Sick of 2FA
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
-
Company IT plan was to put everything on MS auth. So all of the following 1. Email 2. Computer log in 3. Slack My question was not answered when I asked how someone who got locked out of their PC due to a pwd change was supposed to request assistance.
Something similar but with a bigger collateral damage: The Insider News[^]
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
Company had to dich such authentication for two reasons... Not all have a smart phone to use that grate app to authenticate Some refused to use personal phones
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." ― Albert Einstein
-
Company IT plan was to put everything on MS auth. So all of the following 1. Email 2. Computer log in 3. Slack My question was not answered when I asked how someone who got locked out of their PC due to a pwd change was supposed to request assistance.
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
I feel your pain, not a fan of all the "work" involved. However... Setting up 2FA is the way to go to avoid having your account compromised. The Hello 6-digit pin probably only works on your machine, while your password roams across devices. The way Slack handles it requires a hacker to have access to your Slack and email account, which is another barrier. 2FA can usually be set up in a way that remembers your location or device, so you don't have to authenticate every minute. Like it or not, about 99% of hacks could've been avoided by 2FA. Not because it's impossible to get past 2FA, but because it's a lot harder, so hackers tend to simply move on to someone who doesn't have 2FA.
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
-
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
Even Banks lately ASSUMES an Adroid/iOS device to run their "MoneyApp" to do stuff, I rocked up with a MobiCell, they had to go fetch them old card re-encoder from the back room to assist me after I threw my toys all over their support lines. Back to 2FA: I got to love BitWarden (1Password apparently also) as it include the TOTP (google auth) thus I have less to type/search/etc. and best of all: As I have BitWarden "everywhere" (after my password - long one and only pass I remember :D ) I don't worry about them phones getting lost/stolen anymore
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
We have the same crap. I have to change my Windows password every 3 months. This also means that most of my applications require a new 2FA login. So by the end of the day, I have about 20 messages on my personal phone. (I'm not 'important enough' to get a work phone) And for elevated stuff, we have a Yubi key, and for Google crap we have another electronic key. :omg: Where are the days that I could turn on my computer and just start working? I dreading the day that it requires a vial of blood to log-in :((
-
We have the same crap. I have to change my Windows password every 3 months. This also means that most of my applications require a new 2FA login. So by the end of the day, I have about 20 messages on my personal phone. (I'm not 'important enough' to get a work phone) And for elevated stuff, we have a Yubi key, and for Google crap we have another electronic key. :omg: Where are the days that I could turn on my computer and just start working? I dreading the day that it requires a vial of blood to log-in :((
JohaViss61 wrote:
I'm not 'important enough' to get a work phone
I had that problem too. Except that whilst people with work phones could have them on their desks, those of use without work phones were not allowed to have personal mobile phones in the office. So, for 2FA, one had to leave the office, go to the lockers to get you personal phone. write down the 2FA code, get back to the office and hope that the activation code had not expired before you could use it.
-
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
I insisted on a hardware token for 2FA - I am not keen on relying on a personal mobile device for any work as I have had a phone malfunction on me before.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
old fashioned passwords for old fashioned hackers. :doh: MFA/2FA is essential these days, whether you like it or not. I, personally, like it. It's way better than just a plain old password. Passwords get bought and sold every day on the dark web, etc. Our software shop is in the process of converting all of our existing legacy web apps to use MFA. We already have 2FA at work for all work related accounts. Its not a hassle at all.
-
I feel your pain, not a fan of all the "work" involved. However... Setting up 2FA is the way to go to avoid having your account compromised. The Hello 6-digit pin probably only works on your machine, while your password roams across devices. The way Slack handles it requires a hacker to have access to your Slack and email account, which is another barrier. 2FA can usually be set up in a way that remembers your location or device, so you don't have to authenticate every minute. Like it or not, about 99% of hacks could've been avoided by 2FA. Not because it's impossible to get past 2FA, but because it's a lot harder, so hackers tend to simply move on to someone who doesn't have 2FA.
