Bitrot@lemmy.sdf.org
on 23 Aug 2023 16:30
collapse
If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.
The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.
argv_minus_one@beehaw.org
on 23 Aug 2023 22:01
nextcollapse
The use of a “secure enclave” for any purpose is a bug at best, because secure enclaves aren’t just secure against your adversaries; they’re also secure against you. This is intolerable. All machines must obey their owner, and “secure enclaves” by design don’t.
Bitrot@lemmy.sdf.org
on 23 Aug 2023 23:49
collapse
Hard disagree. That rules out yubikey, smart cards, and most any other credential storage systems.
Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): support.apple.com/guide/security/…/1
The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.
It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.
ReversalHatchery@beehaw.org
on 23 Aug 2023 00:23
nextcollapse
And not the twitch way, where you have to have in an identifier, your phone number, but using proper, standards ways for it, like TOTP and such
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 01:35
collapse
twitch has TOTP
cwagner@lemmy.cwagner.me
on 23 Aug 2023 02:41
nextcollapse
But you can only enable it, after you give them your phone number.
Also, apparently years of subscribing to channels is not as verified as giving them your phone number. They should just say “We really want your phone number and don’t give a shit about anything else”.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 02:42
nextcollapse
true. But I think that’s mostly to make bots harder to create. Not as easy to get a phone number than an email address
HughJanus@lemmy.ml
on 23 Aug 2023 03:46
nextcollapse
A convenient scapegoat for getting your PII so they can sell your data at a higher value.
cwagner@lemmy.cwagner.me
on 23 Aug 2023 03:51
nextcollapse
Subscribing is more expensive than getting a phone number in most places. Hell, even in expensive Germany, a phone number is only about 2 months of subscribing.
moosetwin@lemmy.dbzer0.com
on 23 Aug 2023 18:57
collapse
Before I deleted my accounts there, I remember twitter and facebook deactivated your account for “suspicious activity” if you did not provide a phone number when making it, and the only way to reactivate it was to give them your phone number.
ReversalHatchery@beehaw.org
on 23 Aug 2023 10:20
collapse
As the other commenter said, only if you give them your phone number, and only through that garbage authy that does not use standard TOTP, but some proprietary crap, specifically made for twitch.
And if you give them a phone number, which another user will also try to use in the future, then the secret used for TOTP can change in any moment, which means if you exported the secret to e.g. Aegis and deleted that tracking filled garbage that is named authy, at one point the codes just won’t work anymore, and you’re practically locked out. Apparently support should be able to help, but they don’t give a single fuck.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 12:20
nextcollapse
and only through that garbage authy
you can use any TOTP app. I use bitwarden
ReversalHatchery@beehaw.org
on 23 Aug 2023 17:21
collapse
How? How do you import the secret key to it? Are they finally showing a proper QR code when setting it up?
My account is still locked to authy, and the support pages I have read are written as if it would still work through authy for everyone.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 17:28
collapse
Are they finally showing a proper QR code when setting it up?
At least that was the case for me. I removed 2FA to make the authy key invalid and activated it again. and they do the normal TOTP setup stuff during setup
ReversalHatchery@beehaw.org
on 23 Aug 2023 17:53
collapse
That sounds good. I still have a working login somehow, but unfortunately I can’t disable authy, because they want a code to do that, and they won’t accept those that I have, even though it was working when I have set it up.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 17:58
collapse
do you have the backup codes somewhere? Could help
ReversalHatchery@beehaw.org
on 23 Aug 2023 18:09
nextcollapse
I don’t. Not sure whether they even provided those when I have set it up, maybe they thought that since it’s stored online you can’t just lose it, but I really don’t remember whether there was any I could have saved. It way years ago.
ReversalHatchery@beehaw.org
on 23 Aug 2023 18:11
collapse
Also, thinking about it, the prompt does not give an option to use a recovery code, but only to try with the phone number (which is dead by now), or contact support.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 19:20
collapse
tbf, that’s a bit on you. The whole point of 2FA is to prove that you are you. and if you completely killed that factor without deactivating it first or having a backup in any way, I can see the support not doing much. I’d be pissed if someone could just contact support and deactivate my 2FA method
ReversalHatchery@beehaw.org
on 23 Aug 2023 22:44
collapse
I didn’t enable it because I wanted it for security, but because twitch required it. And then I have set it up with TOTP for security while I was doing it, which does not work anymore either.
Also, I did not kill the phone number, it is a public phone number that doesn’t receive messages anymore. And if you blame me for not wanting to give up my own phone number, I don’t know that to tell you. My privacy matters much more than caring about the possibility that someone finds out my 30 long random password and catches the SMS code from the website where they were shown.
I can see the support not doing much. I’d be pissed if someone could just contact support and deactivate my 2FA method
The 2FA prompt itself tells to contact support in cases like this.
Other than that, email verification is perfectly fine for verifying that it’s me. The address was never changed. Actually, as I have seen in a friend’s account they are using email already as 2FA for logins, if you don’t have any other way set up, maybe for other functions too.
ReversalHatchery@beehaw.org
on 23 Aug 2023 18:05
collapse
First of all, that they are totally unnecessary for twitch to be able to provide 2fa authentication.
Other than that, their app has tracker components, all secret keys are stored in the cloud, who knows whether that’s encrypted, but on your phone’s storage surely not, if yours is rooted you can just view it in a file manager and copy it to a normal code generator app.
