My rant with that is that the normal, regular user won't configure the fall-back solution. Nobody remembers to write down those numbers-and-codes; when they do, they don't keep it safe and leave the paper over the desk.
When you travel abroad, is out of battery, break your phone, etc, etc, you're 100% out of your digital life until you can overcome the 2FA limit. And this happens in the moments you need it most.
I love Authy and used it for a ton of stuff, but some places started not supporting it. I'm looking at you coinbase. For some reason I have three 2FA apps on my phone now. I purposely didn't have 2FA setup on some accounts while I was living abroad because so many SMS based 2FA for sites don't support international numbers.
I'm just glad google caved allowing you to use authy. For a while they only allowed you to use their authenticator and I just hated it. I don't care how much integration went in with Android. Authy I can install on linux, windows, mac, android, and IOS. What is there not to love there?
> 2FA sucks for so many reasons. Privacy is destroyed and losing your phone is multiplied into an even bigger disaster.
How is privacy destroyed by using a well implemented 2FA solution? I understand TOTP standard supports generating tokens locally with no network access required.
Exactly. And this goes beyond the company itself abusing your trust. There's a major data breach at a large company almost every month now. Unless absolutely necessary, never give any personally identifiable data to any company, because they will get hacked, and that info will end up on the net, where it can be abused.
I know how posting a phone number destroys privacy.
From the article, Google "standard" 2FA uses your mobile device. So by your own admission, giving others (and particularly Google) your number or access to your phone destroys privacy.
Yeah, this is the conclusion that I'm coming to as well. It's better to just move on from Google and attempt to find alternatives to all their services.
That's why they give you recovery keys, and tell you to back up the private key (securely) on a different device if feasible. If you can't recover because you lost one device, you aren't even trying to follow basic practices in this security space.
If its SMS we're all fucked. Cell carriers are not hardened against attack and nobody's life savings, communication, social life, etc should be wrapped up in their incompetence.
My bank mandated some “phone code” for a transaction; only problem was that it didn’t arrive. So I tried again and again. 20 minutes later, like 7 of the things arrived all at once on my phone. The bank locked my account for “suspicious activity”, and it could only be unlocked with a phone call. Then I call them, the minimum estimated wait is 50 minutes (oh, and the estimate got worse each time I tried later; and they are not open on Sundays). It ended up taking days to fix something caused by THEIR unreliable mechanism.
I also had an issue with an account that had a 2FA option but via an app that proved dangerous because I accidentally forgot about it when switching phone devices (same number) and just about locked up my entire account trying to get it working again.
If you mandate 2FA, it has to work and it has to leave the customer better off. If not, why bother?
Wasn't there a wave of articles just a few months ago about how it was time to give up on two-factor because phones/sims were too easy to hack, spoof etc? Regardless, the day a service or site (other than my bank) requires a phone or other physical device to be tied to my account is the day I stop using the service. It's a profoundly bad idea for so many reasons. Passwords are like democracy: the worst idea, except for all the others.
29 comments
[ 3.6 ms ] story [ 66.2 ms ] thread(I imagine someone at Google made sure this is possible and I thank them for it)
When you travel abroad, is out of battery, break your phone, etc, etc, you're 100% out of your digital life until you can overcome the 2FA limit. And this happens in the moments you need it most.
Why do you think they did this?
Do you think building Google Analytics into Authy had anything to do with it?
Repeat after me --- until proven otherwise, assume everything Google does has privacy invasion built into it. This includes "caving".
But just say "no" to Google and a lot of the issue goes away.
How is privacy destroyed by using a well implemented 2FA solution? I understand TOTP standard supports generating tokens locally with no network access required.
Most 2FA; including Google, default to using your phone number or worse, access to your device from their software.
Post your phone number and I will show you how this destroys your privacy.
They probably already have all your personal info so why not verify it so they can be sure they have it right?
It's really what's best for your own protection. It's not like Google is "evil" or something. Mooo!
> Privacy is destroyed
How?
> and losing your phone is multiplied into an even bigger disaster
Not if you are using a U2F key instead of your phone as your second factor.
Post your phone number and I will show you.
Not if you are using a U2F key instead of your phone as your second factor.
Same problem, different device. Phones and hardware keys are both easy to lose or break/destroy.
I know how posting a phone number destroys privacy.
What I want to know is how 2FA does. For which you have provided no explanation.
From the article, Google "standard" 2FA uses your mobile device. So by your own admission, giving others (and particularly Google) your number or access to your phone destroys privacy.
People are bad enough with passwords. They'll be worse with recovery keys.
Otherwise, you'll have a bigger problem than ever before.
And this is called "progress"?
I also had an issue with an account that had a 2FA option but via an app that proved dangerous because I accidentally forgot about it when switching phone devices (same number) and just about locked up my entire account trying to get it working again.
If you mandate 2FA, it has to work and it has to leave the customer better off. If not, why bother?