• @[email protected]
    link
    fedilink
    English
    15110 months ago

    There was a chap on here the other day who said they hate 2fa and don’t need it because they use passwords that are 50 characters and generated by the password manager.

    This is a perfect example of why you should always activate it when possible.

    • @Specal
      link
      English
      4310 months ago

      Alot of people don’t like Microsoft, but they’re pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.

      • andrew
        link
        fedilink
        English
        35
        edit-2
        10 months ago

        This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.

        Passkeys are interesting and potentially quite strong but they’re going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.

        • @[email protected]
          link
          fedilink
          English
          110 months ago

          Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.

          • @cley_faye
            link
            English
            210 months ago

            Yeah, good luck with that. You can tell someone “if you lose this token, all data are unrecoverable”, they’ll reply with “ok, got it!” and about two and a half second later call you saying “Hey I lost my token can you recover my data?”.

            • @[email protected]
              link
              fedilink
              English
              110 months ago

              Hence the “hard lesson” part. A lot of us tech-focused people learned the same lesson with our document backup systems. You lose some important documents, then you realize you really should backup your stuff. All I hope is these people learn the lesson earlier in life before the consequences become more and more severe.

      • Encrypt-Keeper
        link
        English
        1710 months ago

        Have they given up on their “Passwords are insecure, use this 4 digit pin instead” push?

        • @Specal
          link
          English
          310 months ago

          I just use their Authenticator app out of convenience, I get a notification when I login through it and it asks me to input the correct number given by the app, a 2 digit number.

        • @Flying_Hellfish
          link
          English
          310 months ago

          Not entirely, but now MS, and a lot of other companies, are pushing passkeys. I still prefer password + hardware 2fa but it’s safer than people reusing the same password everywhere.

          • Encrypt-Keeper
            link
            English
            3
            edit-2
            10 months ago

            I am a fan of passkeys. Particularly because they essentially function as hardware 2fa, except they’re the only factor, which isn’t as big of a problem because it’s not something you can steal in a service breach like passwords. I’ve also noticed that even when using passkeys, most sites let you force a TOTP code as well anyway.

            • @Flying_Hellfish
              link
              English
              310 months ago

              Very true, the big issue with them is a lot of popular hardware keys, including the yubikeys that I have, are limited to the number passkeys they can store (yubikey is 25 unique). Luckily password managers are starting to support them, but now you’re back to having a strong password + hardware 2FA to store those passkeys anyway.

              I do like TOTP or just hardware 2FA as a backup for my passkeys. What I really can’t stand is sties that only offer SMS as 2FA, it makes me more angry than it probably should.

              • Encrypt-Keeper
                link
                English
                110 months ago

                iPhones natively support passkeys, so at the very least the iOS user base can easily use them. Not sure about Android though.

      • CubitOom
        link
        fedilink
        English
        210 months ago

        How does Microsoft’s implementation work?

        Is it possible to log into windows without a Microsoft account using that method?

    • @[email protected]
      link
      fedilink
      English
      1610 months ago

      I see a lot of people around me resetting passwords of services they rarely use because they forgot what password they used and don’t have a password manager (or not synced one). And I don’t understand why all services don’t propose to generate a one time link to log in instead of changing passwords (a few services do propose it already)

      Passwords are useless for all users using the same password for every account they have, and i’m sure it’s a majority of users.

      • @[email protected]
        link
        fedilink
        English
        910 months ago

        Google is moving that way with passkeys. I think it’ll catch on with many people.

        Just cut the passwords out and go straight to unlocking with a device.

        That said not sure what happens if you lose your device.

        • @Baines
          link
          English
          11
          edit-2
          10 months ago

          don’t even have to lose the device

          phone is the most common, plenty of ways in from mitm attacks (insecure wifi for example) to social eng the account phone provider

          guess you could go the dongle route but if it was super common thieves would just target them

      • GigglyBobble
        link
        fedilink
        310 months ago

        How do you secure email accounts then? And wouldn’t that make those just even more attractive targets?

    • @pizzawithdirt
      link
      English
      510 months ago

      I don’t have 2FA for my GitLab account since it’s only accesible via my GitHub account which has 2FA. Is this good or should I add 2FA to GitLab also?

        • @BirdsWithBeefyArms
          link
          English
          410 months ago

          This isn’t necessarily true. If you are using an identity provider, you can still perform a password reset on GitLab and set a password there, bypassing your 2FA on GitHub. You usually shouldnt rely on IdP 2FA unless the destination system enforces IdP signin every time. There is a group setting in GitLab that does that, but it will only apply for that group.

    • CubitOom
      link
      fedilink
      English
      210 months ago

      One of the biggest issues with 2fa is that normally it’s either an easily spoofable phone/email or an app locked to a device.

      This is why I use a password manager (pass) that is synced across all of my devices (via a private self hosted git for version control) that I can send 2fa QR codes to cameraless devices via screenshots using zbarimg and have every device capable of 2fa verification with the pass-otp extension.

      I know this setup is a bit complicated as just dealing with git or importing a gpg key would give most people I know sense of existential dread. I am curious to see what others use for similar functionality.

      • @[email protected]
        link
        fedilink
        English
        110 months ago

        Is that second factor, though? If I understand it right, you are basically generating your MFA from your password manager, is that so?

        • CubitOom
          link
          fedilink
          English
          110 months ago

          I’m just using my password manager in place of the authenticator app.

          So rather than using an app like Google authenticator or Authy to see what the new random sequence is for the MFA, my password manager stores that QR as a string and will display the same random sequence that a normal MFA app would.

          They key difference is that my MFA is synced across any device that I have configured my password manager on using the same cryptographic keys and version control history.

          So if my phone is dead, lost, or stolen, I can still access my banking account via MFA as normal.

          I suppose it brings up the idea of what a “factor” is in how it’s used for MFA. If a factor is supposed to be a different device, a different app on the same device as your password manager, or just a different passphrase that’s constantly changing.

          • @[email protected]
            link
            fedilink
            English
            210 months ago

            I see. IIRC from school, “factor” actually has a definition - it’s either something you have (keycard, phone), something you are (biometrics) or something you know (password).

            For authentication to be truly an effective MFA, it would have to require at least two of those factors. And that’s also why I.e email isn’t really a MFA.

            So, I guess it boils down to where are you storing your passwords. If they are also in the password manager, then, its only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zeroday in the pass manager).

            • CubitOom
              link
              fedilink
              English
              110 months ago

              It’s still two separate passwords so I think it qualifies as 2 factors.

              But yes the password manager has one gpg key which only has one passphrase used to decrypt the passwords saved in the password manager. So if that was compromised then so would all passwords