I need to rant a moment about two-factor authentication and the downsides of it. First of all, why is it forced on us? Why can't the user decide if they need or want 2FA when logging into a system? If I have a 20-character password that even I don't know or care what it is, because it's in my password manager, why can't that be sufficient to get me into the thing I'm trying to log into? Secondly, most 2FA codes are sent via SMS, and that's great, but what if you have to change your phone number suddenly? What if you need to log into something, and maybe you don't have service or text messaging is being finicky? What then? And if your 2FA code gets sent to you by email? Well, that's all fine and dandy as well, until you try to receive a code and it never arrives, even when you check your spam folder! That last scenario is exactly what has just happened to me this morning when trying to log into my Amazon Web Services (AWS) account. Had I been able to just log in with my AWS username and password, all would be good and I could get on with my day, but no, a verification code had to be sent to my email, which I checked over an hour ago, and I'm still waiting for either code to arrive. Of course, by the time any code arrives, it will be invalid, and I would have to start the process all over again. Why are passwords suddenly this awful, evil entity that should never exist, despite the fact that they've worked for decades? Hackers will always try to access resources, but if they seriously want to access my Amazon AWS account, and can guess my long password on the first try, then I would think I would know said hacker. We haven't stopped hackers, we've just made things ridiculously inconvenient for end users. Why not make things even more complicated? Let's make the login process for a simple website a 27-step process, complete with essay questions.
@kd6cae All about passkeys. Much harder to get around than passwords.
@FreakyFwoof @kd6cae Passkeys are the way. Also, authenticator apps where possible. What I wish Amazon would do (my bank does this) is send the 2FA directly through their mobile app. It doesn't get much more secure than that.
@quanin @kd6cae PayPal *should* do that but doesn't. Sometimes it does ask to, but more often it's stupid SMS, the least secure method ever.
@FreakyFwoof @kd6cae Which is just dumb. I mean look. You've spent years encouraging us to download your stupid app. We did. Fucking use it. ...And this is why I'm not in any position of influence.
@kd6cae I'm surprised AWS haven't moved on to passkeys, those are far easier for us, yet harder for hackers to steal or bypass.
@alexchapman @kd6cae Unless you're on windows, it seems. I agree with you other than that.
@kd6cae I don't know why stuff has to be this way, it's bullshit, that's what it is. Here's an idea, stop thinking about it, and go listen to the Flash Drive. It's happening right now on Server 1 on The Mix.
@kd6cae I personally hate hate hate hate and hate two-factor auth, and wish it was never invented. This is just my personal opinion, and I know what people will say. If someone gets your pw, they can just log in, but with two-factor auth, this cuts down on that. I would say they are right, but leave that up to me. Don't force me to use something I fucking hate with a passion!
@kd6cae Occasionally my Zoom signs me out of my work account, so I have to sign back in. Most of the time, it sends me a code by e-mail, which expires in ... wait for it ... ten minutes.
Sometimes it never arrives. Last time it took nine minutes to arrive.
My bank makes me approve a notification on my phone, and for all six of the six years they've offered 2FA, it hasn't worked. I get the "Sorry, we're having technical issues" error, which could mean "The server returned a 404" or it could mean "Your internet isn't working", because who the fuck cares about useful errors anymore?
Projects like Ableton, and Linux admin in general, are my happy place now. When it fails, it fails because I did something wrong, and there's an actual path to working out the solution. It turns out that's a lot less frustrating than hitting a wall.
@kd6cae The only thing I'd add is that many, in fact I'd say a goodly portion, of the sites where I either need to or choose to use MFA are now moving away from SMS messages or emails and going to authenticator apps. I learned this when I had in fact changed my phone number and they wouldn't even let me set up a new one for MFA.
@kd6cae I recently had this very same thing happen to me with a loyalty card that I have. I changed my phone number a while ago and I didn't change it in the app. When I wanted to start using the app again, I couldn't, because it wanted to send a two-factor authentication code to my old number. I couldn't delete my account and re-register because I couldn't get into it. I couldn't just create a whole new account because the email that I used to create that account was still active. I ended up having to call their customer care team, and they were able to sort it for me. But really, how annoying.