Sick of 2FA
-
old fashioned passwords for old fashioned hackers. :doh: MFA/2FA is essential these days, whether you like it or not. I, personally, like it. It's way better than just a plain old password. Passwords get bought and sold every day on the dark web, etc. Our software shop is in the process of converting all of our existing legacy web apps to use MFA. We already have 2FA at work for all work related accounts. Its not a hassle at all.
-
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
Three bosses ago, I had a company phone for about a year. I received one company call and one company text (both from my boss) during that time. During one of the cost-reduction manias that followed, it was decided I no longer needed a company phone (which was a Samsung Galaxy). They also decided to 'economize' on the most current iPhone, but I digress.
Software Zen:
delete this; -
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
-
Three bosses ago, I had a company phone for about a year. I received one company call and one company text (both from my boss) during that time. During one of the cost-reduction manias that followed, it was decided I no longer needed a company phone (which was a Samsung Galaxy). They also decided to 'economize' on the most current iPhone, but I digress.
Software Zen:
delete this;And IMO I don't think cost reduction will stop any time soon. Despite what the TV says. Companies are even more brazen with nagging people about sales these days. I get spammed a lot more than I did 5 years ago, and despite the lies from TV there's a reason for that and price increases.
Jeremy Falcon
-
My employer switched from a local domain server to one based in Azure. This essentially made my machine new to me. I hand to find/re-install all my programs. Worse than all of that is the insane number of 2FA requests required to use my machine. And it seems like where we used to have username/password, companies are creating their own stuff. Slack assumes your email is secure and only requires a username now, then emails you a temp password. BitBucket was authenticated so long on my machine, I didn't realized I had 2FA, but not text based. I had to dig through my phone to find an app I've used about twice to find the code before I could view source code. Windows thinks the Hello 6 digit pin is more secure than my password. I think I'm done ranting now. But seriously, just bring back good old fashioned passwords.
Hogan
One employer demanded I use my personal phone for Visual Studio 2FA authentication because his wasn't recognized by Microsoft as a valid number. I refused, he yelled at me, I refused again. He went to the next underling who was too scared to refuse and used her phone. I now have another employer, a huge company that has initiated 2FA, expecting me to install Microsoft's MFA app on my phone. (And yes, they demand you have an Android phone or an iPhone.) Rather than use my cell phone I installed Android Studio, created a virtual phone, and used it to help me figure out how to write my own. I now have a tiny program that puts the 6-digit code onto the clipboard (with a beep so I'm sure it ran) whenever I click its Quick Launch icon. Works great. It seems to me that an institution's database of users' secret keys (or their generator algorithm) is just another target for hackers. I have a hard time appreciating how this really increases security. - Owen -
-
And IMO I don't think cost reduction will stop any time soon. Despite what the TV says. Companies are even more brazen with nagging people about sales these days. I get spammed a lot more than I did 5 years ago, and despite the lies from TV there's a reason for that and price increases.
Jeremy Falcon
Jeremy Falcon wrote:
Especially with WFH now, those waters about to get mo' muddy
Yup. I use my personal machine to Remote Desktop to the machine on my desk and work from there. This keeps the corporate IT yabbo's mitts off my box, especially the McAfee malware they insist on using. Somebody was definitely schtupping someone else when that deal went through.
Software Zen:
delete this; -
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
I've told all my bosses that if you want me to use a phone for business then you have to provide the phone. I refuse to put business apps on my personal computers (phones included). My company is really good about this, so they have key fobs for the people without smart phones, and issue decent smartphones with management approval.
Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere
-
Amen. I worked in a classified government vault so (A) we can't bring cell phones into our office and (B) personal email websites are usually unavailable. So getting 2FA codes is quite challenging...
-
I feel your pain, not a fan of all the "work" involved. However... Setting up 2FA is the way to go to avoid having your account compromised. The Hello 6-digit pin probably only works on your machine, while your password roams across devices. The way Slack handles it requires a hacker to have access to your Slack and email account, which is another barrier. 2FA can usually be set up in a way that remembers your location or device, so you don't have to authenticate every minute. Like it or not, about 99% of hacks could've been avoided by 2FA. Not because it's impossible to get past 2FA, but because it's a lot harder, so hackers tend to simply move on to someone who doesn't have 2FA.
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
-
And how many people have their email on their phone already logged in (gmail). If you have somebody's phone, you have all of their security.
Hogan
So make sure you have your phone locked well. I'm pretty sure most hacks aren't done by stealing someone's phone though. A brute force attack or unencrypted database leak is far more common. Especially in that last scenario 2FA is your only protection. You can whine and make excuses all you want, but 2FA is simply a security best practice that may save your life one day :)
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
-
MS Auth has a URL you can visit to reset your password. Security questions or some other method, but probably won’t work if you forgot to set it up.
If I recall, and it is the same, it has a favorite color secret question to which the answer must be at least 5 letters. "oh you mean my favorite if my first two are eliminated by a restriction I have no idea even exists at the point you are asking me to answer a challenge?" Oh yeah? Green then.
-
In many top secret locations where personal digital devices are not allowed, they "usually" provide a RSA SecureID dongle or something similar and that is stored at the government site and does not leave there, usually. That is how it was done back in the day, not sure how it is done now, but I would be surprised if it is much different.
-
To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.
Jeremy Falcon
Nope, my cell phone is for MY use. I still had a land line so that was the only phone number the company had for me. Since they didn't have my cell number, any 2fa at work went through the company phone on my desk. The 'important' people at work had company provided cell phones and I was glad not to be considered 'important'. My boss would get work related calls as late as 10pm.
-
And how many people have their email on their phone already logged in (gmail). If you have somebody's phone, you have all of their security.
Hogan
-
MS Auth has a URL you can visit to reset your password. Security questions or some other method, but probably won’t work if you forgot to set it up.
englebart wrote:
MS Auth has a URL you can visit to reset your password
So you expect the HR person to know that? Keep in mind there is no way for IT (help) to know there is a problem so they won't be telling them about that. But to be fair as a developer I am unlikely to even think of that possibility myself. I would expect that my company's IT is responsible for that so I would not even look. I do know for a fact that at least the way my company AWS account is set up if my password expires then company help(IT) must reset it. No way for me to do it. So no reason for me not to expect the same.
