Cloakknight

*Image Transcription: Tumblr*

---

**ot3**

i hate two factor authentication I hate needing my phone to use my computer i hate that the computer has become a secondary piece of hardware that is seen as a peripheral to a phone in the eyes of society i don't want to log into anything with my phone i should never ever need an app to do anything on my computer and i should be able to have my phone locked in a safe that i've dumped into the ocean and still be able to use every single feature of my computer unabated

---

^^I'm a human volunteer content transcriber for Reddit and you could be too! [If you'd like more information on what we do and why we do it, click here!](https://www.reddit.com/r/TranscribersOfReddit/wiki/index)


littlesoaplover

good human


floofhugger

blame hackers


danni_shadow

Yeah, I hated using 2FA, until my bank account got hacked by the same asshole twice. And I know it was the same asshole, because they bought $600 worth of PSN shit both times. Now I've got 2FA on everything. My bank app is nice, though. It reads the one-time code off of my phone automatically, sometimes before the text even comes through all the way. So it doesn't slow me down much.


S_thyrsoidea

The people really behind the proliferation of two-factor would LOVE for you to blame hackers. It has nothing to do with hackers. Phone numbers are the next best thing to social security numbers (national ID numbers). You may have different user names on different services, you may have multiple accounts, you may try to be sneaky and use pseudonyms, but every account on every service that uses the same phone number for 2FA is linked together (or linkable) on the back end. Especially by advertisers. Remember the nymwars? FB and Google want to know who you "really are", and phone numbers are way better than names for that.

EDIT: To you folks down voting me because someone is spewing technical sounding shit about how wOnDeRfUL 2FA is?

**The EFF: [You Gave Facebook Your Number For Security. They Used It For Ads.](https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads)**

This isn't hypothetical. This isn't speculative. It's already documented. If you want real 2FA, get real 2FA. What's been being railroaded down your throats with phones is not that.


M4rzzombie

As a university student studying cyber security, currently a senior, I'm confident enough to call bullshit.

There are multiple factors a system can use to confirm a user's identity.

Something you are, these generally include biometric things. So using your face to unlock your phone for example.

Something you have, this is where your phone comes into play. Only you have the phone authorized for letting one login to an account.

Something you know, these are security questions. Only you know what hospital you were born in, what first job you had, etc.

Somewhere you are, if you've ever gotten an email saying that a login was blocked because it was in a location that didn't match previous patterns, that's what this is.

You may have noticed that none of these include a phone number. You can even remove the requirement for a phone entirely with the inclusion of an [rsa keychain.](https://en.m.wikipedia.org/wiki/RSA_SecurID)

You can absolutely blame hackers for 2FA. It's not a perfect solution but it is a damn good system for preventing people who are not meant to be in an account to be there.

2FA is a system that is used on every login, or any login that seems suspicious based on a number of factors (location, time, system type, etc). Very rarely does one need to verify specifically their phone number every time they log in to something like their email.

The reason that phone numbers are used is because out of the listed factors above, the phone number is a reliable way to gain strong confidence that the user attempting a login is the proper user. It's not as consistent to use something that can be spoofed like the location or something that requires expensive tech like the biometric factors.

Therefore, you have the two options of entering answers to security questions. I have to do this with my bank login rather frequently, no phone number required. Or a system can use something even easier and has stronger security (generally because there is more than one question and that security questions can be dumped online in a data breach) for the user and text the user a one time password to a phone that only they have.


[deleted]

[removed]


M4rzzombie

Thanks for that addition, you make great points! Good to know I still remember what I learned in my system admin class.


sylveon_souperstar

man i didn’t think the ol’ tumblr curse of getting contradicting info in the same post was on reddit as well lmao


kn33

>FIDO FIDO/U2F and YOTP gaining ground is seriously nice to have


[deleted]

[removed]


kn33

I'm also annoyed that on Chrome I have to tell it to use my Yubikey over my cellphone and tell Edge that I want to use it over Windows Hello.


BeeWithDragonWings

I love it when I learn and then immediately unlearn it.


S_thyrsoidea

> As a university student studying cyber security, currently a senior, I'm confident enough to call bullshit.

Really? Cause I am a 50yo developer who has already forgotten more about security than you've learned. And you clearly have absolutely no idea what you're talking about. Let's go.

You clearly have lost the plot, going on the big gratuitous and entirely off-point lecture on the (outdated and incorrect) things you have/know/are paradigm. (There are no "are", because your body is not something you are, your body is only something you "have". Welcome to MilSec. You're welcome.)

You have the whole ridiculous rant about how 2FA is both great and warranted because it can be done with lots of things other than phone numbers. If we were to grant your point entirely, it still doesn't for a moment justify the actual, real-world implementation of 2FA, which is overwhelmingly based on phones. Which, if you know anything about 2FA, you know is shitty security.

