Tell HN: Somebody implemented something I wrote a blog about

852 points by rexfuzzle ↗ HN
So a while ago I wrote about how 2FA was missing a key feature: https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

Having not had any feedback on it in a while and the idea not taking off, today somebody messaged me to say that had implemented it in their product.

1. Obviously I think this is great and more secure

2. Tell people about things you do that they played a part it- it might just make their day.

252 comments

[ 3.3 ms ] story [ 271 ms ] thread
That’s awesome. I was expecting a lament on how an amazing startup idea was stolen and monetized by someone else. Glad I’m wrong and the world is a little bit better.
Hey me too, a little sunshine this morning :).
Same here. Came to say the same and to explain how i publicly share all my 'great' ideas publicly even though so many friends think I'm nuts in case someone 'steals it' and makes a successful startup from my idea. My answer: "Great for them. At least they had the determination and focus to follow through with bringing the idea to fruition when I couldn't."
People tend to overvalue ideas. I see this all the time in writing where people are worried someone will steal their great idea for a story. The truth of the matter is that it’s unlikely that you’ve come up with something truly new and in any event, ideas tend to breed and multiply. I will never write all the stories and novels that I have jotted down in my notebook before I die and there are more every day.
On that note though, is there a way to protect your story if you want to pitch it to a publisher, or anywhere else ? Like a registry for story ideas ?
Not really, and it’s not a problem. Ideas for stories are abundant, the ability to turn them into finished books or scripts is much rarer.
There's no IP protection for ideas for stories. Regardless, almost no fiction shop is going to agree to print a book on spec, just off a story pitch. Write the book first. Then you already have protection, in the form of copyright (which is automatic and doesn't require registration).
If an idea is any good, you generally have to fight tooth and nail to get anybody to listen to it, and put in a hundred times that to get anybody to understand it, and that again to act on it.

If you don't directly control how that happens they will implement it fundamentally wrongly.

But after it is finally implemented more or less correctly, everyone will agree that the idea was trivial and obvious, and they had already thought of it themselves, in exactly the form where they first encountered it, even if that is actually not quite right.

Victory has a hundred fathers, but defeat is an orphan.
Same. I'll often share relevant ideas in comments here and elsewhere in the hope that I inspire someone to go implement something I might like but will never find the time+organisation to get around to creating!
Congratulations! Really good to hear, and definitely a nudge to me to let people know when their blog was useful.
Cool, well done. Hope the idea gets picked up by a few more developers here.

If you don't mind I'm just just pasting the URL into a comment to make it a link:

https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

The comment is a link in the HTML I am served. However there is no underline which is confusing.
I could be wrong, but I'm fairly sure that wasn't the case originally.
Yes! That’s such a nice feeling.

One of my GitHub projects was used in a demo at Google Cloud next a while ago. the presenter was considerate enough to attribute the project to me by name during the demo and even sent me an issue just letting me know about it. That was so nice! Absolutely people should do this.

I actually had someone take one of my personal iOS apps from GitHub (https://github.com/wcochran/calfoo) and submit it to the app store as if it was theirs. Someone else told me -- I was gobsmacked that someone was so brazen. Oh well, I didn't license it. It had special features that only mattered to me (and would be inappropriate for general use).
Just fyi, if something is unlicensed, then other people can only use it under fair use. You’re the copyright holder automatically upon publishing and retain all rights. If you intend to let people do anything, then you need to explicitly put it in the public domain or use an appropriate license.

It’s very unlikely they can legally do what you’re describing… but it’s up to you to enforce it.

Most people wouldn't enforce it.

Thousands in legal fees, chasing someone across different timezones and the sheer amount of work isn't worth it unless it's a legit business.

Copyright laws really fail for those without money.

I would consider that as a bug, not as a feature. If the login panel behaves differently on a correct password than on a wrong password, that's an information leak that must be fixed.

Authentication must be evaluated and rejected only when all factors are already provided, and the rejection error should not disclose which of the factors failed.

So, with a proper login panel, my 2FA being asked does not mean that someone has my password.

Edit: this is, for example, the recommendation from PCI to separate "Multi-Step Authentication" from true "Multi-Factor Authentication": https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...

You make a good point, but does anyone do that? I’ve been using a PW manager so long, I don’t really enter incorrect passwords.
I don't know of anyone who does 2FA this way.
My employer does it for products requiring PCI certification. Our PCI auditor recommends it even though it's not a formal requirement of PCI v3.
That sounds like a terrible trade-off that makes people more likely to write down passwords on post-it notes or in a clear-text file to cut-n-paste. Especially if you lock accounts after a 10 tries or so (or PCI's ridiculous low number of tries).
I think the majority of places I use 2FA, the 2FA prompt is on a screen after the password login. This is because the use of 2FA is an account option, so not all accounts will have it active.
If I've understood the linked post, the login panel doesn't have to behave or look different if someone gets the username and password right. You could still show everyone the 2FA input.

