• @MrJameGumb
    link
    815 months ago

    Here’s a little scenario that played out at work the other day…

    Dramatis personae:

    M - who is Me. Customer service agent extrodinaire.

    C - who is a dumbass cranky customer

    Our scene opens on your humble narrator diligently toiling at his work station

    M: Thank you for calling The Company, my name is M, may I have your name please?

    C: yeah yeah, my name is C, and I got a lot of problems with you people! Do you know how many times that damned robot voice tried to send me messages? I just want to talk to a person dammit!

    M: I’m so sorry to hear you’re having a bad experience sir! I’ll be happy to help you with anything you need, but it does appear you have enabled two factor authentication, so I’ll need to send a link to your phone so I can access your account

    C: THIS IS FUCKING RIDICULOUS! YOU CAN’T JUST TELL ME WHAT I WANT??? I PAY YOU PEOPLE A FORTUNE EVERY MONTH AND I CAN’T EVEN ASK A DAMNED QUESTION??? THIS COMPANY IS A FUCKING JOKE!!!

    M: Yes sir, I know the enhanced security requirements can be frustrating, but unfortunately we’ve had to update them in order to make sure our customers accounts remain secure. It should just take a moment for me to send the message though and all you have to do is click the link! Can I go ahead and send it to your number on file?

    C: are you fucking kidding me here? Is this what I pay for every goddamned month??? ALL I WANT TO DO IS ASK A QUESTION AND YOU ARE REFUSING TO HELP ME!!! GET ME YOUR SUPERVISOR! NOW!

    M: again sir, I understand how frustrating this can be. Unfortunately in order to protect your security, I cannot give you any information or transfer you to anyone else until we have verified your account. If you would prefer not to verify the account that is certainly your right though. Was there anything else I can help you with today?

    C: (sighs dramatically) fine… just send me the goddamned thing… I’m leaving this joke of a company tomorrow though.

    M: well sir I would hate for you to have to go to a competitor who doesn’t value your security as much as we do here at The Company. I’ll send that message out. You should be getting it right… now

    (Mr C grumbles incoherently as he clicks the link. It takes him all of two seconds.)

    C: THERE! I did what you ORDERED! Now will you PLEASE help me with my account???

    M: Absolutely sir! What can I help you with today?

    C: I have gotten at least 20 messages from you people today telling me some bullshit about approving an order being placed on my account! I DIDN’T ORDER ANYTHING!!! DO YOU PEOPLE EVEN KNOW WHAT YOU’RE DOING OVER THERE???

    (I pause to take a brief respite and collect my thoughts as I feel a little piece of my soul dying)

    M: That is a very serious issue sir! It appears someone was attempting to access your account online, and nearly managed to place an order for almost $5000 worth of equipment! It looks like the order was canceled because they couldn’t get past your (here it comes) enhanced two factor authentication requirements.

    C: …oh. Thank you have a nice day (click)

    (I scream internally, yet god does not listen)

    END SCENE

    • slazer2au
      link
      English
      345 months ago

      I do miss Tales from tech support.

    • WIZARD POPE💫
      link
      185 months ago

      Man, that was a rollercoaster. I don’t think I have the mental fortitude to not start crying if that happened to me.

      • @MrJameGumb
        link
        55 months ago

        It can be overwhelming for people when they first start, but after a while you eventually learn to expect it lol

        I can tell you from experience that someone like this probably makes up a reason to call in once or twice a month at least and claims they are taking their business elsewhere EVERY TIME for years and years lol

    • @Droggelbecher
      link
      33 months ago

      It might be I’m being stupid, so please tell 'em if I am. But why do you not wait to find out what the question even is before going into their account? That way you could explain the troubleshooting process better to them, no?

      • @MrJameGumb
        link
        13 months ago

        If someone is calling about an alert that there was an order placed on their account I can’t troubleshoot a single thing until I’m in the account

        • @Droggelbecher
          link
          23 months ago

          Aah ok, it sounded like they only said that after you logged in

    • @[email protected]
      link
      fedilink
      English
      25 months ago

      I’ve done that soul sucking job… You’re a saint. And I love those sorts of conversations.

  • @Aeri
    link
    265 months ago

    I do live in a state of constant dread of losing my phone, or having it break down, or getting a new phone now, but at least things are “secure” again *sigh

    • @Audalin
      link
      English
      135 months ago

      TOTP can be backed up and used on several devices at least.