Generally they support standard TOTP code generation, but for twitch they are using some weird shit that generates 8 long numbers (instead of the standard 6), of which the middle 2 is the same so they drop one of them, and then also codes expire in third the time as it is normally.
mtchristo@lemm.ee
on 23 Aug 2023 00:59
nextcollapse
I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
Otome-chan@kbin.social
on 23 Aug 2023 01:15
collapse
I like the app setup rather than shoving everything into a browser. But I'm not a fan of this 2fa stuff. I get the point is security, but let me decide which app/method to use, and whether I want to use it at all. Otherwise it's just annoying.
sugar_in_your_tea@sh.itjust.works
on 23 Aug 2023 23:49
collapse
I’m absolutely a fan of choosing which method to use, and also a fan of requiring choosing one. I prefer Google Authenticator-style 2FA (I use Aegis, but there are plenty of options), and I get annoyed when I need something else (e.g. Fidelity only offers Symantec, Steam only offers Steam Guard, etc).
Xylight@lemmy.xylight.dev
on 23 Aug 2023 00:20
nextcollapse
Use a password manager that lets you autofill 2fa, like Bitwarden.
residentmarchant@lemmy.world
on 23 Aug 2023 00:24
nextcollapse
1password does this, too and it’s magical. I’ve had my SMS go to my browser via Google Messages for a while, but it’s so much easier to just auto-fill it instead of copy/paste
Also, 1password logs you out when you stare at it wrong, so I’m not worried about someone who would somehow get local access abusing it.
library_napper@monyet.cc
on 23 Aug 2023 02:40
collapse
That’s bad advice
subtext@lemmy.world
on 23 Aug 2023 03:42
nextcollapse
Is it less secure than it could be? Yes.
Is it better than no 2FA? Also yes.
In the end if it doesn’t work for your security model, than more power to you. But if it helps to increase the security of the average Joe, it’s good advice.
argv_minus_one@beehaw.org
on 23 Aug 2023 22:11
collapse
Allowing a smartphone access to anything sensitive is even worse advice. Smartphones are notoriously insecure.
library_napper@monyet.cc
on 23 Aug 2023 23:22
collapse
You’re right. Dont grant your smartphone access to your GitHub. Just give it one factor.
cmnybo@discuss.tchncs.de
on 23 Aug 2023 01:02
nextcollapse
You can use KeePassXC to generate the TOTP codes on your PC. With the browser plugin, you can generate the code and fill the textbox with one click when the password database is unlocked.
Sites that don’t use standard TOTP for 2FA are a pain in the ass though.
Rootiest@lemm.ee
on 23 Aug 2023 03:56
nextcollapse
Get a hardware 2FA key instead of using your phone for TOTP
bilzen@lemmy.world
on 23 Aug 2023 04:53
nextcollapse
This! Authy is very very nice. Syncing accounts is a life saver, both as backup, and not having to pick up the phone all the time.
Cut and pasting with a click instead of reading and typing, is so much faster.
Easily search the very long list of entries.
Not open source tho, but free as in beer.
If Aegis had the sync option, i would have used that. But it did not last time i checked.
argv_minus_one@beehaw.org
on 23 Aug 2023 22:12
collapse
…through a third-party cloud server that you have no good reason to trust. No bueno. Keep sensitive information off the cloud unless you want it to become public.
yup, that’s the tradeoff, this or reaching for your procrastinating device, but yeah, maybe Bitwarden could be better alternative, now i’m too lazy to migrate + it’s paid
argv_minus_one@beehaw.org
on 24 Aug 2023 07:14
collapse
KeePassXC seems reputable, so I guess I’ll try to use that when the time comes.
reversebananimals@lemmy.world
on 23 Aug 2023 00:41
nextcollapse
Probably just someone at Microsoft trying to get promoted.
Otome-chan@kbin.social
on 23 Aug 2023 01:14
nextcollapse
they want your phone number so they can track you.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 01:33
nextcollapse
how would they track you?
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
Otome-chan@kbin.social
on 23 Aug 2023 02:54
collapse
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 03:08
nextcollapse
me giving, let’s say, twitch my phone number gives them exactly 0 ways of tracking me in any way whatsoever
Source: worked for a mobile company
cryptiod137@lemmy.world
on 23 Aug 2023 08:05
nextcollapse
First part is not quite true, varies by country.
Second part is full on Olympic mental gymnastics
HellAwaits@lemm.ee
on 23 Aug 2023 21:05
nextcollapse
I can hear the tinfoil hat from here
argv_minus_one@beehaw.org
on 23 Aug 2023 22:10
collapse
That’s a pretty absurd take in 2023. Tracking and surveillance is rampant these days.
_number8_@lemmy.world
on 16 Sep 2023 15:17
collapse
yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation
Better to use an authentication app. SMS can be intercepted.
vinniep@lemmy.world
on 23 Aug 2023 01:28
nextcollapse
Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”
randombullet@feddit.de
on 23 Aug 2023 04:04
nextcollapse
Just use a YubiKey and keep it plugged in
progandy@feddit.de
on 23 Aug 2023 05:10
nextcollapse
At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …
Bitrot@lemmy.sdf.org
on 23 Aug 2023 16:32
collapse
Github supports totp and Bitwarden, at least, can store that.
vanontom@geddit.social
on 23 Aug 2023 09:16
nextcollapse
Bitwarden has 2FA (for paid tier, like $10/year). I don’t consider it “real” 2FA, but it’s more secure than just a password, and super quick to copy code using browser addon. Useful for certain sites, that don’t stay logged in, require every time, etc.
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2 years weeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.
sugar_in_your_tea@sh.itjust.works
on 23 Aug 2023 23:46
collapse
Organizations can already require 2FA for members of the org. We already had the tools.
