Ask HN: Does anyone else think this 2FA everywhere is getting out of hand?
I probably have to enter 20-30 different 6 digit codes every day logging into various accounts. It's ridiculous. I can't believe it's come to this. It's about as annoying as the cookie bar.
Why does it have to be 6 digits? Especially if it expires in like 5 minutes? And why can't we have some sort of centralised solution to all this? The authenticator apps are probably worse than SMS in terms of the interface.
I am starting to think the amount of manpower wasted on this globally is way more than the fraud preventing in terms of economic cost.
Thanks for listing. Rant over.
91 comments
[ 3.0 ms ] story [ 131 ms ] threadIf anything, the codes should be longer - 8 digits would be far better (8-10 digits bumps up against what a person can easily keep in their mind at one time for long enough to type it)
I'm not so much concerned with brute force as that 8 is better than 6
"The HOTP value must be at least a 6-digit value. It is also desirable that the HOTP value be 'numeric only' so that it can be easily entered on restricted devices such as phones."
6 was defaulted to in the TOTP for being 'secure enough' and easy enough for most people to remember.
There are scenarios where that doesn’t provide sufficient assurance, but those scenarios are also not really suited for TOTP in the first place!
They may have an issue where session timeouts are too long and cannot be fixed, or outsource the payment function to another provider though a mechanism that they probably shouldn’t use.
I last saw that happen with a big commercial bank (HSBC maybe) a decade ago. The credit unions I use now don’t have that issue.
If you have a way to receive/generate (SMS or App or Token) the Pin, you can clean out the account just fine, how does this change?
From what I understand the 2FA Pin purpose is that the bank wants to make sure that I am actually the person that can authorize the payment, and asks for this confirmation immediately before processing the payment(s).
I could understand if there were some limits (I think there are but they are way higher than any payment I ever made), but I cannot see why I need 3 Pins to make 3 payments of 100 Euro each (let's say water, gas, electricity) when the same Pin is good for a single - say - 10,000 Euro payment.
On the other hand... it may not be the brightest idea to have both password manager AND 2FA in the same baseket, but it may be a good compromise for a lesser secure-demanding services (i.e. those that, if breached, won't affect you in any way other than internet points; think forums, reddit and such).
Edit: oops, I was wrong, as pointed out, it’s a premium feature ($10 yearly subscription).
Or alternatively you can host VaultWarden and get it for “free”.
Non-nerds get very confused with 1Password, as you can easily have multiple versions that work slightly differently at once.
Changing password managers is a PITA.
> The authenticator apps are probably worse than SMS in terms of the interface.
I don't share your opinion. I use andOTP[2] and it does exactly what it needs. Password managers may also allow you to store them next to your passwords, but this is not something I do nor something KeePassXC recommends[3].
[1]: https://en.wikipedia.org/wiki/Time-based_one-time_password
[2]: https://f-droid.org/en/packages/org.shadowice.flocke.andotp/
[3]: https://keepassxc.org/docs/#faq-security-totp
2FA protects your users from silent account compromises via phishing. Network security does nothing to stop phishing attacks on consumer users outside your company’s firewall and email filtering.
If a company’s network actually is breached and their password database dumped, the 2FA secrets are usually in a column right next to the password hashes and don’t provide any additional security.
2FA protects against attacks like trying passwords from a hacked database on other accounts with the same username.
See https://www.rfc-editor.org/rfc/rfc4226#section-7.5 and https://www.rfc-editor.org/rfc/rfc4226#section-9 for bidirectional authentication
And apart from Steam, all my codes are Google Authenticator compatible, meaning there are several different options for an authenticator app that will hold all my codes. Seems as centralized as I would ever want.
I have considered going the Yubikey route, but it seems like it might be cumbersome when used across a range of devices.
When accounts get hacked, the company is almost always blamed (in both the user’s and the public’s mind), even if they had nothing to do with it (the user was reusing a password from another site that got hacked). So there’s almost no choice but to require it, else they face a large reputational risk.
I find it odd you need to enter it so many times every day. Most sites allow you to “trust this browser” for some period of time. Are you clearing cookies all the time? Sounds like you might be making it worse due to some other habits.
It is trivial to set a long random cookie on a machine that provides 2FA for all repeated use of a service until the user deletes tokens or changes device. No need for bad UX.
Passwords were the problem to begin with. Easy to implement, but extremely hard to remember and use correctly.
MFA is part of the solution to this problem.