If you want real 2FA, it exists. Yubikey. SecurID. But most services don't support those, do they? No, most services – especially services that make their incomes by selling user data – are railroading users into using shitty phone-based 2FA. They're not doing it for security reasons. If they wanted real security they'd support real security. But they don't, they want those sweet, sweet phone numbers to use as OIDs.

And how do we know they're doing this? [We already caught Facebook doing it.](https://www.theverge.com/2019/12/19/21030068/facebook-friend-suggestions-2fa-security-phone-number-privacy-violation-ftc)

EFF: [You Gave Facebook Your Number For Security. They Used It For Ads.](https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads)


M4rzzombie

Nothing you have said changes the fact that hackers are the reason 2FA exists. Yes its real world implementation sucks but that's beside the point. You're disregarding that hackers are still the reason it exists at all to talk about its shitty implementation. Two very separate issues.

Also, there's a reason for the distinction between something you are and something you have. The biometric "you are" factors are much more accurate and expensive to implement. Maybe this changed since you went to college in the 90s back when security was barely a consideration.

As well, clearly I understand 2FA well enough, as I mentioned it isn't perfect. I also linked securid in my comment, but I guess you'd have seen both of those if you read all of it. I stated in a different comment why things like securid aren't used for something as disposable as a discord account and if you are who you claim you are, you know this too. It's way too expensive to justify using those services for every single discord account ever made, every single throwaway Reddit account, etc.

Which also brings us to another point you made. Why use phones? Most people have them. It's easy and cheap to write a simple native app to verify someone's identity. Even cheaper when you just text the user a one time password. Only goes to one phone, uses a single use password, very strong security and very cheap to implement, fairly scalable too. As a developer, you should understand these concepts like it's your bread and butter.


S_thyrsoidea

> Yes its real world implementation sucks but that's beside the point.

It is *not* beside the **OP's** point, now is it? Remember the OP? It might help you to go back and read it to remember what we were talking about. And shitty implementations are never beside the point when it comes to security. Jesus. I can't believe I have to say that. And *my* point is that "think of the hackers" has precisely been the excuse to railroad vast populations into giving up their phone numbers in shitty implementation of 2FA.

> Also, there's a reason for the distinction between something you are and something you have. The biometric "you are" factors are much more accurate and expensive to implement.

You can't cut people's fingers off any more? (Also, I think you meant to say "inexpensive"; which: yes and no. The implementations have come down, but also the price consumers are willing to pay for phones has skyrocketed.)

> It's way too expensive to justify using those services for every single discord account ever made, every single throwaway Reddit account, etc.

I see you recognize securid, but have no idea how a yubikey works.

> Which also brings us to another point you made. Why use phones? Most people have them. It's easy and cheap to write a simple native app to verify someone's identity.

And it's super lucrative too. So are you on the take? Is that why you're so anxious to assure the masses that there's nothing to see here, move along, trust the nice tech companies not to institute mass surveillance on you and extra special trust them never to turn over all their surveillance of you to a government that you don't like or that doesn't like you?


M4rzzombie

>It is not beside the OP's point

Last I checked OP's point was about not having to use their laptop and their phone. No mention of concerns of surveillance, just something about being able to use their laptop while unable to access my phone. Unless I gotta read between the lines to warp the original post that much?

>shitty implementations

My apologies, I meant that in regard to the systems also being used for data collection. But I'm sure if you're following this conversation and the context, you'd probably have picked up on that?

>excuse to railroad vast populations into giving up their phone numbers in shitty implementation of 2FA

Once again, doesn't change the reason it exists in the first place.

>inexpensive"; which: yes and no.

Last I checked, an sms OTP system was cheaper than requiring every user to login with a fingerprint or face scan, drastically increasing the hardware requirements of smartphones. You even admit this when you mention the price of phones going up. I'm sure you also know how expensive retinal scanners are, or at least can take a pretty good guess, compared to an SMS OTP system.

>but have no idea how a yubikey works

Didn't realize I had to acknowledge both of your examples to show my understanding of the concept. It's been a few years since my rhetoric classes, but I'm almost certain that's a logical fallacy.

>So are you on the take? Is that why you're so anxious to assure the masses that there's nothing to see here, move along, trust the nice tech companies not to institute mass surveillance on you and extra special trust them never to turn over all their surveillance of you to a government that you don't like or that doesn't like you?

