
Sick of 2FA

  • J Jeremy Falcon

    To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.

    Jeremy Falcon

    Matt Bond
    wrote on last edited by
    #24

    I've told all my bosses that if you want me to use a phone for business then you have to provide the phone. I refuse to put business apps on my personal computers (phones included). My company is really good about this, so they have key fobs for the people without smart phones, and issue decent smartphones with management approval.

    Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere

    • P PSU Steve

      Amen. I worked in a classified government vault so (A) we can't bring cell phones into our office and (B) personal email websites are usually unavailable. So getting 2FA codes is quite challenging...

      snorkie
      wrote on last edited by
      #25

      Without giving away any secrets (if you can), how did you 2FA in that situation?

      Hogan

      • Sander RosselS Sander Rossel

        I feel your pain, not a fan of all the "work" involved. However... Setting up 2FA is the way to go to avoid having your account compromised. The Hello 6-digit PIN probably only works on your machine, while your password roams across devices. The way Slack handles it requires a hacker to have access to your Slack and email account, which is another barrier. 2FA can usually be set up in a way that remembers your location or device, so you don't have to authenticate every minute. Like it or not, about 99% of hacks could've been avoided by 2FA. Not because it's impossible to get past 2FA, but because it's a lot harder, so hackers tend to simply move on to someone who doesn't have 2FA.

        Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript

        snorkie
        wrote on last edited by
        #26

        And how many people have their email on their phone already logged in (Gmail)? If you have somebody's phone, you have all of their security.

        Hogan

        • S snorkie

          And how many people have their email on their phone already logged in (Gmail)? If you have somebody's phone, you have all of their security.

          Hogan

          Sander Rossel
          wrote on last edited by
          #27

          So make sure you have your phone locked well. I'm pretty sure most hacks aren't done by stealing someone's phone, though. A brute force attack or unencrypted database leak is far more common. Especially in that last scenario, 2FA is your only protection. You can whine and make excuses all you want, but 2FA is simply a security best practice that may save your life one day :)

          Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript

          • E englebart

            MS Auth has a URL you can visit to reset your password. Security questions or some other method, but probably won’t work if you forgot to set it up.

            jochance
            wrote on last edited by
            #28

            If I recall, and it is the same, it has a favorite color secret question to which the answer must be at least 5 letters. "oh you mean my favorite if my first two are eliminated by a restriction I have no idea even exists at the point you are asking me to answer a challenge?" Oh yeah? Green then.

            • S snorkie

              Without giving away any secrets (if you can), how did you 2FA in that situation?

              Hogan

              Slacker007
              wrote on last edited by
              #29

              In many top secret locations where personal digital devices are not allowed, they "usually" provide an RSA SecurID dongle or something similar, and that is stored at the government site and does not leave there, usually. That is how it was done back in the day, not sure how it is done now, but I would be surprised if it is much different.

              • J Jeremy Falcon

                To make it worse, now you're expected to use your personal phone for work, for that reason. Used to be keeping things separate was the way to go.

                Jeremy Falcon

                sasadler
                wrote on last edited by
                #30

                Nope, my cell phone is for MY use. I still had a land line so that was the only phone number the company had for me. Since they didn't have my cell number, any 2FA at work went through the company phone on my desk. The 'important' people at work had company-provided cell phones and I was glad not to be considered 'important'. My boss would get work-related calls as late as 10pm.

                • S snorkie

                  And how many people have their email on their phone already logged in (Gmail)? If you have somebody's phone, you have all of their security.

                  Hogan

                  sasadler
                  wrote on last edited by
                  #31

                  I have never set up my phone to handle my emails just because of that. I have no problems waiting till I get to my home computer to check emails.

                  • E englebart

                    MS Auth has a URL you can visit to reset your password. Security questions or some other method, but probably won’t work if you forgot to set it up.

                    jschell
                    wrote on last edited by
                    #32

                    englebart wrote:

                    MS Auth has a URL you can visit to reset your password

                    So you expect the HR person to know that? Keep in mind there is no way for IT (help) to know there is a problem so they won't be telling them about that. But to be fair, as a developer I am unlikely to even think of that possibility myself. I would expect that my company's IT is responsible for that so I would not even look. I do know for a fact that, at least the way my company AWS account is set up, if my password expires then company help (IT) must reset it. No way for me to do it. So no reason for me not to expect the same.

                    • S snorkie

                      Without giving away any secrets (if you can), how did you 2FA in that situation?

                      Hogan

                      PSU Steve
                      wrote on last edited by
                      #33

                      We still use our personal devices, but have to run out to our car, storage locker, etc, where our phones are and write down the code, then bring it back into the secure location. It sucks.
