From ebay, the bank and others in Outlook365

"a new device is using your account"

Does this mean I am using a different browser?

Peter Jason wrote:
>
> From ebay, the bank and others in Outlook365
>
> "a new device is using your account"
>
> Does this mean I am using a different browser?

I get that because I delete all cookies after each session.
No cookies = no tracking = new device.

Peter Jason wrote:

> From ebay, the bank and others in Outlook365
>
> "a new device is using your account"
>
> Does this mean I am using a different browser?

probably just means you clear cookies often, and they report that
message every time you login without them ...

On 6/25/23 21:37, Peter Jason wrote:
>
> From ebay, the bank and others in Outlook365
>
> "a new device is using your account"
>
> Does this mean I am using a different browser?

I get that message almost every time I use Netflix (or my Google
account) on my computer. As others have said, it's probably that you
deleted cookies. I don't get such messages from my bank, possibly
because I have an exception and don't delete those cookies.

--
Mark Lloyd
http://notstupid.us/

"I say quite deliberately that the Christian religion, as organized in
its churches, has been and still is the principal enemy of moral
progress in the world." [Bertrand Russell]

Peter Jason <pj@jostle.com> wrote:

> From ebay, the bank and others in Outlook365
>
> "a new device is using your account"
>
> Does this mean I am using a different browser?

My bank forced me to 2FA (two-factor authentication) which incorporates
my smartphone. Yeah, every time I want to login using a web browser on
my desktop PC, I have to go find my phone. There's no option to opt out
of 2FA. Because of forced 2FA, I don't get any alerts from my bank
regarding what host from where I login. Instead I have to enter the
code into their login that got sent via text to my phone. The 2FA code
expires in a few minutes, or immediately upon use. I hate 2FA. Means
my desktop PC is tied to my phone.

On 6/26/2023 2:16 PM, VanguardLH wrote:
> Peter Jason <pj@jostle.com> wrote:
>
>> From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?
>
> My bank forced me to 2FA (two-factor authentication) which incorporates
> my smartphone. Yeah, every time I want to login using a web browser on
> my desktop PC, I have to go find my phone. There's no option to opt out
> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
> regarding what host from where I login. Instead I have to enter the
> code into their login that got sent via text to my phone. The 2FA code
> expires in a few minutes, or immediately upon use. I hate 2FA. Means
> my desktop PC is tied to my phone.

+1
--
Jeff Barnett

On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:

>Peter Jason <pj@jostle.com> wrote:
>
>> From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?
>
>My bank forced me to 2FA (two-factor authentication) which incorporates
>my smartphone. Yeah, every time I want to login using a web browser on
>my desktop PC, I have to go find my phone. There's no option to opt out
>of 2FA. Because of forced 2FA, I don't get any alerts from my bank
>regarding what host from where I login. Instead I have to enter the
>code into their login that got sent via text to my phone. The 2FA code
>expires in a few minutes, or immediately upon use. I hate 2FA. Means
>my desktop PC is tied to my phone.

2FA is a BIG Pain in the ass.

KenW

VanguardLH wrote:
> Peter Jason <pj@jostle.com> wrote:
>
>> From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?
>
> My bank forced me to 2FA (two-factor authentication) which incorporates
> my smartphone. Yeah, every time I want to login using a web browser on
> my desktop PC, I have to go find my phone. There's no option to opt out
> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
> regarding what host from where I login. Instead I have to enter the
> code into their login that got sent via text to my phone. The 2FA code
> expires in a few minutes, or immediately upon use. I hate 2FA. Means
> my desktop PC is tied to my phone.

By bank, as well as the 2FA through my phone, has further security. One
that always bugs me is whenever I do an online money transfer, it warns
me to beware of scams, that this might be a fraudulent website.
OK, but that just seems to scream loudly that they won't be responsible
if I do get scammed. It's up to me whether I proceed or not.

