Recent examples Twitch and Firefox 🤦

  • @[email protected]
    link
    fedilink
    English
    381 month ago

    That and most accounts that use TOTP auth apps, let you bypass/disable them via email 2fa, while also letting you reset your password the same way…

    Got access to your marks email? You’ve got both factors.

  • Fubarberry
    link
    fedilink
    English
    181 month ago

    A bank I used for a mortgage has mandatory text message 2fa if they think you’re on a new device (won’t allow google auth/etc). And web browsers like firefox/brave block enough cookies/etc that it requires the “new device” authentication everytime I log in.

    Problem is, for a couple months there was some delay with their text messages. It would take 10-20 minutes to send your 2fa code, and the code would expire after 5 min, meaning that by the time you got the code it was always expired and unusable.

    Made it completely impossible to log in to pay my mortgage payments. Led to some really frustrating talks on the phone about how I didn’t want to pay with a credit card over the phone, I wanted them to fix their damn system so I could log in and pay via bank transfer like usual.

    • JohnWorksOP
      link
      fedilink
      English
      81 month ago

      Ah yeah I remember I had a service that had a delay with sending the 2fa code (can’t remember if it was email or sms) but it got to the point where it was basically gambling on if I’d get into the account on that day or not lol. Glad it wasn’t as important as mortgage payments though that sucks to hear.

    • @[email protected]
      link
      fedilink
      English
      01 month ago

      What century do you live in where you have to actually log in to pay your mortgage?! 😂

  • ERROR: Earth.exe has crashed
    link
    fedilink
    English
    81 month ago

    Couldn’t be more infuriating than apple’s forced 2fa that requires a phone number. Effectively making iOS devices useless unless you have a phone number.

    • JohnWorksOP
      link
      fedilink
      English
      41 month ago

      Didn’t know about the phone number requirement but I am annoyed that any time I log into my apple account it’ll only ping my iOS devices as a 2fa option. Wish I could use generic/standardized 2fa code gen.

    • @SpaceNoodle
      link
      English
      31 month ago

      Mine somehow got linked to my work MacBook, and it won’t even let me use my phone to authenticate. They really love that ecosystem lock-in.

      • @TrickDacy
        link
        English
        21 month ago

        Yeah I had a very frustrating issue with that on an old work laptop

    • @[email protected]
      link
      fedilink
      English
      61 month ago

      My guess is that it’s the easiest and cheapest way to set up “MFA”.

      The number of banks that don’t have proper MFA really bugs me.

      • Saik0
        link
        fedilink
        English
        91 month ago

        My guess is that it’s the easiest and cheapest way to set up “MFA”.

        TOTP is cheaper.

        SMS is actually expensive at scale. An example would be Signal, the messenger app that doesn’t use SMS. They have overhead for sending backup codes/new account creation/Verification/etc… https://www.wired.com/story/signal-operating-costs/ 6 million a year. API integrations for SMS messages/codes are still like 1-5 cents per message.

        TOTP’s requirements? A reasonably accurate clock on the server, and storing the shared secret in a database.

  • @[email protected]
    link
    fedilink
    English
    31 month ago

    Facebook not only sends the code to text without asking, but they love to just directly start the reset password procedure.

    Now, that’s super weird. Are they assuming that, because last time I logged in was 6 months ago, I must have forgot my password?