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
It's also possible to add extra security to your email account if it comes to that. I dislike the interruption that 2FA requires, but it's probably a good thing, forcing me out of auto-think into actually looking at what I'm doing at a time when my attention should be on the task at hand (logging in securely) instead of my original task (the reason for logging in). Security is increasingly important in this world of cyber criminals, so I just cuss quietly and get the thing done. I do think companies should choose tools that do not require their employees to use their personal phones, but that is going to take push-back from the employees, so it's on them. I think I'll start to do that for the two apps we use that require me to use my phone (one is even owned by my company, so that ought to be easier :laugh: )
-
old fashioned passwords for old fashioned hackers. :doh: MFA/2FA is essential these days, whether you like it or not. I, personally, like it. It's way better than just a plain old password. Passwords get bought and sold every day on the dark web, etc. Our software shop is in the process of converting all of our existing legacy web apps to use MFA. We already have 2FA at work for all work related accounts. Its not a hassle at all.
-
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
Three bosses ago, I had a company phone for about a year. I received one company call and one company text (both from my boss) during that time. During one of the cost-reduction manias that followed, it was decided I no longer needed a company phone (which was a Samsung Galaxy). They also decided to 'economize' on the most current iPhone, but I digress.
Software Zen:
delete this; -
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
-
Three bosses ago, I had a company phone for about a year. I received one company call and one company text (both from my boss) during that time. During one of the cost-reduction manias that followed, it was decided I no longer needed a company phone (which was a Samsung Galaxy). They also decided to 'economize' on the most current iPhone, but I digress.
Software Zen:
delete this;And IMO I don't think cost reduction will stop any time soon. Despite what the TV says. Companies are even more brazen with nagging people about sales these days. I get spammed a lot more than I did 5 years ago, and despite the lies from TV there's a reason for that and price increases.
Jeremy Falcon
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
One employer demanded I use my personal phone for Visual Studio 2FA authentication because his wasn't recognized by Microsoft as a valid number. I refused, he yelled at me, I refused again. He went to the next underling who was too scared to refuse and used her phone. I now have another employer, a huge company that has initiated 2FA, expecting me to install Microsoft's MFA app on my phone. (And yes, they demand you have an Android phone or an iPhone.) Rather than use my cell phone I installed Android Studio, created a virtual phone, and used it to help me figure out how to write my own. I now have a tiny program that puts the 6-digit code onto the clipboard (with a beep so I'm sure it ran) whenever I click its Quick Launch icon. Works great. It seems to me that an institution's database of users' secret keys (or their generator algorithm) is just another target for hackers. I have a hard time appreciating how this really increases security. - Owen -
-
And IMO I don't think cost reduction will stop any time soon. Despite what the TV says. Companies are even more brazen with nagging people about sales these days. I get spammed a lot more than I did 5 years ago, and despite the lies from TV there's a reason for that and price increases.
Jeremy Falcon
Jeremy Falcon wrote:
Especially with WFH now, those waters about to get mo' muddy
Yup. I use my personal machine to Remote Desktop to the machine on my desk and work from there. This keeps the corporate IT yabbo's mitts off my box, especially the McAfee malware they insist on using. Somebody was definitely schtupping someone else when that deal went through.
Software Zen:
delete this; -
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
I've told all my bosses that if you want me to use a phone for business then you have to provide the phone. I refuse to put business apps on my personal computers (phones included). My company is really good about this, so they have key fobs for the people without smart phones, and issue decent smartphones with management approval.
Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere
-
Amen. I worked in a classified government vault so (A) we can't bring cell phones into our office and (B) personal email websites are usually unavailable. So getting 2FA codes is quite challenging...
-
I feel your pain, not a fan of all the "work" involved. However... Setting up 2FA is the way to go to avoid having your account compromised. The Hello 6-digit pin probably only works on your machine, while your password roams across devices. The way Slack handles it requires a hacker to have access to your Slack and email account, which is another barrier. 2FA can usually be set up in a way that remembers your location or device, so you don't have to authenticate every minute. Like it or not, about 99% of hacks could've been avoided by 2FA. Not because it's impossible to get past 2FA, but because it's a lot harder, so hackers tend to simply move on to someone who doesn't have 2FA.
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
