I despise 2fa. I hate needing my phone within reach at all times, especially considering it's a device I don't own, I don't have root on. There must be a better way.
this post was submitted on 28 Jan 2025
48 points (85.3% liked)
Ask Lemmy
27813 readers
2181 users here now
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com.
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
founded 2 years ago
MODERATORS
In today’s world, MFA (multifactor authentication) is a necessity for literally any account in which you store information you don’t want to be stolen by someone. I’m more upset that several services I use still don’t support it, or only support MFA via text or email, neither of which is secure enough to be of much use.
You don’t want the place where you store your passwords, likely including your bank account, health insurance, social media accounts, etc. to be more difficult to hack? You live in a post-quantum world. Passwords aren’t enough.
100% agree with the exception that 2FA over SMS or email needs to die, along with the “magic link” style of signing in.
Why is everyone so slow to implement FIDO2?
Agreed. But I think it’s evident even in these threads why companies are slow to adopt. Lemmy is still a niche corner of the internet predominantly used by technology savvy people, and yet you see folks here saying that they hate the inconvenience of it. Less tech adept users are more likely to dislike the additional friction.
Maybe I’ve been in the Apple garden too long but Passkeys make this easy enough for any idiot.
Now if websites would stop prompting for a password and just use passwordless authentication I’d be happy.
In fact I did this for my own business in one day using Authentik as SSO like three years ago. What’s the holdup?
This is the correct answer. MFA should be enforced for literally every account you have, and the method should be app-based or a hardware token.
It turns out that people en masse are lazy and will use the same simple password for all their accounts and then wonder how they got hacked. People in tech for the past 30 years or so struggled with the difference between theory and practice when it came to user psychology, and I am happy that we are finally starting to realize the user psychology aspect and just force them to be secure.
Disagree. So much money is lost because of simple password auth. Mandatory mfa fixes nearly all of it.
I hate it. It should be my choice. Not all of my accounts need to be super secure. It sucks enough already when my phone breaks or something I don't need to be locked out of everything
This is something thats actually scary. Phones are so necessary now that when it breaks you could be digitially stranded, unable to log in to anything
I remember reading of a privacy-aware couple who were each others' "backups" in case one lost access. Well, they lost their house in a fire, along with their personal backups, and their "backup person" couldn't access their cloud backups either.
I'm an old-fashioned believer in the 3-2-1 -rule. Three copies of important data, two of them on different media, and one offsite. And make sure you can access all of them without the other two.
So like one password database on phone (even if it's offline, like most password apps have); one on the computer (like you probably want for use too?), and one in the cloud without need of either device or anything onsite to unlock (in my case, I've set up Bitwarden emergency access to someone in another country, and have a second Yubikey with a more local friend).
2FA has backup codes, plus you can keep TOTP on your other devices too.
I just hate it when the only 2fa option is my phone number.
This is an issue. I've been using Microsoft authenticator when I can.
Phone/SMS 2FA is a joke. You can tell which organizations need to be ditched.
Sure its deeply flawed in a bunch of ways, but it is miles better than nothing
Depending on the implementation, it's better than nothing
Phone/SMS 2FA is a joke. You can tell which organizations need to be ditched.
Oh... so you mean like... banks?
🤔
(Guess I gotta find a good mattress to put my money in... 😓 /s)
(Seriously tho, everything like government stuff, taxes, university, everything now requires 2fa, most are sms 2fa 😡, I hate this.)
My small credit union with nine branches offers TOTP 2FA
Necessary but evil. My workplace had a million headaches implementing an email-based 2fa system. So many automatic services blocking our emails, so many people who are tech illiterate who cannot understand 2fa, and all of their calls got sent to me and my team despite none of us having technical support experience. However, it has massively increased the security of our site, while allowing us to finally implement a way for people to unlock their own accounts if they do have too many unsuccessful login attempts. The juice is worth the squeeze.
Fully agree. One of my old password was leaked years ago in one of the many many database breaches and it was used for Spotify and steam. I got the mfa code for the steam account email and was able to lock it down immediately.
Now I use bitwarden and all my passwords are random strings of 16 characters that I will never remember, nor care to. Good luck hackers. And have MFA setup where I'm able to.
Sample password - 8rY2xD7fNjE#TH#ROM
Teaching people and explaining why we have it is easy for me since I was almost a victim. After that, it's easy.
I get why 2FA is adopted so widely: companies need to cover they asses. Even if you don't care if a hacker gets ahold of your password for a flash game website, that password leak could cause issues later on, and opens the website up to responsibility.
