Char Jackson <none@none.invalid> wrote:
> On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
> wrote:
>
> >On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
> >
> >> I hate 2FA.
> >
> >
> >Double ditto.
>
> *shrug* 2FA is fine with me. I appreciate the extra security. It's
> possible, even likely, that my password could become compromised, most
> likely due to a data breach, but it's not likely that someone will have
> both my password and my phone.

Indeed. In many cases extra security/privacy is essential, i.e. for
example bank transactions, medical/private information, etc., etc..

So the question is really, does a particular activity need 2FA/2SV and
if so, what is the most practical 2FA/2SV method for the user?

While smartphones are used more and more, most organizations should be
able to offer SMS as a (less secure) 2SV method.

> I guess it goes without saying that my phone goes where I go. For me,
> there's no such thing as "go look for my phone".

I'm still less tied to my phone, but if I'm using my laptop, the phone
is close by and if I'm using my phone, ... :-)

VanguardLH <V@nguard.lh> wrote:
> Char Jackson <none@none.invalid> wrote:
>
> > On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
> > wrote:
> >
> >>On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
> >>
> >>> I hate 2FA.
> >>
> >>
> >>Double ditto.
> >
> > *shrug* 2FA is fine with me. I appreciate the extra security. It's
> > possible, even likely, that my password could become compromised, most
> > likely due to a data breach, but it's not likely that someone will have
> > both my password and my phone.
> >
> > I guess it goes without saying that my phone goes where I go. For me,
> > there's no such thing as "go look for my phone".
>
> Since mobile devices are now generate 68% of Web traffic (i.e., most Web
> users are on phones), the users are on the same phone to which the 2FA
> code gets sent via text. Someone that stole your phone whether
> temporarily or permanently gets the 2FA code to complete the login to
> get into your accounts. So, logging in by phone and getting the 2FA
> code on the same phone obviates the entire 2FA scheme, and you're left
> with just the login credentials used in the first place. In fact, there
> are apps used with 2FA to facilitate its use on phones.
>
> Oh, yeah, that's secure, like leaving the keys in your car that
> facilitates its theft.

Don't bash what you don't use and don't know how it works and is used.

Your horror scenarios don't exist, at least not for users with a clue.

In short: The phone is locked when not in use, so it can't be (ab)used
when someone steals it.

And as AJL mentioned, the '2FA hoopla' is *less* with a smartphone,
because for most services, you only do the 'hoopla' only *once* per
service. (Some services also offer 'only-once' 2FA for non-phones, i.e.
computers/laptops. Google (account/Gmail/others?) is an example.)

And BTW, you say '2FA' all the time, but what you see/use is probably
mostly 2SV, 2 *Step* (not Factor) Verification. In many cases, the
difference between 2FA and 2SV is not too important, but sometimes it
is, especially in cases where 2SV can be somewhat easily circumvented.

Bottom line: *If* a service requires 2FA/2SV when there no real
security/privacy concern, you are right to complain. Likewise if a
service requires a smartphone and doesn't offer SMS-fallback or some
such.

[Much deleted.]

VanguardLH <V@nguard.lh> wrote:
[...]
> It's obvious you are using your phone for the majority of your Web
> transactions. My phone only get used when I'm away from home and not at
> work; else, I move up from a toy computer to a desktop PC. That your
> phone stores a 2FA token is irrelevant to phones that don't, and to
> desktop PC users. While mobile devices now generate 68% of Web traffic,
> I still use my desktop PC as my primary computing platform. That's why
> 2FA is a nuisance to me. I have no intention to moving to my phone as
> my primary web surfing or computing platform. I know a lot of phone
> users consume bandwidth watching videos on their phones. I don't want
> videos on my phone.
>
> Your focus is you using your phone to use all those web-centric apps.
> My focus is me using my desktop PC for all those Web activities. As
> mobile devices have taken over the Web, us desktop users are getting
> nuisanced more and more.

*If* a particular service requires 2FA/2SV because of the needed
security/privacy for that service *and* it doesn't offer SMS-fallback or
some other non-smartphone fallback, *then* you are indeed "getting
nuisanced".

Else, you will just have to live with the reality that password-only
is no longer secure enough for those situations. Don't like it? Tough,
blame it on the crims.

On 6/26/23 15:16, VanguardLH wrote:
> Peter Jason <pj@jostle.com> wrote:
>
>> From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?
>
> My bank forced me to 2FA (two-factor authentication) which incorporates
> my smartphone. Yeah, every time I want to login using a web browser on
> my desktop PC, I have to go find my phone. There's no option to opt out
> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
> regarding what host from where I login. Instead I have to enter the
> code into their login that got sent via text to my phone. The 2FA code
> expires in a few minutes, or immediately upon use. I hate 2FA. Means
> my desktop PC is tied to my phone.

The intended effect of security measures is to make things hard to use.
You hope that this has a stronger effect on criminals. It's not always
like that.

--
Mark Lloyd
http://notstupid.us/

"If God exists, what objection can he have to saying so?" [Lemuel K.
Washburn, _Is The Bible Worth Reading And Other Essays_]

On 6/27/2023 2:07 AM, VanguardLH wrote:

> It's obvious you [AJL] are using your phone for the majority of your
> Web transactions.

