The rise of 2FA
Discussion
Right I’m pissed off
Giffgaff have now forced this, so when logging onto your account you have no choice. Stupid f***ers. On some things I want it, e.g. PayPal; on some things, e.g. a mobile phone SIM-only account, I don't. It should be my choice on my various services, depending on what I want to do. Gradually it's spreading "for security".
Don't get me started. Work has implemented this, so now I have to put my password in my phone every day, then authenticate it; I also have to do this on my laptop and iPad.
I wouldn't mind, but my authenticator times out because work decided we need 20-character passwords, so it's a f***ing nightmare that takes up 10 minutes every morning.
I often think: what's the worst thing that can happen if I don't log in to my email in the morning?
Yes, it’s essential for some things but annoying for others. Similar to British Gas putting me through the mill when they asked me to supply two different passwords ‘for security’. I told them that was ridiculous because if someone wanted to log in and pay my energy bills, they were more than welcome.
There are so many dim-witted implementations out there. I can't stand it. And the muppetry people like you usually get in HR etc. will stupidly say "for security" even though they haven't got a bloody scooby.
In this particular case I manage the Giffgaff accounts of two other people: my daughter, and an OAP (my mum) who barely knows how to find her Gmail. My mum can't f***ing understand all this s***, but now what? She would have to get a code etc.? She doesn't even know about this; her phone just works.
Also, does anyone know, as I'm half-heartedly interested: is it possible for 2FA to only be enabled for purchases/transactions above a certain amount (if you were setting up a shop/website)? Cos that would solve this type of crap. Enable it above 50 quid or whatever, fine. But not for adding 10 quid on the shagging account, for God's sake.
I still remember the fun it caused us at work when one of the big mobile operators changed their PAYG top-up process so that, in order to complete the top-up payment, you had to enter a passcode sent to the SIM you were topping up.
Which isn't much good when the SIM you're trying to top up is sat inside a prototype embedded system nowhere near the PC you're sat at trying to complete the top-up process. And even if the system had been sat right next to me on my workbench, accessing the passcode would still have been non-trivial given that, as an embedded cellular gateway for a voice-band comms system, it had no use for SMS and so no native way to display them. Not that
And bear in mind that this passcode was required *only* to top up the SIM; it wasn't required in order to log into the account page and gain access to all of the other information present there - my name and contact details, SIM details etc. Quite why they felt it unnecessary to 2FA-protect *that* information, whilst making it more difficult to allow someone to give them money, remains one of those mysteries in life. Suffice it to say, we moved to a different SIM provider shortly after... Not that the loss of our business would have been seen even as a rounding error on their balance sheets, but you do have to wonder a) how many customers were similarly negatively impacted by this change, and b) how many others genuinely benefitted from it.
CoolHands said:
There are so many dim-witted implementations out there. I can't stand it.
This is the issue: many use a very cheap and nasty method, and it's clunky to the point I would close my account for anything I use regularly. Surprisingly, our work IT have it really slick: it pops up as a notification on my phone with a yes or no button. If our IT dept can manage this then surely anyone can.
CoolHands said:
There are so many dim-witted implementations out there. I can't stand it. And the muppetry people like you usually get in HR etc. will stupidly say "for security" even though they haven't got a bloody scooby.
Our council does 2FA for a few things - but they send the two passwords on the same letter....
I quite like 2FA, as it speeds up getting into stuff so long as you have your phone with you and the fingerprint reader set up. I run informal admin on my wife's IT too, and 2FA makes that much easier as I only need to know her phone PIN rather than all her various passwords for stuff.
I'm not entirely sure how that makes it more secure though.
My top tip though is to keep a bit of sandpaper in your pocket in case you're kidnapped, so you can remove your fingerprints before they remove your finger.....
WindyMills said:
Our council does 2FA for a few things - but they send the two passwords on the same letter....

Plus, of course, two passwords isn't 2FA. At the very minimum it should require at least two of something you know (a password), something you own (your phone), and something you are (your fingerprint). And even then the password is easily the weakest.
deckster said:
Plus, of course, two passwords isn't 2FA. At the very minimum it should require at least two of something you know (a password), something you own (your phone), and something you are (your fingerprint). And even then the password is easily the weakest.
When I worked for a data processing company, a possible customer sent me two pages of questions on how we handled data security. We got the contract.
The customer then sent me, by normal 2nd class mail, a package containing a USB memory stick protected by two passwords. The enclosed letter stated both passwords.
I sent them back a copy of their sheet of questions with a request for it to be returned, completed, ASAP. They weren't amused.
Don't get me started....
I work for two clients, both requiring a mass of 2FA for email/VPN/system access etc., so I now have about 4 apps on my phone to be able to log into these applications (many being reliant on other 2FA, i.e. the application doesn't work without the VPN etc.).
That is all mildly irritating; however, the other day my phone stopped working and I couldn't get another one for a day or so, so I was unable to work for a couple of days whilst I sorted a new phone and got it set up. I tried to order one online, but it then needed the transaction approving in the app... on my phone.
We use 2FA for VPN connections, local logins, admin logins and RDP. We use Duo for this because of its simplicity.
The push prompt gives you a big red X to reject and a big green tick to approve.
If a user forgets their phone we simply put them on bypass until they have it in their possession. It's not cheap when you scale it ($50 per user per year), but it's so easy to use that we have never had one complaint about it in the years we've been running it.
I have to log on to the work laptop as normal, then connect to the VPN via an authenticator app (luckily I can use face/fingerprints) to get into Outlook/MS Teams, then have to further input different usernames and passwords to be allowed onto the 'sensitive' intranet pages that I use every day... which use the same authenticator, but separate session tokens.
...and the sessions expire every 60 minutes.
I'm waiting for the next in the Terminator franchise... Terminator 2FA... that comes back in time to wipe out humanity when they can't access their own bank accounts to pay for food & water.
Edited by mmm-five on Monday 20th June 10:35
Paft Dunk said:
Seems to me GiffGaff is exactly the kind of account you want 2FA on, given that if someone was able to access your online GG account and initiate something like a SIM swap or number porting, that exposes a vulnerability in all other sites that use SMS as an authentication method?
^^Exactly.
Keep in mind too that a lot of people are awful with their own online security.
I get the frustration, as I share it myself sometimes, but I also get that it's pretty difficult for the sites and services involved to know the IT literacy levels of their customers.
Overall it's a good thing.