19 votes

Turn on multi-factor authentication before crooks do it for you

11 comments

  1. Crocodile
    Well, if you ever needed more convincing to turn on MFA, this article is it!

    I had a funny story with a friend recently that is similar to this, luckily the "crook" was his brother, so it was resolved, but it caused difficulties. His brother wanted to play a game that my friend owned, so the friend gave him the account. No big deal. Problem was, when the brother signed in, Microsoft prompted him to add a 2FA and the brother entered his phone. Fast forward and my friend tries signing back in, but it asks to send a text to his brother's phone. Normally, he could have just asked for the code, but the brother recently went camping for a few days, so he was effectively locked out. He remembered me preaching 2FA at some point, so he asked for help, but we were pretty much stuck for a few days. He got his account back luckily.

    Moral of the story, enable 2FA, but try not to do it through SMS. Use an authenticator app :)

    8 votes
  2. [3]
    Comment deleted by author
    1. [2]
      babypuncher
      they should have offered a solution in cases like this

      No they shouldn't. Ideally, everything should be encrypted in a way that the service provider has no access to the users' data. In a perfect world, it should be physically impossible for the service provider to decrypt your data if you can't provide the required number of secrets. This is to protect you from privacy-invading employees, and anyone who compromises their data center (criminals, overzealous law enforcement, nefarious governments).

      This is really more a problem of default behaviors and customer education.

      The default behavior should be to require mfa immediately upon creation of a new user account.

      All users should be provided with backup codes and informed to store them in a safe place (I keep mine in a keepass database). This protects users from a lost phone or authenticator.

      All of this should be adequately explained to the user when they activate mfa. If people don't bother to read, well that's on them.

      5 votes
      1. TheJorro
        In my time with many different implementations of 2FA, Apple's stands out as perhaps the most precarious. It seems their entire approach is predicated on you being neck-deep in their ecosystem, with multiple devices at your disposal so you know you can always access at least one Apple device. It doesn't work nearly as well when you only have the one device. They don't really offer many avenues outside of their physical devices to recover an account if something happens with the 2FA since their recovery methods all involve either having the device or access to the iTunes account.

        I understand why they won't have backdoors for their own techs to get into accounts, but they should expand how many different avenues the user has to recover their account. Plenty of software and accounts have the ability to reset or remove 2FA without accessing any user data. I don't see why Apple of all companies cannot do that if someone is able to reliably prove who they are and what iTunes account is theirs. I mean, it's as simple as asking for credit card information, address, name, and verifying email access. That same amount of information can let me begin accessing my own bank account, but not recover my iTunes account?

        As it stands, another already-registered device or the iTunes account already-logged-into on a previous browser or device can easily create a recursive loop of locking out access to the user's own account. Even if having more points of entry weakens security a bit, there are ways to mitigate that. Google's pretty good at it.

        For people (like us, perhaps) who are generally on top of their tech, this is largely a non-issue. I always have access to my iTunes account and I know what devices I have, and where I store them. But that doesn't mean I still don't run into issues with Apple's 2FA. When I got my new work iPhone, I had to wait until I went home to my iPad before I could register my iTunes with my new phone because I had no other avenue to do it. That was my only registered Apple device. Other platforms offer email or phone backup options if I can provide the email or phone registered. Others have backup emails they can ping. I was shut out until I could go dig out the iPad I last used two months ago, charge it, and then have it receive the 2FA code. What would have happened if I lost or permanently damaged that iPad? I think my iTunes account would actually have been lost into the ether until iForgot finally comes through.

        In my time on an IT help desk (with a company that had a corporate account with Apple), this was a frequent issue among people that couldn't care a whit about their technology, especially not 2FA. They'd lose their iTunes account information all the time, or their only registered Apple device was the iPhone they had just returned to get a new one after the lease expired and then couldn't get their 2FA back, so they had to create a new iTunes account with a dummy email. It's not as simple as saying "If people don't bother to read, well that's on them" when Apple specifically markets themselves as being exactly for that kind of tech user, the person who barely knows the difference between a CPU and a computer and couldn't care less. On starting up a new device for the first time, Apple tells them how much they should trust their iTunes account with all kinds of personal and private data, but then offers little to no help to get those people back into their accounts. I'm not a fan of that approach, it feels very much like a have their cake and eat it too sort of situation where they market a level of security but not a guarantee of it being secure for you, as you would have with any other security deal.

        I don't see why Apple cannot take steps to make the process of recovering a stolen iTunes account easier for legitimate account holders, especially after they insist so heavily that people who want simple tech experiences should trust their iTunes account with so much data.

        3 votes
  3. vord
    I think this is really just a failing of having 100+ 2FA schemes with poor implementations.

    If 2FA can be added without validating anything other than a (potentially compromised) password, that is the failing of the company. Minimally there should always be a confirmation email before making a change, and always a way to roll it back. Emails shouldn't be able to be switched without validation emails or a lengthy support process first. 2FA shouldn't be able to be registered to a different email.

    And they even say at the beginning of this article: Password re-use is the bigger problem. If you use actual, unique passwords for everything, 2FA becomes far less of an issue.

    5 votes
  4. [7]
    ohyran
    Am I weird for not trusting it at all? My phone is stuck to my person, many of my online accounts are more or less anonymous. Also my phone is something that nine times out of ten is in another room and having to find it every time I log in is a pain in the neck (I don't use my phone that often and sometimes just turn it off entirely). If I could have 2FA tied to something else like email, or Telegram or Matrix, that would be way easier.

    1 vote
    1. [2]
      Deimos
      When it's the standard TOTP method that a lot of sites use (which is the one you can add to Google Authenticator and similar apps), you can just use an app on your PC to store the accounts and generate the codes too. For example, the Bitwarden password manager supports storing TOTP info for sites.

      This isn't as secure as truly keeping 2FA separated onto a different device, but it's still strictly better than not using 2FA, and is secure against most of the realistic threats normal users have to worry about.

      My phone is stuck to my person, many of my online accounts are more or less anonymous.

      There's no way for services that offer 2FA to know anything about which device you're using to generate the codes. There aren't any privacy concerns that you have to worry about for it.

      6 votes
      1. ohyran
        There's no way for services that offer 2FA to know anything about which device you're using to generate the codes. There aren't any privacy concerns that you have to worry about for it.

        You, sir/madam, know how to talk to a low-skill tin-foil-hat person <3 Will take it to heart and try to look into how to do it properly.

        2 votes
    2. [2]
      skybrian
      A hardware key on your keychain that you can plug into a USB port is another way to do it that works better with desktops or laptops. Not many websites support it, though, and they're still kind of expensive.

      4 votes
      1. Weldawadyathink
        If you get a YubiKey, you can use the Yubico Authenticator app to use TOTP codes from the key. The device it is plugged into can be hostile, and it still only knows the current code, not the secret to generate new codes. They have an app for Windows, Mac, iOS, and Android, and I think Linux.

        2 votes
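The TOTP scheme Deimos and Weldawadyathink describe, as an added example that is not from this thread: RFC 6238 codes are an HMAC over the current 30-second time step keyed with a shared secret, which is why a PC app holding the same secret produces the same codes as a phone, and why a key that never exports the secret can only ever hand the host a short-lived six-digit code. The base32 secret string is a constructed sample; the raw-byte secret and expected codes are the RFC 4226/6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Sites hand out the secret as base32 (the "otpauth://" QR payload) - constructed sample.
SAMPLE_BASE32_SECRET = "JBSWY3DPEHPK3PXP"
# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the default every common authenticator uses


def decode_secret(base32_secret: str) -> bytes:
    """Turn the base32 string a site shows at enrolment into raw key bytes."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server side: accept the code for the current step and +/- `window` steps of clock skew.

    The constant-time compare avoids leaking how many leading digits matched.
    """
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # What a hostile host sees from a hardware token: only this code, never the secret.
    print(totp(RFC_TEST_SECRET, 59))           # 287082
    print(totp(decode_secret(SAMPLE_BASE32_SECRET), 1_700_000_000))
```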
    3. [2]
      Greg
      One of these, perhaps?

      1 vote
      1. ohyran
        I appreciate the effort but I feel that is a path to disaster in my case

        I mean ok so for honesty's sake: I am not only desperately lazy, I am also a bit of a tinfoil-hat who's too lazy to build a bomb shelter and form some death cult militia - further I am also a klutz and pretty forgetful. And to make it worse I tend to be pretty obsessive about stuff. Tbh I'm pretty happy being such a mess considering the horrible suicide cult militia I COULD have formed, had I not been busy at home re-reading comics, or forgetting to order our cult uniform patches.
        (The difference between a doomsday militia cult and a lot of overweight white dudes in a forest wearing random Amazon-bought camos is obviously a snazzy patch)

        So long story short, it's very sweet of you to suggest it, but it feels like an invitation for "never being able to access any site ever again" - and if I shall have even the slimmest glimmer of hope of creating this doomsday militia I need access to Twitter at least ;)

        2 votes