Nope. I use the same sensitive apps and websites requiring 2FA on many
of my toys (devices) including Chromebooks, Android tablets,
Windows laptops, and my phone of course.

> My phone only get used when I'm away from home and not at work;
> else, I move up from a toy computer to a desktop PC.

I'm retired (31 years now) so my phone gets used everywhere, but then
not all that much these days...

> I still use my desktop PC as my primary computing platform. That's
> why 2FA is a nuisance to me.

YMMV.

> I know a lot of phone users consume bandwidth watching videos on
> their phones. I don't want videos on my phone.

Videos on phones are great babysitters when out and about with the
grandkids/greatgrandkids. Well worth the bandwidth IMO...

> As mobile devices have taken over the Web, us desktop users are
> getting nuisanced more and more.

Not sure what you mean here. Things seem much better to me now than in
my good old DOS days...

On Tue, 27 Jun 2023 08:17:33 +0100, Graham J <nobody@nowhere.co.uk>
wrote:

>VanguardLH wrote:
>> Peter Jason <pj@jostle.com> wrote:
>>
>>> From ebay, the bank and others in Outlook365
>>>
>>> "a new device is using your account"
>>>
>>> Does this mean I am using a different browser?
>>
>> My bank forced me to 2FA (two-factor authentication) which incorporates
>> my smartphone. Yeah, every time I want to login using a web browser on
>> my desktop PC, I have to go find my phone. There's no option to opt out
>> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
>> regarding what host from where I login. Instead I have to enter the
>> code into their login that got sent via text to my phone. The 2FA code
>> expires in a few minutes, or immediately upon use. I hate 2FA. Means
>> my desktop PC is tied to my phone.
>
>My phone has to live by the window in the front room, being the only
>place where it gets a signal. So even less convenient.

No WiFi at your house? Or are you saying your phone can't do what it
needs to do with -only- WiFi?

I don't have an overly strong cellular signal at my house, especially
indoors, but I have a WiFi mesh system that works everywhere inside the
house, plus the entire back yard, side yards, garage, driveway, and
front yard. As a result, if I'm anywhere in or near the house, I have
excellent coverage.

You can test your phone by enabling Airplane mode, which disables all
radios, then enable just the WiFi to see if your phone can do everything
you expect of it. If it's a relatively recent model, say within the past
5 or 10 years, I expect it will do just fine and you'll no longer need
to worry about windowsills.

Worst case, if you have an older or lower end phone, you might be able
to contact your provider and request a mini-cell or femto-cell or
whatever they call it. It's a small device, usually provided on request
at no charge, that uses your Internet connection for backhaul and
provides a usable cell signal where you need it.

On 27 Jun 2023 10:41:02 GMT, Frank Slootweg <this@ddress.is.invalid>
wrote:

>Char Jackson <none@none.invalid> wrote:
>> On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
>> wrote:
>>
>> >On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
>> >
>> >> I hate 2FA.
>> >
>> >
>> >Double ditto.
>>
>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>> possible, even likely, that my password could become compromised, most
>> likely due to a data breach, but it's not likely that someone will have
>> both my password and my phone.
>
> Indeed. In many cases extra security/privacy is essential, i.e. for
>example bank transactions, medical/private information, etc., etc..
>
> So the question is really, does a particular activity need 2FA/2SV and
>if so, what is the most practical 2FA/2SV method for the user?
>
> While smartphones are used more and more, most organizations should be
>able to offer SMS as a (less secure) 2SV method.
>
>> I guess it goes without saying that my phone goes where I go. For me,
>> there's no such thing as "go look for my phone".
>
> I'm still less tied to my phone, but if I'm using my laptop, the phone
>is close by and if I'm using my phone, ... :-)

Thanks, Frank. I appreciate another voice of reason.

On Tue, 27 Jun 2023 04:07:25 -0500, VanguardLH <V@nguard.LH> wrote:

