Authenticating to a website, 2010: Type in username and password

Authenticating to a website, 2024:
- Type in username
- Look up 20-character password in password keeper
- wait
- Prompt for 2FA token
- Dig out phone
- Unlock phone
- Scroll through 50 services to find 2FA token for website
- Type in 2FA token
- Success
- Receive email alerting you to the fact you've logged in
- Six weeks later: receive email telling you service had been compromised eight weeks ago and you must change password.

@jzb what did you do to make it so that you don't get asked to solve 7 captchas and then get your account auto-locked anyway when you login using 4 different factors?
@jzb tbh I hate services forcing 2fa on you when you don't need it, so I just store my 2fa codes in bitwarden. yes, it makes it not actually 2fa. no, I don't care.
@solonovamax @jzb It's still beneficial. There are a couple of things I don't keep in Bitwarden but most of it I do. I guess I could separate them out but it seems so tough given how 2fa works.
@winterayars @jzb yeah if it was smth where I really cared about the security I'd use actual 2fa

@solonovamax @winterayars @jzb arguably it's still 2fa (assuming you 2fa into your pw manager)

The second factor is something you have: you're using the device from which you 2fa'd into your password manager.

@ojensen @winterayars @jzb I'm not using 2fa for my password manager lol (tbh I prob should, but, inconvenient)

so it's not really 2fa

@solonovamax @winterayars @jzb ok so I'm going to disagree *hard* with the idea of not 2fa'ing into your pw manager. For real, you should set that up right now.

It's not inconvenient, you do it like once every 30 days or something.

@ojensen @winterayars @jzb my password manager logs me out after like 30 mins
I also use a unique & long password for it that I don't use anywhere else
@solonovamax @ojensen @winterayars @jzb (you mean lock or logout? If lock, Bitwarden doesn't request 2FA on unlock (unless you request it specifically). If logout... why?)
@ojensen @solonovamax @jzb I definitely have 2fa on my password manager and recommend it. I don't make it ask every time but it's on there.
@ojensen @solonovamax @winterayars @jzb There's still a single point of compromise for the login to the website, i.e. the password stored in the password manager. If someone were to get their hands on that password, it'd be completely irrelevant whether you have 2FA on the password manager. But on the other hand, in order to have a meaningful discussion about how much of a problem that is, you'd have to go beyond the heuristic of "2FA is good" and actually start considering threat models and such, and I imagine for all but the most important websites you'd probably arrive at the conclusion that it's almost as good as the website offering 2FA itself anyway, so I guess I have talked myself into agreeing with you in spirit 😛

@diazona @ojensen @winterayars @jzb I think they're assuming that the password manager is using 2fa in this scenario

so, the points of failure would be the password used for the password manager + the 2fa device used for the password manager

@solonovamax @ojensen @winterayars @jzb Yeah that's the situation I was talking about too - the password manager itself requires 2FA to unlock it, but the website does not. Getting into the password manager has two points of failure, but getting into the website has one (albeit a difficult one).
@diazona @ojensen @winterayars @jzb if it's 32 characters including random numbers & letters (which is what I use by default) then they're not getting in before the heat death of the universe, so
@solonovamax @ojensen @winterayars @jzb They're not guessing it by brute force before the end of the universe, sure, but there are other ways to acquire a password. (MITM attacks, various sorts of compromise on the server side, etc)

@diazona @ojensen @winterayars @jzb

  • mitm: if the site is not using ssl/tls, I'm sure as hell not entering any password data into it
  • website compromised: 2fa wouldn't solve this either. the website has been compromised.

@solonovamax @jzb

It still helps against online attackers. They (hopefully) don't have access to your bitwarden.

I honestly trust my password manager more than my phone.

@jzb @maj Huh? What's that magical "unlock phone" step? Doesn't that require authentication?
@monnier @jzb @maj
The "unlock phone" itself requires two authenticators.
@jzb ...and the change password workflow fails leaving you in a permanent loop.
@jzb 2024 should be passkeys, you’re at most describing 2020-2022
@voxpelli @jzb
Which is another device providing a key and which device requires a pin or password or fingerprint to unlock.
@locksmithprime @jzb On Apple devices it’s the same password / mechanism you use to log into the device (Face ID / Touch ID with fallback to password)
@voxpelli @jzb Honestly these "passkeys" are being pushed so hard by corpos that we don't trust them. So nah, still passwords for us.
@frost it's being pushed hard by corpos because it's good and it has to be implemented on a per OS / browser basis. It's good tech, please don't sleep on this one
@jzb with bitwarden:

