It's 2024, and this is the majority of 2FA in a nutshell:

Institution: I'm sending you a code I need you to put into this form.
Institution: Also don't give it to anyone.
Institution: Oh except me.
Institution: Oh except for these other codes which we'll send from the same shortcode but will never ask you for.
Institution: Don't get confused or hacked lol

#infosec #security

@josh

Institution: Also give me your phone number.
Institution: No, like, really, I won't let you continue without it.
Institution: Even though you already went through 2FA setup.
Institution: We need it for recovery purposes.
Institution: We definitely won't use it for marketing.
Institution: Oh, and by recovery we mean username, password and 2FA.
Institution: SMS is so secure.

@siguza @josh the institution is #Microsoft, isn't it?
@sassdawe @josh I actually think I got away without giving Microsoft my phone number... but this is definitely Twitch, Google, Apple, a few government services, and then some.
@sassdawe @siguza No, more like every bank ever. I don't know why banks love 2FA via SMS but not via security key or TOTP.

@siguza
@josh

Google: You did not log in to this account for a long time. For security purposes, we need to make sure who you are: CAPTCHA: OK, alternate email address registered on the account: OK, and now give me your phone number (which was never set on the account). No, really, you are not "recovering" your account until you give me a phone number.

@mormegil @siguza Yeah, that one I don't like. I think it's designed to ensure it's a real human (if I'm right, it's a dumb test) and you're right, it's weird that doing that neither updates the phone number on that account nor really seems to serve any purpose whatsoever :/

@mormegil @josh

Apple: You've been inactive for 3 seconds. You need to log in again. Oh, that logging-in session has expired while you were logging in.

Google: To confirm your login, open this app on your phone where we can show you ads.

Microsoft: [incoherent eldritch screeching as the web server instructs an Xbox 360 to try and talk to Outlook via the Skype infrastructure for some fucking reason]