Yep. If people care about supply chain attacks or so, just add features that allow only commits from accounts with 2FA to certain repositories.
gamey@feddit.rocks
on 23 Aug 2023 01:02
nextcollapse
Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!
nekusoul@lemmy.nekusoul.de
on 23 Aug 2023 05:16
collapse
Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
daYMAN007@feddit.de
on 23 Aug 2023 15:38
nextcollapse
Well negativity is there because every app wants it.
I don’t care if account x is compronised, as it has absolutly no value
argv_minus_one@beehaw.org
on 23 Aug 2023 16:54
collapse
I dislike MFA because it creates a risk of losing access to my account. I can back up my passwords; I can’t back up a hardware device.
nekusoul@lemmy.nekusoul.de
on 23 Aug 2023 17:05
nextcollapse
Normally you get a handful of recovery codes when you set up 2FA. If not, you can just create a backup of the QR-Code or secret when setting up 2FA and store it in a safe location. And even if all that fails there’s usually a way to recover an account by going through support.
Although I wouldn’t recommend it, there’s also 2FA apps out there that have cloud-sync.
argv_minus_one@beehaw.org
on 23 Aug 2023 22:06
collapse
It’s pretty hard to hand-write a QR code, I don’t wish to pay the printer cartel $50 for the privilege of printing it, and it would of course be horribly insecure to print it with someone else’s printer.
And how would I use the QR code? I can’t scan it with my phone’s camera because allowing my phone access to my GitHub account is a security risk, and I can’t scan it with my desktop because it doesn’t have a camera.
So, how is this going to work? How do I recover my GitHub account without making it less secure than it is with just a password?
nekusoul@lemmy.nekusoul.de
on 24 Aug 2023 05:16
nextcollapse
Is this some kind of joke that’s going over my head?
If not: The QR code alone doesn’t give you access to the account. That’s the entire point of 2FA. Plus, you always get a ~20 character code that can be backed up instead of the QR code. Screenshots are also a thing.
TheAnonymouseJoker@lemmy.ml
on 24 Aug 2023 17:36
collapse
There is no printer ink cartel if you pick an older HP LaserJet/Brother printer. Once you buy, printer is yours and laser cartridge is cheap.
meteokr@community.adiquaints.moe
on 23 Aug 2023 17:47
collapse
A hardware device is a physical key. Its no different than backing up your home key. Get two keys and copy them. Keep one on you, and the other in a safe somewhere in case you lose the first.
argv_minus_one@beehaw.org
on 23 Aug 2023 19:02
collapse
Hardware tokens are specifically designed to resist copying. Any means of copying it would be considered a security vulnerability.
Bits rot. A hardware token kept in a bank vault may or may not still work when I need it 10 years later, and there is no reasonable process for regularly verifying the integrity of its contents. Backup drives’ checksums are verified with every backup cycle, and so are the checksums on the file system being backed up (I’m using btrfs for that reason).
Hardware tokens are expensive. Mechanical lock keys are not.
meteokr@community.adiquaints.moe
on 24 Aug 2023 00:26
collapse
Not literally copy, as in have an extra set of keys. A spare key. A bank vault is total overkill. I just bought 2 fido2 keys and register both for the services that support them. Have one on your keychain and another in your desk. 2FA is often way over thought, any adversary needs both factors so something you know and something you own is plenty for most people.
argv_minus_one@beehaw.org
on 24 Aug 2023 01:33
collapse
How will I notice when the spare fails, if it’s only a spare and I don’t regularly use it? Then I’m down to only one key, and as any grumpy backup admin will tell you, if you have only one copy of something, you have zero copies.
I would have a key plugged into the computer pretty much all the time when I’m working, so anyone who compromises the computer can impersonate me as long as I’m at work. This would be mildly inconvenient to the attacker, but wouldn’t actually stop the attacker. And if the computer isn’t compromised, how is anyone going to get into my GitHub account even without 2FA? They certainly aren’t going to do it by guessing my 16-character generated password or Ed25519 SSH key.
Something-I-know is worthless for authentication in the age of GPU password cracking. Most humans, including myself, do not have photographic memories with which to memorize cryptographically secure passwords. We’re all using password managers for a reason, and a password database is something you have, not something you know.
Otome-chan@kbin.social
on 23 Aug 2023 01:13
nextcollapse
No offense to companies but I'm honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a "bad phone number". This happened on discord where I'm locked out of certain servers because I can't do phone verification, and I can't do it because discord doesn't like my phone number. Twitter was the same way for a long while (couldn't do 2fa/phone verification due to them not liking my number).
From the article it sounds like they're doing authenticator app or sms. I'm guessing sms won't work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft.... no google?
Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we're gonna have to have 30 different authenticator apps on our phone?
vinniep@lemmy.world
on 23 Aug 2023 01:31
nextcollapse
Google Auth works just fine. The standard for app generated 2FA is, well, standard. They’re only listing a non-complete list of options for people that don’t know what an authenticator app is and need to get one for the first time.
Otome-chan@kbin.social
on 23 Aug 2023 02:52
nextcollapse
do all authenticators work for all services?
Trexman@lemmy.world
on 23 Aug 2023 03:38
nextcollapse
Mostly. The 6 digit standard ones that you see almost everywhere are standard TOTP codes and most apps work for them. There are some proprietary things out there too but you typically see those with a matching app from the same company. Those are far less common though so for practical reasons you can assume they are all interchangeable.
Those values are computed separately what the app is really storing is just the input values which are then combines with the current time to create the 6 digit code. That means that keeping that input value (seed) safe is a big deal, and how and where that is done is one of the major differentiators between the various options.
That is the specific app the person I replied to was asking about, so yea. Would have been a little weird if I was talking about some other app.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 01:31
nextcollapse
Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?
you… don’t?
