Ron Gilbert #KamalaHarris (grumpygamer@mastodon.gamedev.place)'s status on Wednesday, 12-Apr-2023 07:19:11 JST Ron Gilbert #KamalaHarris
I'm 100% in favor of 2fa, but use a standard system that allows for my password manager to solve it. Don't send me a SMS or email or require your custom goofy app.
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:19:01 JST Jake Hildreth (acorn) :blacker_heart_outline: @ASCIInaut @flameeyes @grumpygamer
Yet again I need to shout “THREAT MODEL”. Saving your TOTPs in your password manager is good enough for 95% of people.
ASCIInaut (asciinaut@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:19:08 JST ASCIInaut @flameeyes @grumpygamer I always get very sad when people save their second factor back to the first factor for convenience. This is the digital form of PINs written on the magnetic stripe cards.
Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 07:19:09 JST Diego Elio Pettenò @grumpygamer email 2FA should work better than SMS, but password manager TOTP would just make it "security fiction" for what it's worth.
https://flameeyes.blog/2021/11/30/2fa-totp-keys-and-password-managers/
Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 07:31:39 JST Diego Elio Pettenò @horse @ASCIInaut please read the post, I do indeed talk about threat models.
For those people there's no need for 2FA at all at that point, the password manager is already a suitable defence.
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:31:39 JST Jake Hildreth (acorn) :blacker_heart_outline: @flameeyes @ASCIInaut And what about sites that force you to use MFA?
Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 07:36:17 JST Diego Elio Pettenò @horse @ASCIInaut that's literally the one case I explicitly call "Security Fiction" in this context.
Read the post before passing judgement, next time?
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:36:17 JST Jake Hildreth (acorn) :blacker_heart_outline: @flameeyes @ASCIInaut Absolutely not. This is social media.
ASCIInaut (asciinaut@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:36:56 JST ASCIInaut @horse @flameeyes @grumpygamer Yes, that's right. The real problem is that the decades-old concept of knowing something to authenticate yourself no longer scales with increasing computing power.
Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 08:32:11 JST Diego Elio Pettenò @horse @ASCIInaut (unreasonably deadpan here) ah but social media is what we make of it ourselves!
What if we actually used it to spread the nuance that comes with concepts like threat model, and discuss how to explain to reasonable people when sites insist on terrible practices due to bandwagons rather than thought-out security considerations?
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 08:32:11 JST Jake Hildreth (acorn) :blacker_heart_outline: but but but
(I started reading your blog shortly after my last post. I was interrupted by dinner but intend to finish reading tomorrow.)
Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 20:28:02 JST Diego Elio Pettenò @horse @ASCIInaut to be clear, I also have a ton of "low stake" 2FAs in my password manager because too many services are unreasonable re: 2FA and it's easier to go with the flow.
I just wish it wasn't needed.
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 20:28:02 JST Jake Hildreth (acorn) :blacker_heart_outline: @flameeyes @ASCIInaut LOL! That's exactly my point. For most people, EVERY account they use is low-stakes. 2FA may be security fiction, but it's also reality, so why not make it easy to use?
Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Thursday, 13-Apr-2023 00:15:00 JST Diego Elio Pettenò @horse @ASCIInaut I agree on making it easier (websites should stop insisting I use *their* app, especially for TOTP! I'll take a push notification, maybe), but I'd rather make it less bullshit too -- send me an email with the code, you already have my email, don't ask me for a phone number.
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Thursday, 13-Apr-2023 00:15:00 JST Jake Hildreth (acorn) :blacker_heart_outline: @flameeyes I've yet to run across a site that requires me to use *their* app other than Microsoft Authenticator. Which other services do that?