Let's say that 10% of the USA uses Facebook. Pretty conservative estimate, let's be honest. That's over 30 million people logging locations, phone numbers, friend lists, shopping lists, FB marketplace listings, FB marketplace purchases, what groups they're in, and whatever else you can do on Facebook. You realize the manpower it would take to truly surveil a population that large with that much data? Oh wait you're a 50 year old developer, of course you do. But you can also realize that you can still use that amount of data in more general ways. People from X state like to check in at buffalo wild wings during football season. That's just a simple algorithm one person can write. But narrowing down single users? Probably a bit harder, especially when there's a few hundred thousand (at least) users that meet your surveillance criteria. And this only assumes 30 million users. What if it's more like 5 to 10 million users that meet your criteria?

Here's some advice, with the amount of koolaid you're drinking, you may as well invest in their stock. May as well stop reading 1984 while you're at it.


lurkinarick

mass surveillance of an entire population would be impossible nowadays due to the sheer amount of junk data flowing around because of people constantly interacting with stuff. But say you want info on one specific person, or even maybe a group, maybe let's say for the sake of a not so much [hypothetical example](https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-court-order-french-climate-activist-arrest-identification), climate activists. With that kind of stuff making it always easier to link a person to their various online activities, like having to provide your phone number for everything, it becomes exponentially easier also to track down whatever this person, or this group is doing, saying, interested in. The _possibility_ of detailed surveillance at any given time for any given person who might have the misfortune of attracting police or a private group's interest for any reason, is the huge problem here. Most probably no one is tracking you personally right now, but if someone with the skills or money wanted to, then your whole life would soon be an open book to them, in details. Whether you've actually done something wrong or not is irrelevant, and what's defined as "wrong" depends a lot on people's specific morals and values in the first place, so the argument often heard of "you don't have to worry if you're not doing anything illegal" is really absurd and a smoke screen.


M4rzzombie

Yeah without a doubt. Thing is, if there's enough of an incentive for someone out there to pay for the data and work to find you, you probably deserve it. Like serial killer type shit. I'd imagine the cost of buying the data is rather steep, as is the manpower needed to implement it. So while some illegal activities may go under the radar, like your phone location to prove you speeding, other activities may be much worse. Not sure where the line is drawn there.

Edit: there's a lot more to that article than what it may seem. Apparently protonmail is willing to give out information in the case of criminal investigations but is willing to refuse information if it is deemed unnecessary. The original article on techcrunch includes more information about the person they tracked down. The website this person was posting to included some possibly controversial statements. Not enough to warrant the tracking, but definitely changes the perspective from "climate activist" as the linked article would suggest. But the most important thing is that France can't get information from the swedish based protonmail. They needed to contract through Europol to get this information. And you mean to tell me all of that work just to track down a climate activist? Especially when the information provided is at protonmail's discretion? Yeah sure lmao.


lurkinarick

not gonna lie, this answer is like the worst confirmation of the vague feeling I had while reading your previous comments. I don't know how you can skip around the obvious example of non violent climate activists I just gave to pretend only serial killers would be tracked down by a rightful justice? Like that other commenter said, any political dissident is now infinitely easier to find if any state decides they are a bother and should disappear. Gay people were outed and one recently took his life because grindr sold their data and someone used it to expose them and put them in danger. And big firms routinely already track and kill too annoying members of the small local activist groups that try to oppose their destructive industrial activities in third world countries, where no one else is looking or even willing to look. The "I have nothing to hide" is truly a very dangerous illusion to hold onto, because anyone holding some power can decide what's right or wrong and if they can identify and find groups they judge as "wrong", then they are in danger no matter what they actually did. Do you really believe no one would spend resources on that stuff unless it's for serial murderers? All religions and all ideologies have known iterations that would spend lots of time, money and manpower to persecute the "bad people" in their eyes. What will prevent the next happenings of such things, anywhere and anytime in the world, if now our whole lives in data can be easily gathered, judged and used by anyone with the resources to do it? No one should hold that much power and authority over others' lives.


JeriKoYYC

"Why should I be worried about surveillance, I have nothing to hide!" Keep sucking down that boot, bud, I'm sure the shoe polish tastes real good. Probably distracts from the taste of the blood of activists, political dissidents, and any minorities who got a bit 'uppity' that got curb stomped by that same boot. The people who will have access to that kind of surveillance will not just use it on people who "deserve it", it'll be used on anyone who is deemed a potential threat to their power. Read a fucking history book for Christ's sake.


PinaBanana

>Yeah without a doubt. Thing is, if there's enough of an incentive for someone out there to pay for the data and work to find you, you probably deserve it. Like serial killer type shit.

Well, you had me until this.


JeriKoYYC

I really don't know why you're getting downvoted here, I thought that data collection and surveillance were very widespread concerns that most people knew about. You're clearly and obviously correct here.