Both of these implement exactly the same protocol (TOTP). Used authy for all my Top Of The Pops Time-based one-time password needs exclusively, before moving everything to bitwarden
Otome-chan@kbin.social
on 23 Aug 2023 02:53
nextcollapse
websites explicitly said to get one or the other so I did.
Well the good news for you is that a website specifying one or the other is nothing more than marketing from that app maker! So long as there is a QR code (or a long random-ish string), you can use any authenticator app that supports that website’s 2FA algorithms!
That last bit is important because I think Lemmy had a non-standard 2FA algorithm (SHA-256?) that wouldn’t work with Google Authenticator.
Rootiest@lemm.ee
on 23 Aug 2023 03:58
nextcollapse
Lemmy works with Google Authenticator, but not with Authy.
Annoyingly Authy fails silently and ignores the part of the code that specifies SHA-256 and just generates a SHA-1 code that won’t work with no warning or indication to the user.
Otome-chan@kbin.social
on 23 Aug 2023 04:24
collapse
that's good to know. I'll just switch everything over to google authenticator then.
Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 04:09
collapse
which ones are that? I’d love to check, because afaik, they have a feature that enables push-2fa via authy, but should generally work on other apps as well
Sendgrid’s only options for 2FA are Authy (their proprietary token generation, no option for TOTP) or SMS. Tried signing up the other day and was surprised to find no option to use standard TOTP.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 12:23
collapse
Are you sure that you can’t use a different TOTP generator? There’s a difference between telling you to use Authy and still being able to use a different app
Yes I’m sure, hence why I specifically mentioned that. Try the sign up procedure yourself. It REQUIRES 2fa and it has to be Authy’s non-standard token or SMS. No option for regular TOTP.
SkaveRat@discuss.tchncs.de
on 23 Aug 2023 14:22
collapse
thx. just making sure. I already saw a lot of people annoyed about a specific app, just because that was the one being advertised, but in the end it was TOTP
Kalkaline@programming.dev
on 23 Aug 2023 02:30
nextcollapse
Oh noes, 2 different authenticators? Between my two jobs I need: Google Authenticator, Microsoft Authenticator, Duo, CyberArk, Okta, Impriviata, and I must have LastPass for password management. Everyone demands their particular flavor of security. Not to mention I have to login to all of these 40 something accounts every 29 days so they don’t expire. Please, someone just everyone switch to a password-free security system like Microsoft Authenticator has and let’s just get rid of the song and dance of picking a new password all the time.
You might want to migrate away from LastPass. And change every account password. They were hacked horribly and the only thing standing between your encrypted passwords and hackers is time.
Kalkaline@programming.dev
on 23 Aug 2023 14:02
collapse
Well that and 2FA on everything.
library_napper@monyet.cc
on 23 Aug 2023 02:40
nextcollapse
Anyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security
Otome-chan@kbin.social
on 23 Aug 2023 02:53
collapse
there's quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
dandroid@dandroid.app
on 23 Aug 2023 04:46
nextcollapse
How do you even use the internet? I mean, you could never book a flight, use any food rewards program, book a ride share, etc. Almost everything uses my phone number for 2FA.
totallynotarobot@lemmy.world
on 23 Aug 2023 05:13
collapse
There is literally no bank in my country that doesn’t use sms for 2fa.
Bitrot@lemmy.sdf.org
on 23 Aug 2023 16:36
nextcollapse
Yes banks are terrible about this, and it makes no sense
Otome-chan@kbin.social
on 23 Aug 2023 23:12
collapse
what happens if you don't have a phone number? you're just prevented from having a bank account?
totallynotarobot@lemmy.world
on 24 Aug 2023 02:03
collapse
You can have a bank account, but you wouldn’t be able to do online or mobile banking.
Sms is the only 2fa option (some offer email as well, but last I checked all fall back on sms), and it’s mandatory for online/mobile.
Xylight@lemmy.xylight.dev
on 23 Aug 2023 03:44
collapse
BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.
BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.
Eh, it’s a little more nuanced than that, there’re more standards for MFA code generation than just TOTP.
And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard’s Battle.net MFA is a good example of that.
If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn’t automatically assume that it’s going to work.
Oha@lemmy.ohaa.xyz
on 23 Aug 2023 10:12
nextcollapse
2fa should be mandatory everywhere
sugar_in_your_tea@sh.itjust.works
on 23 Aug 2023 22:50
nextcollapse
Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.
Yeah. GitHub makes sense because most users are writing code that can be executed by others. That makes GitHub accounts security critical.
But a Lemmy account? Naw, you lose almost nothing if that gets compromised. A little bit of history and subscriptions, mostly.
I’m in a discord that for some reason “requires” 2FA. Based on searching, I think they give everyone some kinda admin role or something? It doesn’t actually require 2FA, but it shows a very annoying warning that covers up a bunch of the channel selection screen. But despite that, I don’t really wanna deal with the hassle of 2FA on a chat app that’s basically consequence free for me if it gets exploited.
argv_minus_one@beehaw.org
on 23 Aug 2023 16:58
nextcollapse
I personally am afraid of this. What if something gets botched? I’ll be permanently locked out of my account!
jana@leminal.space
on 23 Aug 2023 20:27
nextcollapse
Print off your recovery codes and keep them safe. If you want to be extra, hammer them into metal plates like the crypto weirdos do.
argv_minus_one@beehaw.org
on 23 Aug 2023 22:22
collapse
Printing recovery codes would require me to either be price gouged by the printer ink cartel or use someone else’s printer, and using someone else’s printer is begging to get my account stolen.
