I recommend checking out GitHub's authentication settings, which are better than average. You can authenticate in a lot of ways.
To avoid lockout I recommend setting up multiple ways to get in, including printing out paper codes and keeping them with your important papers, a phone authentication app, and a YubiKey if you're willing to buy one. If there's one method you don't like (for example, I don't trust text messaging for authentication), there are others.
With that set up, I'm fairly comfortable using GitHub as a way to log into other websites when that's possible.
You'd think that financial firms would have similar offerings, but I haven't seen one that's as good.
Ugh, I have no idea why but my broad experience with financial institutions is that they’ve tried to reinvent the wheel and come off with worse than basic industry standard security as a result. My mortgage lender asks for only certain characters from the password, meaning it’s stored in plaintext, for example, and has no second factor of any kind. None of the banks I use support TOTP or U2F/FIDO2. Many add inconvenient hoops to jump through that fall somewhere between “no better than TOTP” and “actively dangerous”. It’s incredibly frustrating when they have more than enough resources to do it right, and security is one of their primary reasons for existing.
> My mortgage lender asks for only certain characters from the password, meaning it’s stored in plaintext
If it's any consolation, it could just be because they couldn't figure out how to escape characters or sanitize the input to do so. Better, but not by much I suppose.
> security is one of their primary reasons for existing.
Nah. It's because it's easy money. If it wasn't, they'd probably be all about having the post office doing the banking.
Oh, no, unfortunately not - I meant "Input characters 2, 3, and 7 from your password".
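The point about "characters 2, 3 and 7" implying recoverable storage can be shown directly. The following is an added example, not code from anyone in the thread or from any bank: it contrasts a conventional salted-hash credential record, which can only answer "is this the whole password?", with the recoverable record a partial-character prompt requires. The password, the PBKDF2 round count and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Sequence

# Constructed demo password for the illustration; not a real credential.
DEMO_PASSWORD = "correct horse battery"

PBKDF2_ROUNDS = 200_000  # assumed work factor for the demo; tune to your hardware


def store_hashed(password: str) -> Dict[str, bytes]:
    """The conventional credential record: a random per-user salt plus a slow,
    salted one-way hash. The password itself is never written down."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_full_password(record: Dict[str, bytes], attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time.
    This is the only question a hashed record can answer: 'is this the whole password?'"""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def store_recoverable(password: str) -> Dict[str, str]:
    """What a 'type characters 2, 3 and 7' login implies: the server keeps the
    password in a form it can read back (plaintext here; reversible encryption is
    equivalent for this purpose, since the server must decrypt it on every login)."""
    return {"password": password}


def check_selected_characters(record: Dict[str, str], positions: Sequence[int], typed: str) -> bool:
    """The partial-character challenge (positions are 1-based, as on the login form).
    It needs record["password"]; there is no way to answer it from a salted hash,
    which is why such a prompt is evidence of recoverable storage."""
    pw = record["password"]
    if len(typed) != len(positions) or any(p < 1 or p > len(pw) for p in positions):
        return False
    expected = "".join(pw[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode("utf-8"), typed.encode("utf-8"))


def can_answer_partial_challenge(record: Dict) -> bool:
    """True only when the record exposes the password, i.e. the design the thread complains about."""
    return "password" in record


if __name__ == "__main__":
    hashed = store_hashed(DEMO_PASSWORD)
    print("hashed record verifies full password:", check_full_password(hashed, DEMO_PASSWORD))
    print("hashed record can do partial check:", can_answer_partial_challenge(hashed))
    recoverable = store_recoverable(DEMO_PASSWORD)
    print("recoverable record, chars 2,3,7 == 'ort':", check_selected_characters(recoverable, [2, 3, 7], "ort"))
```

The takeaway for a reviewer of a login flow is the asymmetry: a site that hashes passwords properly cannot offer a partial-character prompt at all, so seeing one is a reliable signal about how the credential is stored, independent of anything the site says about its security.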
Seems good, as long as it's not SMS 2FA. Any developer who isn't aware of 2FA will get introduced to it and hopefully learn why it's important; for the rest, this won't be an issue at all.
Uh oh. I don't own a cellphone so two-factor is a prohibitive requirement for me. I hope they allow email verification instead, similar to Valve's "Steam Guard" service.
GitHub supports 2FA via TOTP; presumably it should suffice for this requirement.
You can buy a YubiKey.
Some password managers, like 1Password, can manage TOTP 2FA codes and are available on desktop.
That sounds useful, though I'm not entirely sure what it means. I use KeePass to manage passwords. Until now I thought two-factor was always a phone thing, but if I can do it on the desktop, that seems much better.
I'll do some googling so you don't need to explain information that is probably already available online. Cheers.
Can we get some perks from the forced 2FA being rolled out (not just on GitHub mind)?
Like not tracking all my devices and making me register each one?
I'd be more happy if all 2FA was something like TOTP, but that rarely is the case and more often results in further mandatory smartphone dependence.
The worst is SendGrid where you need to use Authy. You can use any TOTP app but only if you hack the desktop Authy Electron app and extract the secret key.