Ed

On Mon, 26 Jun 2023 21:43:49 +0100, Ed Cryer <ed@somewhere.in.the.uk>
wrote:

>VanguardLH wrote:
>> Peter Jason <pj@jostle.com> wrote:
>>
>>> From ebay, the bank and others in Outlook365
>>>
>>> "a new device is using your account"
>>>
>>> Does this mean I am using a different browser?
>>
>> My bank forced me to 2FA (two-factor authentication) which incorporates
>> my smartphone. Yeah, every time I want to login using a web browser on
>> my desktop PC, I have to go find my phone. There's no option to opt out
>> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
>> regarding what host from where I login. Instead I have to enter the
>> code into their login that got sent via text to my phone. The 2FA code
>> expires in a few minutes, or immediately upon use. I hate 2FA. Means
>> my desktop PC is tied to my phone.
>
>By bank, as well as the 2FA through my phone, has further security. One
>that always bugs me is whenever I do an online money transfer, it warns
>me to beware of scams, that this might be a fraudulent website.
>OK, but that just seems to scream loudly that they won't be responsible
>if I do get scammed. It's up to me whether I proceed or not.
>
>Ed
Wells Fargo Bank which I had for over 20 years wanted to increase
their security. Instead of just doing 2FA they had 3 letters that we
had to type in before going to 2FA. I put up this for two months
emailed their president and worked with them. Wound up saying bye bye
and writing that their IT dept was idiots. I now get 4% interest
instead of .01%.

KenW

Ed Cryer <ed@somewhere.in.the.uk> wrote:

> VanguardLH wrote:
>> Peter Jason <pj@jostle.com> wrote:
>>
>>> From ebay, the bank and others in Outlook365
>>>
>>> "a new device is using your account"
>>>
>>> Does this mean I am using a different browser?
>>
>> My bank forced me to 2FA (two-factor authentication) which incorporates
>> my smartphone. Yeah, every time I want to login using a web browser on
>> my desktop PC, I have to go find my phone. There's no option to opt out
>> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
>> regarding what host from where I login. Instead I have to enter the
>> code into their login that got sent via text to my phone. The 2FA code
>> expires in a few minutes, or immediately upon use. I hate 2FA. Means
>> my desktop PC is tied to my phone.
>
> By bank, as well as the 2FA through my phone, has further security. One
> that always bugs me is whenever I do an online money transfer, it warns
> me to beware of scams, that this might be a fraudulent website.
> OK, but that just seems to scream loudly that they won't be responsible
> if I do get scammed. It's up to me whether I proceed or not.
>
> Ed

My bank is even more stupid, but they don't charge any fees nor require
a minimum balance. When I want to transfer money in or out, I have to
login again. I enter the amount to transfer, and get to the point where
I can okay the transfer, but they interrupt with a prompt to login
again. After doing so, I have to start the transfer all over again, but
the 2nd time I don't have to login again.

Forgot, their original 2FA worked fine. It screwed up when they tried
to add inputting three letters that messed it up. DOPES !

KenW

On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:

> I hate 2FA.

Double ditto.

On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
wrote:

>On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
>
>> I hate 2FA.
>
>
>Double ditto.

*shrug* 2FA is fine with me. I appreciate the extra security. It's
possible, even likely, that my password could become compromised, most
likely due to a data breach, but it's not likely that someone will have
both my password and my phone.

I guess it goes without saying that my phone goes where I go. For me,
there's no such thing as "go look for my phone".

On Mon, 26 Jun 2023 12:37:47 +1000, Peter Jason <pj@jostle.com> wrote:

>
>From ebay, the bank and others in Outlook365
>
>"a new device is using your account"
>
>Does this mean I am using a different browser?

...I am using Edge "inPrivate", if this matters.

On 6/26/2023 11:32 PM, Peter Jason wrote:
> On Mon, 26 Jun 2023 12:37:47 +1000, Peter Jason <pj@jostle.com> wrote:
>
>>
>>From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?
>
>
>
>
>
> ..I am using Edge "inPrivate", if this matters.
>

Yes, it matters.