I have no idea how to hammer things into metal plates, but I’m guessing that’s even more expensive than printer ink.
argv_minus_one@beehaw.org
on 24 Aug 2023 01:09
collapse
I can do that with alphanumeric codes, yeah, but can I get alphanumeric codes from GitHub, or is it going to be a QR code? I can’t write down a QR code…
faerbit@feddit.de
on 24 Aug 2023 01:22
nextcollapse
QR codes are just an encoding. Just use any half-competent QR code app, and it will give you it’s content, which you can then write down. For the reverse you can use any QR code generator.
argv_minus_one@beehaw.org
on 24 Aug 2023 01:35
collapse
How do I feed the generated QR code back to GitHub, then? Can I upload an image of it?
Okay, so generally the way it works is you have some app (e.g. Google Authenticator, 1password, Aegis, Bit warden – anything that supports TOTP). When you enable 2FA for a site, it’ll give you a QR code. You scan that with your app and then the app gives you a six digit code that changes every 30 seconds.
The QR code is really just an easy way to get a long string of characters into your app, though, and if the QR code doesn’t work there should be an option to see the raw code and manually enter it.
You enter that code in once to confirm that you have actually set up the 2FA. Then it will show you a list of recovery codes. It’ll only show you these once; it doesn’t store them anywhere. You need to note them down in whatever way suits you best (I print mine; you could also just write them down). You cannot see these again. The best you can do, if you still have access to your account, is generate new ones (probably by disabling and re-enabling 2FA)
Now, whenever you login, you’ll be asked for your authenticator code (much like an SMS). You just open whatever app you used and enter in whatever code it’s currently showing (remember it’s time based).
If your authenticator app gets messed up somehow, you can recover it using your recovery codes.
Renegade@infosec.pub
on 24 Aug 2023 07:44
collapse
The recovery codes come as a set of numbers
emptyother@programming.dev
on 24 Aug 2023 07:24
collapse
I’d prefer me getting permanently locked out over someone who isnt me getting allowed in. Even more so to services which have my credit card number.
But unlikely anyway, as long as I save my pass and 2fa to a password manager, and keep the backup codes backed up.
doink@lemmy.world
on 23 Aug 2023 17:46
nextcollapse
While you are adding this anyway consider using an open source app instead of google auth like aegis. There are many others but I wish I knew about them sooner.
dyc3@lemmy.world
on 23 Aug 2023 19:33
nextcollapse
I personally love keeweb. Passwords and 2fa all in one place.
I mean you could argue that defeats the purpose of having 2fa, but it’s convenient
technojamin@lemmy.world
on 24 Aug 2023 01:28
collapse
It weakens it a bit, but in my opinion it still has strength where it counts. If an attacker gets access to your password outside your password manager (man-in-the-middle, keylogger, phishing), then you’re still protected. Maybe it’s hubris in my own ability to keep my password manager safe, but I’ve never been worried about storing MFA in my password manager.
jackalope@lemmy.ml
on 24 Aug 2023 17:07
nextcollapse
Bitwarden is also good.
Anon819450514@lemmy.ca
on 24 Aug 2023 18:37
nextcollapse
Bitwarden crew checking in.
The best thing about bitwarden is the 10$/year to have a pro account. It gives you, amongst other things the ability to store up to 1tb of attachments and reports on various risk assessments.
You can even host your own instance.
I recommend it.
UnverifiedAPK@lemmy.ml
on 24 Aug 2023 23:01
collapse
You probably shouldn’t be storing your passwords and 2FA in the same place.
ArtVandelay@lemmy.world
on 25 Aug 2023 00:16
collapse
threaded - newest
Yep, should be standard everywhere
… for accounts you actually give a shit about
.
Just FYI, your account shows up as a bot. You should change it in your account settings.
.
If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.
The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.
The use of a “secure enclave” for any purpose is a bug at best, because secure enclaves aren’t just secure against your adversaries; they’re also secure against you. This is intolerable. All machines must obey their owner, and “secure enclaves” by design don’t.
Hard disagree. That rules out yubikey, smart cards, and most any other credential storage systems.
.
Apple actually describes the process for sync in some detail: support.apple.com/guide/security/…/web
Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): support.apple.com/guide/security/…/1
The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.
It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.
.
And not the twitch way, where you have to have in an identifier, your phone number, but using proper, standards ways for it, like TOTP and such
twitch has TOTP
But you can only enable it, after you give them your phone number.
Also, apparently years of subscribing to channels is not as verified as giving them your phone number. They should just say “We really want your phone number and don’t give a shit about anything else”.
true. But I think that’s mostly to make bots harder to create. Not as easy to get a phone number than an email address
A convenient scapegoat for getting your PII so they can sell your data at a higher value.
Subscribing is more expensive than getting a phone number in most places. Hell, even in expensive Germany, a phone number is only about 2 months of subscribing.
I had a lot of success with this: phonegenerator.net
Before I deleted my accounts there, I remember twitter and facebook deactivated your account for “suspicious activity” if you did not provide a phone number when making it, and the only way to reactivate it was to give them your phone number.
As the other commenter said, only if you give them your phone number, and only through that garbage authy that does not use standard TOTP, but some proprietary crap, specifically made for twitch.
And if you give them a phone number, which another user will also try to use in the future, then the secret used for TOTP can change in any moment, which means if you exported the secret to e.g. Aegis and deleted that tracking filled garbage that is named authy, at one point the codes just won’t work anymore, and you’re practically locked out. Apparently support should be able to help, but they don’t give a single fuck.
you can use any TOTP app. I use bitwarden
How? How do you import the secret key to it? Are they finally showing a proper QR code when setting it up?
