2FA? More like 2F-in-the-way: It seems no one wants me to pay for their services after all

"Buy me a beer?" Sure, I buy beers for perfect strangers all the time. But you will have to wait your turn. There is a queue, and the other strangers are more reluctant to accept my hospitality. It is already 11pm and I am still sprawled across the sofa. I had been hoping for an early night but fat chance now. Pride is at …

  1. brotherelf

    I will raise my hand and admit…

    I looked up what particular shade of red #E10600 is. Because Friday. Unexpectedly, the color picker I installed didn't have 400MB of extra dependencies.

    1. Dan 55 Silver badge

      Re: I will raise my hand and admit…

      That's not a friendly colour, it doesn't make me want to donate anything apart from blood.

      1. A.P. Veening Silver badge

        Re: I will raise my hand and admit…

        That's not a friendly colour, it doesn't make me want to donate anything apart from blood.

        And not my blood at that.

        1. Anonymous Coward

          I don't donate blood anymore

          Too many questions.

          Whose blood is that?

          Where did you get it?

          Why is it in a bucket?

          Can you wait there until the police arrive?

          They did give me all the biscuits though, so there is that.

  2. chivo243 Silver badge

    To be fair

    There are one or two Seinfeld's that are funny as hell.... Master of your own domain anybody? Lie detector? It's not a lie Jerry if 'you' believe it...

    1. Tessier-Ashpool

      Re: To be fair

      To be even fairer, I’ve only seen snippets of Seinfeld, and I was already at the point of chewing my leg off to go see something that was actually funny.

      Maybe it’s a classic case of humour not travelling well. But I don’t blame myself.

      1. AnotherName

        Re: To be fair

        I find it very useful when American 'comedy' programs have a laughter track. It informs me what just happened or said was supposed to be funny. If it wasn't for the audience I would never have guessed. But I do wish they would cut out all that cheering and applause when a character comes on screen for the first time in an episode. The opening captions should inform us that "This program was filmed in front of a bunch of morons".

  3. Dabooka

    I'm glad it's not just me

    I've never understood the fascination with Seinfeld either. Didn't make it to the ad break, never been back.

    1. Tom 38

      Re: I'm glad it's not just me

      This is verging in to internet-taste-flame style territory, but I quite like Seinfeld. The characters are delicious - they are mostly amoral and never grow as people, and the situations their lack of morality gets them into is usually some excellent farce. Most of the humour is based around their morality, which makes it very human and timeless.

      The other great thing about Seinfeld that has made it more durable is that there is very little in terms of long term story - as I said, these characters don't grow or evolve - so each episode is fairly standalone. Therefore, you can watch any episode in any order, George is still George, Jerry is dating someone new each episode, Kramer is nuts. You don't have to track if they were "on a break".

      1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

        Re: I'm glad it's not just me

        You don't have to track if they were "on a break".

        I worry about the implication that Friends has become the bastion of plot development and story progression to which all else can only aspire.

        But then I didn't get Seinfeld either, I was more of a Frasier aficionado.

        1. Franco

          Re: I'm glad it's not just me

          Agreed, this narrative that Friends was the greatest comedy ever because hipsters in their early 20s think it's vintage really annoys me, I stopped watching it long before "we were on a break" become the go to punchline every time they ran out of jokes.

          For American comedy of that era, Dream On was one of my favourites but that may be rose tinted memories as it was rather more adult in content than most of its time.

          1. Anonymous Coward

            Re: I'm glad it's not just me

            We have a saying: 'Friends don't let friends watch Friends'.

        2. Philip Stott

          Re: I'm glad it's not just me

          Plus many for the Frasier reference; I loved that show.

          Heard a nasty rumour that they're bringing it back. Hope that's not true, as IMHO they ruined it already when Niles & Daphne got together.

          1. Robert Grant Silver badge

            Re: I'm glad it's not just me

            It definitely took a chunk out of the show, but I don't think it ruined it. Kelsey Grammar reading Ulysses in the last episode is a treat.

    2. Chris G

      Re: I'm glad it's not just me

      I always thought it was only the other actors that made it watchable, Seinfeld is not funny and lacks character, in or out of the show.

    3. Keven E

      Re: I'm glad it's not just me

      I couldn't stand watching a show (for very long) where I could *see the "jokes"/"gags" coming a mile away. I gave it a second try and the setup was exactly the same so could see it coming from last week.

    4. Boo Radley

      Re: I'm glad it's not just me

      Mother in law hated him, Steinfeld, she called him. For once I trusted her judgment. Never could stand to watch him, even adverts for the show have me scrambling for the remote.

  4. Dr_N

    French Bank 2FA

    Do you not have the card reading code generator that you have to insert your carte into and tap your PIN. So as to get an authentication code for each transaction, Mr Dabbs?

    The one you don't travel with. And then work out you can use someone else's. From a completely different UK bank.

    1. the spectacularly refined chap Silver badge

      Re: French Bank 2FA

      That's not an issue, indeed my bank actually say that, presumably to head off endless requests for additional or replacement units. The crypto stuff actually works on the card's chip, the reader is just a user interface to the functionality on the card.

    2. Anonymous Coward

      Re: French Bank 2FA

      "From a completely different UK bank."

      I occasionally verify the pin codes for all my bank account and credit cards - as they don't get used in anger very often. It was a disappointment to find that my Barclays and VISA pin sentry device doesn't recognise my Halifax MasterCard.

  5. Dan 55 Silver badge

    "Alternative authenticator app". This is the way.

    Configure your MS account to use an "alternative authenticator app" then remove the MS authenticator.

    Same for Adobe.

    Same for everyone.

    What's this mysterious "alternative authenticator app"? One which works with six-digit TOTP codes and has backup, e.g. FreeOTP+ on Android. I just checked and it's not available in Tim Apple's walled garden though.

    1. Anonymous Coward

      Re: "Alternative authenticator app". This is the way.

      No but there's lots of others that are - Google, Sophos and Authy all seem to work OK for this Apple Fanboy. Some of the password managers also support TOTP, but that makes me feel slightly uneasy about eggs and baskets.

      1. Anonymous Coward

        Re: "Alternative authenticator app". This is the way.

        +1 for Authy

    2. Anonymous Coward

      Re: "Alternative authenticator app". This is the way.

      FreeOTP exists on the iOS App Store, as does Google Authenticator, Authy, OTP Auth - it's a long list of apps which basically all do the same.

      I used OTP Auth for a while for its ability to choose which codes were visible from the logon screen so they could be used in case of emergency without logging in, but of late I have become a massive fan of Step Two, simply because of its very bold UI (not its integration - I abandoned Safari quite a while back and there's no plugin for FF). I now tend to store new codes in both so one acts as a backup to the other.

      There are only two things that every decent OTP app needs: the magic code that the PIN is generated from, and a way to identify the account it represents. In Step Two that is both by whatever name you give it and what colour you choose, and that colour also comes back in the Watch app.

      And I like simplicity when it comes to security.

      1. Dan 55 Silver badge

        Re: "Alternative authenticator app". This is the way.

        FreeOTP without the + doesn't have backup. That's too precarious for me.

        1. Anonymous Coward

          Re: "Alternative authenticator app". This is the way.

          That's why I like Step Two - it syncs across all devices. But I also tend to store critical 2FAs in two separate apps because I agree with you - backup is critical.
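    The two posts above boil a TOTP app down to a shared secret plus a label, and note that backing up that secret is what matters. As an added example (not code from the article, from any of the commenters, or from any of the apps named), here is the whole mechanism in plain Python: RFC 4226 HOTP, RFC 6238 TOTP on top of it, a server-side check with a small clock-drift window, and a decoder for the otpauth:// URI that an enrolment QR code carries. The enrolment URI, issuer and account name are constructed for the example; the secret is the RFC 6238 test-vector key so the codes it produces can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter with the shared secret,
    take 4 bytes at a data-dependent offset, keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accepts the current interval plus `window` intervals either
    side, so a few seconds of phone/server clock drift do not reject a valid code.
    The comparison is constant-time. A real service would additionally refuse a code
    that has already been accepted for the same counter value (replay)."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def parse_otpauth(uri: str):
    """Decode the otpauth://totp/... URI an enrolment QR code carries.
    Returns (label, raw secret bytes, query parameters). The Base32 `secret` is the
    only thing an app actually has to keep (and back up); the rest is labelling."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # QR codes usually omit Base32 padding
    return label, base64.b32decode(b32), params


# Constructed enrolment URI for this example. The secret is the RFC 6238 test-vector
# key "12345678901234567890" in Base32; issuer and account name are made up.
SAMPLE_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
              "&digits=6&period=30")

if __name__ == "__main__":
    label, secret, params = parse_otpauth(SAMPLE_URI)
    print(label, params["issuer"])
    # RFC 6238 Appendix B times (SHA-1 column, 8-digit values truncated to 6)
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(secret, t))
    print(verify_totp(secret, totp(secret, 59), 59 + 30))   # one step late: accepted
    print(verify_totp(secret, totp(secret, 59), 59 + 90))   # three steps late: rejected
```

Because the server and the phone compute the same function from the same secret, nothing needs to be sent to the phone at login time, which is why this survives the non-arriving SMS problem discussed elsewhere in the thread; it is also why copying the secret into a second app, as the poster above does, gives a working backup rather than a second, independent factor.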

    3. Anonymous Coward

      Re: "Alternative authenticator app". This is the way.

      Kept reading "TOTP" as "Top Of The Pops!"

      1. DJV Silver badge

        Re: "Alternative authenticator app". This is the way.

        You're not the only one - shudder, shades of that bastard Saville molesting young women on live TV...

      2. Ken Moorhouse Silver badge

        Re: Kept reading "TOTP" as "Top Of The Pops!"

        Quite expecting somebody* to say that OGWT was superior, even though it self-professed to be in beta throughout its entire life.

        * Oh? I guess that's me.

  6. Pascal Monett Silver badge

    A brilliant demonstration of how phones can become useless annoyances

    Damn smartphones and the apps that go with them.

    Damn the companies that pre-install useless shit I don't need and don't want but can't get rid of.

    I hate smartphones.

    1. Anonymous Coward

      Re: A brilliant demonstration of how phones can become useless annoyances

      "Damn smartphones and the apps that go with them."

      The worst is security 2FA apps that require a postal mail to be scanned by your app. Because any time you lose/break your phone, you'll need to request this mail.

      And if, like Dabbsie, you're unlucky enough to live in France, you already know you only receive 90% of postal mail addressed to you, so this one can be lost, while you need to work on your bank account fast ...

    2. Chris G

      Re: A brilliant demonstration of how phones can become useless annoyances

      I don't hate smartphones but I do hate more than half of the crap they come preinstalled with.

      Crap that is cunningly crafted so that if you disable it, important parts of the OS will no longer function.

      In other news, the video was a piece of post punk, punkjunk, contrived and made to market to an audience, none of the genuine spontaneity of the original. I feel a little qualified to criticise having worked on the door at a couple of Sex Pistols gigs in the 70s.

      1. Alistair Dabbs

        Re: A brilliant demonstration of how phones can become useless annoyances

        Bear in mind the vid was shot about 1.5 decades ago. The target audience of MSI was unusual for an American punk band: school-age, mixed gender, cross gender, goths.

      2. Potemkine! Silver badge

        Re: A brilliant demonstration of how phones can become useless annoyances

        Ah, the Sex Pistols... the punk boys band, made by a marketer to make money when claiming to be against the system... the Great Rock 'n' Roll Swindle.

    3. Anonymous Coward

      "I hate smartphones"

      So do I, that's why I don't have one. I think a lot of people assume that they are obliged to have one without questioning whether it would be of net benefit for them. It probably is for most people but I got fed up of shutting down an app which would relaunch itself 5 seconds later, the short battery life, lack of tactile feedback (ie buttons) and, of course, the data slurping. I didn't find I used enough of the apps to warrant having one over a dumb phone. Now I've got a CAT builder's phone, it's pretty indestructible and the battery can easily last over a week.

    4. Stoneshop

      Re: A brilliant demonstration of how phones can become useless annoyances

      I hate smartphones.

      As do I. Still I have one. Sort of. A Sony XperiaX that exclaims on startup that it can't be trusted[0], then offers me a screen with apps I deem useful. And just those.

      It's also not my phone because I prefer phones that don't need to be recharged every night, so it gets used more like a small form-factor tablet.

      [0] Orly? how about all the info that ChocFac is siphoning off your phone while it's running its stock Android?

    5. vtcodger Silver badge

      Re: A brilliant demonstration of how phones can become useless annoyances

      I don't know whether I hate smartphones or not. I bought one on sale. And I managed to set up wi-fi. Then I tried a few things. And the more things I tried, the less I liked it. So I never activated service. If I need to make a phone call, and I'm not at home, I use my 15 or 20 year old Nokia which doesn't aggravate me at all and costs about a third of what the cheapest smartphone service would cost.

      1. Stoneshop

        Re: A brilliant demonstration of how phones can become useless annoyances

        I was using such a phone, a Nokia indeed, as my work phone until quite recently. That's when I got a call from someone in Ops Support whether I was still using a 2G SIM? Well, no, but it's in a phone that does 2G only. "$PROVIDER will cease offering a 2G network, so you'll have to change."

        After a bit of cursory checking and finding that most of the 4G nonsmartphones were six of one, half a dozen of the other, I settled on some Alcatel that $PROVIDER was offering. Which turned out to be right in the middle of the 'meh' range I expected it to be in. But it works as a phone with little of the cruft[0] that smartphones tend to come with, and runs several days on a battery charge.

        [0] which I have no intention of using, so why should I lug around a phone that offers them at the cost of battery life, and bulk?

        1. ChoHag Silver badge

          Re: A brilliant demonstration of how phones can become useless annoyances

          I have recently (today) had to buy car insurance while trapped in the middle of nowhere without internet connectivity (Hangar Lane). According to my brother who did the paying, the reason you need a fisher price phone is because once in a blue moon you might need to contact some corporate behemoth and they don't provide a phone number to give them your money over.

  7. Mage

    I had been told by colleagues

    After half a lifetime in Computer Journalism, and training, surely you know:

    1) Random advice from colleagues is dangerous

    2) Unless you have a team of more than 15 or a project the size of building & outfitting a hospital you know you don't need any Task List program (or Project manager sw, which I had to keep explaining to people that it's sw for a project manager of giant projects, it doesn't manage).

  8. Mage

    SMS and 2FA

    1) Nothing wrong with good passwords, different for every site. Money related ones in the paper address book kept safely (never with phone/tablet/laptop), others in the browser with a master password. So only need to remember two, but written in the book in case you die suddenly; note some kinds of deaths destroy your phone too.

    2) SMS is not secure. Someone can either intercept it or even set up your number.

    3) SMS has no guaranteed delivery or latency.

    4) What happens to the 2FA when your phone is lost, broken (stupid model with virtual SIM) or stolen? A backup phone can't easily get the same number unless you are the expert criminal in item 2. A backup phone/tablet/computer can use the same email address as a broken one.

    5) properly done email can be safer than SMS or an App.

    1. Anonymous Coward

      Re: SMS and 2FA

      5) properly done email can be safer than SMS or an App.

      Um, email has no guaranteed delivery or latency, and can easily be intercepted or spoofed.

      1. Anonymous Coward

        Re: SMS and 2FA

        Intercept: out of the many emails I get every month, only spam now ever arrives at the server without an encrypted connection, so intercept is a bit harder now. Thank God, IMHO.

        Spoofing: yes, if the sender doesn't set up at least SPF records you will have that problem. Before anyone mentions DKIM, yes, fine, but I object to a "hello world" email acquiring another 5k of ballast (especially looking at you, Microsoft).

    2. devin3782

      Re: SMS and 2FA

      Nope, there's no such thing as a properly done email; like physical mail they're not guaranteed to arrive or be from whom they claim to be.

      I recommend a hardware key, shame too few sites use those.

    3. 42656e4d203239 Silver badge

      Re: SMS and 2FA

      5) properly done email can be safer than SMS or an App.

      email is a bit of a potch as well... I use a website that insists on using email 2FA; they have set the timeout to 1 minute.

      So you have to swap to the email app, once the email has arrived, open the email, copy the code, swap back to the website, paste the code in and voila, one is finally logged in.

      Trouble is that the phone may have other ideas, the email app may crash, the keyboard app may crash, the phone may be sulky about checking for new mail, there may be an "a" in the day name, who knows? It usually takes 3 or 4 goes to get it right.

      What is the website? One which allows me to control my christmas tree lights! (No not IFTTT)

      Yes, email well done might be as secure as SMS (certainly no more secure if you are talking SMTP) but you try finding 'well done' in any software these days.... you may get patches of brilliance, however, in general, website code appears to be written by the lowest bidder using copy and paste from Google searches for functionality, or the VSCode "AI" that steals other people's copyright code.

    4. Stoneshop

      Re: SMS and 2FA

      A backup phone can't easily get the same number

      My provider offers the option of a second SIM[0] that you can stick in another phone for an emergency switchover. Of course, they state, you can not have both phones active at the same time; that second SIM is in its predestinated phone with a fleck of kapton over its contacts.

      [0] you're actually getting two new SIMs, as they have to do something unmentionable to get the PINs to match.

  9. Boothy

    Authentic banking confirmation page

    Quote: "The screen changes to something apparently designed by a MySpace fan: clunky fonts, non-adaptive layout, impossibly tiny text (some of it underlined, some of it – gulp – flashing), 3D-chisel-bevel buttons… in other words, an authentic banking confirmation page. I pinch and zoom four times so I can read what it says: it's telling me I have to enter a six-figure code that has been sent to my handset by SMS."

    Had the above thanks to Verified by Visa just yesterday.

    Picked up the car from the garage after a successful MOT, but their card reader system wasn't working and they asked if I could pay-online instead? I said yes.

    Typical options, Visa, Paypal etc and I selected Visa. After entering card details, this inevitably triggered the Verified by Visa screen.

    So on a typical phone screen, ~6" diagonal, so about 7cm wide, the Verified by Visa screen itself was at most, about 2cm wide, surrounded by white space. Zoom in, some text, and a Next button. Click Next, hmm, it's tiny again, so zoom in, it now wants to send an SMS, click yes, it's tiny again, zoom in, we now have a box to paste the 6 digit code into and so on.

    Seems Verified by Visa simply ignores the fact you're on a mobile device, and scales to a desktop screen instead, so zoom, click, zoom, click, zoom click, aaarrrhhh!

    Icon --> As that's what should happen to the devs who created the abomination that is Verified by Visa UI.

    1. Loyal Commenter

      Re: Authentic banking confirmation page

      It's as if they've never even heard of media queries.

    2. Anonymous Coward

      Re: Authentic banking confirmation page

      Verified by Visa is a joke - every time I've encountered it I *always* click on the "forgotten my password" button and it asks me for the same personal data (card number, name on card, etc) that someone trying to fraudulently purchase would have already just provided to an online merchant before being redirected to Verified By Visa. The only "new" (i.e. additional) bit of personal data needed to change the password is Date of Birth, which any fraudster who got this far (with card number, address, etc) would likely have been able to find out as well.

      VbV is just smoke-and-mirrors, security theatre!

      1. Jay 2

        Re: Authentic banking confirmation page

        So much this ^

        Fortunately most of my cards seem to be Mastercard at the moment. But I always thought that VbV was pure security theatre and also somewhat designed to point the finger of blame at the legit card holder opposed to Visa...

  10. Doctor Syntax Silver badge

    Two factors: User Id and password.

    Count them. Two.

    Why don't we call these two factor ID?

    Because some numpty at some point decided that the user's email address was a piece of secure, unguessable information that could be safely used as a user ID and would save on the effort of keeping a separate email address. And the lemmings followed. Because most people only have a single email address they use the same user ID everywhere, reducing its authentication value to zero.

    So now we have to have an additional, how many hoops can you jump through, "factor" and call it 2 factor authentication.

    1. Anonymous Coward Silver badge

      Username/email address is an identifier. Not any form of authentication.

      The password is one form of authentication. Something else gives a second form of authentication. As in authenticating that you are the person who you identified yourself as.

      1. Anonymous Coward

        Yup. The difference between identification and authentication is sadly something that most people don't pick up on. They are not the same thing.

        Identification proves who you are.

        Authentication proves that you are consenting to this security check.

        Which is one of the problems with using fingerprints to log in to phones. They are identification, not authentication as in theory somebody could press your phone against your hand whilst you sleep. That proves your identity, but it doesn't mean you consented to that log-in.

        1. Doctor Syntax Silver badge

          "Authentication proves that you are consenting to this security check."

          By the time you've entered the password a second time and entered two digits of the pre-arranged security code a second time, the SMS, should it arrive before time out, seems a bit superfluous in terms of authenticating that you are consenting to the check.

          And let's remember that the bank, should they ring you up, will be totally unable to distinguish themselves from any random phone phisher.

          They will also fail to reply to any emails requesting that they confirm whether or not the marketing spam, laden with links, sent in their (noreply) name from some 3rd party professional-spammer digital marketing company is really theirs or not.

      2. Doctor Syntax Silver badge

        "As in authenticating that you are the person who you identified yourself as."

        And some potentially lost, stolen or cloned package of electronics does that?

        It's all security theatre.

      3. AnotherName

        I hate those systems that won't allow you to change the username when it is an email address - BT Wholesale is one of them - and you no longer have access to that email address.

    2. AndersH

      "Something I know" (username) and "something I know" (password) isn't 2-factor authentication.

      1. Anonymous Coward

        "Something I know" isn't ....

        Aha! I get it now! You need a "something I don't know" to complement the "something I know", thus giving 2FA. Which is why the don't-know something is sent by means of non-arriving SMS messages! :-)

        1. Doctor Syntax Silver badge

          Re: "Something I know" isn't ....

          "sent by means of non-arriving SMS messages"

          Just this.

          Tried to make a payment this morning. After jumping through the hoops of enter password again and enter two digits from security code again they send a text. Phone which was supposed to be charging wasn't. Hastily plug it in properly. Request resend. Request it again. Nothing. Eventually 3 texts arrive by which time the payment page has timed out. If I try to go through the whole thing again will it send duplicate payments? Who knows with this wunch of bankers? Thank goodness I still have a cheque book.

      2. Anonymous Coward

        What about when somewhere in the distant past you were forced to set it up, and are suddenly confronted with 'what is the name of your pet?' (if that, indeed, was how they decided they were going to do it back then).

        Uh-oh. Did I use the cat, or the dog we used to have? And did I capitalise the first letter or not?

        My online share dealing account uses such a system, and fortunately I use it often enough to know (but still sometimes forget the first letter capitalisation if I'm in a hurry). But every now and then, another site will ask a question it hasn't asked for a long time, and password recovery is the order of the day.

        My Halifax bank account is the worst, though. You have to enter three characters from dropdowns that correspond to random characters in the complicated and hard-to-guess (and equally hard to remember unless you wrote it down somewhere) magic pseudo-word you had to create initially.

        And it got worse when I opened an account for my dad during the lockdown, and for some reason left one lower case 'L' as 'l' in the pseudo-word, but got clever with the second occurrence and used a numerical '1' for that. Then promptly forgot I'd done it. Stupid system waited for a couple of months before it wanted that second character, and I was stumped until I looked closely after almost being locked out.

        1. Anonymous Coward

          Nationwide are currently driving me in circles. HMRC want to know how much peanuts interest Nationwide paid me for tax year 2020-21. The same every year. When I give them the information over the phone they also ask for all the details of the account. Why can't their computers talk to each other?

          Discover that Nationwide no longer send out paper copies of the information and expect you to go online. Usually I would go to the local branch and get my passbook updated - but I am taking no unnecessary risks with Covid.

          Start to create a login. All goes well until it says they need to send me a verification code - and it then says they don't have an email or SMS number for the account. A letter will be sent to me at my registered address with a magic hidden number.

          Letter arrives with details needed to login. Try to login - needs verification - and they don't have an email or SMS for the account. (Sound familiar?)

          Did the local branch ever ask me for that to register for the future?

          To register the details I have to post them my passport - or go into the local branch with it.

          Ring the probably generic number to talk to my local branch to see what hoops are in place for Covid visits. Phone stops ringing - and then disconnects.

          I have good mind to close my old age nest egg account of over 20 years and find another mutual.

          1. Anonymous Coward

            "Ring the probably generic number to talk to my local branch to see what hoops are in place for Covid visits. Phone stops ringing - and then disconnects."

            Today I girded my loins for a visit to my local branch - my first non-medical foray in 18 months of isolation. The branch looked rather dark - "Closed for refurbishment until November" .

        2. Stoneshop

          What about when somewhere in the distant past you were forced to set it up, and are suddenly confronted with 'what is the name of your pet?'

          All my pets, parents, parents' birth places, schools, first loves, streets and whatever else they think they can authenticate you with are curiously enough named "forgotthat", in a particular bastardisation of a local dialect[0].

          [0] Easy enough for me to remember the exact spelling, plus I have to use that sufficiently frequently to keep it fresh.

    3. doublelayer Silver badge

      A user id never was a security proposal. What it is is another detail the user needs to remember for almost always no reason. I have a username here to identify myself to you guys, and in fact I don't even know why I set it to what it is--I couldn't think of anything back when creating the account and went with this one. For other things where I don't need a pseudonym to label myself, there is no purpose in a custom username. It's another thing to memorize, and it doesn't secure anything.

  11. Anonymous Coward

    You assumed Paypal is any different from banks security wise.

    A few days ago I tried changing my Paypal password. The new password is generated by a password manager. I don't care what the password is, it's all asterisks to me. Copy paste exists after all.

    "Your password should be 8-20 characters long."

    Ugh, grumble, but OK. Let's shorten it.

    "Your password can only include letters, numbers and these characters: !@#$%^&*()."

    What? It included some "7 bit" ASCII chars. What is this crap?!

    Also reminds of how I lost access to my work related Apple Developer account. The account was used to manage Apps not only for my company, but also clients' companies. Don't use iOS devices though, only for testing and those have separate non-Developer accounts of course.

    Apple reasonably decided to require 2FA. But to set it up it wanted me to answer the password recovery security questions. These I had initially answered with random characters because my password is more secret than my mother's maiden name and I use a password manager. I'm not a toddler. Or maybe I am for assuming Apple Security would not misuse retarded security features.

    So I couldn't answer the questions I should have been asked only when I lose my password which I didn't lose. Talked with Apple support multiple times about this, no solution.

    Even though I could access my account (new user/pass) and had access to the associated work email and still worked there etc and could be vouched for by other "Apple Developer team" members, once the deadline for 2FA activation arrived I was locked out.

    1. Anonymous Coward

      This sort of thing makes me wonder just how maintainable the name-space for usernames is.

      Because many organisations have a very sensible policy of not re-using usernames, for some long lived services, eventually new users will not be able to find a name that is unique or relevant.

      My name is pretty unusual, but I know of at least three others with the same first and last name as me, two of them in the UK, and this causes me issues when people try to guess what one of the other's mail address is, and mail for them lands up in my mailbox (I got in early enough that I got my name as a user account in several mail systems).

      I don't want to see their medical bills, although I was tempted to attend an invite to the British Embassy in Dar es Salaam for a formal event, although the plane ticket would have been a bit steep.

      1. Anonymous Coward
        Anonymous Coward

        The company I work for has AD user names that have no relation to the user's name or identity; it's just three letters and four numbers, randomly (I assume) assigned. I guess it's pretty secure (by being obscure), but the mental lookup table I use when trying to work out who the other people logged onto the same network devices as me are is having indexing issues...

        1. Loyal Commenter

          Security by obscurity is no security

          There are reasons why having random user names might be useful, rather than user names based on a person's identity (phishing attacks), or sequential identifiers (automated / rainbow attacks), but you need to have other, stronger, measures in place, to protect your logins. You should be working on the principle that user names are known, and the attacker is trying to crack the password. Adding 2FA into the mix means the attacker also needs to physically have the 2FA device, or be able to spoof it, as well.

          1. Anonymous Coward
            Anonymous Coward

            (Same AC as before.)

            You have very good points! And yes, there is 2FA when logging in remotely; for on-net logins there's 802.1x verification on all switchports / wifi APs in addition to the "untraceable" usernames.

          2. Doctor Syntax Silver badge

            "Adding 2FA into the mix means the attacker also needs to physically have the 2FA device, or be able to spoof it, as well."

            And nobody ever lost a phone or had one stolen. Or had their SIM swapped by a bit of social engineering of their mobile service provider.

            1. doublelayer Silver badge

              Which is more work, so it is harder. If you want it to be even more secure, keep disabling the easiest method and adding another one, like this:

              1. Don't use SMS, so SIM swapping won't work.

              2. Make the user have a passcode on their phone, so simple theft won't work.

              3. Make the authentication app have a custom unlock code, so stealing a phone after somehow extracting the device code from the user won't work.

              4. Etc until you are happy with the level of difficulty and risk you're dealing with.

              Having just a password is around -4 on this list.
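The "don't use SMS, use an authenticator app" step above comes down to a shared-secret one-time code that the phone computes and the server verifies. As an added illustration (not code from the commenter or from any vendor), here is a standard-library Python implementation of HOTP/TOTP (RFC 4226 / RFC 6238) on the verifying side, with the two checks a server-side verifier needs: a small clock-skew window, and rejection of a code for a time step that has already been accepted so a shoulder-surfed or intercepted code cannot be replayed. The secret is the RFC 4226 test-vector key, base32 encoded, used here purely as sample input.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret ("12345678901234567890") in the base32 form
# authenticator apps accept. Sample input only; real secrets are random.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step)


class TotpVerifier:
    """Server-side verifier: tolerates +/-`skew` steps of clock drift and
    never accepts a time step at or before the last accepted one (replay)."""

    def __init__(self, secret_b32: str, skew: int = 1):
        self.secret = secret_b32
        self.skew = skew
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue  # already used (or older than something used)
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SAMPLE_SECRET_B32)
    print(totp(SAMPLE_SECRET_B32, 59), v.verify(totp(SAMPLE_SECRET_B32, 59), 59))
```

The skew window is what lets a code computed a few seconds before the step boundary still validate; the `last_accepted_counter` check is what stops the same code being presented twice inside that window. Doing the comparison with `hmac.compare_digest` avoids leaking how many digits matched through timing.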

            2. Loyal Commenter

              The difference here isn't that the attacker can't do this, but that it is much harder. They need the username, and the 2FA device, and then they can get to work trying to crack the password. If the auth provider has any sense at all, they will have an escalating delay on failed password entry as well, to prevent dictionary attacks, and such activity should raise an alarm somewhere.

              The most notable difference here, though, is that the attacker needs the 2FA device for every account they are trying to crack, so in practice are going to have to go after one user, and not any user. From a security viewpoint, the attack surface is greatly reduced.
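The "escalating delay on failed password entry" and "should raise an alarm somewhere" points above are easy to state and worth seeing concretely. The following is an added example, not the commenter's code or any product's: a per-username throttle that doubles the enforced delay after each consecutive failure (capped), resets on success, and emits an alarm record once a username crosses a failure threshold. It runs over a few constructed log lines in a made-up `user=... src=... result=...` format; the field names and the 5-failure threshold are assumptions for the demo.

```python
from collections import defaultdict

ALARM_AFTER_FAILURES = 5  # assumed threshold for the demo

# Constructed sample log lines; the key=value format is invented for this example.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z user=alice src=203.0.113.7 result=fail
2024-01-01T00:00:03Z user=alice src=203.0.113.7 result=fail
2024-01-01T00:00:07Z user=alice src=203.0.113.7 result=fail
2024-01-01T00:00:15Z user=alice src=203.0.113.7 result=fail
2024-01-01T00:00:31Z user=alice src=203.0.113.7 result=fail
2024-01-01T00:01:03Z user=alice src=203.0.113.7 result=fail
2024-01-01T00:02:10Z user=alice src=198.51.100.2 result=ok
2024-01-01T00:02:30Z user=bob src=203.0.113.7 result=fail
2024-01-01T00:02:35Z user=bob src=203.0.113.7 result=fail
"""


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


class LoginThrottle:
    """Exponential back-off per username plus an alarm on a failure streak."""

    def __init__(self, base_delay: float = 1.0, cap: float = 300.0):
        self.failures = defaultdict(int)  # consecutive failures per username
        self.base_delay = base_delay
        self.cap = cap
        self.alarms = []

    def delay_for(self, user: str) -> float:
        n = self.failures[user]
        if n == 0:
            return 0.0
        return min(self.cap, self.base_delay * 2 ** (n - 1))

    def record(self, event: dict) -> float:
        """Update state for one login event; return the delay to enforce next."""
        user = event["user"]
        if event["result"] == "ok":
            self.failures[user] = 0
            return 0.0
        self.failures[user] += 1
        if self.failures[user] == ALARM_AFTER_FAILURES:
            self.alarms.append(
                f"{user}: {ALARM_AFTER_FAILURES} consecutive failures from {event['src']}"
            )
        return self.delay_for(user)


def replay(log_text: str):
    """Feed every log line through the throttle; return (delays, alarms)."""
    throttle = LoginThrottle()
    delays = [throttle.record(parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return delays, throttle.alarms


if __name__ == "__main__":
    delays, alarms = replay(SAMPLE_LOG)
    print(delays)
    print(alarms)
```

Keying the back-off on the username rather than the source address is deliberate: it is the account under attack that needs protecting, and an attacker rotating source addresses should not reset the counter. The cap keeps a deliberate flood of bad passwords from turning into a permanent denial of service against the legitimate user.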

      2. CountCadaver

        I could have had any of the following roles - cardiac surgery fellow, waterpark worker, brain surgeon, senior company photographer and more....

        More annoyingly I keep getting final demands for payment from frontier telecom and Direct TV despite not living in their service areas (and yes, I tried asking them to stop emailing me as I wasn't their customer), had to file a complaint with the Australian FCA to force National Australia Bank to stop emailing me, they refused as I "wasn't their customer", so I went the data protection route along with "keeping accurate records" and the AFCA agreed....

        1. John Brown (no body) Silver badge

          Same here in the UK with MBNA. They kept sending me statements but refused to deal with me as I wasn't their customer. After some significant research, I found a way to contact them and basically told them to check and update their records or I'd be passing the info onto the relevant authorities. I even gave them my mobile number with a strong disclaimer to not use it for any other purpose than to contact me over this specific issue. Someone from their security team actually phoned me! Wow! After a bit of toing and froing, we agreed I was getting these emails and was not the intended recipient and this was a problem for them to deal with. The emails stopped. A year later, they started again. Did the account owner not know his own email address? Did he think he could just make one up and it would magically work? Did MBNA have an outage that meant they restored from an old backup? No idea, don't care. Sent them an email, CC'd to the relevant authorities, and set up a rule on my mail server to "bounce" any more of these statements from them to any and all MBNA official accounts I could find.

      3. Doctor Syntax Silver badge

        "This sort of thing makes me wonder just how maintainable the name-space for usernames is."


      4. Andy A

        I used to work at a site where we were allocated mail accounts in the same system as our customer. At the time that system was Lotus Notes. There were two people in that worldwide system with my surname.

        I was listed as Andrew, the other one was listed as Andy.

        People sending us email commonly took the first person with the surname that they noticed.

        So he forwarded stuff to me about IT, and I forwarded stuff about his job.

        And when I visited Brisbane on hols, we took up our longstanding promise to partake of a beverage or two.

  12. Peter Gathercole Silver badge

    Smartphone apps

    I'm starting to avoid services that require you to load apps on your smartphone, partly because I object to my phone becoming cluttered, and partly out of principle to defend the rights of people who don't want/need a smartphone.

    I once checked in at a highly automated hotel where you could not access the WiFi, or even book breakfast without loading an app on your phone (I didn't, and made a pain of myself in the restaurant in the morning - why do I need to pollute my phone for a one-night stay in a hotel I never intend to use again).

    My phone has enough junk on it that I actually need without having loyalty apps for all of the retail outlets that I use, and goodness knows how many of the other things I already ignore. I just have to see "Have you tried our app.." for my blood to start boiling.

    I'm happy to use smartphone apps for things that are genuinely useful to me (and have been since I got a Palm Treo over 15 years ago), but I refuse to be dictated to by organisations trying to replace workers with poorly thought out, badly written junk, and that's ignoring all of the tracking that many of these apps use to mine data about me from my phone (this [trivial] app require location services to be turned on, and access to files and the address book on your device).

    It's making me consider going back to a dumb phone.

    1. Chris G

      Re: Smartphone apps

      The only 'required' app I have on my phone is from my bank because they told me without using it to authenticate online purchases, I would not be able to make them.

      I discovered that purchasing through PayPal seems to be a one-time authentication, so now all of my purchases go through PayPal, whom I trust more than my bank, and I have the app disabled most of the time.

      When it is on, most of the absurd list of permissions are denied.

      Any service that demands I use their app is not a service I use.

    2. Doctor Syntax Silver badge

      Re: Smartphone apps

      "why do I need to pollute my phone for a one-night stay in a hotel I never intend to use again"

      In fact it could be the cause of reversing the order of "never" and "intend".

      1. Anonymous Coward
        Anonymous Coward

        Re: Smartphone apps @Doctor Syntax

        Not got anything to do with smartphone apps, and everything to do with the fact that I never learned all of the English grammar rules.

        Everything has to sound right when spoken, and sometimes things that sound right (to me) are wrong. It's going to be difficult to change at this point in my life.

    3. swm

      Re: Smartphone apps

      I always tell people that want my cell phone number etc. that I don't have a cell phone. It's the truth.

    4. Anonymous Coward
      Anonymous Coward

      Re: poorly thought out, badly written junk

      poorly thought out, badly written outsourced junk so when it does not work you cannot even complain to the monkeys that created it. Happened to me more than once with a supermarket 'fidelity' app you can use to 'activate' your discounts except it didn't.

      Being an old codger, the last time it didn't work the cashier told me that there was nothing she could do, so I politely asked her to call someone that could do something about it. Of course no one could, and I got the discount anyway, but the cashier and her supervisor mentioned that it happened quite frequently...

      Now get off my lawn.

  13. Uncle Slacky

    Online French banking outside working hours - fuggedaboutit

    In my experience, online French banking knocks off work when the staff do (I suspect every transaction still has to be approved manually), so forget about buying stuff in the evenings, at weekends and often on Mondays. They still put the verification pages etc. up, but it's only for appearances.

    1. John Brown (no body) Silver badge

      Re: Online French banking outside working hours - fuggedaboutit

      So, it only works 10am to 3pm, has a 2 hour lunch and the colour scheme is surly and likes to say "Non!"

      1. Mike Pellatt

        Re: Online French banking outside working hours - fuggedaboutit

        Only if you insist on attempting to speak to it in English. Try the tiniest bit of school O level French on it and all of a sudden its attitude will improve dramatically.

        It's only human and hoping for a little bit of respect, after all.

    2. Potemkine! Silver badge

      Re: Online French banking outside working hours - fuggedaboutit

      Mine doesn't. Change to another bank.

      The best way to make businesses understand they do poorly is to go elsewhere.

  14. oiseau

    Made my day.

    Good morning Mr. Dabbs:

    Reading your column (today) made my morning sunnier.

    Your smartphone woes and the plight of those who cared to share theirs made me aware that I am not alone in my refusal to use one instead of a Blackberry 9620 which (as a phone) works perfectly well.

    I would not dream of using any sort of portable as a banking/payment terminal.

    Have a good week-end.
  15. Anonymous Coward
    Anonymous Coward

    Whenever I see 8 - 20 characters all I can think is they're storing my passwords in plain text, or at best some sort of 2-way encryption (which is as bad). Morons!

    When they prevent you from pasting into a password box, whoever came up with that needs stringing up by their balls.

    My password policy: 8 chars minimum, and you need to score a minimum of 3 on zxcvbn's complexity. The upper limit is 4000 because it has to be set somewhere, and it doesn't matter since it's a one-way random salted hash. DON'T USE BCRYPT (most/all implementations truncate at 72 bytes (sigh)).

  16. CookieMonster999

    We have a newish standard for secure passwordless authentication called WebAuthn, but for some reason it isn't being taken up.

    So secure and comfy passwordless authentication is always 3 years away.

  17. Adrian 4 Silver badge

    time for change

    Alistair tells it like it is.

    We need to get out there and PROVE that these security-obsessed arseholes are the first against the wall come the revolution.

    I love that my bank and credit card claim, by making their use impossibly difficult and resulting in multiple unwanted cancellations, to be trying to save me from 3rd world thieves. No, you're not. Be honest. You're trying to save yourselves from first world thieves by adding to my inconvenience. You forget that it's YOUR business and YOUR problem if you can't make it work reliably. Fix your own bugs. Don't pass them on to me. That is specifically what the banking regulations making you responsible for fraud were intended to do, so stop wriggling and stand up to the plate.

    1. Barry Rueger

      Re: time for change

      Canada. VanCity Credit Union, except that they just foisted a new and ungainly login scheme that is honestly bad enough that I'm abandoning them.

      What frustrates me most though is that the most labyrinthine and non-standard password restrictions are invariably for some crap entity that I will never use twice in a year.

      1. Stoneshop

        Password parser fail

        What frustrates me most though is that the most labyrinthine and non-standard password restrictions are invariably for some crap entity that I will never use twice in a year.

        The password entry box had an accompanying text stating that my password had to be "At least 12 characters, of which one digit and one non-alphanumeric character".

        Entering "atleasttwelvecharactersofwhichonedigitandonenonalphanumericcharacter" it horked up an error that it was too long[0] and didn't conform to the set requirements.

        [0] What hidden part of "at least" was there that implied "not more than"?
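Two things in this thread are worth seeing as code: the "at least 12 characters, one digit, one non-alphanumeric" rule above, which the site's parser evidently did not implement as stated (a hidden maximum contradicted the "at least"), and comment 15's policy of a generous explicit maximum in front of a salted one-way hash, with its warning that bcrypt implementations truncate input at 72 bytes. The block below is an added example, not code from either commenter: a policy checker whose rejection messages match the stated rule exactly (so a user is never told "too long" by a rule that only says "at least"), and a salted PBKDF2 hash with an optional `truncate_at` parameter that simulates the 72-byte cut-off to show why two long passwords that differ only after byte 72 would collide under it. zxcvbn, which comment 15 uses for strength scoring, is a third-party library and is not called here; the iteration count is an assumption for the demo.

```python
import hashlib
import secrets


class PasswordPolicy:
    """Length and composition rule; every check has an explicit, user-visible reason."""

    def __init__(self, min_len=12, max_len=4000, need_digit=True, need_symbol=True):
        self.min_len = min_len
        self.max_len = max_len  # explicit, generous, and stated to the user
        self.need_digit = need_digit
        self.need_symbol = need_symbol

    def describe(self) -> str:
        return (f"{self.min_len} to {self.max_len} characters, "
                f"including at least one digit and one non-alphanumeric character")

    def check(self, password: str) -> list:
        """Return the list of rule violations (empty means the password passes)."""
        errors = []
        if len(password) < self.min_len:
            errors.append(f"must be at least {self.min_len} characters")
        if len(password) > self.max_len:
            errors.append(f"must be at most {self.max_len} characters")
        if self.need_digit and not any(c.isdigit() for c in password):
            errors.append("needs at least one digit")
        if self.need_symbol and not any(not c.isalnum() for c in password):
            errors.append("needs at least one non-alphanumeric character")
        return errors


def hash_password(password: str, salt: bytes = None, truncate_at: int = None):
    """Salted one-way hash (PBKDF2-HMAC-SHA256). `truncate_at` is only there to
    simulate a KDF that silently drops input beyond N bytes, as bcrypt does at 72."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    raw = password.encode("utf-8")
    if truncate_at is not None:
        raw = raw[:truncate_at]  # the silent truncation the thread warns about
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, 100_000)  # iteration count assumed
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return secrets.compare_digest(digest, expected)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.describe())
    long_pw = "atleasttwelvecharactersofwhichonedigitandonenonalphanumericcharacter"
    print(policy.check(long_pw))  # fails on composition, never on length
    fixed = b"\x00" * 16  # fixed salt only so the two hashes are comparable
    a, b = "A" * 72 + "tail-one", "A" * 72 + "tail-two"
    print(hash_password(a, fixed, 72)[1] == hash_password(b, fixed, 72)[1])  # True: truncated KDF collides
    print(hash_password(a, fixed)[1] == hash_password(b, fixed)[1])          # False: full input is hashed
```

The practical point of the truncation demonstration is that a stated 4000-character maximum is meaningless if the hash underneath only looks at the first 72 bytes; either choose a KDF without that limit, as above, or pre-hash the password before feeding it to one that has it.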

    2. Stoneshop

      Re: time for change

      We need to get and there and PROVE that these security-obsessed arseholes are the first against the wall come the revolution.

      But now the parting on the left will be a parting on the right.

  18. Franco

    Maybe more for On Call but here goes....

    I was recently working on a desktop refresh and Office 365 migration project, and one of the goals was to move everyone to MFA via MS's Authenticator app. We had a very high failure rate and a lot of calls from users who couldn't get it working.

    Turns out that around 60% of users didn't read the instructions fully, so instead of scanning the QR code they should have generated on the MS website to sync the Authenticator app they were scanning the sample code that was on the instructions PDF.

    1. Anonymous Coward Silver badge

      Re: Maybe more for On Call but here goes....

      A perennial problem.

      If I had a pound for every time I've uttered "you've clicked on the button next to the text that says 'click on the button that looks like:', haven't you?" (or similar), I'd be richer than I am.

      1. Anonymous Coward
        Anonymous Coward

        Re: Maybe more for On Call but here goes....

        It's obviously a UI problem. Whether that's User_Intelligence, User_Interface, or Usual_Incompetence is as yet Undetermined, I Imagine.

    2. Doctor Syntax Silver badge

      Re: Maybe more for On Call but here goes....

      That's easily dealt with. Ensure that scanning the sample results in a message telling them that it's only a sample and to scan the one on the authentication screen.

  19. Gene Cash Silver badge

    This is why Amazon is kicking everyone's ass

    I'm sure I don't have to talk about how easy it is to give them your money.

    People need to learn from this, or else Bezos is just going to get richer and richer.

    The other day I wanted a particular item, so I went to their website. After dealing with the fact it only worked in Chrome and not Firefox or IE, I finally found what I wanted. It took 3 attempts before something appeared in my shopping cart. An attempt to pay gave me "Routing Number Unknown" despite the fact I was paying with a credit card and not an e-check.

    Fuck it. I went to Amazon and purchased it in less than 4 minutes, "free" shipping no less.

  20. Anonymous Coward
    Anonymous Coward

    good show

    and a great excuse for me to keep on Not installing any apps. If it can't be done in the browser, I don't need it :)

    1. Ken Moorhouse Silver badge

      Re: If it can't be done in the browser, I don't need it

      PrimaryBid started off as a great way to invest in offerings not usually available to Private Investors. Login to their website, select the company you are interested in, and away you go.

      Can't do that anymore. It's all App-based. Had to ring their Helpdesk too many times to do exactly the same thing that previously took a few clicks on the website. I don't bother now...

      Will someone let me know if they ever see sense and revert back?

  21. Anonymous Coward
    Anonymous Coward

    BT have updated their "Report a scam call" page. A few new questions have been added - like "who did the caller claim to be?" which surprisingly didn't include "Microsoft" as a tick box option.

    Having given them the number you were called on - they then ask if it was "landline" or "mobile". Do they not know the UK number group differentiators?

    They finally ask if you would like to complete a survey. This then ignores your previous "NO" tick boxes - and assumes you fell for the scam. Navigating through the questions you use "NO" a lot. Finally the form will not submit until you give them some information which is predicated on a preceding tick box "YES" - to which you had already answered "NO".

    Even a work experience 14 year old would have made a better design job of it.

    1. Claverhouse Silver badge

      To be fair, my response to either regular Microsoft or a scammer feigning to be them would be precisely the same.

    2. Anonymous Coward
      Anonymous Coward

      To be fair there is no mobile number group. There is a personal number group which is mostly the same thing. Having said that you can tell which org owns the number so would see it belonged to one of the mobile companies. Number porting would make that potentially inaccurate though.

  22. Eclectic Man Silver badge

    Aside: Alpertron

    OK, so I have to admit that I have attempted to make a donation to a free web site and failed. Alpertron (I'm an occasional user, nothing to do with the developer) does mathematical calculations, very very well. In particular I have used it to find factors of quite large integers, and it is excellent; maybe I'll have another go now he's got a PayPal account.

    The web site is at