It's suggesting that if the username and password are right but 2FA isn't the system should let the account owner know.

Correct. The blog suggests letting them know out-of-band, like via email, not in the login flow.
I have read the linked post too quickly before sending my initial comment. Indeed, a back-channel notification to the legitimate account owner is probably a good idea.

On the other hand, disclosing to the attacker that they got the password right is not acceptable.

Unless you're an especially high-value target, I'd rather you gave quicker feedback about whether or not I have remembered my password correctly than you make it impossible to determine whether or not a password is correct without also having to input the 2FA token.
I'm under the impression you misread the original blog post, which by the way does not really do a very good job in terms of explaining how this should be implemented.

IMHO, the idea is not to display the info about wrong 2FA code on the login page but to use a separate channel to inform the account owner about this recent, failed login attempt. So, no info on the login page of the website (adversary would still not know that they have a good password but wrong 2FA) but e.g. an email, a text message, a push notification, etc. with this info. I would certainly like to know that someone, somewhere is trying to login to my account and that this adversary is in possession of my actual password.

The Iceland NIC does this (https://www.isnic.is/en/site/login).

Customer support burden when the lose the 2FA key is solved by adding a hefty fee (around €100) to recover it. No webauthn support yet though.

Interesting- I think that is the first time I've seen password and 2FA code on the same page. Guess that means you may not know if your password or 2FA code is incorrect depending on the error page
Or the login process should just go ahead and ask the 2FA either way - and just fail you in the end without explaining why. And then notify only behind the scenes via mail that the password was correct but the 2fa wrong. That would be the way to handle it. I'd receive such notifications from time to time - I mix up the 2FA accounts sometimes, other times I'm slow typing and it expires - but I can live with that little extra email.
All my TOTP prompts (on websites I run) account for such delays and clock skews by checking against the previous and next TOTP. So even if the user is a little bit late to enter the OTP, I can still validate it and complete authentication.
This is standard practice with big corporate RSA remote login.
Honestly I'm shocked reading this. I _NEVER_ considered that scenario. Now I will be doing this in all my apps. Thank you!
Gmail has those features for some years.
Not AFAIK- they email you when a new device logs in, or a new location, but I've never seen one from a wrong 2FA code
Related: I think it's surprising how many services leak whether or not a password is correct. E.g. bad password => error, good password => 2FA prompt.

You should verify a user's second factor before password.

> leak whether or not a password is correct

Errm, could you elaborate what is the issue here?

(comment deleted)
tl;dr: The code should verify the user's second factor before the user's password.

Consider this, scenario A:

1. When attacker enters a username and bad password. then they receive a bad password error.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

And then scenario B:

1. When attacker enters a username and bad password, then they receive a 2FA prompt.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

In scenario A, the website leaks password validity to the attacker. In the case of a brute force attack, the attacker can use the 2FA prompt as a signal that they found a good password. Scenario B does not leak that information, because the second factor was wrong or missing.

More concretely, this pseudo-code:

    if user.authenticate_with_password(password)
      if user.authenticate_with_second_factor(code)
        # ...
      else
        raise InvalidSecondFactorError
      end
    else
      raise InvalidPasswordError
    end
Should instead be this pseudo-code:

    if user.authenticate_with_second_factor(code)
      if user.authenticate_with_password(password)
        # ...
      else
        raise InvalidPasswordError
      end
    else
      raise InvalidSecondFactorError
    end
Hope that makes sense. :)
But which 2FA prompt should they receive?

If MFA can be configured using myriad choices, should a user be prompted to "Insert security key" or "Input security code" or "Send code to your email/SMS" or "Tap YES on your mobile device"?

Since you can't know a priori what the second factor will look like, I'd say it's troublesome to try and present a challenge to every user regardless of their MFA configuration.

Note that this is not universal to all systems.

If your 2FA options all require the user to enter a code, you can simply display a "Please enter your 2FA code" dialog without divulging what kind of 2FA the user has.

How would you prevent someone from spamming a user just by knowing their username? Say, if the 2FA is done by SMS, or email.

An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.

I wonder how systems that use magic links handle this.

Your authentication system should have per-user and per-IP rate limits.
> How would you prevent someone from spamming a user just by knowing their username?

Wasn't something like this how Uber got hacked recently? Spamming the target until they clicked "yes" on the 2FA prompt?