I don't think that keeps cookies, does it ? That is why it is "inPrivate". No cookies.

It looks like, according to this, you can view the cookies in your browser.
The cookies that are stored at the moment. But making sense of what is in there,
is another matter entirely (some organizations use more than one domain,
for tracking you).

https://learn.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/storage/cookies

Paul

Char Jackson <none@none.invalid> wrote:

> On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
> wrote:
>
>>On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
>>
>>> I hate 2FA.
>>
>>
>>Double ditto.
>
> *shrug* 2FA is fine with me. I appreciate the extra security. It's
> possible, even likely, that my password could become compromised, most
> likely due to a data breach, but it's not likely that someone will have
> both my password and my phone.
>
> I guess it goes without saying that my phone goes where I go. For me,
> there's no such thing as "go look for my phone".

Since mobile devices are now generate 68% of Web traffic (i.e., most Web
users are on phones), the users are on the same phone to which the 2FA
code gets sent via text. Someone that stole your phone whether
temporarily or permanently gets the 2FA code to complete the login to
get into your accounts. So, logging in by phone and getting the 2FA
code on the same phone obviates the entire 2FA scheme, and you're left
with just the login credentials used in the first place. In fact, there
are apps used with 2FA to facilitate its use on phones.

Oh, yeah, that's secure, like leaving the keys in your car that
facilitates its theft.

2FA is security theater: using pyschological engineering to effuse
security. Besides tracking and getting additional information from a
user (i.e., phone number), 2FA was to thwart ignorant or lazy users that
reuse the same password at every site where they login instead of a
password that is unique to every domain which is also a strong password.
But its reliance on SMS to send texts to the very phone that is trying
to login is stupid and misleads the user into thinking additional
security was added.

If you're getting the 2FA code sent to the same phone on which you're
attempting to login, gee, for sure, that current user of the phone just
must be the owner of the phone and the owner of the account. Uh huh.
If you're getting the 2FA code sent to your phone when trying to login
on your desktop PC, yep, that's oh-so convenient. Uh huh.

Not all phone users have their phones grafted to their hand to have it
immediately available at all times what at any desktop PC. In fact, 2FA
will fail where you get striped of phones, and other paraphernalia, upon
entering a secure facility.

2FA is a nuisance for desktop PC users.
2FA is security theater on the same phone that is trying to login.

Peter Jason wrote:
> On Mon, 26 Jun 2023 12:37:47 +1000, Peter Jason <pj@jostle.com> wrote:
>
>>
>>From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?

> ..I am using Edge "inPrivate", if this matters.

No cookies = no tracking = new device.

On Mon, 26 Jun 2023 23:10:43 -0500, VanguardLH <V@nguard.LH> wrote:

>Char Jackson <none@none.invalid> wrote:
>
>> On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
>> wrote:
>>
>>>On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
>>>
>>>> I hate 2FA.
>>>
>>>
>>>Double ditto.
>>
>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>> possible, even likely, that my password could become compromised, most
>> likely due to a data breach, but it's not likely that someone will have
>> both my password and my phone.
>>
>> I guess it goes without saying that my phone goes where I go. For me,
>> there's no such thing as "go look for my phone".
>
>Since mobile devices are now generate 68% of Web traffic (i.e., most Web
>users are on phones), the users are on the same phone to which the 2FA
>code gets sent via text. Someone that stole your phone whether
>temporarily or permanently gets the 2FA code to complete the login to
>get into your accounts. So, logging in by phone and getting the 2FA
>code on the same phone obviates the entire 2FA scheme, and you're left
>with just the login credentials used in the first place. In fact, there
>are apps used with 2FA to facilitate its use on phones.

