 
MFA is a mess, continued by Ice Cream Jonsey 05/14/2019, 7:36am PDT
https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess

This article doesn't align precisely with my views; it takes as a given that all sites should have MFA. The use case I just encountered about some awful implementations of it was this:

- Flying out of the country, get a Europe SIM card from Three.co.uk.
- Put that in, with the understanding that my old SIM card is out
- Go to use a website and that website wants to send something to my old telephone number

Now I am swapping SIM cards. :/

This part in the article is kind of amazing to me:

For much of the last five years, the center of the campaign for two-factor has been twofactorauth.org, a site run by Carl Rosengren that’s dedicated to naming and shaming any product that doesn’t offer two-factor. At a glance, it can tell you which sites offer more than just a password login, and offers you an easy way to tweet at companies that don’t. Today, the site sends out hundreds of thousands of shaming tweets a day.

CONSUMERS WANT TWO-FACTOR. IF YOU DON’T OFFER IT, THEY’LL FIND A SERVICE THAT DOES
The campaign seems to have worked; nearly every company now offers some form of two-factor. Netflix is the biggest holdout — “I feel like I should buy a cake or something when that happens,” Rosengren says.


MFA for Netflix is stupid. Netflix wants you to share your account. It is frequently used (via the download to device option) on airplanes. If someone got my Netflix credentials they can't do any damage. The only reason we have accounts on Netflix, really, is for billing. Of course I shouldn't need to go get my goddamn phone for Netflix. It bothers me that they are doing the right thing and well-intentioned people that can't think about the real-world implications of this for a second think they are in the wrong.

I'll let "hundreds of shaming tweets" go.


ICJ
 
I hate a lot of implementations of MFA by Ice Cream Jonsey 04/28/2019, 8:54am PDT
    SMS isn't MFA and can be intercepted. It's just a webshit doing the laziest. NT by The Happiness Engine 04/29/2019, 3:50pm PDT
    Some people keep a burner phone with a secret number just for this. by Blackwater 05/01/2019, 6:48pm PDT
    MFA is a mess, continued by Ice Cream Jonsey 05/14/2019, 7:36am PDT
        Did you see this post on slashdot? by Dan Driedelberg 05/19/2019, 8:42pm PDT
        The saddest thing is that we actually have the tech to make 2FA work for real by blackwater 05/22/2019, 8:31am PDT
            Tell me more about this Yubikey. Sell me on it. NT by Jack Bauer 05/22/2019, 8:53pm PDT
                basically it is a physical thing you carry it around that unlocks stuff by Blackwater 05/22/2019, 10:14pm PDT
 