Two factor authentication in some scenarios are actually helping thieves a lot

 ( carlcolt | 2018. október 10., szerda - 12:22 )


iPhone lost scenarios:

Imagine you only have an iPhone, no iMac, no MacBook, no iPad. Or you lose the bag with your iPhone and iPad

2014: Apple ID, Password, Find My iPhone login, "lost"

2018: Apple ID, Password, - "see the two factor auth code on your iPhone" --> "okay, we can also send it in SMS" (new sim card from provider is losing a lot of time here, also SMS) --> "lost" after lots of extra annoyance and thief had more time to reset everything


Lost Android phone - similar

But sometimes it is enough to fly your laptop to another country. You can report to a bank, that it is safe that you are using next week your card in another country, but there is no such option for Google.

And sometimes you just need the access. 10 people know the same password for emergency as they all need to login via GMail somewhere. And you cannot even opt out of Google's security features. In case of Apple's ones it is also problematic, like I need two factor auth for "iMessage in the cloud" for no reason at all.

In case of banks it is still really needed to have the two factor auth. They need to pay a lot if someone pays instead of you. Better ones use their own token generators, not a plain text SMS catchable on air. That's fine.

But needing two factor auth to report an iPhone lost or "enable iMessage in the cloud" and Google accounts blocking access from other countries "just for a simple email address" even if the password was correct for the first time - this is wrong.

Common misconception: "if something is more annoying, it is more secure"

This theory failed many times:

-rotating time limited passwords --> passwords on post it
-unmemorable passwords (instead of FOurWordsW1thL33t) --> passwords on post it
-security questions (pre-defined list of very few elements, not even custom editable) --> easy to find answers on social media account of lots of users

Hope IT world will realise that two-factor authentication (apart from banks) forced to everyone and made it close to impossible to opt-out even for power users is not the solution either. We want our "I know what I'm doing and what I'm risking" buttons back, that's all

To be constructive: the best working solution so far:

You have 10 attempts in 24 hours then you are locked out for 24 hours to attempt any new password or you need very serious documents (Passport level) to identify yourself earlier. There the only risk is ones using the same password for more services. But an awareness campaign against using the same password everywhere would be much more useful than forcing two factor auth where it does not belong to.

Hozzászólás megjelenítési lehetőségek

A választott hozzászólás megjelenítési mód a „Beállítás” gombbal rögzíthető.

Illene linkelni az eredeti forrást, ha nem te írtad.


En irtam

A two factor auth mondjuk ne a telefon legyen amirol magarol elered azt a contentet amihez kell a two factor.

Nekem yubikey van beallitva pl. Illetve van 10 kinyomtatott sec kodom ha esetleg szuksegem lenne ra.



"After successfully ignoring Google, FAQ's, the board search and leaving a undecipherable post in the wrong sub-forum don't expect an intelligent reply."

akkor megnyugodtam, hogy a google authenticator-ral nem tettem rossz lora...

"dolgozni mar reg nem akarok" - HZuid_7086 'iddqd' zoli berserk mode-ba kapcsol

Meg az azert is jo, mert opt-in.

En az auto enabled annoying feature-okrol irtam rosszat.