2FA is a problem


ArgonianVoter

kiwifarms.net
Joined
Feb 24, 2025

"please give us your phone number or credit card, pleeeeeese."
these companies are out of control, it would be less dangerous to be scammed than to give most of them your phone number or credit card, and less and less of them allow the usage of an email anymore.

2FA is becoming more and more mandatory on the web, and that's a bad thing.
GitHub mandates it now and is continuing to "boil the frog" until every developer will be forced to comply; even those like me who try to escape to places like Bitbucket or GitLab;
Facebook, Azure, Cloudflare, Discord, Dropbox, Google Cloud Services, WildApricot, have all made it mandatory in some capacity, and many others are now mandating it, they'll go after developers first then they'll come for normal users.

they do this so that they can collect your phone number, credit card/debit card, device, alternative email, etc so that they can sell the information to vendors or store them in their own database in order to advertise to you themselves or get you to purchase micro-transactions.

my advice is that if you can avoid 2FA then do so; it's not a very good security measure anyways as it has a "single point of entry" protocol leaving it vulnerable to MITM attacks anyways.
unless it's for a financial institute you also have the right to complain.

it has nothing to do with your security, it is only about stealing more of your data for resale. feel free to post other sites below that also mandate 2FA that I didn't list off.
 
I will go even further and say 1FA is a problem. Fuck you and your account making, I just want to get into your site, get what I need and get out. Don't force me to sign up and log in if I want to
  • view a link
  • use your shitty search function that probably just uses google results
  • download anything
  • enter a (non-premium/members) part of the site
 
I will go even further and say 1FA is a problem. Fuck you and your account making, I just want to get into your site, get what I need and get out. Don't force me to sign up and log in if I want to
  • view a link
  • use your shitty search function that probably just uses google results
  • download anything
  • enter a (non-premium/members) part of the site
B-bbut their data is so valuable!! Think of all the AI devs that could pay them for it!
 
I will go even further and say 1FA is a problem. Fuck you and your account making, I just want to get into your site, get what I need and get out. Don't force me to sign up and log in if I want to
  • view a link
  • use your shitty search function that probably just uses google results
  • download anything
  • enter a (non-premium/members) part of the site
Sites like Scribd. I'll never register there, and I've sometimes had to download stuff from it that I couldn't find anywhere else, so I used the inspector and saved the preview images one by one.
I never understood why phones are considered so secure to begin with.

What if someone steals your phone? You're both locked out, and they have access.
They're not, but every boomer CEO fell for the hype of smartphone apps. It was probably an intentional planned push from banking cartels trying to get people used to using a phone for money, so they could more easily push a CBDC or government-issued token currency using smartphone wallets. This would be more useful in the long term for the government than just collecting data from your smartphone.
The other benefit is data collection and location tracking.
Of course standalone hardware tokens (code generators) are the most secure method, much more than any internet-connected communication device, but they can't track you or implement a digital currency with them, so they're not useful to them.
"please give us your phone number or credit card, pleeeeeese."
That's not 2FA, that's just them wanting your PII. Banks, payment processors were required to KYC a long time ago. A phone number is a form of it, CCN a stronger form.
 
Obviously Discord Dicksore.

It's the reason why I stopped using that worthless shit. If you don't have your phone number in it, and you send like 2-3 friend requests to people that are within a server you're also in (for each one, a CAPTCHA will prompt), it will "detect suspicious activity" and completely and irredeemably lock you out, asking you to verify with a phone number.

butwait.gif

If you try to give it to them, an error message might pop up with "Invalid phone number" that no, you can't fix by doing what a YouTube tutorial told you to do. If you thought this was a mistake and want to contact support, forget it, it is impossible to contact a human (or one that has at least 2 braincells), locking you out of the account permanently.

Not even after wanting to relinquish such data you'll be able to fix it, it's atrocious.
 
The bad thing is that phone verification is being forced more and more. First of all, it's just blatant data mining. Second of all, SMS 2FA is insecure. Once you get SIM swapped, you're fucked. In case of proper 2FA which relies on token codes, it's actually safe as those codes are only generated locally from software installed on a given device, so you'd have to gain physical access to it to be able to get the 2FA codes. In fact, KeePassXC/KeePassDX support token based 2FA TOTP codes, and while keeping them right next to your passwords, if you choose this method, invalidates the point of 2FA, it's still a valid defense method against database leaks. Let's say that there's a password leak. Will some random Brahjeet or Ivan get into your account? No, because they need that 2FA code, and that's one of the main reasons why 2FA is good, even if you don't isolate it from your passwords. Obviously if your password database gets leaked and gained access to then you're SOL either way, so it's up to you to keep it away from untrusted networks and keep a strong main password on it.
 
The bank I work at implemented 2FA and it broke the entire fucking system because most bank customers are tech illiterate boomers or are sub iq apes who instantly forget their passwords and security questions.
It also doesn't help when retards don't fucking update their phone numbers and then chimp out when the 2FA fails.
 
TOTP is fine, especially if you're allowed to make a long-lived session.
WebAuthn/Passkeys are pretty cool too except YubiKeys are pricey and MS Entra still has no default enablement for it.

SMS/Mail auth is cancer, easy to intercept and subvert, and everyone who glows in the dark will know when and how you use the service.

TAN-lists are based and Kaczynski-pilled.
 
That's pretty much the reason why everything sucks now.

Just say "boomer CEO" and everything makes more sense.
if you think "boomer CEO's" were the ones that figured out data selling and are on the gold rush for it because of their gayish fiduciary duty.
you are wrong.
it's the silicon faggots that are to blame for this.
 
if you think "boomer CEO's" were the ones that figured out data selling and are on the gold rush for it because of their gayish fiduciary duty.
you are wrong.
it's the silicon faggots that are to blame for this.
Of course not all, just some of them. Then most of them fell for social media, then giving away all their personal info to whoever wants in on the internet, then the remaining boomer CEOs sold out to big tech. It started a long time ago, in the late 80s to early 90s, in all tech fields, computer hardware and software. Local computer HW and SW makers were outcompeted by big multinationals (most from Silicon Valley) using unfair and often outright criminal market practices.
 
Second of all, SMS 2FA is insecure. Once you get SIM swapped, you're fucked.
Fuck my bank, it's the one 2FA I can't manage with Aegis: I can get 2FA via phone number and be vulnerable to SIM swapping, or I can install their app and be locked in to phones that support it; also, if my phone breaks I'm fucked, no backups or physical SIM swaps to save me!

I wish to God that my bank would support a proper cryptographic 2FA solution that was application and platform-agnostic. Yes, some boomers would save their 2FA key in "safe secure password manager no virus" and lose their credentials, but they're hopeless anyway, I've seen their opsec, and I'd get better security and the capacity to back up my 2FA key vault!
 