>AJL <noemail@none.com> wrote:
>
>> On 6/27/2023 12:09 AM, VanguardLH wrote:
>>> AJL <noemail@none.com> wrote:
>>>> On 6/26/2023 9:10 PM, VanguardLH wrote:
>>
>>>>> Someone that stole your phone whether temporarily or permanently
>>>>> gets the 2FA code to complete the login to get into your
>>>>> accounts.
>>
>>>> The thief would have to know my lock screen code to enter my phone
>>>> before they could do ANYTHING. (They only get 15 tries before a
>>>> factory reset.) That alone should give me enough time to deactivate
>>>> it and transfer my number (and any 2FAs) to a new phone.
>>
>>> So, you've just described how 2FA is even a more nuisance on your
>>> phone. To get the 2FA code sent to your phone, you have to first
>>> unlock it.
>>
>> The phone is already unlocked because you have to first put in the
>> correct password to the new app before the 2FA is sent. But I only have
>> to do it once per new app that requires it. So I haven't needed a 2FA in
>> some months now. However if I get a new device there will be lots of
>> 2FAs needed for the same apps that are installed on the new device.
>>
>>> In addition, how do you copy-n-paste the 2FA code sent in the text to
>>> the web login form on your desktop PC to complete the login?
>>
>> I memorize the code (it's just a few numbers) for the few seconds it
>> takes for me to enter it for the new app.
>>
>>> Should the hacker reset your phone, your phone still has the same
>>> phone number.
>>
>> Nope. I will have cancelled it within an hour of the theft.
>>
>>> The hacker gets to use your phone just as when it was new, and gets
>>> the 2FA code on a login attempt.
>>
>> He can't get a 2FA sent without knowing the CORRECT app password.
>>
>>> So, the 2FA code (until it expires) remains stored on your phone.
>>> If someone grabs your phone while using it, it isn't yet locked.
>>
>> True. But all my sensitive apps still require a password to use.
>>
>>> Seems storing the 2FA token on the device defeats the purpose of
>>> 2FA. Why bother with 2FA if the same token gets repeatedly used?
>>
>> Many apps can be set to require 2FA every time for added security. But I
>> think the one time 2FA is a good compromise between security and ease of
>> use.
>>
>>> My bank sends me a 2FA. It is THEIR choice on expiration, not
>>> yours, because they track the 2FA code they issued on their side.
>>> They expire the 2FA code in something like 10 minutes.
>>
>> I can get the 2FA code entered in seconds so that's not a problem for
>> me. Like my other apps my bank apps now only require a password since
>> the device they're on has been 2FA certified...
>>
>> Another advantage of 2FA: If I get one that I didn't request I know that
>> someone has entered the CORRECT password on one of my apps on his
>> phone/device. Time to change that password...
>
>It's obvious you are using your phone for the majority of your Web
>transactions.

I see that that was an incorrect assumption in AJL's case. It would also
be an incorrect assumption in my case.

What's clear is that all of this is a nuisance to you because you don't
understand how it all works. When you log in to a service (on your
desktop PC) that requires 2FA/2SV (thanks, Frank), and the service sends
a code, typically 6 or 4 numeric digits, in an email or text or
whatever, it's not a big stretch to view the code on your phone and type
it into your desktop browser.

Receiving a code on your phone doesn't mean you have to use the browser
on your phone. That may have been the basis of your misunderstanding.

On Tue, 27 Jun 2023 02:09:04 -0500, VanguardLH <V@nguard.LH> wrote:

>AJL <noemail@none.com> wrote:
>
>> On 6/26/2023 9:10 PM, VanguardLH wrote:
>>
>>> Someone that stole your phone whether temporarily or permanently gets
>>> the 2FA code to complete the login to get into your accounts.
>>
>> The thief would have to know my lock screen code to enter my phone
>> before they could do ANYTHING. (They only get 15 tries before a factory
>> reset.) That alone should give me enough time to deactivate it and
>> transfer my number (and any 2FAs) to a new phone.
>
>So, you've just described how 2FA is even a more nuisance on your phone.
>To get the 2FA code sent to your phone, you have to first unlock it.

How do you unlock your phone? If unlocking is a nuisance, perhaps you
could start there to relieve some of your pain. There are fingerprint
sensors, facial recognition, 4-digit PIN codes, etc. How is any of that
a nuisance?

>So, another step to implement 2FA. In addition, how do you copy-n-paste
>the 2FA code sent in the text to the web login form on your desktop PC
>to complete the login?

I don't want to speak for you, but in my case it's not a mental stretch
to view a 6-digit numeric code on my phone and type it into an app,
usually a browser page, on my PC.

836549 - I can view that on my phone and type it on my PC keyboard, no
problem. It's a one-time use, so no need to commit it to long-term
memory.

4613 - some codes are only 4 digits. My mental clipboard has no problems
with those, as well.

313 - I even had one where it was only 3 digits. Most people can look at
3 digits and remember it long enough to turn their head back to their PC
and type it.

[Rest deleted as it shows that you don't understand this stuff. I'm sure
you're not alone!]

KenW wrote:
> Forgot, their original 2FA worked fine. It screwed up when they tried
> to add inputting three letters that messed it up. DOPES !
>
>
> KenW

Security and safety are ruining many things.
NHS for one. Doctors and nurses spend so much time and energy on it
(covering their asses for what might occur) that patient queues grow and
grow.
Window-cleaning. We had an excellent couple of cleaners, but they got
replaced for "safety reasons". Now we have some drips with poles and
tubes; and they leave the windows dirtier than when they start, as well
as destroying flowers and fences as they pull the tubes around.
Lost in a maze of restrictions. So many people these days just give in.
Instead of the pride that used to motivate the better workers, we have a
dismal drippiness of couldn't-care-less; engendered by that vast list of
health and safety restrictions.

Ed

Char Jackson <none@none.invalid> writes:

> *shrug* 2FA is fine with me. I appreciate the extra security. It's
> possible, even likely, that my password could become compromised, most
> likely due to a data breach, but it's not likely that someone will have
> both my password and my phone.
> I guess it goes without saying that my phone goes where I go. For me,
> there's no such thing as "go look for my phone".