My account is still locked to authy, and the support pages I have read are written as if it would still work through authy for everyone.
At least that was the case for me. I removed 2FA to make the authy key invalid and activated it again. and they do the normal TOTP setup stuff during setup
That sounds good. I still have a working login somehow, but unfortunately I can’t disable authy, because they want a code to do that, and they won’t accept those that I have, even though it was working when I have set it up.
do you have the backup codes somewhere? Could help
I don’t. Not sure whether they even provided those when I have set it up, maybe they thought that since it’s stored online you can’t just lose it, but I really don’t remember whether there was any I could have saved. It way years ago.
Also, thinking about it, the prompt does not give an option to use a recovery code, but only to try with the phone number (which is dead by now), or contact support.
tbf, that’s a bit on you. The whole point of 2FA is to prove that you are you. and if you completely killed that factor without deactivating it first or having a backup in any way, I can see the support not doing much. I’d be pissed if someone could just contact support and deactivate my 2FA method
I didn’t enable it because I wanted it for security, but because twitch required it. And then I have set it up with TOTP for security while I was doing it, which does not work anymore either. Also, I did not kill the phone number, it is a public phone number that doesn’t receive messages anymore. And if you blame me for not wanting to give up my own phone number, I don’t know that to tell you. My privacy matters much more than caring about the possibility that someone finds out my 30 long random password and catches the SMS code from the website where they were shown.
The 2FA prompt itself tells to contact support in cases like this.
Other than that, email verification is perfectly fine for verifying that it’s me. The address was never changed. Actually, as I have seen in a friend’s account they are using email already as 2FA for logins, if you don’t have any other way set up, maybe for other functions too.
What’s wrong with Authy?
First of all, that they are totally unnecessary for twitch to be able to provide 2fa authentication.
Other than that, their app has tracker components, all secret keys are stored in the cloud, who knows whether that’s encrypted, but on your phone’s storage surely not, if yours is rooted you can just view it in a file manager and copy it to a normal code generator app.
Generally they support standard TOTP code generation, but for twitch they are using some weird shit that generates 8 long numbers (instead of the standard 6), of which the middle 2 is the same so they drop one of them, and then also codes expire in third the time as it is normally.
emphasis on the
And not via SMS
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
I like the app setup rather than shoving everything into a browser. But I'm not a fan of this 2fa stuff. I get the point is security, but let me decide which app/method to use, and whether I want to use it at all. Otherwise it's just annoying.
I’m absolutely a fan of choosing which method to use, and also a fan of requiring choosing one. I prefer Google Authenticator-style 2FA (I use Aegis, but there are plenty of options), and I get annoyed when I need something else (e.g. Fidelity only offers Symantec, Steam only offers Steam Guard, etc).
Use a password manager that lets you autofill 2fa, like Bitwarden.
1password does this, too and it’s magical. I’ve had my SMS go to my browser via Google Messages for a while, but it’s so much easier to just auto-fill it instead of copy/paste
Also, 1password logs you out when you stare at it wrong, so I’m not worried about someone who would somehow get local access abusing it.
That’s bad advice
Is it less secure than it could be? Yes.
Is it better than no 2FA? Also yes.
In the end if it doesn’t work for your security model, than more power to you. But if it helps to increase the security of the average Joe, it’s good advice.
Allowing a smartphone access to anything sensitive is even worse advice. Smartphones are notoriously insecure.
You’re right. Dont grant your smartphone access to your GitHub. Just give it one factor.
You can use KeePassXC to generate the TOTP codes on your PC. With the browser plugin, you can generate the code and fill the textbox with one click when the password database is unlocked.
Sites that don’t use standard TOTP for 2FA are a pain in the ass though.
Get a hardware 2FA key instead of using your phone for TOTP
Yubikey
Authy has a desktop app and syncing across devices
This! Authy is very very nice. Syncing accounts is a life saver, both as backup, and not having to pick up the phone all the time.
Cut and pasting with a click instead of reading and typing, is so much faster.
Easily search the very long list of entries.
Not open source tho, but free as in beer.
If Aegis had the sync option, i would have used that. But it did not last time i checked.
…through a third-party cloud server that you have no good reason to trust. No bueno. Keep sensitive information off the cloud unless you want it to become public.
yup, that’s the tradeoff, this or reaching for your procrastinating device, but yeah, maybe Bitwarden could be better alternative, now i’m too lazy to migrate + it’s paid
KeePassXC seems reputable, so I guess I’ll try to use that when the time comes.
.
Probably just someone at Microsoft trying to get promoted.
they want your phone number so they can track you.
how would they track you?
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
me giving, let’s say, twitch my phone number gives them exactly 0 ways of tracking me in any way whatsoever
Source: worked for a mobile company
First part is not quite true, varies by country.
Second part is full on Olympic mental gymnastics
I can hear the tinfoil hat from here
That’s a pretty absurd take in 2023. Tracking and surveillance is rampant these days.
yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation
Better to use an authentication app. SMS can be intercepted.
Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”
Just use a YubiKey and keep it plugged in
At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …
Github supports totp and Bitwarden, at least, can store that.
Bitwarden has 2FA (for paid tier, like $10/year). I don’t consider it “real” 2FA, but it’s more secure than just a password, and super quick to copy code using browser addon. Useful for certain sites, that don’t stay logged in, require every time, etc.
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2
yearsweeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.Organizations can already require 2FA for members of the org. We already had the tools.
Yep. If people care about supply chain attacks or so, just add features that allow only commits from accounts with 2FA to certain repositories.
Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!
Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
Well negativity is there because every app wants it.
