
You find examples like this all over the place:

https://security.stackexchange.com/questions/49521/does-two-...

It gets worse if you search around for people talking about how they use 2FA codes to protect their accounts when logging into services on public computers.

The perception of the security added by 2FA emboldens people to make all kinds of poor security choices.




Sure, I understand what you're saying about 2FA but:

> They apparently think that those security questions, combined with the password, are the 2FA.

What makes you say that? I see nothing that concretely backs this up.


There was a link just 2 days ago on HN [1] about how 2FA has already been forced, but it's a mess b/c every site does it differently and usually in a way that's not secure.

1: https://news.ycombinator.com/item?id=14735759


Relevant blog post 'Now They Have 2FA Problems':

https://www.go350.com/posts/now-they-have-2fa-problems/


In addition to what other people have said, some sites force you to use 2FA or endlessly bug you to enable it.

Oh boy another plug for 2FA. I won't deny the obvious security advantages it confers, but that well has been poisoned a long time ago.

Call me paranoid, but I have a hard time seeing the push for 2FA as anything other than a plot to collect valuable user data. As with most any good lie, it's mostly true -- 2FA does improve security -- but what happens when a company goes bankrupt and sells off its assets?

Moreover, I can't help but to question the actual necessity of this security feature. The OP's mess could have been avoided if he'd ... you know ... systematically chosen secure passwords.

>Turn on two-factor authentication. Right now.

I'll pass, thanks.

P.S.: thanks for Requests!


The same could be said for the majority of financial institution websites. It's ridiculous how insecure and behind the times they are. Behind password restrictions, I'd say the next biggest thing that angers me is that they claim to support two-factor when it's really just "Wish It Was Two-Factor" in the form of so-called "security questions": http://thedailywtf.com/articles/WishItWas-TwoFactor-

Well, I think the point is that most people who don't work in IT would have no clue what 2fa means. Besides, this isn't 2fa, authentication isn't the issue here.

All of these quotes are saying to use 2FA (besides security questions, which are a horrible security measure: https://security.stackexchange.com/a/224271/10863). That sounds like a good suggestion, though it costs business because it adds friction. Maybe now that they need to save their reputation, and they're an established business with plenty of customers already, it makes sense for them to add, but a new entrant to the market would simply not do it and I'm not sure whether they can be fully blamed in a competitive market.

I don't think there's quite as much malice as you seem to read into it. Yeah, 2FA is kind of annoying, particularly when you don't have a real concrete understanding of the reasons why it's important.

It's a funny frame device to float a couple different satirical ideas. I'm sure faculty members – and most people – understand that 2FA is a necessary minor annoyance.


"Sorry if I'm a security noob but I have a genuine question. Why at the beginning I need to use 2FA if I can remember secure enough passwords (or use password managers) and I'm not stupid enough to give the passwords away easily?"

Glad you asked ...

... and your comment's children are not just wrong, but completely misunderstand the ecosystem they are discussing.

Mobile telephone 2FA is not for you. It's not to help you - it's not for your security. All of that is bullshit - and demonstrably so[1][2].

What is actually happening is that FAANGs, etc., have a brutal, unrelenting spam/scam problem which they have no idea how to solve.

Forcing every user to burn a phone number tied to a physical SIM card is their last-ditch attempt to throw enough sand in the gears and stay above water.

It sort of works.

It's very painful for end users, introduces all kinds of strange inconveniences and probably doesn't stop determined abusers ... but it seems to work better than anything else they've come up with thus far.

But make no mistake: It's not for you. It is not for your security or safety.

[1] Post-signup challenge to user - help us prove your identity by entering in a phone number you've never shown us before.

[2] Interestingly, very high value logins like brokerage and banking typically allow other forms of 2FA that don't involve burning a mobile number because those firms already have many other routes of identification and verification.


Some websites insist on using 2FA, even if you don't want it.

2FA exists because sometimes ne'er do wells get your password. Phishing, guessing weak passwords, password reuse from sites that are hacked, the list goes on.

It's pretty obvious what is a 2FA code and what is not. If I'm being sent a code on my email or phone, I know not to tell it to someone on the phone. Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.

I read the entire article, I am just unimpressed by the justifications as to how this "could happen to anybody."


It's the "or just" being the issue there, not the "use 2fa".

When you read the posts and when you don't rely on titles, you can see the point that the author argues.

2FA does suck, it's not a pleasant experience but it is necessary. If something sucks, it does not mean that you don't have to or should not have to use it. There are things that hinder user experience but are immense for security, like 2FA is.

Making judgment based on title is silly, and if the spirit of HN is to judge without facts - then I apologize. Carry on as you were.

The strawman argument against the author, based on the title that provokes thought, is not a sign of intellectual discussion.


Agreed: 2FA protects against password leaks on other sites from being applied to the system in question. In this case it would have been more reassuring to hear them disclose what was the attack vector (e.g. social engineering, email trojans, etc) and explain how they will reduce the chance of a similar compromise in the future.

This 100%. Yes those functions are easy but that isn't the issue with 2fa, it's the people. I just had a customer send in a ticket that their account from 3 years ago had 2fa enabled. They didn't remember setting that up, clearly had a new phone since then. These quick clickbait articles never bring up those subjects and how to properly address them.

Also had a firewall rule that dropped NTP packets and it took 3 months for the clock to drift before anyone with 2fa codes couldn't log in anymore.
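The NTP anecdote above is a real TOTP failure mode: the code is HMAC over a counter derived from the current time, so once the server's clock drifts further than its acceptance window, every valid authenticator is rejected. The script below is an added example, not code from this thread or any commenter; it implements RFC 4226 HOTP and RFC 6238 TOTP with only the standard library, assumes a server policy of accepting codes from one step either side of the current one (a common but not universal choice), and simulates logins from clocks with increasing skew. The secret is the RFC 6238 Appendix B test secret; the server time and skews are constructed for illustration.

```python
"""Added example: how TOTP clock drift locks users out.

Implements RFC 6238 TOTP on top of RFC 4226 HOTP with the standard library,
plus an assumed +/-1 step server acceptance window and a small drift
simulation.  The secret is the RFC 6238 Appendix B test secret; the server
time and skews used in the simulation are constructed for illustration.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # assumed server policy: accept codes from +/- one step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = WINDOW) -> bool:
    """Server-side check: accept the code if it matches any step inside the window.
    compare_digest keeps the comparison constant-time so mismatch position is not leaked."""
    base = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-window, window + 1))


def login_with_skew(secret: bytes, server_time: int, client_skew: int) -> bool:
    """Simulate a client whose clock is client_skew seconds away from the server's clock."""
    code = totp(secret, server_time + client_skew)
    return verify(secret, code, server_time)


def drift_report(secret: bytes, server_time: int, skews) -> dict:
    """Map each candidate skew (seconds) to whether that login would succeed."""
    return {s: login_with_skew(secret, server_time, s) for s in skews}


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret
    NOW = 1_000_000                      # constructed server time (seconds since epoch)
    # 0 and 25 s succeed, 59 s already fails because it crosses two step
    # boundaries, and a clock that has drifted for days fails unconditionally.
    for skew, ok in drift_report(SECRET, NOW, [0, 25, 59, 90, 7 * 24 * 3600]).items():
        print(f"client clock off by {skew:>7}s -> {'accepted' if ok else 'REJECTED'}")
```

The point for operators is that the tolerance is small and phase-dependent: with a 30 s step and a one-step window, a skew under 30 s always passes, a skew of 60 s or more never does, and anything in between depends on where the server's clock sits inside the current step. Monitoring NTP reachability on the authentication server catches the drift long before the three-month cliff in the comment above.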


Another annoying one is 2FA logins.

2FA can also be a way to get more private data, like phone numbers, out of users; which will be used for things having nothing to do with security or helping the user. Facebook did exactly this and I'm sure other companies have as well.

2FA increases risk of the account owner losing access to their account. There is a huge number of posts online from people livid about getting locked out of their account because of some mundane reason like their phone breaking. That risk rarely seems to be considered by the crowd pushing 2FA everywhere and anywhere, probably because it happens most often to non-techies.

Things that seem easy or obvious to folks working in tech are often a huge hurdle for regular users, who make up the majority of users for many products. Many tech companies could do a much better job of considering the needs of their users, rather than building what the devs and product managers personally think is cool.