But when your phone gets broken, you just CAN'T log in with the desktop
when the phone is needed for extra authentication.

--
Jukka Lahtinen

Char Jackson <none@none.invalid> wrote:

> What's clear is that all of this is a nuisance to you because you don't
> understand how it all works. When you log in to a service (on your
> desktop PC) that requires 2FA/2SV (thanks, Frank), and the service sends
> a code, typically 6 or 4 numeric digits, in an email or text or
> whatever, it's not a big stretch to view the code on your phone and type
> it into your desktop browser.

Sorry, my phone is not grafted to my hand, attached to me at all times,
in my pocket, or otherwise always with me. I have to go find my phone
to bring to my desktop PC to complete the 2FA login.

And it seems everyone else has never encountered a dead phone because
it's battery got drained. Just how do you get a text on a dead phone?

Amazing the kowtowing to which users have become accustomed. Not a big
stretch to look at a phone after opening a text to eyeball the 2FA
string to enter in a login field on the desktop PC. That such is not a
nuisance means you're been well engrained in being nuisanced. As this
crap gets worse, you'll get trained more in kowtowing more.

> Receiving a code on your phone doesn't mean you have to use the
> browser on your phone. That may have been the basis of your
> misunderstanding.

No, not what I said. When logging in using a web browser on my deskto
PC, and a site forces 2FA:

- Go get my phone to bring to my desktop PC.
- If my phone is dead, attach it to a charger, and wait until there is
enough charge for the phone to be usable.
- Unlock the phone.
- Open the text.
- Get my reading glasses to read the text. My arm is not as long as my
desktop monitor is far away.
- Eyeball the 2FA code to manually copy into the waiting login screen
in the web browser on my desktop PC. Of course, there is never any
error in manually copying a string. Oops, didn't like the code I
entered, try again.

While I'm whole, this would be a bitch of a process for a paraplegic, or
a blind person with a desktop PC setup for the blind but having to read
a text on a phone.

Today it's tethering your phone to your desktop PC to complete 2FA
logins. Tomorrow they'll add another hardware device, like a USB stick,
and then they'll want you to upgrade to a phone with retinal, voice, and
finger biometrics to verify you are allowed to see the 2FA code. And
one and on goes the acts in the security theater.

Imagine the same stupidity when trying to enter your locked car. Insert
key, wait until a text shows up on your phone (after powering it up,
charging it, or unlocking it), get a code to use on a pad next to the
key slot, you've got 1 minute to enter the correct code, you flubbed the
code, but now that code is unusable and you have to flick the key again
to restart the process. Instead of using the key to enter in a moment,
you spend 15 minutes trying to get into your car. Yep, sounds like a
comedy skit, but not really funny if some other hardware was forcibly
involved in using the key to get into your car.

Also remember that texting is NOT a guaranteed delivery service. Just
because the site said it would send you a text to give you the 2FA code
doesn't mean you actually get the text, or that delivery is immediate.
You could be waiting for several minutes waiting to get the text, or you
never get it, and have to tell the site the resend the code.

You could be vacationing in your cabin where you have cable Internet
service, but no cell towers within reach. You see the login page, they
force 2FA, but there are no cell towers in your area. You need to do a
bank transfer to pay a critical bill, but a tornado took out the nearby
cell tower. And now we have to deal with malcontents that roam around
with cell/wifi jammers. Your Ethernet connection is working just fine,
but you'll won't get the text with the 2FA code, so you wait and wait.

On 28-Jun-2023 8:54 am, Jukka Lahtinen wrote:
> Char Jackson <none@none.invalid> writes:
>
>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>> possible, even likely, that my password could become compromised, most
>> likely due to a data breach, but it's not likely that someone will have
>> both my password and my phone.
>> I guess it goes without saying that my phone goes where I go. For me,
>> there's no such thing as "go look for my phone".
>
> But when your phone gets broken, you just CAN'T log in with the desktop
> when the phone is needed for extra authentication.
>

My gripe with 2FA is not 2FA as such, but the assumption that Google and
others make that SMS is the only way of doing it. Some of us live in
places where there's no mobile coverage and little interest from telcos
and governments of ever providing it. Some organisations offer 2FA using
automated voice calls over land lines, but very few compared with SMS only.

Char Jackson <none@none.invalid> wrote:

> On Tue, 27 Jun 2023 02:09:04 -0500, VanguardLH <V@nguard.LH> wrote:
>
>>AJL <noemail@none.com> wrote:
>>
>>> On 6/26/2023 9:10 PM, VanguardLH wrote:
>>>
>>>> Someone that stole your phone whether temporarily or permanently gets
>>>> the 2FA code to complete the login to get into your accounts.
>>>
>>> The thief would have to know my lock screen code to enter my phone
>>> before they could do ANYTHING. (They only get 15 tries before a factory
>>> reset.) That alone should give me enough time to deactivate it and
>>> transfer my number (and any 2FAs) to a new phone.
>>
>>So, you've just described how 2FA is even a more nuisance on your phone.
>>To get the 2FA code sent to your phone, you have to first unlock it.
>
> How do you unlock your phone? If unlocking is a nuisance, perhaps you
> could start there to relieve some of your pain. There are fingerprint
> sensors, facial recognition, 4-digit PIN codes, etc. How is any of that
> a nuisance?