In my pseudo-code example, we're raising a couple errors, InvalidSecondFactorError and InvalidPasswordError. You could imagine there could be finer grained errors, such as TotpRequiredError or HardwareKeyRequiredError, depending on the user's second factors, which could then propagate down to the UI via specific error codes.

The UI could then use these error codes to display the correct prompt, and then resend the request with the appropriate second factor.

You would have to randomize the error when the wrong password is inputed and ensure that for a particular username the returned error is invariant. Else an attacker could infer that when you get a different error you have a correct password.
The bad password error would only be sent if the second factor is valid, though.
It sounds good for stopping attackers, but if I am the real user and enter a bad password it is going to be pretty infuriating spending time troubleshooting the 2FA not working problem that doesn't actually exist. I suspect your service will get a reputation for completely unreliable 2FA which may have unintended consequences.
This can be solved with an error message at the end with something like "You either provided an incorrect password or your 2FA code is incorrect. Check and try again". This still ensures that someone is not able to guess the correct password and reuse it somewhere else where 2FA may not be enabled.
If you input a username and wrong password, in some cases, the service won't prompt you for your 2FA code.

If you input the right username and password, it will then go forward in the flow and prompt you for the 2FA.

I believe parent comment is suggesting the system should prompt for 2FA even if the password was incorrect, so that you can't infer whether you guessed the correct password without also compromising the 2FA method.

This only matters if you re-use passwords, though.

Well, doesn't it also matter if the 2FA method sucks? For example, maybe you can use a SIM swap to get the one-time code, but if you don't have the password, too, then that doesn't help you. In the above scenario, they can figure out whether they have the password or not, and once they do, then use a SIM swap to get the second factor (or whatever), and then they're in. If the login never tells them which factor is bad, it's a bit harder, right?
Correct, ideally it should always prompt for both the MFA and the password before failing
While this is true in the absolute sense, it's one of those things where you have to think about non-technical users: something like this would just confuse them, unless you make it very clear in the message that either one of those are bad, and provide a clear path to recovery... Having a good UX/security UX is hard.
Same thing goes for email address when registering. Correct email => “already in use” is still frequent, although some websites (such as github) have changed it to “incorrect or already in use email”
This is the real leakage. I guess we solve it by sending an email to the address to continue account creation.
This is technically superior for things like TOTP but falls apart if not all users use TOTP.

1. Users who aren't using 2FA have a confusing box to leave empty.

2. SMS, Email and similar OTP codes should only be sent after the password is verified.

3. U2F requires the site to share which devices are registered which can only be done after the password is verified.

You may be able to make it work UX-wise if you separate username from auth information (such as a lot of sites do to support SSO auth). But even then it isn't clear to me if you should be leaking information about their 2FA configuration (especially their U2F device) list without a password.

Your login form doesn't need to display an empty second factor input. Your server can send back a specific error code on first login attempt that can be used by the UI to prompt for the user's second factor, whatever that may be (or even give a choice, in the case of multiple second factor types).

For example, given this /login request to our server:

    POST /login
    Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=
Depending on the user's second factor, the server could send back a response like this:

    { "error": { "code": "TOTP_REQUIRED" } }
Then, depending on the error code, our UI could prompt for the second factor and we could send a new /login request:

    POST /login
    Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=
    { "totp": "123456" }
This flow can work for any type of second factor, not just TOTP. It also works for good and bad passwords, and doesn't leak any information (well, other than the fact the user exists, but that road introduces a lot of other UX issues.)
Good point.

It does leak a little information. It leaks the type of 2FA the user has configured and a list of devices for U2F (since that needs to be provided to authenticate). But that is likely acceptable.

This is not a huge deal in practice and can be a good honeypot/alarm system.

Most services today have fairly low "lockout" + "notify" thresholds on wrong passwords so brute force spraying passwords is already out of the question.

Now, if someone fails the password check, clearly the user's current password is still secure so leaking that the attempted password was wrong to an attacker is not particularly helpful to them. If, however, the password is correct, then the attacker gets hit with the 2FA surprise. Assuming the great suggestion in this post is implemented (it really should be), the attacker now is stuck--abandoning the login or trying an incorrect 2FA could all trigger notifications to the user that their password was breached [re: the "Was this login you?" prompts implemented by major services after these situations]. Attackers would need to also solve the 2FA in some reasonable period to "disarm" such an alarm.

Real users who happen to fumble once or twice are also fine, since they won't be surprised about the login confirmation as it really was them.

> Now, if someone fails the password check, clearly the user's current password is still secure so leaking that the attempted password was wrong to an attacker is not particularly helpful to them.

Maybe I misunderstand your post, but I think the parent comment is talking about leaking whether a password is correct and not whether it's wrong. (If I did misread your comment, apologies in advance and disregard the rest.)