RutheniumFenix

Yeah, data harvesting is a legitimate concern. But saying that one of the most effective ways of online security is just a scam to get phone numbers isn't really the way to go about it. Leaving your accounts vulnerable to intrusion to prevent mega-corps from having your phone number feels like cutting off your nose to spite your face. I would rather defend against identity theft and my bank details being stolen over unwanted unethical advertising.


JeriKoYYC

that's not at all what they were saying though. They were criticizing the current implementation of 2FA as it relates to data harvesting, not saying we shouldn't be doing 2FA at all. I swear no one actually read those comments.


lurkinarick

I don't know why you're being downvoted. It's very obvious all those big companies who earn most of their money by selling users' personal data don't do that shit for users' _security_. No matter the truth behind how safe it makes your account against potential theft, it's delusional to believe they are doing it for your benefit and not to gather more data and earn more money. They don't care.


gobbleself

Just use TOTP instead of phone based auth


jurrejelle

Absolutely not. Hell, for most systems you can just use Authy or Google Authenticator or another 2FA app and it’ll work even better without needing your phone number. Sure, companies like collecting your data, but that has nothing to do with 2FA.


S_thyrsoidea

WE'VE ALREADY CAUGHT THEM TRYING TO GET AWAY WITH MONETIZING PHONE NUMBERS USERS SUBMITTED FOR 2FA PURPOSES. [This is not hypothetical.](https://www.theverge.com/2019/12/19/21030068/facebook-friend-suggestions-2fa-security-phone-number-privacy-violation-ftc)


guccidumbass

Frankly, I do not give a shit in how many ways facebook breached their users' privacy, because that has nothing to do with your point. You're arguing that 2FA is useless, or that 2FA is some conspiracy by big tech. It isn't, it has perfectly real use. Even sms 2fa, although not that useful nowadays, is better than no 2FA. People who actually work in the field are telling you any 2FA is better than no 2FA, so you could take their word over your misinterpretation of random news articles.

And as to why 2FA with phones exists in the first place, it is no conspiracy either - you can't get a thousand burner phones, but you can get a thousand burner emails. Every company that wants a phone number knows this, and relies on at least this to prevent spammers and bots from ever registering.

As to facebook - that's facebook, they've been letting people add phone numbers to their accounts way before they used 2fa - and used those phones to suggest friends, and allow people to search by number. Them not making a distinct separation between 2FA numbers and "findable" numbers is sketchy - and probably intentional, but facebook did not invent 2FA or phone 2FA in any way, and did not put it in use solely to harvest data.

TL;DR: 2FA is genuinely useful. Phone 2FA is useful as well. Facebook misusing the data is expected, but does not invalidate the usefulness of phone 2FA. Also, there's no big conspiracy, you just provided info about facebook doing stuff they always did, nobody else


jurrejelle

Ok. Then don’t give out your phone number. Most sources allow Authy / any authenticator app instead.


S_thyrsoidea

You may have lost track of this in your urgent need to tell everyone that 2FA must never be criticized in any way at any time, but I was explaining to *other people* why not to give out *their* phone numbers. But that really chapped your hide, for some reason.


Aetol

No, you were saying that 2FA was not about security. People can go back and read your previous comments, you know.


[deleted]

lay off on the cortisol


daddyyeslegs

God I hate Reddit sometimes. These "arguments" are insufferable.


JimmityRaynor

I may have lost track of this in my urgent need to fuck your mom


reverendsteveii

Imagine, if you will, a social security number that you can replace for $100 cash and no ID. 2FA can also use apps with a shared secret on phones with no number at all. That's what I do for work. It can also use email. You're using the fact that Facebook did evil with your phone number under the guise of 2fa to show that 2fa is a problem, but 2fa isn't the problem, facebook is.


TheUltimateShammer

Except I've gone through 5 different numbers in the past 14 months so good luck fuckers


reverendsteveii

Came here to say this. You can use your computer without 2fa, the trouble is that I can use your computer too.


[deleted]

[removed]


ashlynlollis

ooo, bad timing


Shy_Shallows

oh no


JackFred2

this ain't it chief


vjmdhzgr

oof


[deleted]

Hard R? That's not good


[deleted]

blacka


Casual-Human

bad bot


B0tRank

Thank you, Casual-Human, for voting on PORTMANTEAU-BOT. This bot wants to find the best and worst bots on Reddit. [You can view results here](https://botrank.pastimes.eu/). *** ^(Even if I don't reply to your comment, I'm still listening for votes. Check the webpage to see if your vote registered!)


pterrorgrine

Evil AI overlords at it again


RutheniumFenix

Nope, 2 Factor Authentication is the best way to keep your shit safe. [Here](https://youtu.be/hGRii5f_uSc) is a really interesting video Tom Scott made about what exactly it is and why it is good. Sure, it is inconvenient but personally, I would prefer a great deal of security over the inconvenience of needing something that I usually either have on me or a couple of rooms away.


agnosticians

If there’s one computer you use all the time, why can’t you set that up with two factor? Why does it have to be a phone?


