2FA is a problem

It doesn't help that Five Eyes intelligence agencies run courses for these corps recommending this shit. Then again, who do you think is leaking this shit all the time? Of course it's them. It's surveillance AND something that controls the civilian population while they leverage their own powers more.
Finally someone else understands why CISA is a bad thing. I've spoken out against them multiple times now, but all I get for it is flak.
 
Can't stand services that lock you from logging in from a different device

I GAVE YOU MY FUCKING PASSWORD LET ME IN

It's also so retard cysec don't have to secure the data.

I lost 2 old yahoo emails because one would link to the other and I had to log into one to log into the other etc... Yahoo has no support whatsoever so...
 
Can't stand services that lock you from logging in from a different device
I GAVE YOU MY FUCKING PASSWORD LET ME IN
It's also so retard cysec don't have to secure the data.
I lost 2 old yahoo emails because one would link to the other and I had to log into one to log into the other etc... Yahoo has no support whatsoever so...
I kind of get it due to security redundancy, but they do that shit just to sell data. Although, I had Outlook ask me about some random number recently, similar to the Google login on a different device with an account tied to a phone; I didn't even need to change my password, and whoever the faggot was that tried to hack my account got the hint I would be on top of him anytime he tried it.

Felt like Steam Guard, to be honest. While it's annoying that you get the shitty "type the code from email/phone" step, it works to stop your account from being hacked by some script kiddie, and you don't even need to arse yourself much other than checking the email/device.
If only they updated 2FA to fingerprint shit; my bank lets me do it, why can't the shitty app on my phone do it too?
 
What happens if I lose my phone, or my house burns down with everything, etc., and I've lost my backup codes? How do I then get in with 2FA?

It's why I keep an encrypted USB at work with my passwords in my locker, just in case I lose it all on my computer. I also keep another (also encrypted) USB with the needed info sitting below my computer tower.

Although, I do see the need for 2FA despite the inconvenience. I know someone who nearly got their Facebook account hacked. They were blocked solely by 2FA. The hacker actually managed to get their own 2FA number set up on his account somehow.
 
2FA apps require using a smart phone, which are tied to every aspect of a person's private information. At this point, smart phones are optional in society so long as you're willing to make some concessions, but mandatory use of 2FA apps rather than texting would fuck that extremely quickly. Even if you do use a personal, de-google/apple-d smart phone, wanting to use a burner phone for 2FA is probably a smart choice, since both the major authentication apps are owned by Google and Microsoft.
You can use 2FA without a smartphone. You can use a hardware key or a desktop passkey app.
 
Actually, this is another problem to be pointed out: if you link stuff across multiple providers, you also must trust multiple providers, and in 2026 do you even trust the website you're logging into? Probably not.
Yes, but they are still multiple providers. If one bans you or does some other shit to your account or data, you still have another and another. As long as you do not use the same username and password combination, you should be relatively safe.
 
FIDO Passkey USB
Damn, I would wonder about redundancy, BUT this isn't really meant for the slow niggers anyway, especially since shit like hacking and whatnot is a possibility to get your passkeys stolen. Also, USBs lose data if not powered for a while; maybe keep them on a power outlet until needed, no?
Still, a nice thing to consider, and I hope the tech for this stuff gets better. Being able to use a passkey on random sites with your fingerprint is lowkey cool.
 
I was recently logging into an old Google account. When I entered the password, instead of just allowing me to log into my account, it told me that I did not give Google enough information to confirm that the account was mine. I have never attached a phone number to that account, but the only method that Google gave me to confirm that the account was mine was to give it a phone number.
What the fuck? Even though I have the password to that Google account, Google is holding my account for ransom until I give it a phone number "for security". This doesn't boost security at all, because if my password got leaked then anyone can use any phone number to log into it. All it does is force the person that actually owns the account (me) to give Google more personally identifiable information. Google isn't alone in this, because I have had something similar happen to me when I was trying to log into an old Microsoft account.
This should be illegal.
 
I was trying to get into my HSA account to get a tax form and the custodian decided I needed a passkey. Nigger, I don't want a passkey; I gave you the correct username and password, let me use my desktop computer to look at the files. Nope. I had to download their fucking app and create a passkey that way. Now I am trying to zoom in on my fucking phone to determine the year-end balance.

I was so pissed off, I called them. The CSA offered to email me the form. Nigger, are you serious? I need a fucking passkey to use my desktop, and you are going to use the most insecure method available to transmit the banking information to me?

I hate what the Internet has become.
 
The main professional software I use now requires 2FA. Dealing with it is a pain in the rear, especially when the software temporarily closes itself for updates and then requires yet another 2FA code after it applies the updates and restarts.

