• enter password for password manager
• verify from email that it's me signing in from a "new location" (VPN)
• use security key
• use password from manager to sign into actual service
• complete image CAPTCHA
• receive text message with 2FA code
• unlock phone with fingerprint to get code
• access service
@molly0xfff it’s extra fun when you do all that and realize it’s for jerseymikes.com or whatever. Like, yes I know I needed to do all this For Reasons but ffs I just wanted a damn sandwich.
@molly0xfff
Unfortunately, the number of sites doing that seems to increase daily. Logins "expiring" on well protected devices (desktop, mobile) does not help UX.
@molly0xfff Unfortunately, this also drives many people to take any easier route offered, any opt out or same password etc. On top of that, some forms of 2FA not working on some devices etc. There has to be a better way.
@molly0xfff Somebody on here pointed out that "MFA means it requires one thing that you can lose, and one thing that you can forget" and I keep thinking about that.
@unlofl@molly0xfff My phone screen stopped working last week. This meant logging into Google required me to dig up an old tablet that was still signed in because:
I couldn't verify from push (can't tap the phone)
I couldn't verify from text (OTP doesn't get pushed to my watch)
@molly0xfff a not insignificant number of the population does not have a viable biometric. Missing fingerprints, damaged retinas, missing digits or dna (twins/chimera).
@molly0xfff and at the end: "we'll just ignore the fact that you did MFA and lock you out because 'we noticed something different' (VPN) because we trust IP address more than actual security"
@molly0xfff wonder if there is a form of digital security that could utilize human network recognition- where you verify who you by showing who you know…. This feels really important for children and elders whose primary caregivers manage their digital data.
@molly0xfff
Wait wait wait... Your online password manager forces 2FA on you?? Not only that but it's email?? I like @keepassxc more and more every day. I keep the file where I want it. #infosec @svenja
@juliewebgirl no, I choose to use 2FA with my PWM, and I use a security key. But they do occasionally also add an email check if they think I'm somewhere unusual (which is somewhat often given the VPN), but that's not in replacement of the 2FA. The SMS 2FA was for the service I was eventually trying to log into
@juliewebgirl recoverable if you replace the device. i think of all steps in that flow that are susceptible to unrecoverable loss, it'd be the security key, not the phone
Bank app freaks out because different IP (seriously, we're a mobile society with constantly changing IPs, this is really Failure Point 1™) and send an SMS
You're in limbo till phone arrives.
Phone replacement takes days, possible weeks if you can't afford the deductible till your next paycheck.
@molly0xfff To unlock my password manager I have to login to the company Okta with password but also 2FA that involves answering a phone call on my mobile phone (which I have to unlock).
To access a software I use every day I also have to use the VPN.
@molly0xfff My collogues look at me like im an idiot when i do my 24 step process when logging in from a new device... and its understandable... but it brings peace to my soul :)
Add comment