I hate 2FA
I get that it’s supposed to make things more secure, but it feels like a constant chore every time I try to log in somewhere. Grab a code from my phone. Check my email. Open an authenticator app. Repeat this process for every single account, over and over.
I know there are tools like YubiKey that are supposed to make 2FA easier, but the reality is that most websites don’t even support them.
I already use a password manager, and all my passwords are long, randomized, and secure. Is there something I am missing that makes this easier, or is this just as infuriating for everyone else?
2FA/multi-factor authentication is a critical security tool that should be implemented everywhere, regardless of convenience.
Imagine if your email account is compromised. (Even if you have a long password, it could still appear in a leak.) If your other accounts don't have 2FA active, all your passwords can be reset with access to your email account.
If someone does this during your sleeping hours, you could wake up to everything being taken away from you. They could send emails to your family with false claims about your welfare that scam them into sending money to this malicious actor.
The list of consequences goes on and on. Yes, it's a mild annoyance, but it provides enough additional security to justify it (imo).
It is not a mild annoyance when it is implemented poorly. And unfortunately, it is often implemented poorly. Then, when people complain about those poor implementations, they generally get responses like yours about how the security is so important that it is necessary "regardless of convenience".
I have students who need to enter a 2FA code every time they log in to their student accounts for their classes. The system also has an automatic logout set at around ten minutes. Students can easily need to enter codes dozens of times per day, for a single site. (Edit: unrelated to 2fa, but as another frustrating security implementation: the automatic logout has no warning or notification. The only way students know they have been logged out is when, for example, they submit the written responses to questions they have been entering, or the comment they have been making in a class forum, and the system instead unrecoverably discards everything they have entered, and asks them to log in again.)
I have one account that nominally requires a new code every 14 days. In practice, it is at least every 14 days, per device, per program, but then also has some significant chance of needing one whenever a device switches networks. I need to enter a code at least a few times a week for that account in order to keep that email working. At one point it seemed they might even restrict 2fa to only Microsoft Authenticator, at which point I had to demand that they at least continue to support the hardware keys I was already using (fortunately, they ended up keeping both hardware key and totp support).
I have another account that just doesn't allow 2fa settings to be updated, at all. I have no way of updating to another 2fa method. At this point I now need to use a recovery code every time I log in.
I have yet another service where I've simply not been able to log in since they switched 2fa on, because they use email-based 2fa, and they simply don't send them to my email address (not a spam filter problem, or anything else: they never even connect to my SMTP server).
Then I have multiple services that require 2fa on every login, and only support SMS 2fa. Why!? It's well known this isn't secure.
I'm strongly in favor of 2fa. I use hardware keys quite often myself. And many services, especially in tech, do a good job implementing it. But in many cases where users are complaining about 2fa, it is the result of bad implementations, and those implementations can go far beyond mild inconvenience.
Just to add to your existing list of poor implementations:
There’s a platform that I occasionally use for work that’s provided by a third party vendor. They require Microsoft Authenticator for me to access the landing page, and Okta Authenticator in order to place an order (the whole reason we even use their service).
I think the issue is that for a lot of these companies, they hear “2FA is important” but then implement it in a way that just does not consider why 2FA is important or how to implement it in a good way.
Should it though? Should it reeeeeeeeeeeeeaaaaaaaaaaaaaaaaaaaallyyyyyyyyyy?
Because like, I'm pretty sure Jimmy's Long Schlong Hot Dongs down the road shouldn't require 2FA whenever I want to log into my account and order some hot dogs. Why would a local restaurant/sex shop duplex, that doesn't even let people store credit card information, require customers to jump through more hoops than username+password to login, and get some goddamn hot do(n)gs?
Just feels unnecessary, like I'm being forced to jump through arbitrary hoops while trying to complete some simple task.
So again, reeeeaaaallyyy? Everywhere? Are you suuuuuure?
I've investigated so much financial fraud in the past year thanks to compromised accounts. From what I learned about how these attacks happen, there's a whole lot of people out there who still use the same password for their email as they would their local restaurant or sex store website.
It's a problem with PEBKAC at its root. 2FA everywhere is certainly a strong correction to the issue but there's not a lot of other effective options. But whose responsibility is it in the end to protect users from themselves? Probably not the sex store/restaurant really. But maybe if they use Square or Wix or whatever then those services should have better and easier account checking and password verification tools built in.
You've got the situation backwards here. If someone uses the same password on their bank and sex shop account, then 2fa on the sex shop account isn't going to help with anything. It's the bank account that needs 2fa!
2fa also doesn't do anything for protecting a password. You still need to trust that the password is being correctly hashed by the website, and all that's different now is that the website has a new column in their database for your 2fa secret.
What I was pointing out is that email accounts are already being compromised by sharing passwords with small site accounts. The obvious fix is that users shouldn't use the same password everywhere but not everyone gets that. 2FA everywhere would still mitigate the issue but it would be a very strong correction because any amount of 2FA is too much for some people.
The question I'm interested in exploring is if there are other, simpler mechanisms or ways to guide people into better security rather than brute forcing them into it, and with how small business sites are made now should there be an onus on their technology providers to provide a secure and easy security flow?
One example I can think of is Shopify, who offers various services to centralize accounts across various small business sites, and they maintain a higher level of security than if the sites were to spin up their own accounts.
How many people are you willing to tell "Sorry, you're an idiot" when their life savings is stolen?
That's mostly what this all boils down to. 1 idiot uses the same password/email at your hot dog sex shop and their bank account and email address. You compromise the easier target first to get access and then compromise the second.
Even if you're willing to say "Screw you you're an idiot" you are now massively overloading the system with these kinds of issues and cases. So yes, until we get REAL data standards (something else that should exist) you basically need any vendor who collects any sort of PII or account info to incorporate 2fa.
But surely if the important thing (banking) still uses 2FA does that nullify this? I don’t object to 2FA in certain situations, but I do object to it in places that just don’t need it. If someone gets access to my chess online account, who cares? If I have 2FA anywhere important with health, bank access and all email then the rest can just be less secure.
Regretfully, and also in my experience, a lot of financial institutions are very willing to go this route. This is one of the responsibilities of many customer service managers and legal teams within them.
If you have older relatives, get involved with their digital financial accounts and ensure that you are protecting them because their banks and pension funds sure aren't.
All of them. Every single one. Let's call it Financial Darwinism. May he with the strongest password retire.
Look, I'm down for a lot more things like this, but I'm also pretty realistic that I myself am probably not making it to the finish line. People would be surprised at how inadequate most of their measures are if certain safety nets weren't in place.
Edit-
Hell that's one of the most interesting parts about watching the whole crypto phenomenon. "I don't want centralized banking" mixed with "uhhh wait...where did my money go"
It’s not really Darwinism if the consequences come after they’ve procreated.
The consequences of having to support financially drained parents and grandparents will provide the Darwinism, just in reverse. Generations of families, being pulled downward into the gaping maw by clickjacking and skinner boxes. At the bottom, permanent financial ruin, and the end of their genetic line.
Have to chip in here. Before I start though, agree completely that the implementation of second factors, be it TOTP, passkeys, physical security tokens or anything else is often poor. There is a huge amount of friction, far too much for most normal people to readily accept.
However, you might not be considering the way that most common compromises happen, which is via social engineering... We humans have always been creatures of habit[1], and are almost always the weakest link! We're also generally poor at assessing risk.
The more of these unimportant sites you have with local businesses which aren't secured, the higher your risk increases. They are unlikely to build sites from scratch, even less likely to pay for proper security testing, and if unimportant, are possibly also candidates for password reuse... BUT they might also contain nuggets of information about you that can be used to build a bigger picture:
If a naughty person decided they wanted to, they could find three possible targets for information, all from your public posts on farcebook. There's enough information in these poorly secured accounts, on potentially poorly secured websites to collate enough of your information to start really digging in to your life.
That might be enough to get through telephone security with your cellphone provider, where they could request a password reset on your online account... Which could lead them to change your address, and order a new SIM. Now they have your phone.
I'm not fear mongering here. This stuff happens. You might not think you are at risk, because why would someone target me? But what if it was you? What if you, or someone you loved, were defrauded of everything they have? Was that worth not securing Jimmy's Long Schlong?
[1] Our house was broken into some years ago, and after the fact, a nice police person talked us through some physical security in our home. Most of the boxes we had ticked, but one thing which absolutely amazed me was how she immediately knew where we would store our keys for cars, garages, front and back doors etc in the kitchen and hallway. We had them "safely hidden away" and used the same places as all other humans, supposedly. If the good guys know this, so do the bad guys[2].
[2] That said, our keys are now easily accessible if someone wants to steal them, as I'd rather lose a thing than have someone threaten the life of a loved one...
As someone who works in IT and witnessed a 2FA rollout, I whole-heartedly agree. Since we migrated all our services to use SSO and enforced 2FA on staff accounts, phishing basically stopped being an attack vector for university resources, as it also has for students who enabled it (though it's not mandatory for them yet, so it is still a problem in much the same way anti-vaxxers tend to contract preventable diseases more often than the general population). Now, the only way to reliably hijack 2FA-enabled accounts is through cookie harvesting/session hijacking, which requires a lot more effort since the user has to do more than just fill out a form and you only get access to the services whose cookies are still valid (i.e. if you authenticated to O365 more than 24 hours ago, someone who steals your O365 cookie will just get a redirect to our SSO page, completely nullifying the attack).
In theory, someone could build an advanced phishing attack that also faked a Duo prompt so they could complete the login, but we haven't heard of this happening yet, and since we require 2FA every 24 hours, the blast radius is time-limited. It's so effective that I believe everyone should use it for every website, even for throwaway accounts. The inconvenience is absolutely worth it for me.
Edit: For the record, I'm very much against websites that implement SMS-only 2FA. Many SMS 2FA services only work with non-VoIP numbers and can easily be intercepted via SIM swapping, in addition to not working if service is spotty. I believe it should be abandoned entirely in favor of TOTP and hardware tokens, as both can operate on any connection, mobile or otherwise, and cannot be easily hijacked like SIM swapping attacks. Duo is great in this regard since it supports phone calls (an excellent choice for older faculty), SMS, push notifications, TOTP, and hardware tokens.
Regarding SMS-only 2FA, it's absolutely mind boggling to find that sites like Fidelity still use SMS based 2FA. And I've seen a handful of bank websites (that I cannot recall at the moment) that restrict password length to 20 characters. Like, wtf?!
Fidelity does have TOTP-based two factor authentication. It's just kind of annoying how they did it. They use a proprietary app called Symantec VIP Access (now owned by Broadcom). It's just TOTP but they have their own way of coordinating getting the key into the app.
You can extract the TOTP secret so you can import it into your own favorite TOTP application by using this program, which reverse engineered the storage of the VIP Access tokens.
https://github.com/dlenski/python-vipaccess
I think they have changed this at some point. My work switched to Fidelity this year and I didn't have to jump through any weird hoops to set up TOTP with the app of my choice.
Why is a phone call better than SMS? I get that it's more convenient for some people, but it's no more secure since it's still vulnerable to SIM swapping (unless you use a landline number I suppose).
Also, something that really bugs me is so many sites allow more secure methods of MFA (TOTP, hardware keys, etc) yet allow you to fall back to SMS as a recovery mechanism. That means you're still vulnerable to the attacks involving SMS since an attacker can just use the fallback.
I don't like phone calls or SMS for 2FA, I just think Duo is great since you can have phone calls as an option. It helps with getting older faculty on-board, especially those who have a good deal of influence in their departments. When you have phone calls as a fallback method, it eliminates the "but I don't have/want a cell phone" argument.
You would be surprised how many faculty still only have landline phone and cable TV service at home. The fact that landlines (especially campus landlines) are much more resistant to SIM swapping-style attacks is a happy coincidence.
I think my frustration is more towards the fact there is no "standard" everyone is using that is easier to use than having to pull up my email or phone every time I log in somewhere. If websites all started to support using passkeys or something similar I wouldn't mind as much, but right now it's a mish-mash of different methods. Email, text, passkey, authenticator apps.
That's a fair criticism. If I could just use codes in my authenticator app for everything, it'd be nicer. But having to use specific phone apps for some, then email and sms for others, is quite annoying and disjointed.
As previously mentioned, SMS based 2FA is not as secure, but still better than nothing and easy for average joe to set up. Walking your grandma through setting up an authenticator app and scanning a QR code, then having to remember to open that app for every login? That isn't easy for everyone.
There's a lot of room for improvement, but it's worth the hassle and growing pains for the sake of security.
Agreed. I'm fine using 2 factor, but the fact that I need 3 apps (2FAS, Steam, Duo) plus insecure SMS messages is a pain in the neck.
Depending on the 2FA app you use, you can actually get your steam guard codes in it. Bitwarden has a guide on how to do it, for example.
OATH is the standard you are looking for, and any service taking MFA seriously will at the very least let you add your account to an OATH compliant authenticator app. SMS-based 2FA should be avoided at all costs.
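The OATH standard mentioned in the comment above is the pair HOTP (RFC 4226) and TOTP (RFC 6238), which is what every "authenticator app" computes from a shared secret and the clock. The block below is an added example, not code from this thread or from any particular app or vendor: it implements both algorithms in Python, checks them against the test vectors published in the RFCs, and shows the server side of a verification (a one-step drift window, constant-time comparison, and a `last_counter` replay guard). The function names, the drift window and the replay guard are this example's own design choices.

```python
# Added example, not code from the thread: a minimal implementation of the OATH
# algorithms (HOTP, RFC 4226; TOTP, RFC 6238) that "OATH compliant" authenticator
# apps and the servers verifying them compute. The secret used in __main__ is the
# RFC's published test secret, not a real account's.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matched counter (persist it as the new last_counter)
    or None. Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or below `last_counter` so an observed code cannot be replayed."""
    current = at // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = current + delta
        # No early exit: every candidate is checked so timing does not reveal which step matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), code) and candidate > last_counter:
            matched = candidate
    return matched


def new_secret_b32(nbytes: int = 20) -> str:
    """Fresh 160-bit shared secret in the Base32 form that enrolment QR codes / otpauth URIs carry."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def secret_from_b32(text: str) -> bytes:
    """Inverse of new_secret_b32: restore the padding the QR code usually omits and decode."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"      # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59, digits=8))      # RFC table gives 94287082 for T=59
    b32 = new_secret_b32()                     # what a site would show at enrolment
    now = int(time.time())
    print(b32, totp(secret_from_b32(b32), now))
```

The server only stores the shared secret (the "new column" an earlier comment mentions) and the last accepted counter; the secret has to be protected like a password database, since anyone who reads it can generate valid codes. Rate-limiting verification attempts is still required: a six-digit code with a three-step window gives a blind guesser roughly a 3-in-a-million chance per attempt.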
Most reasonable sites these days support auth apps, and you only need one (I recommend one that can be locked with its own code given the amount of access you'll have there). Sometimes it's hidden in security settings.
Realistically, though, it won't be unless it's convenient. This thread shows that much. People don't like change (and 2FA is a big change), but they'll accept change, provided the overall work involved is similar. 2FA needs to get there, because that's what's stopping people from adhering, and it's the people who don't adhere that are the security risks.
It is not a "mild annoyance" when multiple elderly relatives lose a significant chunk of their digital lives due to 2FA.
I have never met someone in real life that was hacked. I know several people who lost their digital identities due to 2FA. Including someone who had their entire hard drive remotely encrypted by Microsoft.
2FA is openly hostile. It's like a banker surrounding their banks with moats full of crocodiles. That is probably reassuring to whoever controls the drawbridge. It is not reassuring to anyone else who wants access to their money.
I know two or three that have been hacked, and one several times.
I’m not certain how losing your second factor is any worse than losing a password, in a world without second factors? It seems like the hostility you’re experiencing is from the poor account recovery flows in those services, which seem like they would affect lost passwords just as much.
Most people can handle writing a password down on a piece of paper. 2FA is not intuitive which is why regular people are often surprised by an unsolvable situation.
Fair enough. I don’t agree — passwords you need to write seem just as unintuitive as second factor backup codes — but I appreciate that intuitiveness and complexity are inherently personal experiences, so that must be the case for the people you’re often around.
I'm going to agree with OP, that 2FA has outgrown its purpose.
When I tried to buy movie tickets (online), I was told they needed my phone number for 2FA. The answer is no they do not. I don't need to give you my personal information, to acquire movie tickets. And if I do, that's the last time I come to your theater.
Data collection is all the rage these days, and if you can require 2FA to get more contact details and traceable information about a client, they're going to do it.
In the age of SIM swaps and data-driven profit, I don't understand why I can't use three different emails across three different hosts instead of one email and one phone number. I don't want anyone at all to have my phone number, for ANY reason, let alone when a more anonymous medium can fulfill the same purpose while not being paywalled (phone bill/mo). Not to mention it's an absolute HEADACHE to fix everything if your number ever changes. I've just given up and let accounts go before because my phone number changed and it locked me out of my own account. I'm never making that mistake again, for any website or app.
It just feels detrimental to me, like my accounts are being held hostage by my phone company.
So how do you deal with phone number requirements now?
lol I don't! If a service wants my phone number so bad it's a requirement, I just don't use it. Unless it's related to friends, family, business or utility I've stopped handing it out.
I'm also worried about who it's sold to, since phone numbers are pretty personal to me, and I get enough spam already. I've had my current number for about four years now, and never once have I answered or called back an unknown number, and yet still mine is floating around on call lists and being rung even through the spam filter.
I hope that answers; if not, I guess I'd give it out for things like signing up my home for internet service, my auto mechanic etc. but not for a game, online service or app.
I just don't equate sharing my personal information to being secure. Gotta be another way.
Absolutely should be secure. I asked as I have seen some temporary phone number services, but they usually recycle them at some point and it feels insecure to use.
They're great for throwaway use! I wouldn't use one for any legitimate purpose, or for very long. I wouldn't recommend against them, but I'm also just some idiot, so use your own judgment ;)
Sane 2FA is mostly done by authentication app. Phone numbers/emails are recognized as a terrible way to do 2FA. It's easier to spin up a junk email for all those.
That assumes the point of 2fa for these companies is to secure accounts, not to get contact information.
In the EU, GDPR means they can't use 2FA data for other things. That mightn't be relevant to everyone, but it sure is to a lot of folks!
In principle, they can just ask for consent at the time to use it for other purposes, and I have seen instances of that; it does mean that you can be at least somewhat confident they won't do so unless you check a box, at least, though they will sometimes a bit more dubiously put that box (unchecked) in a list of things like "I agree to the ToS".
In practice, they can try sketchier things, like the 'pay or OK' tactic (pay us or consent to everything if you want to see our site). And even if they just ignore the GDPR on a point like this, enforcement is dependent on who they are and where they are; they could be in a country with a strict DPA and find themselves quickly fined, or they could be in a country where the DPA really doesn't care.
And let's be honest here, in practice it's pretty likely that a given service is only doing the barest minimum of pretending to care about it to stay below the radar and otherwise using it as toilet paper whenever convenient/profitable (or rely on something that does, knowingly or not). Don't get me wrong, the GDPR is a great thing to have and it's not completely toothless as you can usually leverage it to force companies to get rid of the data they have collected from you (even if it's occasionally like pulling teeth and not foolproof). But the very existence of Windows 11 in its current form is part of a massive mountain of conclusive evidence that it is constantly being violated at even the most basic level.
If it was being enforced to the fullest extent of its stated regulations, we would be witnessing a digital Apocalypse in the biblical sense of the word as all the "big tech" corporations instantly get bankrupted several times over from the fines alone, the infrastructure of the advertising industry is obliterated, every single generative "AI" model vanishes (I'm not saying the technology inherently infringes on the GDPR, as it is perfectly possible to ethically gather a sufficient dataset to train such a model and I'm sure at least someone out there is doing that, but it's also blatantly obvious not a single one of the models seeing any significant use were trained in their entirety from such a dataset) and not only the modern web but also the entirety of the personal computing technological stack collapses in one fell swoop.
Since no event approaching anything like the above has happened except in some of my especially self-indulgent daydreaming, assuming the GDPR is being upheld by a given service isn't a safe assumption, and establishing beyond doubt whether they are on a case by case basis can be very difficult or often flat out impossible (and if it's easy to find the answer, chances are that answer is no.)
I’ve literally got two phone numbers for exactly that reason, but alas my original main phone number has been leaked enough times that I’m on half a dozen spam call lists already.
My phone supports dual SIM as long as one is physical and one is eSIM, so it was just a matter of finding a provider who would provide an eSIM for cheap. I found a pre-paid plan that’s like $10 for 365 days, and yes in my mind $10 for a year of less spam (on a phone number that I can just throw away if it gets too spammy) is absolutely worth it.
It also means if I ever get messages or calls on the spam number, I’m instantly more suspicious than if I would receive them on my main number.
This is my issue, too. I don't have a problem if I can scan a barcode, write down some backup codes, and then an app generates a new number every few seconds. But I will not give a random website my phone number when it doesn't need it for any other purpose than texting me a code.
2FA is hostile
2FA is good for technical reasons that are irrelevant to most people, and every time a platform forces people to use it, they show profound ignorance of how real people use their devices. They fail to communicate just how tragic losing 2FA can be, sometimes locking you out completely and forever.
To some, especially the elderly, changing to 2FA should not be as easy as clicking one or two buttons. That is a drastic change to their entire relationship with a platform and should be accompanied by a short but very real course (yes, actual education!), explaining all the actions they must take in order to never lose their credentials.
One may argue that if a technology meant for everyone requires an actual course to use correctly, perhaps that is not a good technology to impose on everyone.
2FA outsources the complexity of online security to unsuspecting users who will just click "Next" a bunch of times until they can do what they want. 2FA makes passwords irrelevant but you still type them out, which makes people think nothing has changed... until they're randomly logged out of their devices, they have a new smartphone and cell number and don't even remember their old one anymore. And then they're asked to open an authenticator they never used on a phone that was lost or stolen, which might require the use of an additional password that they typed in a hurry back in 2018 while completely unaware of its purpose and immediately forgot. Or maybe they'll need access to an email address which is also requesting 2FA...
Every time this comes up tech people will answer with sound technical reasons that are meaningful to them and then describe some perfect convoluted setup they have so they're never locked out even for a second. This is like saying jumping off the Empire State Building is perfectly fine because it's fine to you. Also, you're Superman.
I hate 2FA.
Thanks Lou.
My elderly, fixed income neighbour just got a new smartphone because life requires this of her now. She has no idea how to do anything anymore, and when she tries to voice call companies, instead of humans she gets scripts or humans who have no ability to solve any of her problems at all. It's very hostile indeed.
My father has a neurological decline health issue, and 2FA is really messing him up as well. To him, going to a physical bank, the same guy who's been working there for years, where you know the clerk and you can see his face and say his name and look him in the eye, that's security. They're asking him to not only sit at a computer and type in a long password, but also to pull out his phone and do more stuff: to him that feels like anyone with more knowledge about computers than he does (e.g., everyone) is going to steal all his money and not let him call for help. It makes him feel like if he ever dropped his phone the person who picks it up will steal all his money. It's very upsetting for me to tell him, yeah, it's more secure because they'll need both... and he says, so if people break into the house and try to use the computer to steal money they won't just let him run away because they'll need his phone too?
My heart ......
Fingerprint authentication is really frustrating for me. It inevitably stops working after a week, or sometimes less. My skin will become more or less dry depending on the weather, and that’s all it takes for my fingerprint to become unacceptable, I guess. I get really tired of having to set up a new fingerprint that I know isn’t going to work for long.
Your experience mirrors mine other than I only have one (extremely stubborn) parent still living. They can barely use a modern phone these days and are only able to access anything with my or my siblings' help. It takes hours to accomplish what should be a 5-10 minute task and they frequently just give up, leading to frustrating repercussions. Now, this doesn't mean it isn't good at securing things, obviously. I am sure that if not for 2FA being such a burden, they'd have been scammed many times (there have been several attempts). I just wish there was a better way that didn't lock them out of their own digital life and business.
2FA does NOT replace passwords. The point is to have two forms of authentication. Sure you can do one time login links and such, but that means if your single point of weakness (email/text/whatever) is compromised then all of your access is compromised. Passwords are relatively secure on their own, but complexity requirements encourage users to reuse them which leads to getting pwned if their password gets leaked by one of the random websites they use it on. Passwords are also able to be cracked without your knowledge and since few people rotate passwords, that means they could be compromised without knowing it.
2FA solves a lot of these issues. By having a short time code that is generated by something you have, the risk of losing your account to someone knowing your password is greatly reduced. Yes, losing 2FA causes pain but it doesn't have to. Services don't need to lock out your access when 2FA is lost, they can provide an intentionally slower method of verification which allows users to see that someone is trying to strip their 2FA.
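The comment above argues that losing a second factor need not mean losing the account: the service can hand out single-use recovery codes and, when those are gone too, offer a deliberately slow removal path that the real owner can see and cancel. The block below is an added example of that design, not code from this thread or from any named service. The number of codes, their format, the seven-day cooldown and the `Account` record are assumed values chosen for the example.

```python
# Added example, not code from the thread: single-use recovery codes plus a
# deliberately slow "strip 2FA" path with an owner-visible, cancellable delay.
# Code count, code format and the 7-day cooldown are assumed values.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RECOVERY_CODE_COUNT = 10               # assumed
REMOVAL_COOLDOWN_SECONDS = 7 * 86400   # assumed: a week in which the owner can cancel


def normalise(code: str) -> str:
    """Accept the code however the user typed it: any case, dashes or spaces."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str) -> str:
    # Codes are 80 random bits, not human-chosen passwords, so a plain SHA-256 is
    # adequate: exhaustive search of 2^80 values is impractical if the table leaks.
    return hashlib.sha256(normalise(code).encode()).hexdigest()


def generate_recovery_codes(n: int = RECOVERY_CODE_COUNT) -> Tuple[List[str], List[str]]:
    """Return (codes to show the user exactly once, hashes to store instead of the codes)."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(10)                       # 20 hex chars = 80 bits
        codes.append("-".join(raw[i:i + 4] for i in range(0, 20, 4)))
    return codes, [hash_code(c) for c in codes]


@dataclass
class Account:
    totp_enabled: bool = True
    recovery_hashes: List[str] = field(default_factory=list)
    removal_requested_at: Optional[int] = None
    notices: List[tuple] = field(default_factory=list)    # stand-in for emails/push to the owner


def consume_recovery_code(acct: Account, code: str) -> bool:
    """Single use: the matching hash is deleted on success. Every stored hash is compared
    (no early exit) so response time does not reveal which entry, if any, matched."""
    h = hash_code(code)
    match = None
    for stored in acct.recovery_hashes:
        if hmac.compare_digest(stored, h):
            match = stored
    if match is None:
        return False
    acct.recovery_hashes.remove(match)
    return True


def request_2fa_removal(acct: Account, now: int) -> None:
    """Authenticator and codes both lost: start the clock and notify the owner, so a
    legitimate user sees it coming and an impostor's attempt is visible and cancellable."""
    acct.removal_requested_at = now
    acct.notices.append(("2fa_removal_requested", now))


def cancel_2fa_removal(acct: Account, now: int) -> None:
    """Owner (still holding a valid session or the notice link) stops the removal."""
    acct.removal_requested_at = None
    acct.notices.append(("2fa_removal_cancelled", now))


def finalize_2fa_removal(acct: Account, now: int) -> bool:
    """Strips 2FA only once the full cooldown has passed without a cancellation."""
    if acct.removal_requested_at is None:
        return False
    if now - acct.removal_requested_at < REMOVAL_COOLDOWN_SECONDS:
        return False
    acct.totp_enabled = False
    acct.removal_requested_at = None
    acct.notices.append(("2fa_removed", now))
    return True


if __name__ == "__main__":
    codes, hashes = generate_recovery_codes()
    acct = Account(recovery_hashes=hashes)
    print("show once:", codes[0], "accepted:", consume_recovery_code(acct, codes[0]))
    request_2fa_removal(acct, 0)
    print("removed after one day?", finalize_2fa_removal(acct, 86400))
```

The two halves cover the two failure modes the thread keeps coming back to: a code list survives a lost phone, and the cooldown turns "I lost everything" from a permanent lockout into a delayed one, while an attacker who reaches the recovery path has to wait a week under the owner's nose. Recovery-code guesses still need rate limiting; the hashing only protects against a leaked table, not against unlimited online attempts.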
I am a user. Technical distinctions are irrelevant to me. When I am forced to use 2FA, I get locked out. I am actually locked out of my Microsoft account as we speak. With all my Xbox games and files on OneDrive. And my recovery code doesn't work!
When I am not forced to use 2FA, I don't get locked out. So now I presume that the absence of 2FA greatly increases the odds that I will remain in possession of that account. Given my concrete experience and that of my relatives, I believe that is a reasonable assumption, and no amount of technical, abstract considerations will have a greater weight than my actual concrete experiences with 2FA.
2FA fucked me and my relatives multiple times. Passwords have not.
That's simple. I understand the impulse to make technical distinctions but, as a user, there is no difference between concept and implementation. They're the same thing to me. It is not my job to understand the computational maze an IT company goes through to provide the services I acquired. I just want it to work.
I don't care if the issue is the abstract concept of water treatment, the water treatment plant, or the pipes in my street. If the water tastes like shit, I'm not drinking it.
Passkeys are making it somewhat easier. I can just do 2FA with a fingerprint on my phone or touch id on my laptop. But if I'm logging into a foreign device, I still have to dig out my phone, scan a QR code, tap tap, fingerprint to unlock the phone, tap tap, another fingerprint to unlock the passkey I guess? whatever, wait for a moment..., before I'm in. And I don't think they're likely to be supported anywhere Yubikeys aren't.
I have mixed feelings about passkeys. If they only require device-level authentication, there's some level of risk if your device is stolen. In theory, there's always some biometric feature keeping them safe - fingerprint, Face ID, Windows Hello, etc. But I've seen some criticism of how they reduce security overall.
(Unfortunately I can't find a detailed article I read on the topic a while back.)
Yeah, after my partner had her phone stolen a few years back, it was an absolute shitshow and a ton of work getting everything back on track afterwards. If her phone also contained her passkeys for everything, I'm not certain she would've actually been able to get back into her accounts, especially important ones like banking - at the time, she was also using a bank without any physical branches as well, so it could've been even worse if she couldn't get into that account.
A lot of sites give you the option to print out single-use recovery codes, but what if you also lost those, or you lost your phone through a house fire or something else that destroyed the recovery codes as well?
I'm really not sold on passkeys.
That problem is the same with a 2FA authenticator app. If you lose your phone (and therefore lose access to the authenticator app), you lose all the accounts secured with the authenticator, unless you have recovery codes or other backups.
My understanding is that it’s a best practice to get customers to confirm that they’ve stored their recovery codes somewhere prior to allowing them to enable 2fa. So they should have a copy …
Also, for important accounts, you can typically contact support and go through some gruelling identification process to get your account back. Kinda depends on the organization though.
Most people don't follow best practices or even know what they are.
Personal accounts are not tied to organizations. Most people have those. Also, it's probably not a great idea to assume that you'll be able to contact real support on a free Google or Microsoft account.
Yeah, I follow someone on Mastodon who says that he worked at Google and tried without success for years to get them to implement even the most basic customer support for individual accounts.
He recommends not activating a passkey with Google, because their implementation is difficult to understand and if you get locked out of your account you have no recourse.
Personally I resist using passkeys because none of the entities pushing them has seen fit to explain clearly what they are, how they work, or what to do if they stop working. All I see is, “New! Click here!”
You can store your passkeys in Bitwarden. Cross platform, and available everywhere you have Bitwarden installed.
The problem is mostly that the default passkey location is not asked for when you start using it. There is also absolutely no explanation when you start using them, on how it can be used. In the end, when you configure it right, it's so much easier than anything out there.
But you have bitwarden, which is cross platform, supports the platforms you mentioned, and has passkey support?
I personally use 1password, which works on all the platforms you mentioned.
Keepass is getting there, with some effort it can work.
A yubikey or similar can work on all those devices.
I personally don't like to be tied into 1 platform or ecosystem, so I am not.
On the plus side, I’m already seeing quite a few places support passkeys (and by extension Yubikey, which supports the same API) where they didn’t previously. I get the impression that a lot of sites didn’t consider hardware token support worth the effort for the number of people wanting to use them, but the shift to phones and laptops themselves acting as a second factor has tipped the balance.
My solution to this is to save multiple passkeys per account. Once I have a passkey in Apple's keychain and on my Android phone, that pretty much covers it.
Someday there will hopefully be an automatic sync between password managers, but for now you have to save a passkey more than once if you have devices that have different native password managers.
When you store them in Chrome (Google Password Manager), you're pretty much covered. I think the only one lacking still is iOS, but that is planned, if not done already.
I'd suggest using something else like bitwarden or 1password that both support cross platform passkeys thanks to their browser extensions. And if you're on a new device, you can still use the QR code/BLE method.
There's nothing wrong with having multiple passkeys for convenience for apps that you frequently use, but when you go down that route you risk making it more complicated for yourself... what thing do I use to sign in here?
Me too, I hate it.
Either I'm out and I need to use my mobile data, which isn't free,
or else I'm home and I gotta use my cellular network, which is spotty in my area.
-..- even best case it's just more hurdles. Another annoyance is the ever changing password: you don't want me to write it down? Then don't ask me to memorize and forget a 20 character string every 30 days. The more annoying ones get worse passwords from me.
Any security experts want to weigh in on how secure 2FA and biometrics on phone really are compared to a good password?
This is partly the reason why NIST (I think?) recently decided to remove this recommendation from their standards. Though in theory this sounds more secure, in practice many users either ended up using the same "easy" passwords over and over, or wrote them down in plain text (e.g. in their phone's notes app), which kind of defeats the point. (NIST SP 800-63B, I think?) Sadly some other standards (including the Payment Card Industry's DSS) still require that the user changes their password every few weeks.
I'm not the right person to comment on the "biometrics" part because it's not something I specialise in, so I will only answer part of this. If I forgot anything or accidentally said something inaccurate, I urge any other infosec folks to jump in and correct me.
Overall, a semi-decent password + 2FA is absolutely preferred over a single, very strong password with no MFA. The reason being, having a strong password only protects you from someone who is trying to get into your account the hard way, by trying to guess your password. However, I can also get into your account in other ways, e.g.:
Passwords as an authentication method have a lot of weak points and not many strong points, which is why we need some tougher ways of authenticating. 2FA/MFA is supposed to merge "something you know" (password) with either "something you have" (authenticator app, specific device, ...) or "something you are" (e.g. biometrics). Overall this makes things more secure in the context of many exploits, but it's not a panacea, as there sometimes are ways to bypass it.
SMS/Email, TOTP authenticator apps, hardware keys, and biometrics all have their strengths and weaknesses. For example:
2FA/MFA is definitely a step up from (any) password, but of course it's neither unhackable nor a panacea. What you'll use depends on your (or your company's) "threat landscape" and/or acceptable level of risk. Currently the "preferred way" to do MFA, in my experience, is to not bug the user to verify their 2FA for every little action, but only for important, destructive, or otherwise impactful actions, and only if it's really required for them to verify their identity.
Periodic password changes have had a SHOULD NOT recommendation from NIST for at least a decade or two. The recent proposed change was to make it SHALL NOT.
Considering that, the number of state and federal agencies in the US that require periodic password changes, often saying it is a federal government requirement, is infuriating.
Absolutely, it's been observed across the industry that cycling passwords like that causes this type of behaviour and, in turn, ends up lessening your security posture rather than strengthening it. It's wild to me that it's still a requirement nonetheless for one of the most impactful standards, PCI-DSS.
I’m not employed as a security professional, but it’s kind of orthogonal as far as I know. The original intent of all this was to separate out a “thing you know” (your password) and a “thing you have” (your physical second factor) in order to decrease the odds of leaking one factor and compromising your account. So 2FA is a bonus, really. Yubikeys are just buttons you physically press anyways, and don’t have fingerprint scanners.
FYI, most "authenticator apps" use a standard, well-known algorithm for generating codes, which happens entirely offline. You can also shove them all into a single app instead of using several, such as FreeOTP.
Ah … I’m sorry that someone suggested that writing down passwords is a bad idea. I think most modern suggestions are to memorize one password, then use that to secure a password manager in which you write all your passwords down.
At work they're doing physical walk-arounds of the office, and if they see sticky notes or a notepad with passwords on them they're giving out sternly worded reprimands, apparently.
Yes, it seems a password manager is the correct solution :/ thank you
I've done physical penetration tests (i.e. pre-agreed "breaking into" a company's physical premises by trying to blend in with everyone else) a few times professionally, and sticky notes with passwords on them were basically always a "low risk, high value" thing. They weren't the only "low risk, high value" target, of course, but I can't really talk more about that.
All I'm saying is, as is typically the case in cybersecurity, it all depends on your risk tolerance and threat model. Physical break-ins are a realistic scenario for many companies, and often, our physical defenses against "hackers" are far fewer than our electronic defenses against hackers.
Now, technically, a notebook stashed away in a bookshelf in your house, alongside 500 other books and/or notebooks, is not as easy a target as a post-it note on your laptop or a notebook on your work desk. Is it secure? Well, not as secure as a proper password manager (i.e. one that doesn't get hacked every 2 months...), but more secure than having the password written on the device that uses it. But don't get me wrong, there are plenty of weaknesses when it comes to "hidden" physical notebooks with passwords inside them (can be stolen, no easy backups in multiple places, single points of failure, the passwords are written in text and are not encrypted, and so on). But I can see why I'd e.g. tell my grandma that she can do that. And that's not to say that password managers are flawless (each type has its own strengths and weaknesses), but they're better than storing passwords in plain text.
Gasp! You're a fancy Ocean's Eleven hacker! Physical pen test sounds much more exciting than remote digital ones! Ooooh I wish you could share >..< but that's exactly what a bad guy over the internet would say, isn't it.... I appreciate both your insight and your restraint :)
The gist I'm getting from reading this thread is that I need to bug my IT dept about what kind of password manager they'd prefer I use. I'll still have to use my phone for a bunch of 2FA stuff (grrr) but it might make the other parts less painful.
The old-school solution would be to write it in a notebook that you keep in a filing cabinet that you lock up when you're not there - not out in the open on your desk. After all, that's how people did things before they had computers.
True....I remember watching the new Charlie and the Chocolate Factory (with Timothée Chalamet); the McGuffin is a physical ledger book. And probably a lot of other media also portray old-timey ledgers and notebooks as being important enough to lock up at night.
I have a digital version of something we have always used, that's all.
If you wanted there are some Yubikeys with fingerprint scanners https://www.yubico.com/products/yubikey-bio-series/
I normally check the “stay logged in” box, so I only use my second factor once in a blue moon. I guess I also have a very high tolerance for annoyance, since checking for a TOTP code has never seemed frustrating to start with (although I do wish they’d all stop using SMS and email, and switch to either TOTP or FIDO).
I really appreciate websites that start supporting TOTP now so I can get rid of the annoying email / SMS check.
Though currently I'm dealing with a program I have to 2fa for every 2 weeks per security protocol, and I got excited when I finally saw "we support TOTP now" in a news bulletin!
.... Turns out you can only have 1 authentication method and you also can't freaking delete your current method, without having to delete your entire account!!
I sent a persnickety email like you wouldn't believe*
*I mean I'm always extremely polite to Support people so it was along the lines of "and that would unfortunately be quite the inconvenience" but STILL
This is my issue with MFA because many of them have short durations where it doesn't require entering it every time or they just require MFA every single login. I recognize that asking for mfa every single login increases security to some extent, but the balance of security and convenience is always a factor. There's surely many non-existent security measures now that could be done but aren't because the inconvenience would be too high. I don't find that requiring MFA on every single login is a valid trade-off. It should be an option for people who want it, but that is it, an option.
I automatically delete cookies on browser exit, and do so once every few days. That makes it much more of a pain.
Already a lot of good points in this thread. I'll just add that I think this mostly boils down to friction. The more friction in the 2FA system, the more annoying it is to use, even if I can appreciate its benefits. One good example is text codes that automatically show up on the top of the keyboard (on iOS at least, not sure about Android). If I'm logging into a banking app or something, and they send me a code to my cell, literally a second later that code will show up on the top of the keyboard and all I have to do is tap it and I'm in. Sometimes the code shows up before I even get the text! Super convenient.
Then on the other hand you'll have other places where you receive maybe an email code, and so then you have to open up your email, wait a few seconds to receive it, then copy the code and enter it in the box on the app you're trying to log in (or worse, sometimes the place doesn't allow pasting, so you have to memorize those stupid characters and enter them manually). Way more time consuming and therefore more annoying.
I'm with you that there should be more of a standard, but overall I don't mind the system as much because I'd rather be mildly inconvenienced a few times per day when logging in to things than have to deal with the nightmare of a stolen account for something important like my email or anything involving money.
For iOS at least, I think opening the email message is enough, because that forces its contents to be downloaded from the server, and then I can go back to the app and the code pops up above my keyboard (same as you described with SMS).
Really? I haven't noticed it with email messages before, only the text ones. Email still requires me to actually copy or memorize the code and then paste it or type it in. And I use the default mail app. Not sure why it doesn't show up for me. I'll pay more attention to it next time I come across it to see if I'm missing something.
The SMS one is a lot faster and happens in the background, and I don’t even need to open my messages app for it to pop up. By contrast, on the email side of things (I also use the default email app) I definitely have to open the email app but also open the email that contains the code itself.
It’s also not nearly as reliable, even for a service that I know has worked that way before. Maybe it’s a speed thing, like the email has to be loaded and then go back to the app within a brief time?
I just put most 2FA secrets into my Bitwarden vault. It's definitely less secure and kinda defeats the point because someone can just get into my Bitwarden account and then they don't even need anything else, but it makes it a lot easier for things I don't particularly care about. It also still adds some security if my password(s) get leaked, since there's still some 2FA.
To be honest, the ones I hate the most are email because I don't have an email client open 24/7 on my laptop or desktop. At least for SMS codes they're easy for me to check, but those aren't particularly secure.
I use Bitwarden. Is there something about 2FA I don't understand? I have a bitwarden passkey but it doesn't (as far as i can tell?) support the vast majority of websites I use. Most websites still send a code to my email or phone.
You can store TOTP secrets in the "Authenticator key" field of a website entry, and Bitwarden will use this to auto-generate TOTP codes that you can easily copy from the desktop app or browser extension. The mobile app also puts all your TOTP codes in one location - just tap "Verification Codes" from the "My Vault" screen.
If you have Bitwarden on your phone and you log in to a website/app via the Bitwarden app's autofill function, it'll also put the TOTP code on your clipboard so you can easily paste it into the 2FA field, making TOTP on mobile devices a breeze.
Bitwarden can also store website-generated passkeys (FIDO2 keypair credentials; basically a software implementation of a YubiKey), making authentication using them a breeze.
https://bitwarden.com/help/integrated-authenticator/
https://bitwarden.com/help/storing-passkeys/
Edit: Previously, to do this you would have to either hope they provided the raw seed as a backup method (in case the QR code failed to load) or copy-paste the QR code into a QR-decoding website and then copy the seed out of the URL (which also contains the website and account name) and paste it into Bitwarden. It seems it's much easier to add TOTP codes now - the mobile app can directly scan the QR codes, and the browser extension seems to have the ability to screenshot the page to do the same.
Yes, you are missing one method of 2FA called TOTP, where a code is generated every X amount of time. This is often an app on your phone, but it can also be a desktop app. Bitwarden supports it (though setting it up requires a tiny bit of knowledge), but there are also dedicated apps available for desktop use. Though for the latter I don't have recommendations, as I never looked into the options myself.
Unfortunately, and I think this is a big part of OP's complaint, not every website implements 2FA the same way. I'm pretty security conscious, so I will opt in to TOTP where available, and this might just be confirmation bias, but I feel like I have just as many accounts where text/email are the only 2FA options as I do where TOTP is an option. Chase bank, for example, despite your bank account being probably one of the higher-priority accounts to secure, only allows call/text 2FA. My credit union is the same way.
Yeah, banks worldwide are – unfortunately – way too often heinous in their implementations of “security” and not using the damned industry standard wherever possible.
Honestly, I don't enable 2fa everywhere except for those services where I want the extra security. With those services I have yet to encounter one that doesn't offer TOTP as an option.
Banks here have offered various forms of 2FA since... well, internet banking was a thing. Back in the day it was a sheet with tokens, and others had authenticator devices that worked together with your bank card.
These days most banks here use the bank app as part of 2fa in combination with biometrics.
I don't think there is a single financial institution here that would even think of doing 2fa through text (as that has been proven to be insecure) or mail.
Every time I hear something about the state of banks in the US as far as digitalization goes I am amazed at how primitive it all sounds.
Irony of the ironies, I lost my phone 3 weeks ago. After 2 weeks without a phone I had to get another. Anticipating an Authentication hell, I went to my operator and got the same number.
I just tried to add my Microsoft account to the Authenticator on the new phone. It sent a code to my phone and proceeded to not accept the same code it sent to me. While setting up the Authenticator it kept telling me to authenticate on the very Authenticator I could not use.
I tried getting email codes but it doesn't trust its own codes. I retrieved the Recovery Code I had on a piece of paper. Authenticator won't accept it, nor will it say it is wrong. I was directed to a series of pages where I was supposed to add my personal information, including my Xbox Gamertag, which I couldn't check because I'm locked out.
I now have to wait 24 hours for someone to decide if I still have access to all my Xbox games and files on OneDrive. Edit: apparently the forms were for something else and not related to fixing my 2FA. So now I have to figure out how to get support from Microsoft.
Super.
I HATE 2FA
I have my 2FA in my 1Password. As people said, you have all the eggs in one basket I guess, but I'm hedging that against the ease of use: I'm more likely to randomize passwords and use 2FA, which ultimately is better than having to reuse passwords or use variations, as that is easily guessed once one of your passwords is leaked, which is more likely to happen. So with it in 1Password it is just 2 clicks, or even no clicks at all with the last update. It just enters the password, then fills in the 2FA, and you are in. Very easy.
1password has also never been hacked. Many other password managers can’t say that. Some have been hacked multiple times.
I’m slowly working through the process to move away from LastPass for this exact reason, but it’s slow going
Recently my Google Authenticator randomly stopped generating a few different codes (notably the one for my google account). And I'm not the only one: https://support.google.com/accounts/thread/295605525/corrupted-google-authenticator-codes. I always write down the backup codes but 2FA just feels so dangerous to me, like there's no recourse if my phone dies or I lose my written down codes (fortunately this is unlikely). Anyway I don't really have a point but I wish I at least had the option to determine what sort of risk I'd like to take, hacking vs losing codes.
Be careful if you're using Google Authenticator.
The struggle of convenience/usability with security. It's a question of risk: if you are visiting sites where, if the account gets compromised, it's no big deal, then 2FA is overkill. However, if you visit a site where your account getting compromised would be a big deal (am thinking Tildes at this moment...) then 2FA is proper, IMO. Not sure if that helps you decide what to do, but I hope that provides perspective as to how you can approach it.
Passkeys will solve this. Might be a while for adoption though, as most sites also don't accept U2F or Yubikeys. Many sites like Google and GitHub accept passkeys in place of passwords altogether.
If you use a password manager, a passkey could be an RSA public/private keypair stored in your password manager. The password manager handles the passkey exchange with the site, so you simply authorize the key usage on the password manager and you're in, plus it verifies that the entry URL matches, so it is also phishing resistant (obviously, as long as your password manager itself is not hacked).
The problem with the spec is that it seems to be not pro-consumer. The site owner can choose to enforce limitations on the key, such as device bound (stored in TPM), requiring two-factor authentication to use (e.g. password and fingerprint), or requiring you to reauthenticate before the key can be used (which in the case of a password manager they define as re-unlocking with your master password or fingerprint or whatever you used to unlock it). Last I heard KeePassXC is not playing that game: they do not honor the reauthenticate flag and report keys as two factor. Someone on the specs team was saying that doing this may cause websites to block KeePassXC, but I heard that Apple is also not playing that game and will not report vendor information, so blocking no-name passkeys means blocking Apple users.
The coming of Passkey will be a paradigm shift where many people, even in security fields, believed that you need two devices to be secure. Now your authenticator is back on the same device but can be more protected against cloning and phishing than 2FA.
Rather surprising to see so many negative opinions on 2FA, on the grounds of inconvenience no less. A badly implemented 2FA is no different from a website or software with a bad UI: deal with it, or don’t. But in this day and age, any service that requires an account but doesn’t offer 2FA I consider a security risk.
Oh I agree with you from a security point of view: 2FA is a beneficial evil. But it still creates friction, and it's okay to complain about the bad side effects of something good too. Best case, it's worth the little bit of annoyance.
Poorer cases:
it's used for frivolous sites to gain your phone number to sell to telemarketing
poorly implemented ones won't let you copy paste or otherwise some UI / flow problems
security theatre where other aspects of the site have glaring security issues
Puts way too much importance on a mobile device, or when the service stops working properly there's no other way in (@tesseractcat)
Just use a good password manager. Even pay for one if you can. It's worth it!
Having your 2fa code gen, or passkeys in a password manager, solves a lot of frustration.
Having a different username/email for every account makes it even better.
Put the time into finding what works for you!
Passkeys in general are great, but I get why people complain about it. The experience can be bad, especially when you just want it to work with the tools that you are using. Plenty of people don't even seem to want to understand it, and adding information to the places where you register a passkey doesn't help, people don't read these annoying steps, they just click.
Our 2FA solutions get phishing attacks all the time. People just give out their codes, or accept requests for logins, without actually initiating it themselves. Passkeys would definitely be better for users like that.
I'm a big advocate that schools should incorporate mobile phones in some classes rather than banning them. Kids should learn how to be online responsibly. Password management, basic security and why it is important.
Why would anyone ever attack me or try to get into my accounts, I am just a random person, I have nothing of value online. Then when their facebook is "hacked" and can't get it back, they'll cry cause they lost all these conversations/photos/history, while it's basically their own fault. And that's just the most common/basic example. It can be so much worse that actually has a huge negative impact on someone's life. I've seen situations where even I would shed a tear for some random person I don't know.
2FA is absolutely necessary and the friction is the point, as others have pointed out. I wanted to add that what more sites should be using is OAuth.
I think the issue is that MFA/2FA is used too often as a binary secure/not secure switch. Some applications have you provide MFA and then don't again for a period of time unless something about the session changes dramatically. That's way less irritating. If I've used my MFA, username, and password with the exact same IP address and browser user agent in the last 24hrs - maybe require password but not MFA for awhile?
In the US there will be push back from religious people who believe in the mark of the beast from the book of Revelation in the Bible.
I mean, even if I weren't Christian I still wouldn't accept an RFID implant from a private corporation. From a government maybe, if it's easy to remove in case of protest, civil war, uprising, drafting etc., such as at the end of an ear lobe or woven into hair or on top of a fingernail that gets re-implanted every few weeks.
Sounds like being branded like cattle