The parent comment is basically suggesting that if there are two possibilities for password entry with two different experiences, then we may be telling hackers that passwords are correct, too.

Scenario 1: Password is incorrect and user sees "Oops, wrong password!" message.

Scenario 2: Password is correct and user sees 2FA prompt.

You are correct in that Scenario 1 doesn't help the hacker -- but Scenario 2 does! It tells them that the for username jabbany@email.com, password hunter2 is a valid password. Even if they do hit the 2FA surprise and can't crack it, they can now take jabbany@email.com to any other website and try password hunter2, and any other site using the same credentials that is NOT secured by 2FA is now compromised!

There's also username leakage here. Imagine you had an OnlyFans account, and your coworkers or friends or parents were to put jabbany@email.com into it, and it simply said "Oops, wrong password" instead of something more generic. Now they know you have an OnlyFans account -- which, depending on your relationships, could be problematic, regardless of whether they actually accessed the account.

So to the parent comment's point, it is amazing how often credential leakage happens. And to OOP's point, we should go to 2FA every time, whether the credentials are correct or not. And the error messages should (generally) be more vague than specific, so as not to leak info unintentionally.

Does that make sense? I'm not sure I explained it very well, but I think the parent and I are making a different point than yours -- which is also a valid point, just not what we were talking about.

That’s a tough decision. Going straight to the 2fa page immediately tells the attacker the account exists and does or does not have 2fa enabled… assisting them in narrowing down their efforts to less secure accounts and/or telling them which accounts they need to start phishing/etc for the 2fa code.

So you’re asking for the business to implement something that makes their own users less secure so that sites that don’t provide 2fa can be more secure. Maybe it would be better for those sites to improve their own security instead of asking others to compromise theirs to help cover for someone else’s lack of effort.

I agree with the general thought process here, but there is a greater leakage: no service will allow you to create an account with an email that is already registered.

So all this discussion about how to handle the failed login is somewhat pointless.

But the moment the attacker knows the password is correct, you/the platform would also know the password is compromised assuming they cannot get past 2FA. There is an extremely limited amount of situations that end up with "passed password authentication but failed 2FA" and all the platform needs to tell them apart is a simple "Hmm, were you attempting to login?" email or notification.

The leak of the password's correctness here is ultimately not problematic as it acts as a tripwire and a surprise for the attacker. In fact the platform can take action on the user's behalf and lock logins with that password until the user confirms it was them trying to login via a separate channel (if you used Google 2FA this is what they do). It also protects accounts without 2FA because it becomes risky for the attacker to just try a password list they find. Maybe they're lucky and get in, or maybe the account has 2FA and you've just burned the password by trying it and alerting the user/platform about the compromise.

If it were the other way around with 2FA first, you would have no way of knowing your password is compromised somewhere. Even if the attacker knew the right password, the would not attempt to login unless they defeated the 2FA. Now you have no early warning system, and it becomes all-or-nothing: attacker get full access or they wait silently.

To sum it up: The login is no weaker if you put 2FA after password auth (same amount of compromises needed to get in). 2FA after password can leak password validity information for a short duration of time (on the scale of 15mins), but it also sets in motion an alarm that invalidates that password when an attack is attempted. 2FA after password also provides a tiny bit of extra protection to non-2FA accounts by letting them hide among the 2FA ones.

(Also, the original purpose of 2FA after password is to cut down costs for the platform back when SMS 2FA was the only 2FA. This is largely irrelevant today with TOTP and FIDO2 relegating SMS based authentication as the least secure option.)

This is fine as long as you notify the account holder based on both a failed 2FA OR just ignoring the 2FA prompt rather than making an attempt.

Personally I don't know enough to know if that's the case?

(comment deleted)
I think we're still talking past each other. In both of your comments, you seem focused on the particular site with the 2FA. I'm suggesting that that vector is irrelevant.

I'm not concerned about someone hacking this site with the 2FA tripwire, but instead about leaking password's correctness could impact usage of that password on other sites that use the same username/password and do not have 2FA.

Imagine if I go to Amazon and put in jabbany@email.com / hunter2 and then come up against a 2FA prompt instead of a password error prompt. Okay. I have a signal that suggests that hunter2 is, in fact, your password. I bail immediately. No point in randomly trying to guess a 2FA auth code.

Now I go to Walmart.com and put in jabbany@email.com / hunter2, and it works -- because there's no 2FA on Walmart.com and you re-used the password!

In this scenario, 2FA doesn't actually stop the hacker from compromising your accounts! It only stops this account with 2FA -- in that sense, you are 100% correct! -- but perhaps only temporarily, because they may be able to compromise other accounts that would allow them to eventually reset your 2FA tokens and get through.

