In a previous company, one of the employees enabled 2FA for their staff account (it was mandatory), stored the backup codes on his phone (presumably as a photo) and it fell in the ocean the next day.
With large enough numbers, you'll see everything, but you don't even need large numbers to get people whose lives are made more difficult by technology.
Yes, that is exactly what I want. Life should be much more difficult without the TOTP and backup codes, so much that it takes a great deal of resources to get around it, if at all possible. Maybe even providing heavy documentation such as a FaceTime call with various proof so that fraudulent actors are sufficiently deterred.
In a previous job I implemented a recovery page with a long random key (also posted as a QR code) that you could print out and use as an emergency password reset if ever required. You'd scan the QR code and it would take you to a page where you could set a new password directly.
This, coupled with an "I know what I'm doing, never let support reset my password" option that disabled changing the user's password for anyone without direct write access to the production database was pretty good for security, I feel.
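The recovery scheme described in the comment above, as an added sketch that is not the commenter's code: a long random key is embedded in a printable URL (the string a QR code would carry), and a per-user flag blocks support-initiated resets. Storing only a hash of the key, making it single-use, the `example.invalid` URL and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

USERS = {}  # constructed in-memory store standing in for the production database

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _set_password(user, password):
    user["salt"] = secrets.token_bytes(16)
    user["pw"] = _pw_hash(password, user["salt"])

def check_password(username, password):
    user = USERS[username]
    return hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"]))

def enroll(username, password, no_support_reset=False):
    """Create the user and return the recovery URL to print (shown only once)."""
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    user = {
        # Only a hash of the key is kept, so a database leak does not expose it.
        "recovery_hash": hashlib.sha256(key.encode()).digest(),
        "no_support_reset": no_support_reset,
    }
    _set_password(user, password)
    USERS[username] = user
    return f"https://example.invalid/recover?user={username}&key={key}"

def recover(username, key, new_password):
    """Emergency reset using the printed key; the key is burned after one use."""
    user = USERS.get(username)
    if user is None or user["recovery_hash"] is None:
        return False
    presented = hashlib.sha256(key.encode()).digest()
    if not hmac.compare_digest(user["recovery_hash"], presented):
        return False
    _set_password(user, new_password)
    user["recovery_hash"] = None
    return True

def support_reset(username, new_password):
    """Help-desk path: refused outright when the user opted out of support resets."""
    user = USERS.get(username)
    if user is None or user["no_support_reset"]:
        return False
    _set_password(user, new_password)
    return True
```
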
Dude. If somebody wants into your account specifically, they’ll get into it. 2FA, specifically SMS-based 2FA, is really about the provider getting mass compromised because people recycle their password across all their sites.
It's great for keeping out people using scripted attacks against a huge list of accounts. It isn’t really to keep people specifically after your account out.
If somebody wants your shit and specifically your shit.... they’ll get it...
> If somebody wants your shit and specifically your shit.... they’ll get it...
How? I don't think Brian Krebs has been hacked, even though he's extremely targeted by hackers (his site is literally the benchmark for performing DDoS attacks on).