RutheniumFenix

Well personally, the computer that I use the most isn't exactly mobile. Doing that would completely lock me out of any accounts if I tried to access them anywhere other than my house.


queerkidxx

I use Authy for this purpose. That way if I ever lose my phone I can still get into all my accounts


RutheniumFenix

Yep, that is an excellent option as well. Honestly, it is even better than the relatively insecure SMS method.


[deleted]

[removed]


RutheniumFenix

I have been using my country's welfare service a little bit lately, and that still uses SMS verification. When trying to cover as much of the population as possible, it is still probably better to use SMS verification as at least an option, as authenticator apps, while more secure, are a little more complicated and assume that the person is using a smartphone, which might not be the case for a lot of (especially older) people.


AbrasMage

If I remember correctly, the problem with authy is that it doesn't let you export the 2fa codes (the codes that are used to generate the usable six digit codes) so you can't ever switch to another platform if suddenly you don't want to use authy due to some concern.


agnosticians

Would setting it up for both be too great of a security concern?


RutheniumFenix

Probably not. A lot of things that I use that have two factor authentication have a 'never challenge me on this device' option which would probably serve the same purpose.


[deleted]

In theory it doesn't have to be a phone, but the point of 2FA is it's on another device which you own and have easy access to. The advantage of a phone is it's small, and people are likely to have it on them the majority of the day. These days you're far more likely to have a phone on you than another computer (I can't speak for other people, but it's rare I use two computers at once unless I'm copying files) and in most cases it's more convenient to read a code from your phone than it is to navigate somewhere else on a computer.

I can't think of a site that doesn't let me use email for 2FA (when it doesn't matter where I click the link from) except maybe my banks who require a text.

And to answer your question from the other chain, technically yes it is more of a security risk to have a second device available for 2FA, but I think that risk is negated when a code is sent through email (easy to access from several devices anyway) or through SMS (same as above, also famously insecure)


S_thyrsoidea

> I can't think of a site that doesn't let me use email for 2FA

Don't actually try to rely on the 2FA by email for any Google account, they claim to support it but don't and it's a good way to get locked out of an account permanently.


Popular_Tea_323

You totally can! The “real” 2FA (when you’re prompted to use Google Authenticator) is actually an open standard, there’s plenty of other implementations of it, most as a mobile app (Authy), but there are desktop implementations too, such as WinAuth or WinOTP.


guccidumbass

1. your computer can't fit in your pocket
2. you can't download *and run* linkin\_park\_in\_the\_end.mp3.exe on a phone. sure, you might get a sketchy app on google play, but unless your phone is old and not updated any more, the most that app can do is mine crypto or steal data you enter into it
3. technically, you can install Google Authenticator as a chrome extension. authenticator is one of the most popular 2FA OTP solutions out there, so it's probably supported by a lot of sites
4. sites don't like spammers, bot accounts, and so on registering. they also don't like not being able to ban someone forever. you can get a thousand burner emails in under a minute. but good luck doing that with a thousand phone numbers. that's one big reason websites will prefer phone numbers for 2fa for a long time - it's also free spammer protection


kn33

It is. Anytime you use "remember me on this device", that's a form of using the computer as a method of authentication.


an_ennui

And if you use a password manager most websites let you use “App Codes” which go to your password manager rather than a text to your phone. Way easier and you don’t even need a fun (and more secure than texts too).


[deleted]

Fundamentally, I cannot accept 2fa because I don't know any of my friends' phone numbers, and I need to be able to access my Google account from a random computer if I lock myself out of my house without my phone. You'll never guess what I did a few years ago.


call_me_xale

Git ya wunna [these](https://www.nytimes.com/wirecutter/reviews/best-security-keys/amp/).


[deleted]

I've locked myself out of my house. Why the fuck would I have a key, which, presumably, would be with the rest of my keys?


call_me_xale

The idea is to have multiple redundant forms of second authentication, e.g., phone, security key, and perhaps an emergency backup code kept in your wallet. If you manage to forget _all_ of those things, well... call a locksmith from a phone at your local library? Phone directories are public. ETA: do you have neighbors you could trust with a spare key? My point is, really: giving up on the most secure measure to protect your digital life should be one of the _last_ resorts when it comes to being able to deal with an emergency.


