• randon31415@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    ·
    3 days ago

    Authentication for my work email: Enter 28 character password, receive sms, enter message, log in

    Authentication for my Battle.net account:

    -Enter email made before 2000 because they don’t let you change email

    -Enter password

    -Get rejected

    -Solve CAPTCHA

    -Try backup passwords, get rejected

    -Request new password

    -Send request to 24 year old email

    -Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email

    -Open newer email, Authenticate older email

    -open old email, Put in code to battle.net

    -Battle.net requests Authenticator code from Battle.net app

    -Open battle.net app (no requests)

    -Try manual code, doesn’t work

    • Realize Battle.net app Authenticator not connected

    -Try to connect Battle.net app Authenticator to account

    -Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator

    -Close Battle.net app

    -Open Blizzard Authenticator

    -Close warning that this app got depreciated in January

    -Enter manual code

    -it works

    -Attempt to change password to password I first attempted

    -Won’t let me use same password

    -Try logging in using that password

    -Still doesn’t work - Solve one more CAPTCHA

    -Change password to backup password and back to original password - have to solve 2 more Captchas

    -Finally works

    -Log in

    • λλλ@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 days ago

      That just kept going. I feel you, but maybe try a password manager? You open it up, type blizzard and it tells you exactly what password you used. Even better, it can generate really good passwords for you.

      I use bitwarden.

  • Chaotic Entropy@feddit.uk
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    3 days ago

    So many services still don’t even offer 2FA at all. Any service that stores payment information and PII without any 2FA options, let alone a secure one, at this point are a disgrace.

  • someguy@pleroma.someotherguy.xyz
    link
    fedilink
    arrow-up
    210
    arrow-down
    1
    ·
    5 days ago

    @return2ozma @technology
    10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don’t want competition.

  • archchan@lemmy.ml
    link
    fedilink
    English
    arrow-up
    42
    arrow-down
    5
    ·
    4 days ago

    I hate forced 2FA that you can’t disable anyway. I don’t want to waste time waiting for an insecure text, I don’t want to input an unencrypted code you sent to my email, I don’t want to click your damn notification that runs through Play Services, and no I’m not enrolling in passwordless auth. I don’t need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.

    • Charlatan@lemm.ee
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      4 days ago

      Yeah. So you, myself, and some others are the exception to the rule. But, you can’t look at it that way because its a ‘lowest common denominator’ problem. The least secure of us means we are all only as secure. Others need to be hand held.

      It’s definitely time to raise all boats and drop SMS 2fa like a hot rock.

      • rottingleaf@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 days ago

        The most natural authentication mechanism for humans is a key. That thing you carry with yourself. A physical key containing, well, the actual secret (shouldn’t be retrievable, should be used for decrypting access request and signing the response) that, maybe combined with your password (another natural for humans authentication mechanism) or maybe, yes, TOTP, gives you access.

        Like those “security keys” Imperial officers in Jedi Outcast carry with them. Maybe a bad example.

        Phone numbers are used as identifiers because governments like it, nerds don’t like it, and normies explicitly like what nerds don’t like and also want everything to be insecure, they call it “having nothing to hide”.

        Also “normal and social” people have that idea that their social prowess is more elegant, smarter at ensuring their security that those dumb and boring nerd technical solutions. So them always choosing things logically opposite of sane, like social media instead of forums, and phone numbers instead of any other identifier, is literally a matter of principle. It’s really not that hard to use something else. They do the stupidest possible thing technically to prove a point that you only have to do the smart thing socially. I mean, in Galileo Galilei’s case the other side of the disagreement is generally considered right, but that’s not an argument effective in society.

        I should admit that I’ve been doing the opposite - the stupidest possible thing socially to prove a point that only technical sense matters, which is why nobody would send me encrypted mail except Facebook with its notifications, and nobody would write me in Tox, and nobody would even contact me via XMMP. Which is why I’m now using TG, VK, FB, WA and Signal for communication, of these Signal is secure, and WA is kinda better than the rest of them.

      • Kairos@lemmy.today
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        4 days ago

        You can apply this logic to nearly anything with very bad consequences.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 days ago

      is already using TOTP.

      A lot of things are moving to phishing-resistant technologies like FIDO2/WebAuthn or passkeys. All my important accounts, like my password manager, are secured using Yubikeys (one that I keep with me and one as a backup in a secure place).

  • finitebanjo@lemmy.world
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    2
    ·
    edit-2
    4 days ago

    The end of an era.

    Or actually, probably not until we redo whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn’t be using a 45 year old system for almost all communications.

    • Agent641@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      edit-2
      3 days ago

      Use Telegram.

      Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)

      • finitebanjo@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 days ago

        I guarantee you that is the opposite of a solution, old man encryption is very easily hacked by other old men for spoofing, redirecting, or listening.