    • AggressivelyPassive
      link
      fedilink
      35 months ago

      True. And I don’t even know, what to do about it. I can’t really be expected to always keep and maintain two phones, ideally at different places.

      • WIZARD POPE💫
        link
        15 months ago

        If you have an old phone you don’t use anymore, like your previous smartphone for example. Set it up on that as well and have it stored somewhere you know it is. Also make sure to charge it every couple months to make sure the battery stays healthy.

        • AggressivelyPassive
          link
          fedilink
          35 months ago

          Well, I ditched my old phone because the battery is practically dead.

          And my point is not, that I don’t have a mitigation at hand, but it’s stupid that I even need that mitigation. Essentially, the security providers offloaded their incompetence and/or unwillingness to pay insurances onto all of their users.

    • @[email protected]
      link
      fedilink
      English
      05 months ago

      Google Authenticator will back up keys. I often add keys on my main phone and read them off my backup phone.

  • @headset
    link
    26
    edit-2
    5 months ago

    Fuck the 2 factor bullshit. I’ve lost many accounts just because I moved to another country and changed my number. I still know the password, It is my account but I can’t login just because the asshole who created 2 factor authentication never moved out of his parent’s basement.

    • @[email protected]
      link
      fedilink
      315 months ago

      SMS based 2FA isn’t recommended and with an authenticator/hardware token your scenario is not a problem.

      • @jj4211
        link
        65 months ago

        While true, other scenarios do come into play, like “I’m using a FIDO key but I dropped it down a storm drain”. Meaning you pretty much have to provide some recovery mechanism, since you can’t really require the user to have a backup device.

        • @[email protected]
          link
          fedilink
          3
          edit-2
          5 months ago

          That’s why I don’t use hardware tokens. They are more secure but they can break or get lost/stolen. My authentication app supports backups.

          • @jj4211
            link
            15 months ago

            Indeed, but some “security” guys frown deeply about the private key ever leaving a specific hardware device, because the second it can be backed up they freak out that it could, theoretically, be stolen. It’s hardly a practical concern, but there’s a lot of security people that don’t care about practical considerations.

            • @[email protected]
              link
              fedilink
              45 months ago

              I see it more neutrally - the concern isn’t wrong after all. Security is always to be balanced against convenience.

              I consider being locked out for good so inconvenient that I’m willing to sacrifice a bit of security to avoid it. But everyone has to find what works best for them.

              • @[email protected]
                link
                fedilink
                English
                35 months ago

                Get out of here with your pragmatism. We’ll have none of that in this security context.

    • @Skipcast
      link
      English
      85 months ago

      Skill issue (don’t use sms based 2fa it’s the worst and least secure kind)

    • @Bytemeister
      link
      Ελληνικά
      -25 months ago

      No 2FA on an account these days is like having a fucking bead curtain for a front door.

      • @AlotOfReading
        link
        15 months ago

        The security level should be the user’s choice. Maybe I don’t care if my neopets account is hacked. Maybe the 2fa offered actually decreases security, like the SMS 2FA required by my 401k account that can be used as the sole recovery factor, bypassing the password. Maybe I’m accessing from a system configuration that makes 2fa really annoying, like a build system running inside a fresh VM on every run.

        The service doesn’t have the context necessary to know when 2FA is warranted.

  • @Zachariah
    link
    155 months ago

    Unfortunately, it’s often implemented as two-step authentication though. Like asking for a password and an answer to a security question. Those are both something you know. Two-factor authentication would involve two of these factors: something you know, something you have, and something you are.

    • WIZARD POPE💫
      link
      35 months ago

      I thought the security code version was more common. Either geting a SMS code or email or the better version with a designated Authenticator app.

  • @mlg
    link
    English
    115 months ago

    Cybercriminals stealing the Oauth2 tokens after users authenticate with 2FA:

  • @[email protected]
    link
    fedilink
    95 months ago

    IT pro here with over 40 years XP. I have MFA in some places, not in others. As with everything else in IT, IT DEPENDS.

  • udon
    link
    75 months ago

    I was all for it and even bought a USB dongle to make it super easy. Turns out this shit doesn’t work anywhere. Fuck 2FA if nobody implements decent mechanisms.

