I just hate that some apps/services require 2FA. My 32 random characters which are unique to each service are secure enough. Adding another service on top just increases risk (as shown here; Authy was never going to do anything to protect me, but it has now leaked info about me.)
No. TOTP MFA’s mechanics make it a significant security improvement regardless of how impressively large (???) your password is. It doesn’t inherently implicate “another service”. That’s the beauty of it. This issue is SPECIFICALLY due to forced use of Authy. Forced MFA for high-value accounts is a good thing. “A long password will protect me” is 2006 thinking.
Not the parent, but I write recovery codes down and store them in a safe at my home.
The difference compared to a password is that these recovery codes are single-use, used only in exceptional cases and physically air-gapped. On the other hand my password is multi-use, is used daily by me and in the event of a breach will be exposed to the attacker.
I will know if someone steals my recovery codes. I'll have no idea if someone gains knowledge of my password though.
> Forced MFA for high-value accounts is a good thing.
No. I agree that MFA is a big improvement and I use it for many of my accounts, but I still don't want you forcing me to do something "for my own good".
Make it the default or show me scary warnings, but still give me the option to make my own decision in the end. Sometimes, it's okay for convenience to take precedence over security, and the user is the only one who should make that determination.
Well, phishing attacks are still prevalent and they're still at the top for compromising credentials. And phishing attacks have evolved. Most of them will hijack your session, which will make TOTP useless (FIDO will protect you though).
I just don’t buy the argument that because most sophisticated attacks exist, then 2FA isn’t useful.
2FA protects you from someone getting access to a leaked password. They still can’t connect even with user and password, without doing a very elaborate hack. That’s a huge benefit.
My recollection is that someone reversed their algorithm and they used almost TOTP which hurts me even more because that implies that they knew about the standard and still chose violence
There's this small web portal in Poland that has for years provided a simple free email service (and an instant messenger with the same login) with occasional "messages from our sponsors" in your inbox - you had to tick your "interests" during registration. In time banners started to appear and that was still fine because the Web was still a pretty innocent place and tracking was years ahead of us. At some point the inbox was getting flooded with spam, either the kind you had to have or from outside the service, because the domain was popular and addresses were probably scraped from the associated instant messenger. Then banners started to be aware of inbox content and sponsored messages included tracking - milking your habits and activity became a thing.
Fast forward to some 10 years ago: the service offers a premium plan where you can turn off banners around the inbox, the permanent banners that pretend to be emails at the top of the list. Of course paying turns off only these banners, and sponsored messages and every other spam will pile up. There's a built-in filtering option, but since people started using it to get rid of these mandatory messages it stopped working at all, and any filter entry is a dummy one. At this point it's more an ads and spam gallery with an optional email service. The instant messenger was killed off in 2016 as people preferred global networks, and so were the small but popular discussion forums.
Around the same time the portal was bought by what for years was a bigger competitor of theirs (not the only one ofc). The idea that both portals should use a single login appears. So people saw messages at login saying that you should transfer your account to this unified platform because it's more secure and there are some "benefits". Later, a dark-pattern message was displayed saying that the unified login service will be the only way to use all services including email. And this unified login comes with the company's own 2FA mobile app which you can't replace with a generic generator of any kind. Aaand in the end, nothing really happens. The dark-pattern messages disappear and you can still log into the email with the same plain password you used for years. The 2FA suddenly becomes optional but "recommended". People complaining in App Store reviews about login issues and the fact that no generic generator works are suggested to talk with support, where apparently something can be arranged.
My hot guess is that the company believed that domestic service popularity combined with a mandatory 2FA app that does collect a lot of additional unnecessary information would provide a steady source of money for this service. People accustomed for years to an attractive short local domain won't force themselves to move elsewhere. But that didn't work as planned and honestly, I don't know how they managed to survive till today.
I did create a few addresses there, but over the years I managed to move elsewhere; what was once cool and fast and plausible became obnoxious to use.
If you remember poczta o2 you surely remember the tlen emoticon: [10ton] - that's the best way to sum up what happened to this portal and service.
All the big email services in Poland (WP, Onet, Interia, O2, ...) were always crap riddled with ads. I don't know why people still stick with them instead of migrating to something like Gmail.