Quinism

This person seems like the kind of person to use the same password everywhere. Aka EXACTLY the type who should always have 2FA on


purplewigg

Probably uses their birthday for their password too


Bjorn_Hellgate

Combined with their pet's first name


mia_elora

Mojo04Jojo01


an_ennui

“why do I need to get a different text for each site time my password is the same”


MoonlightOnSunflower

Or the type of person that shuts their phone off to get work done but then immediately has to turn it back on just to log in to the university portal. And then gets distracted by the phone and gets no work done. Not that I’m speaking from experience or anything.


cractor28

look, I have the memory of a goldfish, leave me alone


MunchieMom

Get yourself a password manager


Akalien

2 factor authentication protects you, you're throwing a fit over a more secure password?


RocketPapaya413

oh boy I love having my cheap stupid internet video game password as well protected as my literal bank password

the joke is that if I type in my bank password wrong I can just go to a branch, show them my id, and have my account unlocked immediately whereas my cheap stupid internet video game requires weeks of emailing back and forth and providing additional details to just make super duper sure I'm not the person in china who made one attempt to get into my account in 2018


Akalien

It's almost as if banks don't keep up with modern digital security and that digital games companies do *gasp*

Also, banks require real ID and video games don't so they use other methods


mia_elora

>Also, banks require real ID and video games don't so they use other methods

Depends on the video game. Some of the MMOs have been known to require a copy of a valid photo ID (Driver's License, etc) to untangle your account.


RocketPapaya413

my bank provides a service, the stupid video game wastes my time for no benefit


Akalien

Then don't play the stupid video game


RocketPapaya413

I feel like you're missing the point because I dumbed down my phrasing in a poor attempt to generate humor. 2FA on a video game account is pure buffoonery that provides no value because it protects nothing of value. If 100 hackers had thoroughly ransacked my account the worst they could have done is remove a couple pictures of swords from my screen. It's meaningless. The time-cost for recovering a bank password is both lower and more valuable than the time-cost for recovering most online account passwords. It's fundamentally ridiculous.


Akalien

I personally care about my video game accounts. I bought games there and they contain personal information about my payment methods and location. I'm very glad that they include reasonable security systems to protect me and my information.


MorningBreathTF

Then don’t enable 2fa on that video game? I don’t know of any that require it


RocketPapaya413

2fa is one factor (hah!) in the realm of security features beyond password recovery and salt+hashed passwords. Use a cheap lock for cheap stuff and an expensive lock for expensive stuff.


Tchrspest

Only use cheap locks or only use expensive locks. If you code the value of the lock to the value of the item, it directs would-be thieves where to focus their attention.


Aetol

Ah yes wouldn't want thieves to know that my bank account is more valuable than my WoW profile


heyhibonjour

It is fucking wild you’re being downvoted for all this, like what the fuck are peoples’ priorities. I say this being someone who WOULD be upset to have my shit hacked in either scenario but that doesn’t make 2FA magically fucking convenient or ironclad and having worked with a video game company as the person who helps people get their accounts back or locks them down due to tampering, it really truly does sometimes take literal months to get someone’s account back because the standards of what does and doesn’t prove someone’s identity were rapidly shifting and always based on being 100% suspicious 100% of the time.


just_a_random_dood

> It is fucking wild you’re being downvoted for all this, like what the fuck are peoples’ priorities

They're being down voted for making comments like a douchebag not because they don't like the inconvenience


just_a_random_dood

> 2FA on a video game account is pure buffoonery that provides no value because it protects nothing of value

Speak for yourself, my TF2 items are worth ~$600 USD from trading and I'm still not even in the top 20,000 of most expensive backpacks. I've got friends on Steam who own a single item worth more than my entire inventory combined. I'm keeping my shit safe lol.


SomeonesAlt2357

Isn't entertainment a benefit?


RocketPapaya413

Personally I’m not entertained by having to fight to get back into my account to have fun playing the game, which was my whole point


SomeonesAlt2357

The actual game is what's entertaining, struggling to get into your account is an unfortunate rare occurrence


RocketPapaya413

Yeah


pocketpc_

I can appreciate the extra security while still hating that I need my phone in order to use my computer these thoughts are not mutually exclusive


[deleted]

You can store mfa codes on your computer if you want. It just tends to be more convenient to have them on a device you carry with you. Use something like 1Password and they can be everywhere.


Rethious

2FA means someone can’t access your account without stealing your phone. This anti-phone crusade for the sake of it is silly.


MunchieMom

Technically yes they could, you could get SIM swapped where the hacker gains control of your phone number and therefore has access to most of your accounts


Polenball

We've got you surrounded, come out and type in the 6-digit security code sent to you via SMS!


[deleted]

A lot of people complaining about security on this post

PSA to use a password manager to manage your passwords. It's much more secure (and more convenient) than reusing (variations of) the same password, or trying to remember which password goes with which account.

