24 comments

[ 3.2 ms ] story [ 66.2 ms ] thread
2FA means "you lock yourself out of your account forever"

I just had the hole my Yubikey attaches to my keyring break. If I wasn't lucky it might have fallen off my keyring and disappeared. (No more Github for you!)

As it was I managed to stuff it into one of the pockets of my gym bag.

How long until the designers rethink the design and make it as thin/robust as credit cards. I think there are already some adopters of keyboards with a credit card chip reader, though not sure how mainstream popularity of it would be jump started.
Lots of keyboards with smart card readers already, for customers like the US DoD. They're not pretty though. Don't expect to see one on display at the Apple Store.
I see cheap ones on sale for 20 bucks or so. Cheaper than an NFC reader. Programmable "Java cards" are affordable.
To solve this I keep multiple yubikeys and track which ones are registered by tagging services with specific values in my password manager: "yubikeyA", "yubikeyB", etc.

I keep the backup yubikeys in safe places and periodically when they are available I search in keepassxc for entries tagged with A but not B, for example, and add the missing yubikey to that service.

The following search in keepassxc will show entries with the attribute "yubikeyA" but lacking "yubikeyD":

  attr:yubikeyB !attr:yubikeyD
To be safe from fires, natural catastropies, etc. you ideally place your 2fA devices to multiple people you trust, that you may have to travel to. But sadly, webauthn doesn't let you enroll devices without having direct access to them. So it makes this setup a bit harder than it could be.
> you ideally place your 2fA devices to multiple people you trust

That's a really good point. I keep a key with a friend in another city. When I visit them I use a query like the one above to determine any services that need to be registered with the normally unavailable key.

> So it makes this setup a bit harder than it could be.

I wish there was a way to enroll keys without them being present.

Out of curiosity, how old was your yubikey? I have had one attached to my keyring since 2016, and it show no sign of breaking.
I got it as part of this promotion

https://arstechnica.com/staff/2018/01/introducing-ars-pro-th...

so I'd guess 2018. I guess I could have reinforced the hole and I probably still could.

The build quality is still awful and given all the varieties of badUSB out there I'm not enthusiastic about a USB connector that lacks a grounding shell. (That said, at our public library all of the Dell machines have AC current floating on the USB shells that give a gentle little shock... That might not be so gentle if you were standing in a puddle)

(comment deleted)
(comment deleted)
Shill/bot/propaganda accounts don't care about 2FA. Those constitue a huge percentage of Twitter, so I'm not surprised at the low adoption rate.
Also, I would suggest, most mainstream users. My non-tech savvy friends' only experience with 2FA is for work things and they complain about it. I don't think most people are clamouring to add that extra layer of security to their personal accounts.
Can no longer edit, but I should add troll accounts to that list as well.
How much does 2FA really gain us users? What's the more likely scenario, that i) someone guesses or steals my password or ii) some organization breaks into Twitter and steals all passwords and the keys as well? Why would Twitter face better than Yahoo!, Alibaba, LinkedIn, etc.?
For the vast majority of users, isn't it 1, by a _lot_? OS-integrated password managers that generate unique secure passwords are slowly helping here, but I suspect most people have approximately the same password for their email, bank, and Netflix.
I don't think that it's this obvious. The number of passwords stolen from the server goes in the hundreds of millions annually on average (well, at least the cases made public). While I don't have any numbers and reusing a password is clearly unwise, I don't think that there are that many Netflix employees getting a kick out of posting on Twitter under their customer's name.
It hinders keyloggers, protects against password stuffing, and if enough Twitter accounts are hacked they're just sold off to the highest bidder.
I don't trust twitter and every time they ask for my phone number I just kill the app and restart it to hide the unclosable pop up asking for my phone number.

SMS is a terrible 2FA anyways

Is this a regional thing? I've multiple Twitter accounts, all of them with TOTP 2FA, and none of them has any information about my phone number.
You can effectively no longer sign up for a new account without a non-VOIP phone number

If you remove it after adding it to get through verification, your account is likely suspended a day or two later

This. Twitter isn't getting my phone number. So, I'm not using Twitter. It's really that simple.

Somehow my account is "blocked" for "security reasons", yet Twitter is still fine sending me spam from it.

Besides, all SMS 2FA does is open you up to getting social engineering SIM hacked when you weren't before.