  • Uriel238 [all pronouns]@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    57
    arrow-down
    3
    ·
    edit-2
    5 days ago

    Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

    Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

    We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.

      • Uriel238 [all pronouns]@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        5
        ·
        4 days ago

        Extraordinary Rendition is the euphemism from the aughts from which the movie Rendition was titled. It means taking your detainee somewhere else, often across national borders, to a black site, usually to do things there for plausible deniability (e.g. we don’t torture in the United States )

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          4 days ago

          Looks like I missed that movie, I’ll have to check it out.

          And I don’t think I’ve ever heard the term “rendering” used in that context, I guess we just used other terminology. Thanks!

  • rarbg@lemmy.zip
    link
    fedilink
    English
    arrow-up
    62
    ·
    5 days ago

    Oh man it sure would be nice if the feds had the power to regulate something like this /s

    • da_peda@lemmings.world
      link
      fedilink
      English
      arrow-up
      52
      arrow-down
      3
      ·
      5 days ago

      They did. That’s the reason for this hack, they wanted Lawful Interception, they got their backdoor. It’s what professionals and privacy advocates said all along, if it exists it will be abused.

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        5 days ago

        This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.

          • capital@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            5 days ago

            Thanks for bringing receipts. In stark contrast to my experience on Reddit, Lemmings usually seem allergic to showing their work for some reason.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              10
              ·
              5 days ago

              Yeah, I don’t get it. I go out of my way to provide sources even before being asked.

              What’s really frustrating is when others users criticize me for providing evidence that could be used to counter my claim. I’m not trying to win arguments, I’m trying to show my work so others can correct me if I missed something. I’m here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jives w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.

          • granolabar@kbin.melroy.org
            link
            fedilink
            arrow-up
            5
            ·
            4 days ago

            The public broohaha surrounding that event makes me think Apple is providing a back door and this psyop was to make people comfortable trusting Apple.

            Just a theory though. But apple is all proprietary so nothing is stopping them from doing whatever they want or what ever FISA order said.

            • Screen_Shatter@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              4 days ago

              I still don’t trust them, especially when they announced they were scanning images. I don’t really care their reasons for it, that’s intrusive. I can’t trust any closed source tech, no matter what they say.

    • Agent641@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      3 days ago

      Something you know, something you are, something you have, and something you saw in a dream once when you were a kid at summer camp during a feverish Dr Pepper-overdose-driven fitful sleep at age 12.

  • Cocodapuf@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    1
    ·
    edit-2
    4 days ago

    Since when was sms ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient’s carrier both have the opportunity to intercept messages.

    I mean that’s the message content, not the authentication, but still, sms is the opposite of secure, always has been.

    • brie@programming.dev
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      4 days ago

      Not true. SMS is encrypted in 3G, LTE, 5G. Block cyphers like Kasumi and A/9 are used. SMS is reasonably secure, because it’s hard to infiltrate telecom systems like S7

      • john89@lemmy.ca
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        3 days ago

        because it’s hard to infiltrate telecom systems like S7

        cough You can pay a few grand and get access to SS7 networks.

        Might be out of reach for most of us, but we can rest assured that any and all security firms and goverrnment agencies have access to this information at a moment’s notice.

        • brie@programming.dev
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 days ago

          Simply paying is not sufficient. You need to be a telecom company, or a researcher afaik.

          In what world would the US gov care to get into your bank account? Or your Facebook account when it’s already tightly controlled?

        • brie@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 days ago

          Watch the video again to see how hard it was for Derrick to get access. He got it via his telecom/academia researcher contact.

      • Abnorc@lemm.ee
        link
        fedilink
        English
        arrow-up
        5
        ·
        4 days ago

        It’s hard, but not hard enough from what I’ve been able to gather. We should want something better IMO. I’m surprised that TOTP isn’t more common.

        • brie@programming.dev
          link
          fedilink
          English
          arrow-up
          4
          ·
          4 days ago

          S7 will be retired or extended with access control. TOTP apps don’t work for edge cases like broken phone. Dedicated token devices get lost. SMS will continue being the main solution for 2FA.

          • JasonDJ@lemmy.zip
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            3 days ago

            Nah what we need is good privacy-focussed companies getting into the public IAM space.

            You know how you can sign into stuff with your Google or Facebook account? And get a 2FA push to your phone?

            Like that. Except by a company with a shred of ethics and morality. Like Proton.

            I do also think that we all should have a cryptographically secure federally issued identity for official uses such as signing documents or signing into financial accounts and other things that must use your official identity, and not an online pseudonym. Like SSN but on a smartcard. Basically CAC or ECA but for general civilian use.

            • brie@programming.dev
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 days ago

              Proton is already used for identity management: OTP via email. They’ll implement OAuth if there’s enough demand for it. A company’s purpose is to be profitable, ethics side is largely irrelevant.

              Many countries already have digital government ID: Australia, Estonia, Russia.

