this post was submitted on 26 Jun 2024
304 points (95.8% liked)

Cybersecurity - Memes

2004 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] headset 26 points 5 months ago* (last edited 5 months ago) (3 children)

Fuck the 2 factor bullshit. I've lost many accounts just because I moved to another country and changed my number. I still know the password, It is my account but I can't login just because the asshole who created 2 factor authentication never moved out of his parent's basement.

[–] [email protected] 31 points 5 months ago (1 children)

SMS based 2FA isn't recommended and with an authenticator/hardware token your scenario is not a problem.

[–] jj4211 6 points 5 months ago (2 children)

While true, other scenarios do come into play, like "I'm using a FIDO key but I dropped it down a storm drain". Meaning you pretty much have to provide some recovery mechanism, since you can't really require the user to have a backup device.

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago) (1 children)

That's why I don't use hardware tokens. They are more secure but they can break or get lost/stolen. My authentication app supports backups.

[–] jj4211 1 points 5 months ago (1 children)

Indeed, but some "security" guys frown deeply about the private key ever leaving a specific hardware device, because the second it can be backed up they freak out that it could, theoretically, be stolen. It's hardly a practical concern, but there's a lot of security people that don't care about practical considerations.

[–] [email protected] 4 points 5 months ago (1 children)

I see it more neutrally - the concern isn't wrong after all. Security is always to be balanced against convenience.

I consider being locked out for good so inconvenient that I'm willing to sacrifice a bit of security to avoid it. But everyone has to find what works best for them.

[–] [email protected] 3 points 5 months ago

Get out of here with your pragmatism. We'll have none of that in this security context.

[–] [email protected] 1 points 5 months ago

That's why it is called multi-factor

[–] Skipcast 8 points 5 months ago

Skill issue (don't use sms based 2fa it's the worst and least secure kind)

[–] Bytemeister -2 points 5 months ago (1 children)

No 2FA on an account these days is like having a fucking bead curtain for a front door.

[–] AlotOfReading 1 points 5 months ago

The security level should be the user's choice. Maybe I don't care if my neopets account is hacked. Maybe the 2fa offered actually decreases security, like the SMS 2FA required by my 401k account that can be used as the sole recovery factor, bypassing the password. Maybe I'm accessing from a system configuration that makes 2fa really annoying, like a build system running inside a fresh VM on every run.

The service doesn't have the context necessary to know when 2FA is warranted.