I can't quite tell what you're wrongly assuming, but it looks like you
think mobile devices treat passwords differently from desktop PCs and
laptops? AFAIK, they don't. Regardless of the device I use to login to a
secure site that uses 2FA, I typically need a password, which doesn't
exist on the phone, and then I need to respond to whatever the second
part of 2FA is, which could be a code received via email or SMS (text)
or a fingerprint scan or something else. How is 2FA *less* secure?

>2FA is a nuisance for desktop PC users.
>2FA is security theater on the same phone that is trying to login.

If you don't care about the security of certain logins, then that's fine
with me. Just disable 2FA, where possible. I'll use it where it makes
sense.

On 6/26/2023 9:10 PM, VanguardLH wrote:

> Someone that stole your phone whether temporarily or permanently gets
> the 2FA code to complete the login to get into your accounts.

The thief would have to know my lock screen code to enter my phone
before they could do ANYTHING. (They only get 15 tries before a factory
reset.) That alone should give me enough time to deactivate it and
transfer my number (and any 2FAs) to a new phone.

> 2FA is a nuisance for desktop PC users.

All my apps (PC, phone, tablets, etc.) only require 2FA verification
ONCE. Then after the device has been certified only the password is
required thereafter. Not all that big of a PITA IMO for the added
security...

Char Jackson <none@none.invalid> wrote:

> On Mon, 26 Jun 2023 23:10:43 -0500, VanguardLH <V@nguard.LH> wrote:
>
>>Char Jackson <none@none.invalid> wrote:
>>
>>> On Mon, 26 Jun 2023 15:11:27 -0700, Ken Blake <Ken@invalid.news.com>
>>> wrote:
>>>
>>>>On Mon, 26 Jun 2023 15:16:54 -0500, VanguardLH <V@nguard.LH> wrote:
>>>>
>>>>> I hate 2FA.
>>>>
>>>>
>>>>Double ditto.
>>>
>>> *shrug* 2FA is fine with me. I appreciate the extra security. It's
>>> possible, even likely, that my password could become compromised, most
>>> likely due to a data breach, but it's not likely that someone will have
>>> both my password and my phone.
>>>
>>> I guess it goes without saying that my phone goes where I go. For me,
>>> there's no such thing as "go look for my phone".
>>
>>Since mobile devices are now generate 68% of Web traffic (i.e., most Web
>>users are on phones), the users are on the same phone to which the 2FA
>>code gets sent via text. Someone that stole your phone whether
>>temporarily or permanently gets the 2FA code to complete the login to
>>get into your accounts. So, logging in by phone and getting the 2FA
>>code on the same phone obviates the entire 2FA scheme, and you're left
>>with just the login credentials used in the first place. In fact, there
>>are apps used with 2FA to facilitate its use on phones.
>
> I can't quite tell what you're wrongly assuming, but it looks like you
> think mobile devices treat passwords differently from desktop PCs and
> laptops? AFAIK, they don't. Regardless of the device I use to login to a
> secure site that uses 2FA, I typically need a password, which doesn't
> exist on the phone, and then I need to respond to whatever the second
> part of 2FA is, which could be a code received via email or SMS (text)
> or a fingerprint scan or something else. How is 2FA *less* secure?

2FA is not less secure. It is not more secure. You can install 6
deadbolt locks on your exterior door that has a breakout (aka window).
Adding more locks doesn't make the windowed door less or more secure.

Hopefully you're the only one knowing the login credentials. That may
not be true. Your hacked account isn't secured because 2FA got added,
and you get the 2FA code on the same device that trying to login. 2FA
adds another step on a phone where 2FA is superfluous. When using a
desktop PC for logging it, the nuisance is having to use something else
to complete the login. Yes, there are USB security dongles, but like
crappy passwords, or leaving cheat sheets at the computer, most users of
those dongles leave them plugged in, so anyone at that computer can
incorporate the USB dongle into a login.

