Who's worse, Google, Nintendo, or everyone else? A mixed rant.


  • Java Dev

    @PleegWat said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Vixen said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    it's got walls, a ceiling and a floor..... what more could we want?

    Well, unless you like lying on the hard floor, or standing bent over with your hands against the wall...

    I'd prefer not to be lying on the hard floor. But I could do it being pressed up against the wall, yes.


  • Java Dev

    @dfdub said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I came here for rants about Google and Nintendo. Now I need an exorcism.

    How so? The topic just drifted to discussing a different kind of playing together~



  • @Atazhaia The NSFW and kink threads are 🔝 🔚 🔛 🔙



  • @PleegWat said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Vixen said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    it's got walls, a ceiling and a floor..... what more could we want?

    Well, unless you like lying on the hard floor, or standing bent over with your hands against the wall...

    I'm still not seeing a problem with the room itself....


  • Discourse touched me in a no-no place


  • BINNED

    So to make this a little less about rooms and a little more Retards, Inc. Google related again:

    Google sent me a mail yesterday to said throwaway account: (loosely translated)
    Help us protect your account: security note from Google
    Please allow us to verify your identity if necessary. With additional options to verify your identity, you reduce the risk your account is getting hacked or you lose access to it.

    Okay, how exactly can the account possibly be hacked if you deny all access anyway? And I must presume by "lose access" you don't mean me forgetting the password and not having a recovery option set, but instead that I do know the password but you just won't accept valid credentials, right?!

    So out of curiosity I click their link for the security checkup and log in. It does log me in this time and asks me for recovery phone number and email address. Okay, at least they didn't automatically put in not-my-phone-number as the 2FA phone number. That would've been even more stupid than simply accepting arbitrary phone numbers like they did. I also checked the settings and 2FA (well "validation in two steps", literally "Bestätigung in zwei Schritten") is turned off.
    Not sure what would be worse, if this had been on by default even though it's literally impossible, or that it isn't and so I can't turn it off even though they blocked me with it earlier.



  • @dfdub said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I came here for rants about Google and Nintendo. Now I need an exorcism.

    Just make sure to pay the exorcist's bill on time. Otherwise, you might get repossessed!


  • BINNED

    @Mason_Wheeler said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dfdub said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I came here for rants about Google and Nintendo. Now I need an exorcism.

    Just make sure to pay the exorcist's bill on time. Otherwise, you might get repossessed!

    The exorcism-as-a-service bill will be paid for with unskippable ads.


  • Notification Spam Recipient

    @dfdub said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Atazhaia The NSFW and kink threads are 🔝 🔚 🔛 🔙↕⬇✴↗🔁⛔🔚🚎

    FTFY.


  • Notification Spam Recipient

    @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Mason_Wheeler said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dfdub said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I came here for rants about Google and Nintendo. Now I need an exorcism.

    Just make sure to pay the exorcist's bill on time. Otherwise, you might get repossessed!

    The exorcism-as-a-service bill will be paid for with unskippable ads.

    This future we live in... it's horrible.



  • So apparently Nintendo is doing another mobile game, with a monthly subscription

    Launching on February 5th at a cost of $9.49 USD/month (about $12.60 CAD), the ‘Feh Pass’ will offer a variety of exclusive content.


  • BINNED

    @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @loopback0 wrong kind of doctor.

    Is he really?
    I mean, just look at those puppy dog eyes...


  • BINNED

    @M_Adams said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @loopback0 wrong kind of doctor.

    Is he really?
    I mean, just look at those puppy dog eyes...

    I mean, not what I had in mind, but can't disagree with that.


  • BINNED

    [image: IMG_0037.jpeg]

    I hate 2 factor authentication.

    Just when I wanted to write this, I saw that @boomzilla had just happened to create a new thread about MFA. But that’s about their implementation being not MFA enough and my complaint is the opposite. But then I remembered I already have a rant thread dedicated to this from a few years ago.

    Earlier today I wanted to log into my Google account on the phone. (I’m normally not logged in. I usually log out after I’ve finished what I need it for. Not that that would prevent them from tracking me on third party sites, but at least they can’t pretend they’re doing it legitimately.) I click my account name, then enter the password. It says something along the lines of there’s a problem and it can’t verify my account. Presumably because I’m on vacation and not in Germany. Never mind that that’s none of their fucking business and I entered the correct credentials. There’s only one button that says “recover my account”. I don’t quite remember what happened after I clicked that. Either it shoved me back to the account selection screen, or it did nothing at all and I manually navigated back to that screen, but it certainly didn’t do anything useful.
    So I click on my account again. This time, I open KeePass to copy+paste over my password, just to be sure. That’s just superstition at this point, though, since the first time it was filled in by the Apple keychain, which definitely didn’t have the wrong password saved. This combined with the fact that the account selection screen already offered my account name also makes it clear that I had successfully logged in on this phone before, and they know it. It again gives me the error message and I try “recover my account” again.
    It tells me to open the YouTube app on “[topspin’s] iPhone 13 mini” and select the recovery code “87”.

    What the absolute fuck!?! :wtf:

    Why don’t you send a 2FA check to the email account associated with this account, to which I have access?! You know, like people who are not insane. Also, normally you use the secondary channel to send digits which you enter on the login screen, not the other way around, but I guess that’s a minor wtf at this point.