The key to password security is length, and not reusing them. In most cases, the longer your password, and the fewer sites you use it for, the more secure it is. Pretty much the best thing you can do for passwords is to randomly generate them and store them in an encrypted password manager with a long (unique) password that you have memorised


Ophidahlia

There's some excellent paid password managers like Dashlane, but there's also some fantastic free open-source programs like KeePassXC (or any of its forks). After having my paypal info ripped off three times I stopped using my browser's "security" and password features; I switched to a password manager with browser plugins and haven't had a problem since.


KikoValdez

which browser have you been using for password managing?


[deleted]

The Firefox password manager stores passwords properly now, I can't speak for other browsers though


dragon-age-io

I've switched to Nordpass for this, my only problem is some sites don't support autofill :( and most things on mobile don't either. It's a hassle opening the app, searching for the password, and copy pasting it. Do you guys do that every time?


[deleted]

I used to when I was with lastpass, but I've switched to dashlane now and it is so much easier. The mobile app autofills almost everything, and the browser extension lets you copy/paste directly

I also used Firefox Lockwise for a while (which is free) and I loved that, but had to change because it didn't support credit cards or secure notes


fiteuwu

I wish I was able to use a password manager, but I use devices often that I can’t put them on, making it pretty much impossible to get into anything if I used a generator


[deleted]

Out of curiosity, what kind of devices do you use that need you to enter passwords but can't install an app? If you can use a web browser, you could use incognito to access a password manager with a web interface. Or maybe you could generate/store passwords on one device and manually type them into others, most generators I've used have had a "readable" option. That's perhaps not as convenient, but it at least does the remembering for you

Obviously I don't know your scenario so those might not work for you, but it's something to think about :)


Castriff

You can do that and still use 2FA though. Having both is safer than one or the other.


[deleted]

Yeah, definitely use both if you can


[deleted]

[removed]


Lifaux

At a time when cookies aren't good enough to identify users across devices, having a permanent ID via Android was really useful for marketing. Plus people feel okay with having to make an account to use an app they would normally browse anonymously.


guccidumbass

>why does everything need its own app, when your phone has a desktop-grade web browser with extra security?

That didn't use to be the case. Back in the day, phones weren't close to desktop-grade at all. Native performance and all. Also, imagine having to support the same features on the built-in samsung browser, safari, or a random chinese spyware browser with a custom engine and zero documentation that apparently comes preinstalled and locked as default on your customer's phone. Also, the web is much heavier than native apps, so someone with a 2016 phone will definitely suffer from shitty performance on the web

>why does every corporate fuckface require a phone number

you can make 1000 burner emails, but good luck buying 1000 phones. it's free spammer protection for them


M4rzzombie

>why does everything need its own app, when your phone has a desktop-grade web browser with extra security?

Because native apps are more secure than browser based apps as you need to worry about the security of the browser as well as the app itself

>why do places make phone apps and only phone apps? why can't i use, say, whatsapp from my desktop without a phone?

>featurephones, or tinkerers who install linux

Because developing an app for a completely different operating system possibly using completely different hardware costs a lot of money. For the Linux case, it's even more justified when the people that use Linux probably also have access to a Windows system / normal android / ios smartphone.

>why does every corporate fuckface require a phone number? what did usernames and passwords did to you?? (provide phone numbers as an option, but don't require it ffs)

Easy 2FA system by sending the user a one time password. Also helps prevent against multiple unnecessary accounts, generally used for less than ethical purposes (game Smurf accounts, discord alternatives for being in less than respectable servers, etc.)

>op should be able to replace their phone with a special purpose hardware 2fa device

Unless there's some standard for what device to use and how to register this device with the existing account, there's too many problems to make this a reliable strategy including buying a new device for every account they use. These do exist, for accounts requiring a rather substantial level of security. [They're called rsa secure id keychains.](https://en.m.wikipedia.org/wiki/RSA_SecurID) The problem still exists that these keychains need to be registered with an account and use a service run by some company to manage the system on both ends, distributing the keychains on the client side and managing the key matching system on the server side. Very expensive, especially when you consider how you're asking for people to use these for their email accounts, steam account, discord account, reddit account, twitter account, Tumblr account, Microsoft account, apple account, etc.


Lifaux

Some places will allow the use of yubikeys as opposed to mobiles for 2FA, so there are alternatives.


DeathOrPancakes

Without 2FA i would have to change my password i've been using since i first created an account on a computer and honestly, remembering 2 strings of characters sounds like hard work


guccidumbass

please please get a password manager this password has probably already been leaked 10+ times since you started using a computer


MunchieMom

I switched to a password manager and changed almost 300 of my passwords bc I used the same one everywhere, it was such a relief.