If Amazon were to tell me "hey, someone failed the 2FA auth attempt, you should you change your password," then that's one thing. But we both know most sites don't do that.

Password reuse is a very different issue. You should not be reusing passwords on accounts you care about period. 2FA isn't meant to protect against reuse (though it does help). If a password is reused your 2FA becomes just 1 factor.

This does not make reuse more dangerous either. An attacker with a leaked password list will try them against known sites anyways. If they wanted to try a leaked password against Walmart they'd have done it regardless of the 2FA signal. There's no reason to assume that if a password is (in)correct on one site that it would (not) be on another. The information of whether a password worked or not on a site means nothing to someone trying to hack your account.

Also 2FA sites do do this already. Google and Amazon both do this along with many others (and increasingly many). Also it does not have to force a password reset. A notification email about an attempt is sufficient, you can decide for yourself whether it was you or a suspicious attacker.

> You should verify a user's second factor before password.

the cost of sending those 2fa texts is not zero and also the idea of them is that they are ephemeral so them being tied to the successful entering of username and password and limited in time is a feature... not a bug.

Sure. But I’d argue that nobody should be using SMS 2FA. There are more secure, and cheaper, methods.
that gives the attacker an easy way to check which accounts have 2fa enabled. One attempt on each account and they can tell which accounts will need more work.
I don't know about wrong 2fa codes but bitwarden notifies you if you have an "unfinished" 2fa login. If you type username and password correctly and then don't type in your totp token it will notify you.
Years back, every web browser's built-in password manager locked up the page when submitting a login form, waiting for the user to answer "do you want to save this password?" before proceeding.

I thought that was silly: how do I know if I want to save the password before I've seen whether it's correct? Which I can't see until the form is submitted.

At the time I was using Opera, so I wrote in to their customer support suggesting that the prompt appear after the new page loaded. I never heard back, but a couple months later their next major release implemented exactly that behavior. A few months after that, every other browser followed suit.

I can't have been the only one bothered by the existing behavior, but given how long browsers had worked that way before I wrote in, I like to tell myself that the timing wasn't a coincidence, and that my little suggestion rippled out into a change that made a small thing better for the whole world :)

i still see this behavior in firefox. the save password popup disappears by the time the page is loaded. and it baffles me every time how that is supposed to be useful.
(comment deleted)
The stupid thing is that it already is async and not locking up like it was in the very old days op refers to. They were just so clever as to add a timeout after which that dialog closes, regardless of whether the page actually finished loading. So on a slower page you end up with the popup disappearing while the page is still (mostly) blank and you don't know yet whether the credentials were correct.

I think just clicking in a blank spot (or the text fields) in that dialog stops the timeout, but it's one of these things I'm not actually sure about and it's almost like a cargo cult kind of ritual...

I find that it usually sticks around long enough. But I agree that it should stay open at least until I interact with something else.

On the bright side it just collapses into a "key" icon in the URL bar that you can click to open it back up and save the password.

> On the bright side it just collapses into a "key" icon in the URL bar that you can click to open it back up and save the password.

I've been using Firefox as my main browser since 2010 and I never realized this.

It’s like that Teams pop up that informs you that a colleague started a meeting, the one that always disappears after you finish typing your sentence and start to move your mouse towards it.
you can click it right away, finish your sentence, then click again to join the meeting once you're done :]
The most amusing (for me) behaviour is what OR I need to press Csncel everytime ( my preffered bahaviour, honestly, I don't save passwords) OR never see the dialog again (I'm totally okay with saving the pass for some LAN devices which would be never acessible from the net ever - but I can't)
I found a bug in firefox where the two letters of the weekdays appeared as 3 letters for portuguese (pt-PT). Eventually found that it was an error in the unicode standard, so submited the proposal for change. Probably there's dozen of people involved in this... but seeing it being changed brought me great joy.

I was a tiny part in changing a tiny mostly irrelevant detail that was causing a slight inconvenience to millions of people daily. Improving humanity one bit at a time...

This is great! Imagine how many people had no idea how to get something like that fixed yet noticed the bug.
Do you happen to have a link to the proposal I can see and share with a class? I'm teaching a few lectures about some "weird" stuff this semester, and this would be a great example.
FWIW searching https://rachelbythebay.com/w/ for "magic" finds a bunch of posts that might also fit with that topic.

