At least it isn’t email or SMS MFA.
Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let’s try 2FA. Get seed, generate code, go to setup verification page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS
(only factor authentication)
Nothing compared to BOFA, which is arguably even worse and a lot more stupid
For those who don’t know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.
Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself
I use Keepass2Android and its own keyboard app for this. I switch active keyboard app when the login field shows up to paste and then switch back to my normal keyboard after.
Dashlane has no problems filling out my bofa passwords on android
Good for them, but there’s no way in Hell I’d trust a proprietary, cloud-hosted password manager.
Ok
Thank you for clarifying because I was expecting a “BOFA dez nutz” joke.
What’s BOFA? (Apart from BOFA deez nuts)
Bank OF America
Aw you’re too good. Can’t you even let your guard down a little? I need this.
My bank requires SMS mfa
Admittedly I kind of see why
I agree with this sentiment. Steam notably falls into the third category, while otherwise being pretty good.
But I’m quite disgusted now seeing an image of a Yubikey for the first time. I’ve heard so many good things about them that it’s a major disappointment to see now that they use that awful noncompliant shape of USB plug.
There are two very important reasons for the metal shield around USB plugs: 1. For ESD protection, and 2. to hold the receptacle’s tongue in place and prevent it from bending away and losing contact. Every USB device I’ve owned that was a flat plug (like this Yubikey image in this post) has within a month deformed the USB receptacle it’s plugged into to the point that the device no longer works in that port. Compliant USB devices still work in that port’s deformed receptacle, because they have a correct metal shield that bends the tongue back into the correct position.
Yubikey also has usb-c versions with compliant plugs.
YubiKeys have almost every imaginable form factor these days. Here’s the USB-C version without NFC:
Yeah I have an even smaller USB-C one. It sticks out less than 0.5cm from the port.
I’ve had my Yubikey FIDO2 token knocking around on my keychain for about 7 years now. Scratched and beaten, works perfectly and never had a port damaged; it doesn’t put enough pressure on it.
It is kind of annoying that Steam doesn’t enable the usage of third-party OTP apps. To be fair, when they first implemented the feature, that wasn’t widely used and plenty of websites only enabled the use of one specific OTP app like Authy or Google Authenticator. They recently added a QR code login feature, which makes sense, but that still shouldn’t stop them from enabling MFA via third-party OTP apps.
iirc it’s possible to somehow export the secret key used by Steam’s 2FA
Uuuuugh. I just had this problem after dropping my phone. Can’t log into the phone without the phone being logged in. Solution: disable 2fa on a logged in device. If I can disable it from another device why can’t I verify it from another device? This is so broken!
At work I can usually log in without any input thanks to SSO, but occasionally it will ask for a security check. The default is to press a notification in Outlook on my work phone, which I only ever use when travelling, so it’s invariably off… 🙄
My work has something similar, but I can change the default.
My brain needs to boot faster. Took me far too long to figure out that wasn’t Mother Fucking Authentication, and was instead more likely Multi-Factor
You are doing god’s work, sir!
Fuck Duo authenticator and its proprietary ass shit
Agreed
MFML.
Sorry, as an IT person I have to disagree: app-based MFA is just much easier to maintain than HW keys.
Edit: forgot to mention that in Finland companies have to provide a phone if your work requires that. In IT I don’t want anything to do with users’ personal devices, and it sounds insane to me that in the US companies force apps onto your personal devices.
Re-writing a 6-digit code is easier than tapping a USB device?
They’re talking about operationally. They don’t want to configure and distribute a bajillion dongles to users.
Yup
Oftentimes, yes. I don’t want to always have to have a USB key on me, but I always have access to MFA apps via my phone, watch, or laptop. I have no idea why you’re typing the code out instead of copying and pasting.
Open an app, find the one number for your specific app among the bajillion you have, oh the timer is almost out and you forgot halfway through, tap back in the app, oh the fucking app scroll all the way to the top again.
Open app via sidebar, search for website in search box, enter number once because I’m not super fucking slow at typing
Pretty sure he’s talking about mfa that just asks for confirmation whether that’s you logging in on the phone. No typing required.
App-based TOTP is not phishing resistant and does not require any level of proximity to the login session. The future is more likely passkeys that use device TPMs.
A simple challenge number handles that; for example, Azure AD MFA forces that today.
Those are better, but are also not phishing resistant.
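As an added illustration of the distinction the last three comments draw (example code written for this thread, not anything a commenter posted): an RFC 6238 TOTP code is a function of the shared secret and the clock only, so nothing in it tells the verifier where the user typed it, whereas a WebAuthn assertion carries the origin the browser actually connected to and a hash of the relying-party ID, which the server must compare against its own values before it even looks at the signature. The origin `https://login.example.com` and the hypothetical `rp_checks_assertion` helper are constructed for the example.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://login.example.com"   # constructed relying-party origin
RP_ID = "login.example.com"               # constructed RP ID

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs: secret and time. No origin,
    no session, so a code entered on a lookalike site verifies just as well."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), code)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as a browser builds it: the *browser* fills in the origin
    it is talking to, which is what makes the assertion origin-bound."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def rp_checks_assertion(client_data: bytes, auth_data: bytes,
                        expected_challenge: bytes) -> bool:
    """Hypothetical relying-party pre-checks mandated by WebAuthn before
    signature verification: type, challenge, origin and rpIdHash must match.
    An assertion produced for a different origin fails here, regardless of
    whether the signature over it would be valid."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(b64url_decode(cd["challenge"]), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    # authenticatorData starts with sha256(rpId); must match our own RP ID.
    return hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest())
```

The TOTP path accepts the same six digits no matter which site collected them; the assertion path rejects anything the browser did not generate for `RP_ORIGIN`.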