That you don't see it is a nuisance exhibits how easy it is to train
consumers to bend over.

I use a fingerprint to unlock. Yet there are times when my phone
doesn't recognize my fingerprint, so I have to try several times. Also,
although fingerprint is enabled, occasionally I'm presented with a
screen to enter the PIN code. When you add fingerprints to the phone,
you are also mandated to enter a PIN. Fingers get damaged. PINs are
occasionally presented as an anti-hack mechanism. And all the while you
are trying to unlock the phone, open the text, and eyeballing the 2FA
code to manually copy, you have not yet logged in, have you? You went
to the site on your desktop PC, and now have to pause the login going
through all this security theater on a different device.

When a site says it will send you a 2FA code, you think that is always
immediate and never fails? I have often waited for the text, it doesn't
show up, and I have to request the site to resend the text. More time
wasted while my desktop is paused waiting to complete a login.

>>So, another step to implement 2FA. In addition, how do you copy-n-paste
>>the 2FA code sent in the text to the web login form on your desktop PC
>>to complete the login?
>
> I don't want to speak for you, but in my case it's not a mental stretch
> to view a 6-digit numeric code on my phone and type it into an app,
> usually a browser page, on my PC.

After clicking the login button in a web page on your desktop PC, how
long before you actually hit another button to enter the 2FA code in
that web page? Is it as instantaneous as from when you clicked on the
login button on the web page? Obviously not. You wait for the site to
generate and send a text. You wait for the text to get to you, and you
may have to request the site to resend if the text doesn't show up in a
few minutes. You get your phone (no, for some folks their phones aren't
grafted onto them), open the text, eyeball the 2FA code, manually punch
it into the login form, and hopefully it worked and you can finally
procede. Now magnify that same delay in login at many site you log
into. It's not just one site that is using 2FA.

> 836549 - I can view that on my phone and type it on my PC keyboard, no
> problem. It's a one-time use, so no need to commit it to long-term
> memory.
>
> 4613 - some codes are only 4 digits. My mental clipboard has no problems
> with those, as well.
>
> 313 - I even had one where it was only 3 digits. Most people can look at
> 3 digits and remember it long enough to turn their head back to their PC
> and type it.
>
> [Rest deleted as it shows that you don't understand this stuff. I'm sure
> you're not alone!]

No, it shows how easily it is to get consumers to bend over.

Frank Slootweg <this@ddress.is.invalid> wrote:

> And as AJL mentioned, the '2FA hoopla' is *less* with a smartphone,
> because for most services, you only do the 'hoopla' only *once* per
> service. (Some services also offer 'only-once' 2FA for non-phones, i.e.
> computers/laptops. Google (account/Gmail/others?) is an example.)

Yep, as I noted, for phone users 2FA is less a nuisance. They're
getting the 2FA code on the same device where they are trying to login.

Guess you've never had a text that went missing, and had to request the
site to resend yet another and different 2FA code. When the site sends
the text is not immediate. Getting texts is not guaranteed, just like
e-mail delivery is not guaranteed.

Instead of hitting the login button, you are interrupted. Amazing how
much you can nuisance users as long as you profess it's for their own
good.

Want to delete a file. Get a prompt asking if you really want to
delete. Answer yes. Get another prompt asking if your really sure you
want to delete. Answer yes. And repeat. Want to login? Hold on while
we send a 2FA code that you get on a wholly different platform and then
have to convey the info to the prior platform.

Did I say it was an insurmountable nuisance? No. I said it was a
nuisance, like having swat away gnats on a picnic. That you can do a
thing doesn't mean you should do a thing.

> Bottom line: *If* a service requires 2FA/2SV when there no real
> security/privacy concern, you are right to complain. Likewise if a
> service requires a smartphone and doesn't offer SMS-fallback or some
> such.

I don't like getting forced to conglomerate platforms to commit an
action. Using a desktop PC, but have to incorporate a phone. Well, why
stop there? Add more devices into the login process, and surely it must
be more secure.

Frank Slootweg <this@ddress.is.invalid> wrote:

> Char Jackson <none@none.invalid> wrote:
>> On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
>> wrote:
>>
>>>On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
>>>
>>>> I hate 2FA.
>>>
>>>
>>>Double ditto.
>>
>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>> possible, even likely, that my password could become compromised, most
>> likely due to a data breach, but it's not likely that someone will have
>> both my password and my phone.
>
> Indeed. In many cases extra security/privacy is essential, i.e. for
> example bank transactions, medical/private information, etc., etc..
>
> So the question is really, does a particular activity need 2FA/2SV and
> if so, what is the most practical 2FA/2SV method for the user?
>
> While smartphones are used more and more, most organizations should be
> able to offer SMS as a (less secure) 2SV method.
>
>> I guess it goes without saying that my phone goes where I go. For me,
>> there's no such thing as "go look for my phone".
>
> I'm still less tied to my phone, but if I'm using my laptop, the phone
> is close by and if I'm using my phone, ... :-)

Ah, there lies the rub: the phone is nearby the original platform that
initiated the login. And it must be powered on. And it must not
require charging to become usable. And the site must instantly generate
and send the 2FA code (not true). And you must receive the text
(delivery is NOT guaranteed) to eliminate requesting a resend.