(The rest of the posts are an interesting rabbithole if you're not aware, apologies in advance)

Well, that's going to be a very cool class I best !
This still sometimes happens on iOS Safari. I don’t know what is different about the pages where it happens, but it’s annoying.
Even MacOS Safari does this. I don't know whether the latest update fixed it though.
Every few years I get an automated email from Wordpress where someone finally fixed a bug I submitted over a decade ago, lol
In a similar vein, I wrote to Microsoft suggesting their "Authenticator" TOTP app for Android would benefit from a search feature. I can't have been the only one, but it did make me happy when they actually implemented it a few months later
I also suggested it but their iOS app still does not have it. Really annoying with >20 totp tokens.
Opera was the most innovative web browser ever. They brought so many new things to the world of web browsing. Tabbed-browsing, mouse gestures, colored tabs, browser themes, in-built security integration with anti-virus software, an extensible browser - so many wonderful innovative features. It was a paid software initially, but then they made it free for everyone. I used to use it as my default browser, maybe 13-15 years ago.
its my default browser now. It still great!
Well, I used to love Opera as well, it was my first "serious" browser as I became a netizen. But now I wouldn't even dare to try it as it's owned by a consortium of Chinese investors, rather than a Norwegian company.
Vivaldi is pretty good and though it's based on chromium, is the new opera in spirit.
No coincience. Vivaldi is co-founded by ex-CEO and co-founder of Opera.

I quit using Opera after he did not keep his promise to swim across the Atlantic in 2005: https://www.zdnet.com/article/opera-boss-starts-atlantic-swi...

I might try Vivaldi out after your comment and because of their completely sarcastic pricing section on the download page.

Genius.

Built in email and rss feeds are really nice as is the calendar base history page.
(comment deleted)
Are you sure tabbed browsing was Opera? I mean, Mozilla browser (predating Firefox) had it in 1998.
(comment deleted)
Opera also had tab groups, MRU tab switching, and saved sessions. Those exist in some form or fashion now, but the implementations are not as smooth.
Mozilla had multiple documents first, by just following Windows' MDI standard.

Then Netscape and IE got into a war for mindshare, and part of that was to ignore MDI and splash their browser windows all over the taskbar instead, to be more visible and grab more user attention.

Tabbed browsing was never a new invention, it was just a re-implementation of what we already had by way of MDI.

Spatial navigation is a feature I really do miss. I don't think any other browser supports this. It made keyboard-based browsing possible without resorting to stuff like hit-a-hint. You could just hit Shift+Arrow Key (which I mapped to the home row) and select a the nearest link (or anything interactive) in that direction. I think it worked in a visual fashion so order in the DOM didn't matter at all. It behaves exactly like one would expect.
The Opera CTO is now building Vivaldi, which is basically Opera. It has all the features I remember (spatial navigation, mail/RSS client, gestures, split tabs, etc) and is very good.
Something I really miss from Opera is that the content of every page you visited was saved and stored for search! This helped me so often to find pages that I had visited, and remembered a few words from, but didn't bookmark or save otherwise. No idea why browsers today did not copy this feature.
What an amazing idea! I would love to have that feature.
Web browsers are strange. They are sophisticated pieces of engineering, but they refuse to implement the lowest hanging fruit features UX wise.
They are built by people who are excited about the web, so it sort of makes sense that anything off the critical path of: “make websites and web applications great” would be deemed less important. Why make local search when there is a web application called Google?

Ferraris probably aren’t know for having sufficient cup holders.

A cynical take is that they purposely hold back bookmarks/offline-search so that you use their web search engine instead.
Text reflow on mobile browsers. I still miss that feature and much prefer that with desktop mode vs crappy mobile mode sites.
"Reading mode" is still very much a feature of mobile Chrome and Firefox, and almost a neccessity.
I discovered a bug in Java 1.0.1's GridBagLayout and posted about it to USENET. It was fixed in JDK 1.0.3.

I also emailed the GIMP maintainers about a bug in their select color region tool in GIMP 0.99.x that made it ignore 1-pixel-wide barriers. By 1.0 it was fixed.

I was chuffed when it happened, but the internet was a smaller, chummier place back then, so we expected that kind of response more than we do today, I think.

I submit suggestions, features, bugs, detailed reports, new use cases etc. I'm more than happy to write detailed submissions, or do some traces when there's a bug.

But if I notice there's no feedback or implementation within a reasonable period of time, I will stop doing that ever again for that company (large, small, doesn't matter).

I refuse to waste my energy on that kind of process.