Rather, I would advocate password managers. For me personally, the simple usability of Firefox's integrated password manager (auto-suggests a strong password on account creation, auto-saves the credentials and syncs them across devices) has done more to improve my passwords than all education. I guess I am lazy, but many people are.
https://wiki.c2.com/?LazinessImpatienceHubris
If the user has to remember any password aside from a single unique password used in only one place, they’re doing passwords horrendously wrong.
We have had at least twenty years of password managers by now (KeePass), a good ten of them with browser integrations of various degrees of effectiveness, and almost as long with some form of mobile phone support.
At this point, not using a password manager to save totally-random passwords that don’t need remembering is no different than not using a seatbelt. It’s stupidity and ignorance in action.
2FA without a recovery path that people will actually prepare for is a recipie for locked out users, and that's going to mean your customer service gets all the sad stories and hopefully has no ability to do anything about them.
https://xkcd.com/936/
I still remember the XKCD password.
Now try remembering 436 different ones.
In case you have this clever scheme and use it on some malicious or insecure website, your scheme could be leaked and then it's only marginally harder to break into your other accounts. Randomly generated passwords don't have this weakness.
I can't honestly say I know of a better way, though. Something involving identification using asymmetric keys would be a good start to replace username/password, but that doesn't really solve the problem of losing or compromised private key in a way that's any better than we have currently for passwords.
Then as long as both the username/password and certificate authentication were required, then password reuse wouldn't matter.
Doxxing/insecure (SMS/e-mail) and inaccessible (Google/Apple required)? 110%. Sick of it. More often than not that these are required I'm certain that "2FA" and "for your security" are just pretexts to be able to tie accounts to meat-space individuals.
If you are talking about TOTP and want some centralized solution where you're OK with ceding some control, it exists. Authy seems to be the most popular. I'm sure there are other options where you can get it synced between your smartphone and browser extensions, if that is what you prefer.
Except for Steam AND Battle.net (Blizzard) which both have their own dedicated 2FA apps.
I use 1password to manage all of this and the only thing compliant is about some sites that seem to break a password manager's ability to auto-populate form fields.
Granted, I don't know if those features involve security sacrifices, and I'm sure I'd get annoyed if I needed a separate app for every tool, but the user experience is more pleasant there for me.
- Companies that deliberately offer a subpar webapp experience (including, not keeping you logged in and spamming you with 2FA) to push you to download their mobile app
- every fucking company that saves your credit card info - I mean I understand why (you wouldn't want credit cards to be easily abused) but it just points out to the actual market failure - Visa/Mastercard duopoly and subsequent lack of innovation (obviously the correct solution here is to have phone-app confirmation of every purchase even for stored credit cards)
This is exactly what happens in Europe for online purchases, with SCA being part of PSD2.
Only a few banks have phone-app based pre-transaction 2FA.
TransferWise is my favourite, but even they only check for the first transaction, not subsequent ones (e.g. for "recurring" one-off purchases e.g. UberEats).
That sounds painful for subscriptions or even the handful of places that don't check the card until they verify inventory.
But still, I wouldn't be opposed to that being user configurable (with e.g. spending limits).
However, it's worth noting that you can get desktop apps for TOTP, and some password managers also support it. So you don't necessarily have to go via your phone.
Things have gotten way easier with password managers and proper MFA in my opinion.
https://www.go350.com/posts/now-they-have-2fa-problems/
Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.
The article quotes it, but doesn't mention the source. Jamie says he was repurposing an older "sed" quote. Safe testicle-free link:
http://regex.info/blog/2006-09-15/247#comment-3085
I bet I've written more and harrier PostScript code than he has, though! And as a monster raving loony, I'll defend PostScript as being “readable” any day! ;)
https://www.donhopkins.com/home/pub/NeWS/litecyber/cyber.ps
When passwords for computers were first introduced RMS objected. His password was "password", and anyone could log in using it.
Remember that RMS is correct (when it comes to computers) and reflect.
Why did he do that?
Because he knew that passwords on computers were stupid make-believe (we call it "security theater" now), pernicious nonsense.
Computers are where you put secrets to give them to hackers. Computers don't keep secrets.
Yes, makes no sense in terms of security (storing both on the same place) but hey, it's life.
I basically use two devices so if I just set up my TOTP on both of them (and they both had OS integration), I'd then get 2FA security without me having to do anything.
Usually those websites allows you to skip the 2FA from a known computer if you keep the session cookies.
I currently use Bitwarden Premium and the TOTP authentication has been mostly hassle-free.