What really bothers me more, is that 2FA is relying so heavily on phone numbers, which is an extremely flawed security system. At least some of the larger companies are open to using authenticator apps, or sharing the private key for storing in a database. But so many websites do 2FA by "requiring a phone number", which just puts a lot of security responsibility on the phone carrier now. The user doesn't really gain any extra responsibility for having good opsec, because phone companies fuck up all the time and assign phone numbers to new sim cards all the time, often on concerningly small amounts of information
While they are annoying unfortunately we live in a world where username+password is not enough for anything that has to be remotely secure.
I'm guilty of password reuse. I'm guilty of choosing weak passwords, my desktop computer has the password "1" because I had to set something.
I get it, but fuck it's beyond annoying sometimes. Its also impossible for homeless/at risk people who dont hold onto phone numbers or 2FA apps.
With luck they can guess an email password or reset it. But when 2fa is tied to a mobile 3 numbers ago, or needs the exact same device. Its fucked
Then you have to call the government (verbally Thanks for gov accounts) who are increasingly hard to get hold of coz its all a robot phone tree telling you to go online. Then when you so get someone you have to provide ID (thst they may or may not have a copy of) and start again.
Every time. Its near impossible.
Its fucking annoying that I need my phone surgically attached to me at all times, to do fucking anything on the internet, especially anything important.
This combined with constant logging out is driving me nuts, I truly only have one device that can actually log into everything, all my other devices are logged out so frequently theyre unusable.
Ever look into something like yubikey?
I dislike it. I already have a unique, long, randomly generated password for every account. That's stored in a password manager with a unique, long passphrase. 2FA provides very little additional security in that scenario.
Worse, many services won't let me use a standard TOTP authenticator. Some insist on SMS. Worse, some insist on their own app.
2FA does protect against the password being leaked and used by someone else though.
I think it's absolutely wild how archaic some systems are. And the worst offenders are those regulated by financial and medical industry laws. I have an account with one financial account that is protected only by password that is 12 characters max with special characters limited to just a few. I don't know how they haven't been breached and then sued into oblivion.
I'm fine with companies enforcing 2FA. Bitwarden is addressing the current weakest link in the chain: users.
Most of those banks just... pay the damages
I don't have any intrinsic issue with 2FA, but via something like storing an OTP on a store I decide on, not if it involves needing to install Random Company's app on a phone or provide a phone number.
They been a disaster for the elder and homeless community. Many of them have no cell phone and only login once a week and 2fa makes it pretty much impossible for them.
I think its great, but only when it's actual 2FA with a TOTP code. SMS/Email 2FA is annoying to deal with.
I don't have any issues with them. What I do take issue with is companies enforcing them with the assumption being you will use your own mobile device to authenticate for them. I feel like it's not worth the stink to complain but both places I work for require 2fa now and I need the authenticator app or get a message to my phone.
It should be required everywhere.
Username+password alone is not safe.
But if someone store all their 2FA in their password vault, wouldn't that just be 1FA with extra steps?
It still protects against sites getting breached and the password leaked which is very common.
You don't have to store 2fa in your password vault, and even then, you can enable 2fa for the vault. It's just more secure. Be confident that your login info will be leaked sometime, somewhere. With 2fa you're still safe.
I hate it. I already agreed to use unique unmemorizable password for every account and store them all in Bitwarden and now this is not enough? Yeah, I store my email password in Bitwarden too. With phones it's even worse, since it's way more probable to lose your phone than to lose your money due to database password breach. I don't understand why those probabilities are not estimated when introducing practices like this. Also, I don't remember the details but in the past I lost some accounts and passwords just by factory resetting the phone which had password manager app installed (probably forgot to transfer passphrases from the phone before wiping it).
Hate it. Or at least several implementations.
Apps that email and must open the emailed link in app? Sucks when phone is set to block links opening apps, or the address is not configured on that phone.
Many apps store too much data.
Bitwarden will only ask for 2fa when signing in from a new device.
Problems is, I still haven't received any notice, and I'm assuming nobody received that notice either. Only knew because I happen to see it on the webpage.
Imagine someone with only a phone (most people have their phone as their only device) and then lose their phone, then try to log in and... "Wtf is this?!?" and their email password is in the vault.
There are probably a lot of people that this scenario will happen to.
They should've gave at least 3 month of advance notice befote implementing this, this is rushed and a lot of people are gonna get locked out. (I know you're supposed to backup, but like do you think the average person just expect Bitwarden to shut down, or just do a policy change with inadequate notice?)
2fa is like mandatory nowadays for security purpose. just use TOTP like lemmy with ente or standardnotes as an app. it is easy to just copy and paste TOTP to access your password manager.
They have tried this before, with no notice and reversed the decision
Absolutely necessary.
* with the right implementation. Phone numbers or security questions suck