Meanwhile...
on the rare occasion when Gmail requires me to do my 2FA thing, the "remember me on this device" box is checked by default...
Getting people to use multi-factor authentication is surprisingly tough – or unsurprisingly, depending on your opinion of IT users. In any case, GitHub is managing it by playing the long game. The code-sharing shack declared in March that two-factor-auth was pretty much not going to be an avoidable option by the end of the …
2FA connecting anything to something as insecure as mobile phones is a joke. I wish browsers would just use my SSH public key and be done with it when logging onto sites.
I also think central certificate authorities are a stone-age concept and am embarrassed that we haven't done better.
Everything is wrong with the web at this point.
You complain about the insecurity of mobile phones and then want to use a solution involving browsers which are far far less secure than phones?
For all the security issues regularly fixed in phones the number of actual exploits against them is pretty low - they are almost always targeted attacks or it is some Android app no one has ever heard of that affected a few thousand people in China. There has never been some sort of mass exploit on a phone affecting millions of people even one time, but that's happened with PCs countless times. So unless you are the type of person who would be chosen for a targeted attack on a phone, using an app on your phone (NOT SMS!) as the second factor is quite reasonable. It requires someone be in possession of your phone and be able to unlock it, so even if the 2FA is to a website you're opening in the phone's browser it is secure enough that real world exploit is quite unlikely.
If you want greater security than that use a separate 2FA device - which could be a second phone with no/minimal connectivity that is used only for 2FA and absolutely nothing else.
You talk about phone based 2FA but don't say whether you distinguish between SMS and other phone based methods. As for SMS, you are only relying on the low wage worker at the ATT customer service not to sell you out, which is why it happens - although you are right those are mostly targeted.
Besides that large numbers of people are phone hacked, have money taken out of their accounts, and haven't got a clue what happened. Their bank tells them it's their fault - a small number of likeable people who are also media savvy get their problem written up in the paper and the bank pays out.
I feel like I’m ok at security…. But I always see people talking about SMS like it’s a plaintext password. WHAT is so bad about it?
People talk about spoofing, OK, but how does stealing an SMS help? It's 2-factor auth: if you steal the SMS you've still only got 1 factor?
You mention AT&T… how would AT&T know my GitHub username, what can you do with an intercepted SMS without the account that goes with it?
Am I just being too optimistic - I use a different email for every service, sure they are probably guessable by a determined adversary, but I’m not exactly in the public eye.
For the average Joe, why isn’t SMS good enough? You still need the password, I can’t reset an account password and username with an SMS alone, surely???
I suppose the main issue that I have with the way 2FA is generally implemented is that they all require access to largely the same thing. Either my phone (for a text message) or an email account. If I lose access to one of them, I'm pretty stuffed for all accounts that require that they are available. I consider that a single point (or 2 points) of failure. If my email account gets targeted and I lose access, I potentially lose access to everything else.
That's not a very comforting situation. Whenever another website starts requiring me to enable 2FA, I feel more vulnerable, not less.
We *like* keyfob authentication. Since it is actually a fully independent second factor, it worked even in China, and it's not compromised by anything that happens on or to your phone.
Unfortunately, it requires server-side stuff that costs money, so it's fallen out of favor. But if it was offered, I could move all of my users on to that kind of 2FA today.
I used to use Authy as my 2FA. Later, I changed my preferred 2FA to the github mobile app and removed github from Authy. My settings say that the github app is my preferred 2FA method.
And yet every time I log in it tells me to check my authenticator app and I have to argue with it to use the github app.
So if things actually worked as stated people might be happy to use them. No, I haven't opened a ticket for this.
/rant complete
Update, tried to open a ticket. Chatbot/Virtual assistant hell. The classic software concept that 'well there cannot in any way ever be anything wrong with our system, so you, user, are obviously wrong. Please click below to tell us what you are doing wrong.' No way to raise a ticket.
Bless.
The deadline is end of 2023 now? Last year the absolute final deadline was end of 2022.
I made some notes on this last year, and based on that their preferred 2FA method is TOTP.
There is a command line program called "oathtool" which will run on my PC. I can integrate that into my git bash scripts and also add a simple GUI front end via zenity to use for web log-ins.
For example:
oathtool --totp 01234567
Oathtool is in the Ubuntu repositories, and the same probably goes for most mainstream distros. So far as I am aware, the phone app just generates a TOTP key just like oathtool, so there's no need for me to use a phone or other separate hardware.
2FA isn't perfect by any means. Especially when you have to 2FA into a myriad of accounts every day, like I do.
However it's better than no 2FA. In much the same way a locked car is better protected than an unlocked one. If bad guys have singled you out, then no security in the world will stop them either just towing your car away, or making you open it with a gun at your - or your loved ones' - head.
Yes, losing your phone can be a PITA. But with Google now clouding up its authenticator, recovery is as easy as signing in on another device.
Anyway, folk who have a problem with 2FA - please carry on giving it a swerve and shielding me one step from the bad guys
Is weak 2FA even worth the cons? Lost access to email or phone is a problem. I work in areas without cell service and cannot log in when 2FA is only SMS. Implementations are shit. 30 second lifetime of the 2FA code, usually expired by the time it is received. Neither SMS nor email is supposed to be instantaneous nor even quick. Recovery methods that completely circumvent any protection the 2FA provides.
Email is not as insecure as it used to be, since connections between clients and servers and from server to server tend to be encrypted, and additional hops on relays to get from domain to domain are nearly non-existent. SMS on the other hand is relatively immature and has not implemented much in the way of security.
I have researched the server side of TOTP and there is not that much more work to implement support for an authenticator app if email or SMS delivery of the TOTP has been implemented. Good enough is not good enough and far better does not require far more effort. Even then, poor implementation could still negate the whole.
I prefer U2F but {whiny voice}"that is just too hard"
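Two posts above touch the same mechanism: the oathtool post says the phone app "just generates a TOTP key just like oathtool", and the post above says server-side TOTP is not much more work than SMS/email delivery. The block below is an added example written for this page (not code from GitHub, oathtool, or either commenter) that shows both halves of RFC 6238: the client-side code generation that `oathtool --totp` performs, and the server-side check that a site implementing an authenticator app needs, including the two details a poor implementation usually gets wrong: a tolerance window for clock skew and delivery delay, and refusal to accept a code (or an earlier counter) that has already been used. The key `12345678901234567890` is the published RFC 4226/6238 test key, so the results can be checked against the RFCs; the base32 secret and the timestamps in `demo()` are constructed for illustration. Note that oathtool treats its key argument as hex unless you pass `-b`/`--base32`, whereas authenticator apps (and the secret GitHub shows you) use base32.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: client-side generation and server-side
verification. Added example, not code from the original page."""
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what
    `oathtool --totp` and the phone app compute; only the clock differs."""
    return hotp(key, at // step, digits, algo)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps (and GitHub's setup page) hand out base32 secrets,
    often without '=' padding and sometimes with spaces; normalise both."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, at: int, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server side. Accept a code for counters T-window .. T+window (clock
    skew and delivery delay), but never a counter at or below the last one
    accepted for this user (prevents replay of a code that was just used or
    sniffed). Returns (accepted, counter_to_store). Compare in constant time."""
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True, c
    return False, last_counter


def demo() -> dict:
    """Constructed walk-through: a code generated at t=1000 is accepted 29 s
    later (one step boundary crossed, inside the window), then rejected as a
    replay, and a code two steps stale is rejected outright."""
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # base32 of RFC key
    code = totp(key, 1000)
    ok1, last = verify_totp(key, code, at=1029, last_counter=None)
    ok2, last = verify_totp(key, code, at=1030, last_counter=last)   # replay
    stale = totp(key, 1000 - 2 * 30)
    ok3, _ = verify_totp(key, stale, at=1000, last_counter=None)
    return {"first_use": ok1, "replay": ok2, "two_steps_stale": ok3}


if __name__ == "__main__":
    # Prints the same 6-digit code the phone app / oathtool would show now.
    print(totp(RFC_TEST_KEY, int(time.time())))
    print(demo())
```

The per-user `last_counter` must be persisted atomically; without it, a code captured in transit (the SMS case the thread keeps coming back to) is valid for the whole window, and a code the user just typed can be replayed by anyone who shoulder-surfed it. The window should stay small: each extra step roughly adds another 10**-6 to an attacker's per-guess odds, so combine it with rate limiting on failed attempts.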
I used to absolutely love having to run down a flight of stairs, stand out in the middle of the pavement in the rain until my phone picked up the 2FA (calling my voicemail often helped), then re-enter the building, run back upstairs, unlock my machine and then type it in (correctly) only to find it had timed out.