Say you have a car that has both a key lock and numpad on its doors.
You can use either to gain entry. But wait, lets incorporate a phone
into the mix for better, um, security. You turn the key, but the door
doesn't open. You wait for a text to arrive on your phone. You enter
the code using the numpad on the door. Ah, finally you can enter. Oh
yes, the door security has been raised, but amazingly the promise of
higher security means users are most willing to endure the nuisance.

Oops, your phone is off to preserve the battery until you need to use
the phone. Add more delay to power up the phone. Oops, the phone's
battery is dead, so you have to charge the phone enough to power it up.
More delay. You wait for the text. It doesn't show up after a minute,
or longer. More delay. You turn the car key again to resend another
code to your phone. More delay. You still don't get the text, you
retry several times, and more delay on waiting for text that never
arrives. Oh oh, you and your car are in a dead zone. No nearby cell
tower (and they contract with your carrier). Or your car is in a
parking garage, and the cell signal won't penetrate the concrete

2FA relies on the immediate availability of the appended platform
(phone). I have not found phones to be 100% reliable nor 100%
available. I have found SMS to not be 100% reliable on delivery. I
have found sites are not 100% reliable on generating and sending texts.

It's nice you are always in a red zone for cellular coverage. At home,
I'm in a weak zone despite what the carriers claim. If you want to map
signal strength, you can use something like the OpenSignal app. So not
only is there the nuisance of incorporating a second device into a
login, but I might not get the text on my phone unless I go outside and
walk a couple hundred feet away. Yes, oh so convenient. Ah, I could
spend money to construct a tower to install a repeater that I bought to
up the signal strength just to get 2FA to work at home. Yeah, right,
all that expense because of 2FA security theater. And, no, many sites
that foist 2FA have no means of turning it off or electing a different
message delivery scheme, like e-mail (which does not have guaranteed
delivery). They send a text, you must get the text (on a different
device), or you don't get to login.

Mark Lloyd <not.email@all.invalid> wrote:

> On 6/26/23 15:16, VanguardLH wrote:
>> Peter Jason <pj@jostle.com> wrote:
>>
>>> From ebay, the bank and others in Outlook365
>>>
>>> "a new device is using your account"
>>>
>>> Does this mean I am using a different browser?
>>
>> My bank forced me to 2FA (two-factor authentication) which incorporates
>> my smartphone. Yeah, every time I want to login using a web browser on
>> my desktop PC, I have to go find my phone. There's no option to opt out
>> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
>> regarding what host from where I login. Instead I have to enter the
>> code into their login that got sent via text to my phone. The 2FA code
>> expires in a few minutes, or immediately upon use. I hate 2FA. Means
>> my desktop PC is tied to my phone.
>
> The intended effect of security measures is to make things hard to use.
> You hope that this has a stronger effect on criminals. It's not always
> like that.

Yep, more security means less convenience. Those are the antithesis of
each other. However, like kids having lots of time to hack their
parents' computer, criminals are motivated to spend the time to defeat
security measures. If a deadbolt on your exterior door was sufficient
to thwart burglars, why is there still burglarly? How many deadbolts do
you add to your door? Are two really better than one?

Stronger security has the effect of stronger nuisance to non-criminals.
I'm sure you've heard the old complaint "Yeah, let's ban guns from all
our citizens, so only criminals are armed."

A bigger hurdles to criminals means they have to jump higher, but they
will jump higher. Presumably when logging into a site, HTTPS is
employed to encrypt the communication. SMS is not secure. No
end-to-end encryption. SMS does not have guaranteed delivery. The site
supposedly sending the text is not guaranteed to do so. So, yeah,
repurpose an insecure non-guaranteed communication protocol for use in
login security.

https://www.howtogeek.com/709373/why-sms-text-messages-arent-private-or-secure/

There is something else to consider. The premise is that everyone that
does online logins has a phone number. Not true. While the overlap is
likely high, it is not 100%. Yep, there are web surfers that don't have
phones, just like there are homes without a television. If you don't
have a phone, or you don't have a phone with SMS service, but a site
demands they incorporate 2FA, just how are you going to login? I'm not
talking about you or I regarding whether we have smartphones or not.
Some people still have only POTS for a phone, no cell phone, and no
smartphone, either. I'm showing 2FA cripples access for some users.
A billion people don't have a mobile phone, so let's disenfranchise them
from online access by incorporating 2FA. Too many sites don't give
alternate login options. You're screwed if you don't have a smartphone,
pay for cellular service (like using just wifi for calls), live in a
no-coverage zone, are somewhere cell calls can't reach you, or lots of
reasons why your phone is unusable or unavailable at the time you are
trying to log into a 2FA forced site. When it happens to you is when
you'll change your tune.

