I'm not sure where you could "disagree" but I believe you will try.
Trust me, I can disagree. You may disagree with my disagreement but that's fine too.
And the fact that you - like many others, no worry - accepted 2FA because you think it's not a big trouble is not exactly an "agreement".
Not sure if this is a language thing. It kinda is an agreement.
1) harmony or accordance in opinion or feeling.
They think this makes my account more secure and so do I.
2) a negotiated and typically legally binding arrangement between parties as to a course of action.
They said "We'd like you to 2FA your account for security" and I said "Okay" and did.
Some comments seem to be missing the fact that there is also the backup code - or I'm missing something.
I.e. if you can't use 2FA, for whatever reason, you can use the backup code to log in, disable it (and re-enable with a different method if you like).
I just configure my applications/websites to send an OTP via email when logging in/registering an account. SMS/authenticator apps are nice but email verification codes should be more than good enough tbh.
@akhfa said:
Use hardware key like yubikey, it is as simple as touching the key, worth the hassle compared to the security benefits 🙂
YubiKey can also be used to keep TOTP.
Then you need the backup key (which Yubico does tell you to buy, so they get twice the sale) - good luck finding that. And hopefully all the sites are properly registered.
Yeah, it is right. The drawback is that we need more than one hardware key, according to your disaster recovery plan. It is like managing backups on a server, and I already do it anyway, so it is no problem.
The feeling that my accounts are safe as long as I have the key and a good DR plan is really good 🙂
I use it everywhere I can. The more protection the better, especially with all of the data breaches. Of course, if the 2FA secret is stored with the user data, it may not help.
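The two points made so far - that a backup code gets you in when the authenticator is unavailable, and that a 2FA secret stored next to the user data may not help in a breach - in working form, as an added example that is not code from any poster. It assumes the RFC 4226/6238 test-vector secret and a hypothetical `Account` class; the design point it shows is that the TOTP secret has to stay recoverable, while backup codes can be stored hashed and burned on first use.

```python
"""Added example: TOTP (RFC 6238) plus single-use, hashed backup codes."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm authenticator apps use."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    return hotp(secret_b32, unix_time // step)


def hash_backup_code(code: str) -> str:
    # Backup codes are random and high-entropy, so a plain SHA-256 is adequate:
    # a leaked user table does not yield usable codes. The TOTP secret, by
    # contrast, must be recoverable to compute codes, so it cannot be hashed;
    # if it sits in the same table, a breach of that table defeats it.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_backup_codes(n: int = 8) -> tuple[list[str], list[str]]:
    """Return (plaintext codes shown to the user once, hashes to store)."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 40 random bits each
    return codes, [hash_backup_code(c) for c in codes]


class Account:
    """Hypothetical per-user record (assumption, not any site's schema)."""

    def __init__(self, totp_secret_b32: str, backup_hashes: list[str]):
        self.totp_secret = totp_secret_b32        # in the clear (or reversibly encrypted)
        self.backup_hashes = set(backup_hashes)   # hashes only; each is removed when used
        self.last_totp_counter = -1               # blocks replay of an accepted TOTP code

    def verify_second_factor(self, submitted: str, unix_time: int,
                             step: int = 30, skew: int = 1) -> str:
        """Return 'totp', 'backup' or 'rejected'."""
        submitted = submitted.strip()
        counter = unix_time // step
        # Accept the current step and `skew` steps either side (clock drift),
        # but never a step at or before the last one already accepted.
        for c in range(counter - skew, counter + skew + 1):
            expected = hotp(self.totp_secret, c).encode()
            if c > self.last_totp_counter and hmac.compare_digest(expected, submitted.encode()):
                self.last_totp_counter = c
                return "totp"
        # Fall back to a backup code: valid exactly once, then burned.
        h = hash_backup_code(submitted)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return "backup"
        return "rejected"


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890" in base32)
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    plain, hashed = generate_backup_codes(4)
    acct = Account(demo_secret, hashed)
    print("code at t=59:", totp(demo_secret, 59))
    print(acct.verify_second_factor(totp(demo_secret, 59), 59))   # totp
    print(acct.verify_second_factor(totp(demo_secret, 59), 59))   # rejected (replay)
    print(acct.verify_second_factor(plain[0], 59))                # backup
    print(acct.verify_second_factor(plain[0], 59))                # rejected (used)
```

Showing the plaintext backup codes once at enrolment and keeping only `hashed` is what lets the "disable 2FA and re-enable with another method" recovery path work without giving a database thief the same path.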
At the cost of being nitpicking - every (layer of) protection usually adds more complexity and impracticality of use, so there's always a point past which more is no longer better, not in practice.
@bikegremlin said: every (layer of) protection usually adds more complexity and impracticality of use
Broadly agree, though I think there can be exceptions. E.g., for me getting into Gmail is faster since moving to YubiKey. Or alternatively, SSH'ing into a server via key can be more convenient than a password once set up.
Absolutely true. In the case of 2FA, I'm willing to pay the cost to get what I consider to be significant benefit.
I had a PayPal keyfob token that I used for many years. Press the button, and it displays six random digits that you append to your password. When the battery died, the token disabled itself.
At some point over the years, PayPal added a requirement that you must supply your cellphone number to make any changes to your PayPal account settings. The last thing I want is for PayPal to have my cellphone number. It took a few tries and a little social engineering, but I was able to get a PayPal customer service person who was willing to disable two-factor authentication for me so I could access my account.
Password changes are not coupled to providing a cellphone number, so I changed the password for security. I always use a long, strong, random password. I can use the password to make payments for online purchases, but I can't log in to my PayPal account without running into that "Cellphone Number?" wall.
Weird, I've never had to do that with my Paypal account. They don't have my phone number and I can make account changes just fine.
It was the same for me, until the PayPal token failed and I locked myself out with too many attempts to log in.
Another trick that worked in the past was when you see a prompt for information you do not want to provide (e.g., cellphone number), hit the back button and try loading the desired page again. It used to disable the "needs to see cellphone number prompt" for that session. That trick no longer works at PayPal, but it often works elsewhere.
After I got phone service to unlock my account and disable two-factor authentication, I was able to do the "forgot password" to change my password. I don't try to log in to the PayPal main page, to stay away from those cellphone prompts. I just use PayPal for website payments.
@xleet said:
but I can't log in to my PayPal account without running into that "Cellphone Number?" wall.
As in, need to receive an SMS to proceed? I've never seen that on PayPal (albeit EU).
PayPal EU uses TOTP (app-based) 2FA and I'm very happy to have that enabled.
I assume that PayPal uses SMS to confirm the cellphone number that you provide. I never got to that step. I run very few apps on my cellphone and never use it for banking or payment services.
My concern is that PayPal could and would provide my cellphone number to merchants and others without my knowledge or consent. The last thing I want is a barrage of ads and notices on my cellphone coming from merchants. At present very few know my cellphone number, and I like keeping it that way.
I was once caught in a situation where I got locked out of a website for some reason. Things went awry when I learned that the "lost password" reset mechanism expected to send an SMS message to that landline phone number. I had expected a phone call where a computer-generated voice reads a random number, but it did not work that way.
Why are agree and disagree in quotation marks?
Use KeePassXC + KeePassDX (Android).
2FA and an auth key are the only way for the future.
Passwords should be phased out progressively.
Is anyone using (or at least acquainted with) SQRL? (The site gives off strong '90s vibes, but one can look past that.)
I thought it to be an interesting technique, got the Android app once I got an Android phone and created a key.
Now I silently wait for the method to be used in the wild.
Yes, I use 2FA, then I break my phone screen.
Not using it
Yes, I use 2FA (Google Authenticator) on both websites and ssh login.
My servers ssh/PAM setup are
I use nullok (Google Authenticator) and Match Users/Group in sshd_config to disable 2FA for users or a group on servers where scripts log in via ssh.
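What the sshd_config and PAM layout described in this post looks like in practice, as an added example that is not the poster's own configuration. The group name `automation` is an assumption, and the distribution-specific `@include` lines in `/etc/pam.d/sshd` are omitted.

```conf
# Added example (not from the thread): key + TOTP for people, key only for scripts.

# /etc/pam.d/sshd
# nullok: a user with no ~/.google_authenticator file is let through without a code.
# Keep it only while people are still enrolling; once everyone has a file, drop it.
auth required pam_google_authenticator.so nullok

# /etc/ssh/sshd_config
UsePAM yes
PasswordAuthentication no
# "ChallengeResponseAuthentication yes" on OpenSSH older than 8.7
KbdInteractiveAuthentication yes
# Default for everyone: public key first, then the PAM challenge (the TOTP prompt)
AuthenticationMethods publickey,keyboard-interactive

# Accounts that scripts log in as (group name "automation" is hypothetical):
# public key only, so the TOTP prompt never appears and nullok is not relied on.
Match Group automation
    AuthenticationMethods publickey
```

The Match block is the safer of the two mechanisms for script accounts: it limits the exception to a named group, whereas `nullok` silently exempts every account that has not enrolled yet. Run `sshd -t` after editing and keep an existing session open until a fresh login with both factors succeeds.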
I actually maintain a cheap cellphone with a dirt cheap plan just for 2FA purposes. No data on it, just talk and text.
I don't use my main phone for 2FA.
I will enable TOTP anywhere supported. Security is the most important thing.
I think enabling 2FA is the best way to secure your accounts.