* You don't use password manager and type the password every time, some camera in public sees you typing it
* You use the same password on multiple services and one of them is hacked
* The service has data leak and your password is weak
*The service has data leak and they don't store the password properly
* The service is compromised and you enter the password at the time
As you see except for the last two you can prevent these. In case of any of the last two you're already screwed and 2FA doesn't help.
If your device is compromised then the attacker will just wait for you to login and use your logged-in device to do the harmful actions he wants in the background without having to use 2FA or password.
And even if you can specifically 2FA "more harmful" actions, which would be a good idea, nobody actually does it in meaningful way. The other device doesn't show you what you're actually confirming, only that you're confirming something. For instance you might think you're confirming permission change and you actually confirm account deletion.