As much as I understand the need for security, these increased security standards - 2FA included - seem to be more of a nuisance than a help. I'm convinced hackers and bad actors use this to their advantage in some manner.

The CSA offered to email me the form. Nigger, are you serious? I need a fucking passkey to use my desktop, and you are going to use the most insecure method available to transmit the banking information to me?
If the company used some sort of secure email system, that would probably be okay. However, some businesses require their secure email to be used for any communication, no matter how mundane, to the point of absurdity. Otherwise, I agree with you: it's hypocritical for the same companies requiring users to jump through all sorts of security hoops to feel it's totally fine to send information insecurely if push comes to shove.
(Edited for spelling and clarity.)
 
2FA is great in theory but it's so often poorly implemented. We have authenticator apps, hardware keys, password managers, so why, in 2026, is SMS still the only option allowed by a lot of services? I get that it's easy for the average user but it's also the least secure with SIM cloning being relatively trivial or in the case of a stolen phone where the passcode is known.

SMS 2FA is also a major PITA when traveling and using a local eSIM, as some services will not send verification codes to out-of-country numbers. It kind of defeats the purpose of buying a local SIM if I have to turn on expensive international roaming to receive 2FA codes. Of course, every single login out of the country will trigger a prompt for a code.

As much as I understand the need for security, these increased security standards - 2FA included - seem to be more of a nuisance than a help. I'm convinced hackers and bad actors use this to their advantage in some manner.
Being too restrictive with security policies leads to less security in the real world when you're dealing with users. Overly strict password policies lead to people writing passwords down because Nancy and Douglas aren't going to set up a password manager. Users themselves are the biggest vulnerability in most cases.
 
[Attachment: Screenshot_20260410-015536_Firefox.jpg]
 
As much as I understand the need for security, these increased security standards - 2FA included - seem to be more of a nuisance than a help. I'm convinced hackers and bad actors use this to their advantage in some manner.
I know a boomer who got hacked because they got a fake "2FA" prompt that said something like "Select this, hit Control+C, Windows+R, paste it into the verification box, and hit Enter". People are being trained to jump through so many absurd hoops these days that anything seems plausible.
 
I know a boomer who got hacked because they got a fake "2FA" prompt that said something like "Select this, hit Control+C, Windows+R, paste it into the verification box, and hit Enter". People are being trained to jump through so many absurd hoops these days that anything seems plausible.
It was a very common one and quite frankly very easy to fall for. All thanks to Cloudflare & Microsoft, of course!
[Attachment: fake-cloudfare-capture.jpg]
 
Aegis and KeepassXC if you can't afford a hardware token like a Nitrokey 3.
I have a Nitrokey 3, it stores the keys in the token, inaccessible to the OS.
Whenever I want a TOTP code, I run the CLI app. It asks for the token PIN and for user interaction (touch the token with a finger when it blinks), so nobody can request the TOTP code without you physically touching it. That's called a UIF, or User Interaction Factor, and it makes the token extra secure.
You can't trust the OS not to be compromised, so any app running in an OS that you can't be sure is free of a virus or vulnerability allowing an attacker to steal your 2FA keys can't be trusted.

Proprietary apps are banned from all my machines (except Android but I don't install any additional proprietary apps that didn't come with it already), I would never use anything that requires a proprietary app to function.

And SMS 2-factor should be illegal, honestly, due to how easy it is to intercept with stuff like IMSI catchers and SIM swaps, or an attacker compromising your cell ISP. SMS is unencrypted, so it isn't secure at all.

I remember when the bank I use gave out hardware tokens for their online web bank. That was before they started forcing everyone to use the app. I can still use the hw token because the old one still works, but when it dies, I don't know if they'll give me a new one, probably not.

The reason they don't support standard TOTP is because they want to track your usage and data with their proprietary app, or they want to get you used to using the app instead of cash, to normalize cashless app payments, to get everyone ready for when they ban cash altogether.
 
I lost 2 old yahoo emails because one would link to the other and I had to log into one to log into the other etc... Yahoo has no support whatsoever so...
Yahoo also requires a smartphone number for recovery purposes. Someone in my circle of friends has a yahoo account but no smartphone. Every two weeks, Yahoo signs them out of their account, requires another login, and pops up the screen asking for a mobile recovery number. Although it can be bypassed by entering 111-111-1111 as the number and then clicking the link to skip the next step on the following screen when it wants to send a code to the number, it's only a temporary fix and doesn't address the fact that people who don't or can't use smartphones are having an increasingly difficult time doing the most basic of online tasks.
 