All I want for Christmas is for you to use multi-factor authentication.

Here it is, folks! The Christmas MFA post on shirts!
I just ordered a hoodie for myself!! 🔥

https://shop.mindfulsmbshow.com/listing/Christmas-mfa-tweet-shirts

My hoodie finally shipped!!! I think it will make it in time for Christmas!
@accidentalciso ugh, hate this season but luckily prepping to escape winter again
@accidentalciso wouldn't "Two front teeth" be "Something you have"?
@accidentalciso now there's a tune security folk can sing all year round
@jerry @accidentalciso I seem to recall that #Twitter reassured users by privacy policy that their phone numbers would only be used for that purpose before getting caught selling the phone numbers to advertisers & before a malicious exfiltration of those numbers in a separate incident. In all cases I can think of outside of banking, the phone number compromise is typically worse than losing my account.
@accidentalciso @jerry I’d be okay with the RSA token & the like with bank accts, but the extra login effort doesn’t seem justified for something like a social media acct.

@bojkotiMalbona @accidentalciso @jerry the problem for you if someone manages to get into your account and starts posting stuff that you would ever agree to is not something you think about?

All it requires is a bad password habit and it can be a reality.

Besides, I have 2FA on my social media where it is allowed, and I hardly have to deal with it unless I
* get a new computer or phone so that I need to log in again from scratch,
* wipe the current browser of all cookies, etc., or
* choose to log out from the service.

So in short I probably have to deal with 2FA on my social media accounts at most once a year.

So yeah, max once a year is just too much...

@mr2fa @jerry @accidentalciso I have 5+ fedi accounts. If I had to enter any kind of information for each login, it would exceed my patience. Even the 1FA web UI would be too tedious. infosec.exchange frequently comes under attack and as a Tor user I get booted off dozens of times per day, so it’s important that I can login with just ~5 keystrokes (which uses something I have instead of something I know).
@accidentalciso @jerry @mr2fa It’s interesting how a password is something you /know/ up until a point. Once it becomes hundreds of bits long it becomes something you /have/. In any case, I’m grateful that I only have to enter the pw if I need the web UI.

@bojkotiMalbona @jerryinspace

I suppose it all comes down to how important the account is to you and the impact that a compromise would have.

@bojkotiMalbona @jerry @accidentalciso MFA doesn't always mean SMS messages to your phone, I've never liked that for MFA, and wish it would DIAF.
@accidentalciso I'll double down on that. I'll hand out 5 YubiKeys from my personal stash to anyone that needs one.
@ChuckMcA @accidentalciso 👏🏻👏🏻👏🏻 Yubikey is the way to go.
@accidentalciso I, too, have kinky desires which are unrealistic to fulfill
@accidentalciso really, that's ALL you want? Because I have a bargain basement 2fa with SMS I can give you...
@accidentalciso to be honest, all I want for Christmas is MFA that is friendly for end users, and that can be validated out-of-stream for the inevitable lost token.
2FA is great, until you get caught in the trap of having to undo it all because your phone was smashed in a car accident, or get chewed out by a department manager because their people are never at their desks and 2FA is debilitating to job function.
IMO, it truly is one of those “it shouldn’t be this hard” techs.
@accidentalciso ... but not SMS right?
@DrJekyll I'll take what I can get at this point.

@accidentalciso I couldn’t help myself, I apologize to you and anyone reading this in advance.

I don't want a lot for Christmas
There is just one thing I need
For us all to use MFA, no it doesn’t have to be Yubikeys.
I just want a second factor
To mitigate that threat actor
Make my wish come true
All I want is factor number 2.

@accidentalciso

I just want my bank to allow me to use an authenticator app.

@accidentalciso all I want for Christmas is for two factor auth to not lock me out of ALL of my accounts when I get a new phone and attempt to restore it. Literally every other app works fine from a restore except this one. I lost my VPN connection because I forgot to back up my 2FA backups codes.
I’d rather we replace all of this bullshit with something like decentralized digital identity so my passwords can live behind unhackable homomorphic encryption.
@accidentalciso All I want for Christmas is for your stupid app to actually support MFA of some fashion!
@alyssam_infosec and not force me into the enterprise pricing tier. 🤬
@alyssam_infosec @accidentalciso There is a sulphurous flash. The app now supports mandatory MFA, but only using a sketchy 3rd party app that will not run without device admin and permanent access to location, files, and contacts. Your battery life is now 6hrs.
@AMS @alyssam_infosec @accidentalciso Oh, forgot to mention it, there's no way to export the private keys, and no recovery codes, if you lose/break your device you lose access to the app completely.
@j3j5 @AMS @alyssam_infosec @accidentalciso you forgot to mention that your emails to technical support are black holed because they have no other method of identity verification.
@AMS @alyssam_infosec @accidentalciso MFA == Monkey's-paw Factor Authentication
@accidentalciso an idea just struck me: Would people in the infosec world, that also like ASMR, get totally turned on by someone seductively whispering things like "I enabled 2FA on all the services that support it" and "My passwords are at a minimum 24 characters long, randomly generated and not even fully known by myself - Even my master password is a set of random words with symbols added and substituted"? (Might need to workshop that one xD)

@accidentalciso

all i want for christmas is for people to stop using sms for mfa