iOS 17’s improvements to verification codes are SO GOOD! 🤯

Verification codes are now read from the Mail app, and mails and messages containing a code are automatically deleted after use ✨ #WWDC #WWDC23

@simonbs Since they're one-time codes, they have no meaning after one use, so this seems to be a case of shutting the barn door after Schrödinger's horse has bolted. The attack on these codes is not someone re-using them, it's someone social-engineering you into telling them to you.
@resuna I don’t think they’re doing this for increased security. This is to ensure your messages and mails are cleaned up.

@simonbs This seems like a really minor component of the not-quite-spam-but-almost I have to deal with.

Possibly because if I have the opportunity to use a better MFA system like FIDO or open TOTP I do that instead.

But I suppose a company that's implemented their own proprietary MFA system instead of using one of the widely deployed and reliable open ones wouldn't understand that.

@resuna You realize this works with any verification code you receive through SMS or mail, right?

@simonbs Yes. That's the point. You shouldn't have many of those. If you get enough that this seems like a worthwhile feature, you have a security problem.

Verification codes through SMS or mail, except for the special case of verifying an email address during initial account setup, are so bad a security system that it's not clear they're not actually worse than not doing MFA at all. If you're routinely getting these that's a problem that needs to be fixed, not swept under the carpet.

@resuna But they do exist, and Apple have made features to make it more pleasant to receive those verification codes. In the meantime, Apple is also pushing PassKeys hard, which will ultimately get rid of verification codes and passwords. I think it’s smart to push a more secure technology while making the transition period as pleasant as possible.

@simonbs I have been using basically passkeys for ssh authentication for decades and it's great but it requires a lot more coordination on both ends. Getting desktop or ops to re-install my .ssh directory after an upgrade is a regular chore.

And of course given their choice to make their MFA solution proprietary and require buying an Apple mobile device I am sure their passkey solution will be open and well coordinated with third parties and competitors.

That's sarcasm by the way.

@resuna @simonbs You do realize that you are an outlier (in a good way), right? I’d imagine a high percentage of users still get their codes via text and e-mail. This is a great quality-of-life item for them.

I try not to use SMS or mail for codes and still find myself getting them semi-often.

@RickWilliams @simonbs I realize that most people are not as careful about security as I am. If they were, the world would be quite different (and more secure). That doesn't mean that switching away from codes would not improve both their quality of life and their security, instead of just one.

@resuna @simonbs Absolutely. But getting my mom to set up 2FA is never going to happen in its current state. I think Passkeys will be the answer.

@RickWilliams @simonbs I will not be dancing with the denial-of-service fairy by setting up proprietary authentication tokens.

@RickWilliams @simonbs I am forced to use Duo to authenticate at work, and this morning I dropped my phone in the dog's water bowl and my whole email flashed before my eyes.