>>2FA is a nuisance for desktop PC users.
>>2FA is security theater on the same phone that is trying to login.
>
> If you don't care about the security of certain logins, then that's
> fine with me. Just disable 2FA, where possible. I'll use it where it
> makes sense.

I've seen folks add a 2nd deadbolt to their windowed exterior house
door. Instead of an interior knob that someone could reach in to twist
to unlock, they get deadbolts that require a key on both sides, but then
they leave the key in the lock on the interior side that can be also be
reached through the breakout (aka window). 2FA returned to the same
phone that gets interupted during login is like the knob replaced with a
key, but the key is left in the lock.

I guess if 2FA gives you a warm cozzy feeling then use it. To me, it
doesn't make sense to send a 2FA code to the same phone is that trying
to commit a login. To me, it is a nuisance to go find my phone to bring
to my desktop PC to complete a login. Yeah, might be more secure, but
security and ease-of-use are the antithesis of each other. I can also
so severely lockdown and secure a computer that it could never get
infected, but that impacts my use of that computer.

Biometrics could be added to 2FA, so the user attempting to login has to
use their fingerprint or eye scan instead of returning a character
string to a waiting login page at the site. While extreme, biometrics
don't preclude forced entry (someone makes you press your finger on the
scanner, or holds your head in front of the eye scanner). Those input
methods can be used with a corpse. However, voice print would be harder
since it is very difficult to get a corpse to speak, but you could force
someone to speak. Yeah, these are extremes for security
countermeasures, but 2FA seems more like security theater than security.
Just adding more locks onto the door.

Again, if 2FA makes you feel more comfortable than go for it. Some
folks buy weighted blankets, too. Just as with any security, you have
to determine how much you want for what makes you feel protected enough.
Adding more security reduces ease of use, so you have to define at what
level of nuisance you will tolerate. For my desktop PC, no one else has
access to it inside my locked house, the screen saver is passworded, as
is the BIOS boot before OS load, but I'm not buying a gun safe to store
my desktop PC to bar all but the most extreme physical access to it.

Alas, sites that decide to add 2FA often give the user no choice. Yep,
if I can disable 2FA, I do so. At site with no such option, I'm stuck
with 2FA. Luckily I use Google Voice, and that's the phone number given
to a 2FA site. Copies of SMS texts to my GV number get sent to me via
e-mail, and I can read e-mail on lots of devices. So, I do have a way
to disencumber my desktop PC from my smartphone when 2FA is foisted upon
me. I login using my desktop PC, get interrupted, the site sends a 2FA
code, I get the e-mail with the 2FA code in an e-mail I can view on my
desktop PC, and enter the code to complete the login. And all on my
desktop PC. But that's not the typical scenario for desktop users. The
2FA code gets sent to their phone, they have to unlock their phone and
open the messaging app to see the text, and manually input the 2FA code
on their desktop PC since they can't copy-n-paste from text to web form.
I figured out a workaround using Google Voice to reduce the 2FA
nuisance. The number of phone users that employ Google Voice, or any
PBS style voice system that includes e-mailing of texts, is small. Yet
many users feel 2FA adds security and are willing to suffer the
nuisance. After all, the more you nuisance the user then, yep,
obviously security just must be greater.

AJL <noemail@none.com> wrote:

> On 6/26/2023 9:10 PM, VanguardLH wrote:
>
>> Someone that stole your phone whether temporarily or permanently gets
>> the 2FA code to complete the login to get into your accounts.
>
> The thief would have to know my lock screen code to enter my phone
> before they could do ANYTHING. (They only get 15 tries before a factory
> reset.) That alone should give me enough time to deactivate it and
> transfer my number (and any 2FAs) to a new phone.

So, you've just described how 2FA is even a more nuisance on your phone.
To get the 2FA code sent to your phone, you have to first unlock it.
So, another step to implement 2FA. In addition, how do you copy-n-paste
the 2FA code sent in the text to the web login form on your desktop PC
to complete the login?