Oh, that's so cool! :-) Could you please write to Whatsapp or Telegram and ask them not to delete the EXIF information from shared images on their platform? I understand that they compress images so they don't take too long to transmit and load, but I think there's a big group of their users (especially for Whatsapp) that use their platform to share family pictures. For this purpose, having the EXIF date (if it's available) could be very handy, since the picture could be properly timestamped and archived without having to ask again to the original poster for the specific files.
As a general privacy rule I like stripping this by default. Couldn't you just zip up some images to retain this?
I think the EXIF data is removed because, for the vast majority of people that don't think to remove it, it's a safety risk. Posting a picture of your house? Your kid arriving at their first day of school? Some other location you'd rather a bad person not have info on? Most people don't think to remove that data before posting (and sometimes post directly from their phone camera?)... removing that data removes a lot of risk for them. Leaving it in is only considered a small benefit to a smaller subset of people (comparatively)
We could always strip the location information (or any other identifying data like camera/phone model). But I can't see how having the date information attached to the image could be a safety risk. Especially when that information is already available within the app. The issue is that the app's UI is cumbersome to provide both pieces of information at the same time for a set of images.
Oh no this is a bad idea. There's a bunch of data (including location!) that is often included in EXIF.
I don't think is a bad idea at all. Just keep the timestamps if you want, and strip all the rest. But I feel that having the date attached to the image is a good idea. Is not technically complex nor bandwidth demanding and provides a very useful context to the picture.
People would doxx the hell out of themselves without knowing it all the time if you did that.
And now we’ve come full-circle as 1Password 8 requires you to save your password prior to submitting the form instead of offering to save it after submission. Which is a huge regression as it results in this exact issue all over again.

https://support.1password.com/save-fill-passwords/

Sadly, 1Password seems to just get worse and worse in terms of usability with each release. The latest incarnation has so many little annoyances that makes me seriously consider switching. The one thing it's got going for it that really is kind of a killer feature for me is SSH key handling. It's super nice being able to sign your commits with Touch ID. Everything else is meh at best.
It's truly baffling how they manage to consistently make the software worse every single release. I was a huge fan of 1Password many years ago (and have been happy to pay for it throughout), but each successive release is more confusing and less reliable.
Agreed. Especially on iOS has it become obtrusive. Form inputs being obscured by mini pop-ups. I could go on.

I’m waiting for the release of the new macOS and I’m going to evaluate using the native implementation and ditching 1P.

The promlem with using apple password management on macos is that I need vertical tabs. Only vivaldi and Firefox provide them now and they don't use the macos key chain
What do you mean by vertical tabs?
The tabs are to the side rather than along the top.

This allows you to see the text in the tab when you have several tabs open.

Ideally tabs should be indented so you can see which tab you linked the page from.

The best implementation is the Firefox extension Tree Style tab https://addons.mozilla.org/en-GB/firefox/addon/tree-style-ta...

But simpler vertical tabs are on Vivaldi, OmniWeb which had them since the mid 1990s but unfortunately has not kept up with allowing other extensions, Opera used to have them when it was not Chrome. Chrome had them at one stage but reading the issues on that the developers really showed a complete lack of understanding.

Gotcha. Thanks for clearing that up. And yes, the indentation of tabs is actually a good idea.

Although, iOS has tab groups now. I rarely use them because the menu is out of sight so I forget. But on macOS they’re convenient for when I’m researching a topic.

Bitwarden is by no means perfect but I really appreciate their user engagement and excellent documentation.
How is it not perfect? I haven't noticed a flaw yet.
The UI isn't all that intuitive, the 'ask to save'/'ask to update' prompts don't work that well, but I don't really blame them because they are injecting into the DOM which usually changes. As someone else mentioned, it's a bit slow to sync and load sometimes. I wish it was more obvious when I have an existing session with the desktop app which can send a token to the browser extension to keep it loaded.

You can tell i'm really reaching for bad things to say about it, haha

everybody seems to be complaining about the latest release, but i find it just fine. what's wrong with it?
They may have come full circle but I certainly haven’t.
Any person/company/thing that uses 1Password needs to take a look around. Bitwarden is where it is at.
I love Bitwarden, but I don't understand why it takes 10 seconds to search a database with 100 entries (Android app, when searching for a saved password). It's aggravating.
Something's wrong as I have many hundreds of passwords and have no noticeable lag searching them.
If only Roku and Android TV boxes had a way to display pdf's on the TV!

Hint hint hint!!!

After all, they can display movies, pictures, and music. PDFs, please! I'd even pay for it.

I understand it not working on a Roku but why couldn’t you use an android pdf reader?
I looked up the android tv box on Amazon. Doesn't support pdfs.
You could always open the pdf on your phone and cast your phone screen.
Yes, and I could hook up my laptop to the TV, too. But I bought the Roku box because it's so much more convenient than dinking around with the laptop.
I usually cast them from my ipad to the tv.