- Click on suggested username
- Click on associated password
- Paste 2FA token that is added to the clipboard automatically

That's it.
@jzb you sure you ain't forgotten anything else?
@linerd Oh, prolly - but character limits...
@jzb this is devastatingly accurate
@jzb I find this flow only mildly more acceptable than the other sites that do all this plus ask you for answers to stupid questions, that no one in their right mind would answer truthfully, which I have to copy/paste out of the notes section of my password manager.
@jzb you make me want to set my head on fire
@dave Sorry. I don't recommend doing that.
@jzb bitwarden skips the totp steps tho. it copies the token after filling the password

@graphite @jzb I don't trust my password manager with my TOTP codes, and vice-versa.

(I may have trust issues. 👀)

Edit: ...is it really "multi-factor authentication" if all of the factors are stored in the same app? 🤔

@jima @graphite @jzb is it multifactor authentication if all the factors are stored in one app that also requires MFA? 

@jzb You forgot the step in 2010 where you have to request a new credit card because you got a mystery letter from Visa saying that your card was stolen.

For a while it seemed like I was replacing cards almost annually back then.

@jzb Actually you forgot a few steps:

- Select "Login with Username&Password"
- Type Username
- Hit Next
- Reject logging in with FIDO2
- Lookup Password in password manager
- Type the password manually, because Copy&Paste is blocked
- Uncheck "Store password"
- Hit Next
- Reject storing the password in your browser
- Select other method for second factor to avoid SMS
- Search for current 2FA code in your phone app
- …

@benbe @jzb

- Check the "I am a human" checkbox
- Wait
- Identify and select fire hydrants from some crappy images
- Wait, maybe there comes another fire hydrant ...
- Hit next
- Mark 3 crosswalks on a grid
- Hit next
- Wait
- Redirect to the index page of the website and you totally forgot what you want here in the first place.

@jzb Where is the "Your account has been suspended for suspicious activity (using Firefox)"?
@jzb something you know
Something you are
Something you regret
Something that hunts you

@ferrix
Did you mean “haunts you”?

<floorboards creaking behind me>

Oh, nevermind…

@jzb

@dzwiedziu @jzb that would also have been great
@jzb this is the short version, the longer version is when your 2FA app is installed in your former phone (now your nephew’s phone)

@jzb but it's necessary though.

By the way, I'm currently computing the checksum of a file I just downloaded. Which is the best: MD5, SHA-1, SHA-256 or SHA-512?

@jzb Well, what about passkeys?

You know, that thing you can't save to your password manager and was called asymmetric cryptography when I was younger.

<canned laughter>

@jzb you compare apples (1FA) with pears (2FA).
@jzb I’m sorry but what is the “success” item in the list?? 🤣
@jzb true. Yet, tbf, in 2010, the service had been compromised as well, they just didn't email you back then.
@jzb the frustrating thing is that, while 2fa does have a valid use for security, I strongly believe it's just being weaponized by online services for kyc purposes.
@jzb Passkey universal adoption can't come soon enough
@[email protected] @jzb misskey supports passkeyz
@anemone @jzb Oh is that what the key in misskey stands for

@jzb In 2010, if a service was breached, the passwords were probably stored in plaintext and you could just credential stuff another service with it. Since there was no 2fa, you'd get in all those accounts. Bruteforcing an individual user was extremely possible too, and once you got the hit, you're in, nothing else needed. Try that now with a service like Google and you'd know it's close to impossible.

Anyways, passkeys are the future for frictionless secure authentication. Once more services adopt this, login should become easy & convenient once again, except secure this time! :)

@jzb And this is why I despise mandatory app-based 2FA.

@jzb

I've always said that 2FA doesn't prevent vulnerabilities or attacks, it just theoretically avoids the theft of passwords written on a post-it.

@jzb my man. These things aren't done to spite you. These things are done to force the 90% of people who've never even heard of password manager apps (yes, you read that right) and keep reusing passwords to implement SOME form of security.
@jzb we need the added security, but it sure is a painful user experience. That’s why I’m so optimistic about passkeys.
@jzb don't forget the part where you have to fill in 5 captcha
@jzb
Username? > Type in username
Push this button to send you an email with a magic link rather than having you type your cumbersome password > no thanks
Are you sure? Because typing a password is annoying and if you just press this button, we'll just send you a link instead and you won't even have to type your annoyingly long password > no thanks
Ok > password manager pastes
That's the right password, but just to be sure it's you, I'm going to send you a link to click on in your email