I don’t care if account x is compronised, as it has absolutly no value
I dislike MFA because it creates a risk of losing access to my account. I can back up my passwords; I can’t back up a hardware device.
Normally you get a handful of recovery codes when you set up 2FA. If not, you can just create a backup of the QR-Code or secret when setting up 2FA and store it in a safe location. And even if all that fails there’s usually a way to recover an account by going through support.
Although I wouldn’t recommend it, there’s also 2FA apps out there that have cloud-sync.
It’s pretty hard to hand-write a QR code, I don’t wish to pay the printer cartel $50 for the privilege of printing it, and it would of course be horribly insecure to print it with someone else’s printer.
And how would I use the QR code? I can’t scan it with my phone’s camera because allowing my phone access to my GitHub account is a security risk, and I can’t scan it with my desktop because it doesn’t have a camera.
So, how is this going to work? How do I recover my GitHub account without making it less secure than it is with just a password?
Is this some kind of joke that’s going over my head?
If not: The QR code alone doesn’t give you access to the account. That’s the entire point of 2FA. Plus, you always get a ~20 character code that can be backed up instead of the QR code. Screenshots are also a thing.
There is no printer ink cartel if you pick an older HP LaserJet/Brother printer. Once you buy, printer is yours and laser cartridge is cheap.
A hardware device is a physical key. Its no different than backing up your home key. Get two keys and copy them. Keep one on you, and the other in a safe somewhere in case you lose the first.
Hardware tokens are specifically designed to resist copying. Any means of copying it would be considered a security vulnerability.
Bits rot. A hardware token kept in a bank vault may or may not still work when I need it 10 years later, and there is no reasonable process for regularly verifying the integrity of its contents. Backup drives’ checksums are verified with every backup cycle, and so are the checksums on the file system being backed up (I’m using btrfs for that reason).
Hardware tokens are expensive. Mechanical lock keys are not.
Not literally copy, as in have an extra set of keys. A spare key. A bank vault is total overkill. I just bought 2 fido2 keys and register both for the services that support them. Have one on your keychain and another in your desk. 2FA is often way over thought, any adversary needs both factors so something you know and something you own is plenty for most people.
How will I notice when the spare fails, if it’s only a spare and I don’t regularly use it? Then I’m down to only one key, and as any grumpy backup admin will tell you, if you have only one copy of something, you have zero copies.
I would have a key plugged into the computer pretty much all the time when I’m working, so anyone who compromises the computer can impersonate me as long as I’m at work. This would be mildly inconvenient to the attacker, but wouldn’t actually stop the attacker. And if the computer isn’t compromised, how is anyone going to get into my GitHub account even without 2FA? They certainly aren’t going to do it by guessing my 16-character generated password or Ed25519 SSH key.
Something-I-know is worthless for authentication in the age of GPU password cracking. Most humans, including myself, do not have photographic memories with which to memorize cryptographically secure passwords. We’re all using password managers for a reason, and a password database is something you have, not something you know.
No offense to companies but I'm honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a "bad phone number". This happened on discord where I'm locked out of certain servers because I can't do phone verification, and I can't do it because discord doesn't like my phone number. Twitter was the same way for a long while (couldn't do 2fa/phone verification due to them not liking my number).
From the article it sounds like they're doing authenticator app or sms. I'm guessing sms won't work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft.... no google?
Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we're gonna have to have 30 different authenticator apps on our phone?
Google Auth works just fine. The standard for app generated 2FA is, well, standard. They’re only listing a non-complete list of options for people that don’t know what an authenticator app is and need to get one for the first time.
do all authenticators work for all services?
Mostly yes. I use Duo for everything.
Mostly. The 6 digit standard ones that you see almost everywhere are standard TOTP codes and most apps work for them. There are some proprietary things out there too but you typically see those with a matching app from the same company. Those are far less common though so for practical reasons you can assume they are all interchangeable.
Those values are computed separately what the app is really storing is just the input values which are then combines with the current time to create the 6 digit code. That means that keeping that input value (seed) safe is a big deal, and how and where that is done is one of the major differentiators between the various options.
The google auth which transmits your totp code in plaintext to there servers?
That is the specific app the person I replied to was asking about, so yea. Would have been a little weird if I was talking about some other app.
you… don’t?
Both of these implement exactly the same protocol (TOTP). Used authy for all my
Top Of The PopsTime-based one-time password needs exclusively, before moving everything to bitwardenwebsites explicitly said to get one or the other so I did.
Well the good news for you is that a website specifying one or the other is nothing more than marketing from that app maker! So long as there is a QR code (or a long random-ish string), you can use any authenticator app that supports that website’s 2FA algorithms!
That last bit is important because I think Lemmy had a non-standard 2FA algorithm (SHA-256?) that wouldn’t work with Google Authenticator.
Lemmy works with Google Authenticator, but not with Authy.
Annoyingly Authy fails silently and ignores the part of the code that specifies SHA-256 and just generates a SHA-1 code that won’t work with no warning or indication to the user.
that's good to know. I'll just switch everything over to google authenticator then.
Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.
which ones are that? I’d love to check, because afaik, they have a feature that enables push-2fa via authy, but should generally work on other apps as well
Sendgrid’s only options for 2FA are Authy (their proprietary token generation, no option for TOTP) or SMS. Tried signing up the other day and was surprised to find no option to use standard TOTP.
docs.sendgrid.com/ui/…/two-factor-authentication
Are you sure that you can’t use a different TOTP generator? There’s a difference between telling you to use Authy and still being able to use a different app
Yes I’m sure, hence why I specifically mentioned that. Try the sign up procedure yourself. It REQUIRES 2fa and it has to be Authy’s non-standard token or SMS. No option for regular TOTP.
thx. just making sure. I already saw a lot of people annoyed about a specific app, just because that was the one being advertised, but in the end it was TOTP
Oh noes, 2 different authenticators? Between my two jobs I need: Google Authenticator, Microsoft Authenticator, Duo, CyberArk, Okta, Impriviata, and I must have LastPass for password management. Everyone demands their particular flavor of security. Not to mention I have to login to all of these 40 something accounts every 29 days so they don’t expire. Please, someone just everyone switch to a password-free security system like Microsoft Authenticator has and let’s just get rid of the song and dance of picking a new password all the time.
You might want to migrate away from LastPass. And change every account password. They were hacked horribly and the only thing standing between your encrypted passwords and hackers is time.
Well that and 2FA on everything.
Anyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security
there's quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
How do you even use the internet? I mean, you could never book a flight, use any food rewards program, book a ride share, etc. Almost everything uses my phone number for 2FA.
There is literally no bank in my country that doesn’t use sms for 2fa.
Yes banks are terrible about this, and it makes no sense
what happens if you don't have a phone number? you're just prevented from having a bank account?
You can have a bank account, but you wouldn’t be able to do online or mobile banking.
Sms is the only 2fa option (some offer email as well, but last I checked all fall back on sms), and it’s mandatory for online/mobile.
BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.
Eh, it’s a little more nuanced than that, there’re more standards for MFA code generation than just TOTP.
And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard’s Battle.net MFA is a good example of that.
If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn’t automatically assume that it’s going to work.
.
It’s not the problem it’s trying to solve
2fa should be mandatory everywhere
Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.
Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.
Yeah. GitHub makes sense because most users are writing code that can be executed by others. That makes GitHub accounts security critical.
But a Lemmy account? Naw, you lose almost nothing if that gets compromised. A little bit of history and subscriptions, mostly.
I’m in a discord that for some reason “requires” 2FA. Based on searching, I think they give everyone some kinda admin role or something? It doesn’t actually require 2FA, but it shows a very annoying warning that covers up a bunch of the channel selection screen. But despite that, I don’t really wanna deal with the hassle of 2FA on a chat app that’s basically consequence free for me if it gets exploited.
I personally am afraid of this. What if something gets botched? I’ll be permanently locked out of my account!
Print off your recovery codes and keep them safe. If you want to be extra, hammer them into metal plates like the crypto weirdos do.
Printing recovery codes would require me to either be price gouged by the printer ink cartel or use someone else’s printer, and using someone else’s printer is begging to get my account stolen.
I have no idea how to hammer things into metal plates, but I’m guessing that’s even more expensive than printer ink.
Just use your pen and paper.
I can do that with alphanumeric codes, yeah, but can I get alphanumeric codes from GitHub, or is it going to be a QR code? I can’t write down a QR code…
QR codes are just an encoding. Just use any half-competent QR code app, and it will give you it’s content, which you can then write down. For the reverse you can use any QR code generator.
How do I feed the generated QR code back to GitHub, then? Can I upload an image of it?
Have you ever used any website with 2FA? You don’t need to upload QR codes.
I’ve only used SMS and Steam 2FA so far. I’ve been avoiding 2FA as much as I can.
Okay, so generally the way it works is you have some app (e.g. Google Authenticator, 1password, Aegis, Bit warden – anything that supports TOTP). When you enable 2FA for a site, it’ll give you a QR code. You scan that with your app and then the app gives you a six digit code that changes every 30 seconds.
The QR code is really just an easy way to get a long string of characters into your app, though, and if the QR code doesn’t work there should be an option to see the raw code and manually enter it.
You enter that code in once to confirm that you have actually set up the 2FA. Then it will show you a list of recovery codes. It’ll only show you these once; it doesn’t store them anywhere. You need to note them down in whatever way suits you best (I print mine; you could also just write them down). You cannot see these again. The best you can do, if you still have access to your account, is generate new ones (probably by disabling and re-enabling 2FA)
Now, whenever you login, you’ll be asked for your authenticator code (much like an SMS). You just open whatever app you used and enter in whatever code it’s currently showing (remember it’s time based).
If your authenticator app gets messed up somehow, you can recover it using your recovery codes.
The recovery codes come as a set of numbers
I’d prefer me getting permanently locked out over someone who isnt me getting allowed in. Even more so to services which have my credit card number.
But unlikely anyway, as long as I save my pass and 2fa to a password manager, and keep the backup codes backed up.
While you are adding this anyway consider using an open source app instead of google auth like aegis. There are many others but I wish I knew about them sooner.
I personally love keeweb. Passwords and 2fa all in one place.
I mean you could argue that defeats the purpose of having 2fa, but it’s convenient
It weakens it a bit, but in my opinion it still has strength where it counts. If an attacker gets access to your password outside your password manager (man-in-the-middle, keylogger, phishing), then you’re still protected. Maybe it’s hubris in my own ability to keep my password manager safe, but I’ve never been worried about storing MFA in my password manager.
.
Bitwarden is also good.
Bitwarden crew checking in. The best thing about bitwarden is the 10$/year to have a pro account. It gives you, amongst other things the ability to store up to 1tb of attachments and reports on various risk assessments.
You can even host your own instance.
I recommend it.
You probably shouldn’t be storing your passwords and 2FA in the same place.
Just moved my github MFA to aegis.
Passkeys supported?
docs.github.com/en/…/managing-your-passkeys
What’s the difference between a passkey and a security key?
Edit: ohh, it’s passwordless. I won’t do this for my Google account. Github: maybe. but not Google