    • @jj4211
      link
      6
      edit-2
      5 months ago

      Basically, you have:

      • TOTP - no particular investment needed, so very popular, but a bit onerous
      • Various MFA vendors that tie into their cloud services. I hate these since it means I generally have to get additional apps, with uneven platform support
      • Webauthn/Passkey - Cool, integration with my phone, a Fido usb key, windows hello if applicable, no need for external service, uses asymmetric encryption so it’s not shared secret and it’s more convenient… Almost no one bothers to implement it for their service though, despite it being pretty damn easy.
      • @[email protected]
        link
        fedilink
        English
        15 months ago

        I use Dashlane… It just handles all the user side of all of those for me, covering 2FA with the app/passkey nicely.

  • @JackLSauce
    link
    55 months ago

    Got to implement one of these systems at work before

    They wanted it in place ASAP so I skipped creating an opt-out/opt-in “feature”

  • @yesman
    link
    5
    edit-2
    5 months ago

    Your identity cannot be stolen. The idea is science fiction. What thieves make off with are your credentials. Many of which you have no choice and sometimes no knowledge of. If you think about it, these credentials aren’t necessarily for your benefit, and sometimes directly to your harm.

    But it’s your job to safeguard and secure these credentials with your time, effort, and hardware you own and maintain. Carry on consumer.

  • @ByteJunk
    link
    45 months ago

    This was my ISP and I a few years ago. I’m a beta tester for some of their features, and I argued this was necessary for ages. They finally implemented it, and now err on the side of way too many prompts for 2FA, but at least we have it.

    My current beef is arguing that we NEED IPv6 settings in the router. One size does NOT fit all. It’s an uphill battle…

    • @jj4211
      link
      65 months ago

      Yes, shared secret based, but not a big deal because it is machine generated and unique per account. The ‘server has your credential’ is only a problem if the credential is reused across services. If you have access to read TOTP secrets from the server, you probably don’t need those TOTP secrets to further compromise the service.

      But webauthn/passkey is a better approach. Properly managed SSH keys are good too, but folks aren’t too happy about how ssh keys are commonly pretty lax. Client certificates similarly would have worked, but never took off. Similar story for smartcards.

      • @[email protected]
        link
        fedilink
        1
        edit-2
        5 months ago

        I am in the process of buying a Nitrokey 3 Mini!

        Gonna test some stuff, like Secure Element LUKS encryption on my old Thinkpad

  • @[email protected]
    link
    fedilink
    15 months ago

    If only you could disable prompt on an already logged in device login. It almost completely eliminates half of the point of having 2fa.

  • @Bye
    link
    -35 months ago

    2-factor would be fine if it didn’t have to involve my phone. It’s such a pain in the ass. Like a second password would be fine, so my password manager could just do both at once.

    • @Feathercrown
      link
      English
      19
      edit-2
      5 months ago

      I don’t think you get why 2fa is more secure. That would be basically the same as having one password.

      • @Bye
        link
        65 months ago

        I guess I don’t

        I just want them to make it so I can use my password manager, because juggling multiple authentication apps and sms messages etc just makes me less likely to turn on 2fa in the first place.

          • @Crowfiend
            link
            75 months ago

            Until two separate accounts with authenticator/manager support don’t have any crossover.

          • @Bye
            link
            55 months ago

            No my bank and my work use different ones

            • @[email protected]
              link
              fedilink
              15 months ago

              Ah, normally they are cross-compatible, workplaces that use a cloud suite sometimes do require a certain service for everything.

    • slazer2au
      link
      English
      55 months ago

      KeepassXC can hold your password and your otop codes. It is recommended to use different databases tho.

    • @[email protected]
      link
      fedilink
      English
      3
      edit-2
      5 months ago

      There are options for 2fa for desktop, for Windows and Linux^. You could have multiple devices with your 2fa codes, makes it not as bad if your phone breaks.

      ^ (though from my experience with the Windows ones they are not as robust, but they get the job done)

      Edit: syntax jank…

    • @Bytemeister
      link
      Ελληνικά
      25 months ago

      A second password would not be 2FA, it would just be two passwords.

      2 Factor refers to 2 different ways of proving your identity. Something you know (your password) and something you have (your phone). You can also get dedicated 2FA devices, they look like a little USB drive with a screen, but honestly, they are more of a pain to deal with than your phone, and most 2FA systems do not have support for all the different brands and devices.