this post was submitted on 22 Aug 2023
381 points (98.5% liked)

Technology

34988 readers
467 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
 

I personally am fine with this.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 1 year ago (5 children)

No offense to companies but I'm honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a "bad phone number". This happened on discord where I'm locked out of certain servers because I can't do phone verification, and I can't do it because discord doesn't like my phone number. Twitter was the same way for a long while (couldn't do 2fa/phone verification due to them not liking my number).

From the article it sounds like they're doing authenticator app or sms. I'm guessing sms won't work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft.... no google?

Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we're gonna have to have 30 different authenticator apps on our phone?

[–] [email protected] 28 points 1 year ago (2 children)

Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?

you... don't?

Both of these implement exactly the same protocol (TOTP). Used authy for all my ~~Top Of The Pops~~ Time-based one-time password needs exclusively, before moving everything to bitwarden

[–] subtext 6 points 1 year ago (1 children)

Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.

[–] [email protected] 5 points 1 year ago (1 children)

which ones are that? I'd love to check, because afaik, they have a feature that enables push-2fa via authy, but should generally work on other apps as well

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

Sendgrid's only options for 2FA are Authy (their proprietary token generation, no option for TOTP) or SMS. Tried signing up the other day and was surprised to find no option to use standard TOTP.

https://docs.sendgrid.com/ui/account-and-settings/two-factor-authentication

[–] [email protected] 0 points 1 year ago (1 children)

Are you sure that you can't use a different TOTP generator? There's a difference between telling you to use Authy and still being able to use a different app

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

Yes I'm sure, hence why I specifically mentioned that. Try the sign up procedure yourself. It REQUIRES 2fa and it has to be Authy's non-standard token or SMS. No option for regular TOTP.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago)

thx. just making sure. I already saw a lot of people annoyed about a specific app, just because that was the one being advertised, but in the end it was TOTP

[–] [email protected] 1 points 1 year ago (1 children)

websites explicitly said to get one or the other so I did.

[–] subtext 7 points 1 year ago (2 children)

Well the good news for you is that a website specifying one or the other is nothing more than marketing from that app maker! So long as there is a QR code (or a long random-ish string), you can use any authenticator app that supports that website’s 2FA algorithms!

That last bit is important because I think Lemmy had a non-standard 2FA algorithm (SHA-256?) that wouldn’t work with Google Authenticator.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

Lemmy works with Google Authenticator, but not with Authy.

Annoyingly Authy fails silently and ignores the part of the code that specifies SHA-256 and just generates a SHA-1 code that won't work with no warning or indication to the user.

[–] [email protected] 1 points 1 year ago

that's good to know. I'll just switch everything over to google authenticator then.

[–] [email protected] 15 points 1 year ago (1 children)

BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn't matter which one you use.

[–] tool 4 points 1 year ago

BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn't matter which one you use.

Eh, it's a little more nuanced than that, there're more standards for MFA code generation than just TOTP.

And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard's Battle.net MFA is a good example of that.

If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn't automatically assume that it's going to work.

[–] [email protected] 5 points 1 year ago (1 children)

Anyone who claims they're doing OTPs over SMS for "security" ia lying to you. Discord wants your phone number; it has nothing to do with your security

[–] [email protected] 2 points 1 year ago (2 children)

there's quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.

[–] [email protected] 4 points 1 year ago

How do you even use the internet? I mean, you could never book a flight, use any food rewards program, book a ride share, etc. Almost everything uses my phone number for 2FA.

[–] totallynotarobot 2 points 1 year ago (2 children)

There is literally no bank in my country that doesn't use sms for 2fa.

[–] [email protected] 4 points 1 year ago

Yes banks are terrible about this, and it makes no sense

[–] [email protected] 2 points 1 year ago (1 children)

what happens if you don't have a phone number? you're just prevented from having a bank account?

[–] totallynotarobot 2 points 1 year ago* (last edited 1 year ago)

You can have a bank account, but you wouldn't be able to do online or mobile banking.

Sms is the only 2fa option (some offer email as well, but last I checked all fall back on sms), and it's mandatory for online/mobile.

[–] vinniep 2 points 1 year ago (2 children)

Google Auth works just fine. The standard for app generated 2FA is, well, standard. They're only listing a non-complete list of options for people that don't know what an authenticator app is and need to get one for the first time.

[–] [email protected] 2 points 1 year ago (1 children)

The google auth which transmits your totp code in plaintext to there servers?

[–] vinniep 1 points 1 year ago

That is the specific app the person I replied to was asking about, so yea. Would have been a little weird if I was talking about some other app.

[–] [email protected] 1 points 1 year ago (2 children)

do all authenticators work for all services?

[–] vinniep 1 points 1 year ago

Mostly. The 6 digit standard ones that you see almost everywhere are standard TOTP codes and most apps work for them. There are some proprietary things out there too but you typically see those with a matching app from the same company. Those are far less common though so for practical reasons you can assume they are all interchangeable.

Those values are computed separately what the app is really storing is just the input values which are then combines with the current time to create the 6 digit code. That means that keeping that input value (seed) safe is a big deal, and how and where that is done is one of the major differentiators between the various options.