My ipad may be a very expensive PDF reader but it's bloody good at it.

you are literally one of my new fav people !
During the Edge beta in transition to Chromium engine, I requested they add green to the icon. I did get an automated thank you when it was finally released. That really made my day.
As 2FA adoption spreads, the possibility increases that someone could be using 2FA but not know the rule about not reusing a password. This feature improves the spread of that gospel. It seizes the opportunity to impress an abstract concept to the technically-challenged in a way that is no longer abstract. I like it.
Bravo!!! Such a simple (and more secure) change to the way 2FA works. This should be the standard and also mandatory in many similar cases. Good for you and for sharing this improvement, that’s the mentality all of us should have. Reminds me on how Volvo shared the 3 point safety belt patent with everyone else so as to make all cars safer, instead of keeping it to themselves I order to profit [ https://www.forbes.com/sites/douglasbell/2019/08/13/60-years... ].
Re: Volvo's good deed -- In contrast, Edward Land (the Polaroid camera guy) came up with a system for polarizing car headlights and windshields to lessen glare from oncoming headlights in 1948. Apparently, none of the car manufacturers implemented it because there was nothing to gain financially from such a safety feature. https://www.polarization.com/land/land.html
OWASP actually includes this suggestion in their guidance for implementing MFA:

https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...

> When a user enters their password, but fails to authenticate using a second factor...:

> ...

> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.

> The notification should include the time, browser and geographic location of the login attempt.

> This should be displayed next time they login, and optionally emailed to them as well

Yeah I thought it weird that you only get an e-mail that someone logged in under a new account - passing the 2fa. But they should send one after correct username / password too.

I don't mind getting an e-mail as another form of 2fa, but that has its own issues.

I think the email is just a failure notification, not a second factor.
It's a nice courtesy from the product authors/implementors. Not only it's polite, it also acknowledges your contribution to the idea, not sure to which extent it is formally.

All in all it is a great feeling to see your idea getting a concrete life. In a way, reporting an issue and a possible improvement to any product you care about is an essence of collaboration. Open source further helps to contribute by augmenting such effort with a skill to implement it.

I havnt done this in many years but for a while I was making creative content that was published online. Once in a while someone would contact me saying they liked what I did. I started doing the same. If I read an article I liked a lot I would contact the person and tell them I liked it and why. About half the time they responded with Thanks.

I didnt do this with NYT writers or anything. Just people who clearly dont get paid/paid much to make this content but I found it useful/interesting/helpful. I think that stuff goes a long way and it really doesnt take that long to do.

I've got a tech podcast now and about once every month or two someone contacts me to say they liked it or something nice. It's a huge reason why I keep doing it. I know that sounds silly but the internet can be such a black hole. A little feedback goes a long way.

This was a good comment. Keep it up!
I tend to see a lot more negativity than positivity as the default response so I like this thread.
I have a little blog that occasionally gets hits when the SEO winds blow my way and twice people have reached out thanking me for a post. It's made my whole month! And encourages me to keep posting stuff. So I really appreciate that you do that, I should make an effort to do the same.

I write the blog as more of documentation for myself than something to share, but knowing that I've helped someone else is icing on the cake.

Really enjoyed the insightful view. I bet it starts a fire on the internet.
AFAIR, a 1980's MIT AI Lab "how to do research" memo, suggested as one way to build things: describe what you'd like to build, and maybe someone else will be inspired to do it, long before you'd have gotten around to it.
I'm still waiting for the Memex, you would think someone did it between 1945 and now, but nope. 8(
We implemented something that avoids the original articles, 2FA notification.

After your password is approved before 2FA you get an email. So even if someone is somehow using the right 2FA you are aware.

Our thinking was the mosly likely outcome was someone would hit 2FA, not have the code and so close the request without even entering a bad code.

Apart from that though, it is always nice to get recognition for the stuff you put out there. I know I should do it more myself too.

But email can be delayed for hours or days.
That's pretty rare in our scenario, also it still would apply to the original post ?
If you are going to send login notifications anyways this makes sense. Since the user will either want to know about the login or the failed 2FA. However if the user doesn't enable login notifications I think it makes sense to give a short timeout to wait and see if the authentication is successful. If the auth is successful you can skip the alert.
I agree but there is an even more serious security feature almost all 2FA misses:

Telling the user what action they are authorizing by reading back the numbers.

That “bank rep” on the phone? They are probably trying to log into your account, or withdraw cash, not verify that you are the right person to send the refund back to.

It would save a lot of problems.

Also you should be getting an alert on all your devices whenever transactions over X amount per Y time occur, and you should have an opportunity to reverse them for 24 hours (even for debit cards). Also you should be able to make windows during which time it would be longer than 24 hours, such as a Jewish holiday or when out of range. This wouldn’t apply to recurring transactions.

Yes, that's a cool feature - the Smart-ID app used by many banks in Baltic countries as a second factor does that, it states e.g. the payment and amount you're authorizing before you do so.