
Multi-factor verification on websites

Chuck(G)

Can I say in public what I think of this idea? I just came off a website that uses 3-factor ID. You have your gobbledygook password, then a text message for 2FA and then another text for the 3FA. My lovely wife is almost in tears over this. She keeps wanting to write the authorization codes down for future use--she still doesn't seem to get the idea that they're one-time codes.
Yesterday, I damned near threw the system through the window. Apparently the state department of revenue decided to add security questions after I registered. So I get the question "What was your childhood nickname?" Huh? I didn't have one and certainly never supplied one to the state. Spend time on hold getting them to get me a "reset password" email that will allow me to answer security questions that I never answered 5 years ago. (Apparently they introduced the security questions 2 years ago and forgot to tell people).

Good grief, what's next? Supply a drop of blood to log in?
 
Shhh, don't give them any ideas. I think I ran into the security question snafu on some web site. And like you I had never entered any.
 
Are the texts sent to different numbers? If not, I don't see how that is adding anything over 2FA. :cautious:
 
Same number; utter insanity. I wonder if the system would catch me answering all of the security questions with a single answer, say, "nougat".
 
This whole message made my night. I can't wait for the year when physical security tokens become more popular, but people lose them all the time, and in order to get a new one you have to put your SSN into some company's website so they "know it's you". There are definitely benefits to multi-factor, but sometimes its just overkill.
 
2FA is a complete joke. With a few exceptions, these almost always require sending codes via SMS "Text", which requires a glorious smart phone. As if a smart phone magically, unquestionably proves a person's identity. As someone who does not own a stupid smart phone, I guess that means I don't exist.

The main purpose of 2FA is to sell cell phones and make people feel all smug about having one more little trite purpose for their precious toy smart phone.
 
Actually, I've seen a bit of this "3-factor" in the form of password, ask a question, SMS in a number of places if you don't have the magic cookie or the cookie is deemed too old. Another "3-factor" that is gaining ground is requiring a captcha as well. Just because you don't have a cookie they want. It's gotten so bad for me, since I have to log into a lot of companies to do work with them, that I have started to consider the option of not working with said companies. I'd better not name names, because some of these companies that are well known around here are the worst offenders, and these are the same, well known companies that continue to have breaches. It's not the TFA (t = two or three). It's not the password complexity and frequent changes. I can't even log in for legitimate business for a while it seems (never mind the times I've had to call their IT when they changed something). All I can think is these breaches are internal breaches. (ok ok, phishing is a thing but c'mon! tfa doesn't fix THAT)

We had RSA SecurID cards as our 2nd authentication where I used to work.

This used to be more common, and reasonable if secure access was desired, without requiring cumbersome rules. Unfortunately my company and other companies have phased them out.
 
The next level is logging into web services using a State-issued identity card, as in a SmartCard in whose chip is your personal info and your private key (part of a public-private key pair). The State-issued ID SmartCard's private key is unlocked with an 8-digit PIN.

Remember, it is for the SECURITY of us all.

And then, the next level is single sign-on with that State-issued ID SmartCard: you present your State-issued ID card to your ISP to be able to CONNECT to the Internet, and then all web services you use will inherit your CONNECTION identity thus validated. Probably a webcam with face recognition will be used every 15 minutes to validate you are the one at the keyboard.

This, of course, is also for the SECURITY of us all.
 
I have to disagree. 2FA is not about proving your true identity, but making it more difficult for someone who is not you to login to your account.

Any digital cell phone can receive texts. Which is all active cell phones in the US since analog service was discontinued in 2008.
 
What's interesting to me is that no one has suggested a way out of the Google 2FA scheme where they send a verification token to a phone you no longer own. Can't change the number because you need to be logged in to the account. Google, of course, is unresponsive. A bit of web searching turns up many people with the problem--and no solution.
 
I think that's why people are encouraged to use the authenticator apps for 2FA (i.e., Google Authenticator) instead of getting a text message to your number. That way if you do have to change phone numbers or phones, you can just download the app, export your accounts, and import them on your new phone. But, if you lose your phone that's a whole different situation...
 
The nutty thing is that I have the google number set to forward to one of my regular ones. So I don't lose anything; just can't access the account.
 
2FA itself isn't a bad thing, though it does get extremely repetitive and annoying if <insert site here> makes you do it too often.

The 'security question' BS is absolutely abysmal though, especially sites like Workday that not only force you to reset your password every so often, they force you to make NEW SECURITY QUESTIONS every so often! And all of that extra security is in vain if you end up getting hacked anyway...
 
Agreed. It's the worst when they also say you can't use one of your previous 4 passwords. Even though you can go in, change your password to something random 4 times, then use the same password as before lol.
 