I remember on a vacation that I couldn't access my e-mail. Gmail saw I
was in a different physical location, and required it send an e-mail to
my alternate e-mail address to click on a confirmation link. Hotmail
was my alternate e-mail. However, I couldn't log into Hotmail because
it saw I was in a different physical location, and wanted to send a
confirmation e-mail to my alternate e-mail address which was Gmail. So,
I was locked out. Couldn't login into Gmail because of its security.
Couldn't login into Hotmail because of the same geolocation security.
Couldn't get the e-mail at either e-mail provider to okay my new
location with the e-mail provider. Couldn't log into either account to
change the alternate e-mail address to Comcast, my ISP, who didn't do
this geolocation security crap. Had to wait until I was back home for
where Hotmail and Gmail would let me login, change my alternate e-mail
address in both accounts to my Comcast account, and later I actually had
a usable account to which the geolocation lockout could send a
confirmation e-mail.

How do I get an SMS text to complete a 2FA login when my phone is
unavailable (lost, stolen, dead battery, at home while I'm somewhere
else trying to login, etc)? Just because I have a smartphone doesn't
mean it will be available at a desktop PC where I'm trying to login.
Does every cellular provider include web access to SMS texts to your
account with them? What if they also incorporated 2FA into their login
process? You're using their web client to see your texts, but they want
to send a 2FA code to your phone that you don't have with you and is the
reason you wanted to use the web client to see your texts.

I can come up with many scenarios, and they aren't that far fetched, of
why 2FA will fail, but you're fucked by a site that demands use of 2FA.
Yeah, let's make logins more secure by adding more devices and using an
insecure and non-guaranteed delivery protocol.

On Mon, 26 Jun 2023 23:55:12 -0400, Paul <nospam@needed.invalid>
wrote:

>On 6/26/2023 11:32 PM, Peter Jason wrote:
>> On Mon, 26 Jun 2023 12:37:47 +1000, Peter Jason <pj@jostle.com> wrote:
>>
>>>
>>>From ebay, the bank and others in Outlook365
>>>
>>> "a new device is using your account"
>>>
>>> Does this mean I am using a different browser?
>>
>>
>>
>>
>>
>> ..I am using Edge "inPrivate", if this matters.
>>
>
>Yes, it matters.
>
>I don't think that keeps cookies, does it ? That is why it is "inPrivate". No cookies.
>
>It looks like, according to this, you can view the cookies in your browser.
>The cookies that are stored at the moment. But making sense of what is in there,
>is another matter entirely (some organizations use more than one domain,
>for tracking you).
>
>https://learn.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/storage/cookies
>
> Paul

I have downloaded the latest MSft upgrade (June 27, 2023—KB5027303)
and way down the list it says.....

*****
This update addresses an issue that affects File Explorer
(explorer.exe). It stops working.
*****

Maybe they've fixed it?

On 6/27/2023 7:32 PM, Peter Jason wrote:
> On Mon, 26 Jun 2023 23:55:12 -0400, Paul <nospam@needed.invalid>
> wrote:
>
>> On 6/26/2023 11:32 PM, Peter Jason wrote:
>>> On Mon, 26 Jun 2023 12:37:47 +1000, Peter Jason <pj@jostle.com> wrote:
>>>
>>>>
>>> >From ebay, the bank and others in Outlook365
>>>>
>>>> "a new device is using your account"
>>>>
>>>> Does this mean I am using a different browser?
>>>
>>>
>>>
>>>
>>>
>>> ..I am using Edge "inPrivate", if this matters.
>>>
>>
>> Yes, it matters.
>>
>> I don't think that keeps cookies, does it ? That is why it is "inPrivate". No cookies.
>>
>> It looks like, according to this, you can view the cookies in your browser.
>> The cookies that are stored at the moment. But making sense of what is in there,
>> is another matter entirely (some organizations use more than one domain,
>> for tracking you).
>>
>> https://learn.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/storage/cookies
>>
>> Paul
>
> I have downloaded the latest MSft upgrade (June 27, 2023—KB5027303)
> and way down the list it says.....
>
> *****
> This update addresses an issue that affects File Explorer
> (explorer.exe). It stops working.
> *****
>
> Maybe they've fixed it?

The last explorer.exe bug I saw, was "Extended Access" adjustments
in the Enterprise version, on a domain. If you were fiddling with
Properties on your Enterprise desktop, then Explorer could rail on
one core (stops working).

That's not supposed to affect regular (non-domain) users.

Paul

On Tue, 27 Jun 2023 23:54:07 +0300, Jukka Lahtinen
<jtfjdehf@hotmail.com.invalid> wrote:

>Char Jackson <none@none.invalid> writes:
>
>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>> possible, even likely, that my password could become compromised, most
>> likely due to a data breach, but it's not likely that someone will have
>> both my password and my phone.
>> I guess it goes without saying that my phone goes where I go. For me,
>> there's no such thing as "go look for my phone".
>
>But when your phone gets broken, you just CAN'T log in with the desktop
>when the phone is needed for extra authentication.

That would be a good point, but I don't remember a time when my phone
was the only option. It's the first and best option, to be sure, but is
it ever the only option?