Should the hacker reset your phone, your phone still has the same phone
number. The hacker gets to use your phone just as when it was new, and
gets the 2FA code on a login attempt.

>
>> 2FA is a nuisance for desktop PC users.
>
> All my apps (PC, phone, tablets, etc.) only require 2FA verification
> ONCE. Then after the device has been certified only the password is
> required thereafter. Not all that big of a PITA IMO for the added
> security...

So, the 2FA code (until it expires) remains stored on your phone. If
someone grabs your phone while using it, it isn't yet locked.

Seems storing the 2FA token on the device defeats the purpose of 2FA.
Why bother with 2FA if the same token gets repeatedly used? So, here we
have 2FA, but then diminish its purpose. Yep, a workaround to
facilitate ease of use and diminish the 2FA nuisance.

My bank sends me a 2FA. It is THEIR choice on expiration, not yours,
because they track the 2FA code they issued on their side. They expire
the 2FA code in something like 10 minutes. You could come back later
trying to reuse the same 2FA code, but it will fail. The site determine
the longevity of the 2FA code they issue, not you.

VanguardLH wrote:
> Peter Jason <pj@jostle.com> wrote:
>
>> From ebay, the bank and others in Outlook365
>>
>> "a new device is using your account"
>>
>> Does this mean I am using a different browser?
>
> My bank forced me to 2FA (two-factor authentication) which incorporates
> my smartphone. Yeah, every time I want to login using a web browser on
> my desktop PC, I have to go find my phone. There's no option to opt out
> of 2FA. Because of forced 2FA, I don't get any alerts from my bank
> regarding what host from where I login. Instead I have to enter the
> code into their login that got sent via text to my phone. The 2FA code
> expires in a few minutes, or immediately upon use. I hate 2FA. Means
> my desktop PC is tied to my phone.

My phone has to live by the window in the front room, being the only
place where it gets a signal. So even less convenient.

--
Graham J

On 6/27/2023 12:17 AM, Graham J wrote:

> My phone has to live by the window in the front room, being the only
> place where it gets a signal.

Does your phone have WiFi Calling capability? If not think about it for
your next phone. Might solve your problem...

On 6/27/2023 12:09 AM, VanguardLH wrote:
> AJL <noemail@none.com> wrote:
>> On 6/26/2023 9:10 PM, VanguardLH wrote:

>>> Someone that stole your phone whether temporarily or permanently
>>> gets the 2FA code to complete the login to get into your
>>> accounts.

>> The thief would have to know my lock screen code to enter my phone
>> before they could do ANYTHING. (They only get 15 tries before a
>> factory reset.) That alone should give me enough time to deactivate
>> it and transfer my number (and any 2FAs) to a new phone.

> So, you've just described how 2FA is even a more nuisance on your
> phone. To get the 2FA code sent to your phone, you have to first
> unlock it.

The phone is already unlocked because you have to first put in the
correct password to the new app before the 2FA is sent. But I only have
to do it once per new app that requires it. So I haven't needed a 2FA in
some months now. However if I get a new device there will be lots of
2FAs needed for the same apps that are installed on the new device.

> In addition, how do you copy-n-paste the 2FA code sent in the text to
> the web login form on your desktop PC to complete the login?

I memorize the code (it's just a few numbers) for the few seconds it
takes for me to enter it for the new app.

> Should the hacker reset your phone, your phone still has the same
> phone number.

Nope. I will have cancelled it within an hour of the theft.

> The hacker gets to use your phone just as when it was new, and gets
> the 2FA code on a login attempt.

He can't get a 2FA sent without knowing the CORRECT app password.

> So, the 2FA code (until it expires) remains stored on your phone.
> If someone grabs your phone while using it, it isn't yet locked.

True. But all my sensitive apps still require a password to use.

> Seems storing the 2FA token on the device defeats the purpose of
> 2FA. Why bother with 2FA if the same token gets repeatedly used?