              • JasonDJ@lemmy.zip
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                2 days ago

                A company’s purpose is to be profitable, ethics side is largely irrelevant.

                Maybe so, but companies such as Proton’s biggest asset is their reputation…a reputation of being privacy-focussed. Without that they are nothing, and they know that. As a result, they try to live up to that reputation as well as possible.

                Being as it was started by Sir Tim Berners-Lee (among some of CERN’s other founding fathers of the web) is just icing on the cake.

          • HotChickenFeet@sopuli.xyz
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 days ago

            You can use TOTP with multiple devices. For example with an app on your phone and something like KeePass on your laptop/desktop.

            Still not convenient since you don’t walk around with this in your pocket - but it doesn’t have to be just one point of failure.

            • brie@programming.dev
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 days ago

              What about people who only have one device? Kids, elderly, people with only work computer.

              • HotChickenFeet@sopuli.xyz
                link
                fedilink
                English
                arrow-up
                2
                ·
                3 days ago

                I agree, it’s not a perfect system. Even if you do have multiple devices - you may be locked out if you lose your phone while traveling, can have multiple failures.

                Although I don’t know what is remotely secure and is elderly friendly. Email or SMS 2FA would have been the closest in mind, but it’s not secure, and plenty of elderly struggle with both.

                • brie@programming.dev
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  2 days ago

                  Pedantic types always mention that secure is only relevant in the context of a particular threat model. The elderly can use hardware authentication like those RSA devices or ubikey. Unfortunately, this is expensive, and banks don’t believe there’s demand for that. Would you switch banks for this feature?

    • Screen_Shatter@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      5 days ago

      SMS spoofing and SIM swapping have been around for ages. It was never secure and that’s always been known. The number of companies that rely on it despite sending me a zillion other fucking useless emails is too damn high! Email, or better yet, an authenticator app, are far more secure. Not perfect, but better.

      • shortwavesurfer@lemmy.zip
        link
        fedilink
        English
        arrow-up
        5
        ·
        5 days ago

        One big reason I’m hesitant to keep my money in banks is because banks think the best form of two-factor authentication is text message based 2FA and I’m like that’s barely any 2FA at all.

        • Screen_Shatter@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          5 days ago

          My banks are like that too. Of course I can’t speak to anyone who might influence that decision. Steam has better security than almost any other account I have. I appreciate them for that but it also seems ludicrous to me that my video games are more secure than my bank accounts.

          • shortwavesurfer@lemmy.zip
            link
            fedilink
            English
            arrow-up
            4
            ·
            5 days ago

            I keep my money in Monero. That way, it’s me who has to be targeted instead of an institution. And if I fuck up and lose it, it’s my own damn fault.

            • Screen_Shatter@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              4 days ago

              I have some crypto, some stocks, etc. For many things I still need standard banking though. Crypto just isn’t there yet. Maybe someday… But having money distributed is still smart either way, so I have many baskets for my eggs.

        • Screen_Shatter@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 days ago

          https://en.m.wikipedia.org/wiki/SMS_spoofing

          So, it’s not that the message itself is insecure, but the inability to verify the sender makes phishing attacks possible or similar things. I get a text from a random number saying “click this link to pay your bill!” And I don’t have any way to trust its legit.

          SIM swaps make it so people can take over your phone number temporarily and then generate 2fa requests to gain access to accounts. Doing the swap usually involves bribing someone or gaining access to a providers database by other means, but its been done a lot.

          There are ways to prevent this, but the most straight forward is using a MFA app. Barring that 2FA via email is the next best thing.

          • frostysauce@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 days ago

            Forgive my ignorance, aren’t emails sent in plain text that can be read by any of the networks they are passed between? I’ve always been taught email is the least secure of any communication.

            • Screen_Shatter@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              3 days ago

              I’m not a security expert so my ability to explain is limited, but no, emails have long used encryption protocols like SSL to prevent such problems. However, your email provider may scan and read your emails. That’s not much different than a text message service reading those messages, but you can choose your provider. From what I can tell proton.me is the way to go for resolving that issue - they provide encryption which prevents their own machines and employees from being able to read your messages and other data. Otherwise, your email is basically as secure as your passwords are.

  • umbrella@lemmy.ml
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    1
    ·
    5 days ago

    of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas

    • capital@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      5 days ago

      I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.

      • WhatAmLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 days ago

        It was the simplest/cheapest form of 2FA to implement. Grandma will never understand how to setup TOTP.

        Capitalism requires regulations, otherwise it will ALWAYS do what is cheapest or most profitable, regardless of how dangerous or destructive.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      10
      ·
      5 days ago

      Even stupider is supporting hardware keys for MFA, but having SMS fallback which can’t be disabled (looking at you, Vanguard). I’d much rather have email as my second factor than SMS, and I literally abandoned a bank (Ally) for removing email as an alternative to SMS.