Installed Steam on a new computer. Signed in. It sent a passcode to my GMail. I signed into GMail. It wanted me to 2FA because I hadn’t signed into Google on that device. It sent a notification to my phone, which I never received. I had it resend the notification twice, still nothing. Tried again with my phone’s offline passcodes. Neither worked. Tried the QR code/Bluetooth connection, and that finally did it.

At least I got through in the end, but fuck, it’s annoying.

  • peeonyou [he/him]@hexbear.net (2 upvotes, 6 hours ago)

    Yeah, it's a bit of a clusterfuck. Half the time when I sign into Gmail I get a code sent to my phone, but when I open the notification on my phone the code flashes for the briefest second before prompting me to hit yes. I hit yes, then it goes away, but my computer is still asking what code is showing on my phone.

    So goddamned annoying.

  • keepcarrot [she/her]@hexbear.net (28 upvotes, 1 day ago)

    I remember getting pretty stressed when my local welfare app (which you need to engage with to get welfare money) used 2FA and my phone network was delaying every message by several hours. Risking eviction for the very low risk that someone was scalping welfare passwords and fraudulently logging job applications or work hours.

    • SerLava [he/him]@hexbear.net (20 upvotes, 1 day ago)

      my favorite is that when you try to pay off a fucking bill it’s like WHOA now we wouldn’t want someone else to sneak in here and pay off your debts?? Please make a 24 character password

    • 4am@lemm.ee (19 upvotes, 1 day ago)

      SMS 2FA is insecure bullshit anyway; the only reason anyone does SMS 2FA is to track your phone number.

      We also learned that the backdoor that was left in the modern phone network for the FBI was exploited by foreign hackers; so yeah pretty easy to bypass SMS 2FA this way.

    • SorosFootSoldier [he/him, they/them]@hexbear.net (32 upvotes, edited, 1 day ago)

      Discord wanted my fucking phone number and since I use a free voip service it couldn’t send it to that so I had to use my dad’s phone. So fucking stupid and backwards. I’ve been using email for decades now and I’ve never been hacked, what was wrong with that, why you gotta enshittify everything so?

      • edge [he/him]@hexbear.net (27 upvotes, edited, 1 day ago)

        A phone number requirement is to stop people from making a bunch of accounts. Emails are free and unlimited, but phone numbers mostly cost money and like you said they have some way to know which numbers come from free voip services.

        Of course phone numbers are also more closely linked to your private identity, as they usually have to be in your name or the name of someone close to you. So that makes data gathering easier and makes it easier for feds to snoop on your shit if they really wanted (Discord will comply ofc).

        • quarrk [he/him]@hexbear.net (4 upvotes, 21 hours ago)

          VoIP is not supported for 2FA by some institutions like banks because it may be less secure than a conventional phone line, since it is connected to the internet. In practice, I think SMS is insecure regardless of whether it is over the internet or a phone line, but in any case that is why VoIP is not fully supported.

          • edge [he/him]@hexbear.net (1 upvote, 11 hours ago)

            SMS is very insecure but companies use it. I think that's what Discord uses on sign up, but they don't allow free numbers like Google Voice.

        • hello_hello [comrade/them]@hexbear.net (13 upvotes, 1 day ago)

          Discord doesn’t even have to comply, there’s zero E2EE in any part of the network, anyone can snoop in on it if they get any level of access to chat logs.

          I wonder why Discord is known for being home to predators.

          • edge [he/him]@hexbear.net (2 upvotes, edited, 10 hours ago)

            There’s still TLS, so even without end to end encryption of the messages, the only parties that should be able to see the contents are you, the recipient(s), and Discord. So either Discord has to willingly give over the messages, or a larger data breach of Discord has to happen.

      • hello_hello [comrade/them]@hexbear.net (5 upvotes, 1 day ago)

        Discord hasn’t asked me for a phone number and I have 2 burner accounts on there with email aliases. I think you just got flagged because you connected with a VPN or something. I use Vesktop as well so that might be why.

    • glans [it/its]@hexbear.net (21 upvotes, 1 day ago)

      Ya, it's a big problem IMHO. Last time my phone was fucked I couldn't pay rent or anything because I couldn't log into my bank because I couldn't get the SMS. I use a password manager and have TOTP set up for important accounts, but a lot of these big institutions only support SMS.

      I heard about a guy who got his Google account deleted because a computer wrongly thought he had CSAM. (During COVID his small child had a genital rash so he took a picture and emailed it for a virtual medical visit as the clinic requested.) They deleted everything and “don't have backups”, so even though Google admitted it was an error they will not restore it. So he couldn't log into anything: no email, cross-site logins, his phone didn't work, even TOTP I think via Authy. All just gone.

      It's not the exact same situation, but it shows what a tangled web has been created and how precarious it is.

      • crime [she/her, any]@hexbear.net (11 upvotes, edited, 1 day ago)

        It's part of my job to think about this for companies, and you'd think that would make me feel confident in my ability to create a robust backup system with failsafes for all of these logins. Instead I'm hyper-aware of how screwed I'd be with loss of access to any given point of failure and constantly anxious about it, bc it takes a literal team of people to set up and maintain that sort of thing.

        Twice as bad if you're concerned about data privacy or opsec. Like sometimes the options are “give my phone number to some company I inherently don't trust” or “accept the risk that it will be impossible to recover this account if I lose access to my email address”.

        • glans [it/its]@hexbear.net (8 upvotes, 1 day ago)

          The problem is, and it seems like a legitimate problem, that in this context a backup is also a back door.

          I don't know how it is possible to have any amount of security without the possibility of being totally locked out in some situations. How can you ensure that you can reset a password but prevent anyone else from doing so?

          It seems intractable. Password managers have been available for a long time and if people haven’t started using them yet en masse I see no reason to expect they might any time soon.

    • chickentendrils@lemmy.ml (12 upvotes, edited, 1 day ago)

      If you have any tech literate friends, you can all install Syncthing and quickly each create a personal push-only share. Then everyone you know is helping each other back up their password manager databases or anything else locally encrypted with a strong password that's small enough to be acceptable. Micro SD cards are 1.5 and even 2TiB now, and work with my 4 year old Xiaomi phone.

      I’m thinking of the WeChat recovery option that just makes a couple people you had in your friends list or were your main contacts open a menu in settings and confirm you contacted them (I think IRL), in order to verify the recovery request.

    • stigsbandit34z [they/them]@hexbear.net (5 upvotes, 1 day ago)

      Perhaps this is the reason we shouldn't have turned a useful tool (technology) into a system that controls all aspects of our lives.

      I’m convinced that Marx would rethink his takes on technological advancement if he could see how it has become fully integrated with a hyper-capitalist and profit-driven world.

  • Gorb [they/them]@hexbear.net (6 upvotes, 21 hours ago)

    Don't worry, it's getting even worse: some companies are going “passwordless” so you're entirely reliant on their email servers functioning to log in at all. I was once trying to cancel a subscription on such a site but the email wouldn't send for several days lmao

  • graymess [none/use name]@hexbear.net (15 upvotes, 1 day ago)

    I fucking hate Steam’s 2FA. Forcing you to use their app instead of your preferred authentication service. Years ago I got pretty thoroughly locked out because I switched phones and was logged out of my Steam account on my PC. Can’t remember how I resolved it, but I think it took contacting their support team.

    • edge [he/him]@hexbear.net (8 upvotes, 1 day ago)

      Steam’s preferred 2FA is getting a code from their app. It looks like it might be TOTP technically but they don’t freely give out the secret for use in another app, but there might be ways to extract it.

      Google offers TOTP and used to let you set it as the default, but now I guess they want to push their own in app prompt so you have to pick the “try another way” option every time.

      • chickentendrils@lemmy.ml (5 upvotes, edited, 1 day ago)

        Yeah for Steam you have to use 3rd party tools or pull a file off your mobile device/emulator and extract the TOTP secret (and use plugins for password managers to render the alphanumeric code with the characters they want, it’s just a non-standard TOTP representation and sucks so much).

        The maker of that “Authy” shit that's just a TOTP generator/backup once again locked behind your fuckin phone number deserves a special place in hell. It's Twilio, a virtual phone/SMS API provider… and owner of Sendgrid. Same deal as with Steam where they'll add the TOTP secret to the Authy app and you have to extract it manually to use in a different app/password manager. At least the codes are part of the IETF standard. Just generated with an uncommon <30s step interval for rolling over and I believe are 7 digits instead of 6. KeePassXC natively had configuration for it at least.
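The "non-standard representation" the comment above describes is just RFC 6238 TOTP with different parameters. The following is an added example, not code from the commenter, Authy, Steam or KeePassXC: an RFC 4226/6238 generator and verifier where digits, step and hash are parameters, run against the RFC's own test secret. The 7-digit length follows the comment; the 10-second step used for the "Authy-style" profile is an assumption chosen to illustrate a sub-30-second interval, not a documented value.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate
    to a 31-bit integer, then keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238 TOTP: counter = floor((time - T0) / step), then HOTP of that counter."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps of
    clock drift, comparing in constant time. A code generated under a different
    digits/step profile never matches: the secret alone is not enough."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


# RFC 6238 Appendix B test secret: the ASCII bytes of "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Standard profile (30 s step, 6 digits) that most authenticator apps assume.
    print("30s/6 digits :", totp(RFC_SECRET, 59))
    # Same HMAC, 8 digits: matches the RFC 6238 published vector 94287082.
    print("30s/8 digits :", totp(RFC_SECRET, 59, digits=8))
    # Authy-style profile from the thread: 7 digits, sub-30 s step (10 s assumed).
    print("10s/7 digits :", totp(RFC_SECRET, 59, step=10, digits=7))
    # Importing the secret into an app that only knows the standard profile fails:
    now = int(time.time())
    authy_style = totp(RFC_SECRET, now, step=10, digits=7)
    print("accepted by a 30s/6-digit verifier:", verify_totp(RFC_SECRET, authy_style, now))
```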

  • harsh3466@lemmy.ml (13 upvotes, edited, 1 day ago)

    I feel this. I was trying to set up and test SSO on my phone using my USB-C YubiKey, and holy hell the UI for using the YubiKey on Android is hot fucking garbage. The keyboard keeps popping up and blocking essential page elements I need to interact with, and when I try to enter the PIN for the YubiKey the authentication request times out.

    After several failed attempts I scrapped the whole idea.

    Edit: removed redundant words.

  • RedWizard [he/him, comrade/them]@hexbear.net (7 upvotes, 1 day ago)

    Many of my 2FA tokens are stored in my 1Password account so I don't have to do all the text and email code verification. It's more annoying when I can't store the 2FA and the service insists on doing text or email codes.

  • Llituro [he/him, they/them]@hexbear.net (11 upvotes, 1 day ago)

    I'm locked out of a GitHub account because stupid me made it attached to a school email address that I don't have access to. That is something you can change of course, but GitHub's 2FA is email for that account, which means I can't receive the code to log in so I can change it. There exists literally no recourse for this.

    • edge [he/him]@hexbear.net (11 upvotes, 1 day ago)

      Maybe try contacting your school’s tech support? I imagine it’s a common scenario for all kinds of accounts, maybe they’d give you temporary access (after verifying your identity and previous enrollment) to move any accounts off it.

      • Llituro [he/him, they/them]@hexbear.net (11 upvotes, 1 day ago)

        I guess I should edit my post; I did actually manage to pull my private repos off it. I found out a couple weeks ago that I was still logged in with stored credentials for the GitHub CLI program, so I was able to use that to clone them. I hadn't even thought of asking them for temp access, but you're right.

  • hello_hello [comrade/them]@hexbear.net (9 upvotes, edited, 1 day ago)

    I don't use 2FA on anything that doesn't force it; it's garbage security theater because people don't use password managers or use the same passwords for everything.

    I don't know what hurts more: people who don't use uBlock Origin or people who don't use a password manager. Such simple tools that eliminate 99% of the bs.

    • quarrk [he/him]@hexbear.net (5 upvotes, 21 hours ago)

      Security theater is an overstatement. If your password manager has a data breach (which happened a couple years ago with LastPass) then 2FA offers an extra layer of protection. E.g. if hackers get your email password, and it's short enough to be decrypted, then 2FA would save you. Of course a longer password makes 2FA less necessary, but redundancy doesn't really hurt anything.

      • hello_hello [comrade/them]@hexbear.net (2 upvotes, 15 hours ago)

        “which happened a couple years ago with LastPass”

        That's the thing, I use KeePassXC which is a local-only libre password manager. So someone would need physical access to my machine in order to copy the encrypted password database file. I'm the only one responsible for syncing the file across my devices.

        Why someone would trust a proprietary always-online password manager that requires personal information and probably has ties to the Zionist entity is beyond me.

        • quarrk [he/him]@hexbear.net (2 upvotes, 8 hours ago)

          Like most things, it's a balance between security, convenience, and reliability. A local password manager is a great option and I'm glad it exists, but I wouldn't recommend it for everyone. If your password manager is locally stored and you have a hardware failure (say, you live in Asheville and your hard drive is underwater with your house) then you're completely screwed. A cloud option is a bit more disaster proof because those services typically have mitigation plans to prevent that kind of disaster. Plus you have the convenience of device-agnostic passwords.

  • blobjim [he/him]@hexbear.net (4 upvotes, edited, 1 day ago)

    I guess our tech overlords have determined that “Passkeys” are going to be the replacement and fix for this kind of multi-factor authentication hell. Should be nice once everything actually adopts and implements it well. Still need like an email-based password reset or something like that.

    • chickentendrils@lemmy.ml (3 upvotes, edited, 1 day ago)

      I really like GRC’s Secure Quick Reliable Login (SQRL). It’s older than most examples but basically just the open version of the prompt on your phone. Authentication requests are made for a specific domain and sent back to that domain only. So much more phishing resistance than has been typical, similar to passkeys. It’s as seamless as scanning any QR code with a phone, or it integrates with a browser or local password manager/daemon. The prompts on the phone show you the unobfuscated domain name of what generated the QR code/auth request and if it’s never been used before like a phishing site, it’ll only offer user registration (usually with one-click).

      The backups of your credentials are just QR codes and can be printed on standard printer paper.

      It is used internally at a midsize organization for their internal systems authentication. Way less hassle than the Microsoft authenticator, no added hardware like a passkey.