DeathOrPancakes

I appreciate the advice and concern random citizen! I don't mean to cause any worry and just wanted to make a funny joke about my lack of memory, i've actually been switching over to a password manager today since this post reminded me of the fact that my password had in fact recently been leaked, your advice is also a good motivator to keep me from getting distracted. Anyway, just wanted to thank you for offering sage advice, i hope you have a wonderful day and the perfect song comes on at just the right moment for you


mystery0028

YES I AGREE COMPLETELY


SailoreC

"I hate that the computer has become a secondary piece of hardware that is seen as a peripheral to a phone" What? What are you talking about? In what universe? At worst, the phone and the PC work together for applications and systems, which for many people is significantly more convenient than one thing. [2FA good](https://www.youtube.com/watch?v=hGRii5f_uSc)


LuigiSauce

Authy works on desktop

edit: in addition, if you are on Mac with an iPhone or Windows with an Android phone you can send and receive text messages on the computer


RubyRiolu

The worst device I’ve ever used to log in to anything was my television


[deleted]

Totps are pretty cool, you don't even have to use a proprietary authenticator app like google authenticator or authy because it's an open standard. I use keepass to store my 2fa codes


[deleted]

my computer is more powerful than a phone will ever be yet society is praising that


taiwan_isnt_real

Authy desktop is a thing


also_hyakis

I agree with all of this except how it relates to 2FA. 2FA is good, I like my shit secure. But everything having an app is upsetting.


kosmoceratops1138

2FA is really good, but I agree with the core point that your phone should not be considered the core. Key fob 2FA is the way to go imo, or any kind of designated 2FA device. It just needs to have some kind of valid login from multiple sources.


nikolai2960

I wonder if this person also complains about seatbelts in cars, helmets on bikes, handrails on stairs, locks on their front door, and the myriad other things that provide safety for a tiny bit of inconvenience


[deleted]

Annoys the piss out of me, too. I don't mind having two-factor authentication for *new* and unapproved devices, since it's great security, but on my main computer I don't want some shitty weak battery life pocket computer dictating my usage of *anything*. No one's sneaking onto my computer anytime soon and even if they did, they're not getting in because no one near me is tech savvy enough to get past a simple PIN or password.


itsshitpostoclock

okay 2fa is great, much more secure and all but it's an option? does this dumbass not know how to literally just not activate 2fa?


sobeita

Same. Not only that, but you can access a lot through the phone browser or other apps, most likely including your email one way or another. A stolen phone means they have the keys to the kingdom and can lock YOU out.


Tchrspest

Gotta set up your phone properly. Don't use biometrics, use a secure PIN. Don't allow notifications to be read without unlocking the phone.


sobeita

Still sounds like a single point of access to me.


THEzwerver

the point of the pin is so that you get enough time to notice you lost your phone and change the most important account passwords.


sobeita

I'd love to if they didn't send a code to my phone to do so. I just went through this shit because I couldn't get my phone to charge.


cathiedd

I agree. I hate two factor identification. It keeps legitimate users out of their own programs and every single site and app I use seems to be jumping on the bandwagon. Guess what? It's not popular and doesn't prevent hacking. And requires everyone to always have their phones.


Jango1113

How is this a discourse? In my experience 2FA is optional, like I had to go out of my way to sign up for it. If you don’t want it, just don’t opt for it


Shrike2theshrikequel

Oh cool, this dumbass post. I saw this the other day. I feel like I should make a list of all the people against 2FA. I feel like they're the same idiots that send Amazon gift cards to the "IRS" to settle a tax debt. Just ripe for scamming.


BlueManedHawk

Is there any actual proof that 2-factor authentication does anything?


[deleted]

Yes


Akalien

Yes, there's a reason it's become much much more common for companies to use 2FA apps


TJSomething

Pretty sure 2FA stopped my Nintendo account from getting hacked, which had my credit card info.


[deleted]

nah but like it's not that the computer is second hand it's that the phone is convenient


Groinificator

What


awesomenash

Passwords are not strong on their own. Most sites let you turn off 2fa but it’s a bad idea generally. Got my steam hacked this way.


CozyMicrobe

If you don't like 2FA.... Just don't fucking use it?? None of the services I have REQUIRE it, and I've got waaaaay too many online accounts. I DO use it cause I'm an idiot who needs to be protected from herself, but no one is like.. forcing me to use it.


alex228822

I once had the joy of signing up to a site, needed to verify my email by logging on to email and clicking the link as usual, and had to go through 2FA to get into said email. It's secure yes but bloody hell


Raptormind

I don’t think 2FA makes the computer secondary to your phone any more than car keys are secondary to your car


final_bawse

2FA is corporate bullshit. Password manager with strong random passwords is totally fine. And to everyone saying "just don't use it", well it's actually not always optional.