On Wed, 28 Jun 2023 09:25:57 +1200, malone <malone@nospam.net.nz> wrote:

>On 28-Jun-2023 8:54 am, Jukka Lahtinen wrote:
>> Char Jackson <none@none.invalid> writes:
>>
>>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>>> possible, even likely, that my password could become compromised, most
>>> likely due to a data breach, but it's not likely that someone will have
>>> both my password and my phone.
>>> I guess it goes without saying that my phone goes where I go. For me,
>>> there's no such thing as "go look for my phone".
>>
>> But when your phone gets broken, you just CAN'T log in with the desktop
>> when the phone is needed for extra authentication.
>>
>
>My gripe with 2FA is not 2FA as such, but the assumption that Google and
>others make that SMS is the only way of doing it. Some of us live in
>places where there's no mobile coverage and little interest from telcos
>and governments of ever providing it. Some organisations offer 2FA using
>automated voice calls over land lines, but very few compared with SMS only.

Is your phone not capable of SMS over WiFi? Or, do you not have WiFi
available?

On 28-Jun-2023 3:48 pm, Char Jackson wrote:
> On Wed, 28 Jun 2023 09:25:57 +1200, malone <malone@nospam.net.nz> wrote:
>
>> On 28-Jun-2023 8:54 am, Jukka Lahtinen wrote:
>>> Char Jackson <none@none.invalid> writes:
>>>
>>>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>>>> possible, even likely, that my password could become compromised, most
>>>> likely due to a data breach, but it's not likely that someone will have
>>>> both my password and my phone.
>>>> I guess it goes without saying that my phone goes where I go. For me,
>>>> there's no such thing as "go look for my phone".
>>>
>>> But when your phone gets broken, you just CAN'T log in with the desktop
>>> when the phone is needed for extra authentication.
>>>
>>
>> My gripe with 2FA is not 2FA as such, but the assumption that Google and
>> others make that SMS is the only way of doing it. Some of us live in
>> places where there's no mobile coverage and little interest from telcos
>> and governments of ever providing it. Some organisations offer 2FA using
>> automated voice calls over land lines, but very few compared with SMS only.
>
> Is your phone not capable of SMS over WiFi? Or, do you not have WiFi
> available?
>

Yes, I have wifi and my Samsung Note 10 phone is capable of wifi-calling.

But here in New Zealand our largest ISP provider is pretty primitive and
although offering wifi-calling over my ADSL, it doesn't support SMS just
"voice and video".

https://www.spark.co.nz/help/mobile/understand/wifi-calling/

It's a bit of a joke really.

[snip]

> Not sure what you mean here. Things seem much better to me now than in
> my good old DOS days...
I like the command line, its like telling the computer what to do. A GUI
is more like making a selection from those things the computer wants to do.

--
Mark Lloyd
http://notstupid.us/

Forget about life after death, is there life before death?

On Wed, 28 Jun 2023 08:53:40 -0500, Mark Lloyd <not.email@all.invalid>
wrote:

>[snip]
>
>
>> Not sure what you mean here. Things seem much better to me now than in
>> my good old DOS days...
>I like the command line, its like telling the computer what to do.

Yes, something like that,

>A GUI
>is more like making a selection from those things the computer wants to do.

Perhaps true for same GUIs, but not all. A good GUI can provide all
the possible choices.

And as far as I'm concerned, a good GUI is much faster and easier to
use than the command line.

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > And as AJL mentioned, the '2FA hoopla' is *less* with a smartphone,
> > because for most services, you only do the 'hoopla' only *once* per
> > service. (Some services also offer 'only-once' 2FA for non-phones, i.e.
> > computers/laptops. Google (account/Gmail/others?) is an example.)
>
> Yep, as I noted, for phone users 2FA is less a nuisance. They're
> getting the 2FA code on the same device where they are trying to login.

Nope, also when logging in on their computer. Yet another example of
you not knowing what you're talking about, but still critizing,
complaining, etc..

[More (yes, I've also read all your other rants/diatribes) endless,
uninformed, misguided, pompous, obnoxious twattery deleted.]

> > Bottom line: *If* a service requires 2FA/2SV when there no real
> > security/privacy concern, you are right to complain. Likewise if a
> > service requires a smartphone and doesn't offer SMS-fallback or some
> > such.
>
> I don't like getting forced to conglomerate platforms to commit an
> action. Using a desktop PC, but have to incorporate a phone. Well, why
> stop there? Add more devices into the login process, and surely it must
> be more secure.

Get a clue, will you!? Note the emphasis ('If*'). It's irrelevant
whether you like it or not. The security/privacy *requires* it and
nobody gives a toss that 'VanguardLH' doesn't like it.

In such cases, the *minimum* 2SV is via SMS and yes, SMS can fail (Get
over it!) and yes, it requires a phone.

As you have a smartphone, get it to connect to your computer for SMS
messages (and more), so you don't have to 'look for it' (BIG bother,
NOT!) and you can do everthing on your computer. 'Problem' solved.

And yes, some, most or even all of the failure modes you 'describe'
can occur, including (but not mentioned, why not!?) your *computer*
failing. Such is life, prepare for the likely scenarios and live with
the less likely scenarios, if and when they occur.