Many apps can be set to require 2FA every time for added security. But I
think the one time 2FA is a good compromise between security and ease of
use.

> My bank sends me a 2FA. It is THEIR choice on expiration, not
> yours, because they track the 2FA code they issued on their side.
> They expire the 2FA code in something like 10 minutes.

I can get the 2FA code entered in seconds so that's not a problem for
me. Like my other apps my bank apps now only require a password since
the device they're on has been 2FA certified...

Another advantage of 2FA: If I get one that I didn't request I know that
someone has entered the CORRECT password on one of my apps on his
phone/device. Time to change that password...

AJL <noemail@none.com> wrote:

> On 6/27/2023 12:09 AM, VanguardLH wrote:
>> AJL <noemail@none.com> wrote:
>>> On 6/26/2023 9:10 PM, VanguardLH wrote:
>
>>>> Someone that stole your phone whether temporarily or permanently
>>>> gets the 2FA code to complete the login to get into your
>>>> accounts.
>
>>> The thief would have to know my lock screen code to enter my phone
>>> before they could do ANYTHING. (They only get 15 tries before a
>>> factory reset.) That alone should give me enough time to deactivate
>>> it and transfer my number (and any 2FAs) to a new phone.
>
>> So, you've just described how 2FA is even a more nuisance on your
>> phone. To get the 2FA code sent to your phone, you have to first
>> unlock it.
>
> The phone is already unlocked because you have to first put in the
> correct password to the new app before the 2FA is sent. But I only have
> to do it once per new app that requires it. So I haven't needed a 2FA in
> some months now. However if I get a new device there will be lots of
> 2FAs needed for the same apps that are installed on the new device.
>
>> In addition, how do you copy-n-paste the 2FA code sent in the text to
>> the web login form on your desktop PC to complete the login?
>
> I memorize the code (it's just a few numbers) for the few seconds it
> takes for me to enter it for the new app.
>
>> Should the hacker reset your phone, your phone still has the same
>> phone number.
>
> Nope. I will have cancelled it within an hour of the theft.
>
>> The hacker gets to use your phone just as when it was new, and gets
>> the 2FA code on a login attempt.
>
> He can't get a 2FA sent without knowing the CORRECT app password.
>
>> So, the 2FA code (until it expires) remains stored on your phone.
>> If someone grabs your phone while using it, it isn't yet locked.
>
> True. But all my sensitive apps still require a password to use.
>
>> Seems storing the 2FA token on the device defeats the purpose of
>> 2FA. Why bother with 2FA if the same token gets repeatedly used?
>
> Many apps can be set to require 2FA every time for added security. But I
> think the one time 2FA is a good compromise between security and ease of
> use.
>
>> My bank sends me a 2FA. It is THEIR choice on expiration, not
>> yours, because they track the 2FA code they issued on their side.
>> They expire the 2FA code in something like 10 minutes.
>
> I can get the 2FA code entered in seconds so that's not a problem for
> me. Like my other apps my bank apps now only require a password since
> the device they're on has been 2FA certified...
>
> Another advantage of 2FA: If I get one that I didn't request I know that
> someone has entered the CORRECT password on one of my apps on his
> phone/device. Time to change that password...

It's obvious you are using your phone for the majority of your Web
transactions. My phone only get used when I'm away from home and not at
work; else, I move up from a toy computer to a desktop PC. That your
phone stores a 2FA token is irrelevant to phones that don't, and to
desktop PC users. While mobile devices now generate 68% of Web traffic,
I still use my desktop PC as my primary computing platform. That's why
2FA is a nuisance to me. I have no intention to moving to my phone as
my primary web surfing or computing platform. I know a lot of phone
users consume bandwidth watching videos on their phones. I don't want
videos on my phone.

Your focus is you using your phone to use all those web-centric apps.
My focus is me using my desktop PC for all those Web activities. As
mobile devices have taken over the Web, us desktop users are getting
nuisanced more and more.