• fucking annoying
  • can’t believe they sold people that it’s BETTER to have to get your phone out to login
  • incredibly annoying
  • if you’re using this willfully you’re clearly just as worried about security as before anyway
  • companies love having real phone numbers to pair with ‘their’ data
  • iwasgodonce@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    I like yubikeys since it means I don’t have to pull out my phone. totp on the laptop also works well enough.

    sms based 2fa is the worst. it seems like to me every ceo and other non-technical c-level person I’ve known personally loves sms based 2fa though because they can’t figure anything else out.

    • Uprise42@artemis.camp
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      They like it because it’s cheap and easy. They pay a phone provider for the 4 digit phone number and type in a script to generate a random code and text it. There is no oversight or maintenance.

      Pairing with an Authenticator app is easy, but a little more work. Pairing with a mobile app can get a little tougher and require development plus maintenance in making sure the app cannot be spoofed and works with updates. Using a physical drive for 2FA is a pain in the ass to set up. From a business standpoint, 2FA only needs to work enough to remove liability from your business. If someone spoofs your cellphone number that’s on the phone provider not them so that’s enough to remove liability

      • HubertManne@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Microsoft gave the option to call and you hit pound. I prefered that overall. works with any kind of phone.

        • Uprise42@artemis.camp
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Phone numbers can be spoofed and calls can be redirected. Or, even better, conditional call forwarding is supported by most carriers. It can be set up and you’ll never know. Then they get the phone call and not you

            • atocci@kbin.social
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Right but the point they’re making is it’s a lot easier for a third party to intercept a code that has to be sent to you than it is for them to get the code from an authenticator app since they’re generated on your device. At that point you pretty much need physical access to the phone.

              • HubertManne@kbin.social
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                im osrry so a hacked device would not show the authenticator code? I really don’t see the difference here. Again its not each bit being so un breachable as much as they would have to have to breach both parts. I really don’t think its taht easy to redirect all the calls that are supposed to go to my phone.

                • atocci@kbin.social
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  One is much easier to accomplish than the other and doesn’t give the target the same chance to realize something is going on.

                  • HubertManne@kbin.social
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    1 year ago

                    I don’t think thats necessarily true. If diverting phonecalls were so easy there are a bunch of reasons outside of two factor attacks that it would be used for.