    Okay, I guess I happen to be logged into the YouTube app. I might as well not have been, at which point I guess they’d have told me: “Yes, you have the correct credentials to your account, but we won’t let you in. For absolutely no reason at all, and there’s nothing you can do about it. Fuck off!”
    So I open YouTube. It tells me it’s offline. Of course, I don’t want it to stream shit when I’m not on Wi-Fi, so I didn’t allow mobile data in case it randomly loses connection without me noticing and inadvertently blasts through my mobile data. I look for the option in the settings app, enable mobile data, and go back to YouTube. It takes a minute to think, then loads some stupid screen where I can select between three buttons, one of which displays 87. In the background, it’s already loaded and is autoplaying some stupid video. Thank you very much! That’s exactly what I wanted. I now go back to the Google login screen, it also takes a while to think, then tells me to do the same shit again and select 80. Did the first one not go through? Did it time out because it took me a minute? (In which case you’re doubly screwed if you’re on low data / slow connection.) Or is this just a normal second step because they realized two digits is bad enough, but with the buttons you got a 1 in 3 chance of guessing correctly? Anyway, I go back to YouTube, select 80, and back to Google again. It finally works.

    2FA is just a fucking setup to blackmail you to tell them your phone number or otherwise lose access to your account. Even if you have the right credentials.
    My password is secure. My KeePass DB is unlikely to get hacked. The only real risk to my account is Google’s 2FA shit deciding it won’t let me log in even though I’ve never activated this crap.

    At this point, even Microsoft feels sane compared to the absolutely outrageous retardery Google pulls off.

    Oh, and two weeks or so ago, GitHub told me I need to activate MFA or I’d lose access. And I better activate as many factors as I can, because if I lose access to the MFA stuff, they cannot recover my account.
    Isn’t that nice? Back when credentials were email / username and password, you could just click “forgot my password” and you recover it with your email address.

    Brave New World. Fuck all this. To paraphrase @Arantor: password auth forever.


  • Notification Spam Recipient

    @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I hate 2 factor authentication.

    You too?

    Google account on the phone.

    Oh. Found your mistake, I guess.

    At this point, even Microsoft feels sane compared to the absolutely outrageous retardery Google pulls off.

    It does, and it's disturbing, because MS is at 'eats paper glue while masturbating' level of retarded.

    Brave New World. Fuck all this. To paraphrase @Arantor: password auth forever.

    👍


  • Notification Spam Recipient

    @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    At this point, even Microsoft feels sane compared to the absolutely outrageous retardery Google pulls off.

    Microsoft is now badgering me to set up the "click a number" thing on Outlook on my phone. Which is triple retarded as I can't get there without logging in, which, you'll never guess, will occasionally MFA me.

    Screw that noise! I have a perfectly functional TOTP secret that works just fine!

    I can't disable the nagification either, so now whenever I load in I gotta click the Close button. There's not even an option to "never"!
    Left feedback, not like I expect it to be read.



  • @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    Isn’t that nice? Back when credentials were email / username and password, you could just click “forgot my password” and you recover it with your email address.

    Hey, but SEH-KYOO-REE-TTY!
    Do you remember the story where my company phone could not be reset? I used a Google account with Bernie.Initech@gmail.com as recovery email, with the password for the email account stored on the phone (likely also on my work computer, but they had installed Windows freshly,...)



  • This past week I onboarded with a new client at work, and had to install Microsoft Authenticator in order to do the other-more-different version of Microsoft's MFA than the one I already have to do. So now I can either receive a text with a 6-digit code, get a two digit number and punch it into the app, or sometimes both, multiple times in rapid succession.



  • As someone that actually worked on a small 2FA app years ago, involving a phone number is entirely unnecessary. As is the silly code entry bit. You can make an app that is set up with a QR code to link the app for login and then you get push notifications that you just press YES or NO on for auth. No need for mail or phone number.

    Edit:
    And if you want to make sure that the 2fa gizmo is at the place where the login happens, put a swapping QR code up on the login screen that has to be scanned for the login.


  • Banned

    @Carnage MS's 2FA can be configured by admin to require code entry or a yes/no notification. So it's not even MS being inept, it's their customers being hostile to the idea of convenience.


  • Discourse touched me in a no-no place

    @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    So it's not ~~even~~ just MS being inept, it's their customers being hostile to the idea of convenience.

    :why_not_both:


  • Banned

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.


  • BINNED

    Amazing stuff:

    [image: Bildschirmfoto 2023-10-02 um 10.57.33.png]

    If you lose your device and don't have the recovery codes, you will lose access to your account.

    So I have 3 different email addresses set up, but having access to all of them plus my password doesn't matter, if I lose access to the fucking authenticator app, I'm fucked.
    Yes, I've stored the recovery codes in my password manager now. On my phone, so if I were to lose that, I'd lose both the authenticator and recovery codes at the same time.

    How does this benefit me?!

    And thanks to clever web devs, you can't even copy+paste these codes correctly. But thankfully there's a "download" button you're forced to click.

    Oh, and there's an option to add a "passkey", although I'm not sure if that'd change password+TOTP to fingerprint+TOTP (making it useless, because it replaces the not-annoying part) or just fingerprint (making it single-factor):

    [image: Bildschirmfoto 2023-10-02 um 11.06.21.png]

    Of course, it doesn't work. Touching the fingerprint reader just doesn't do anything.



  • I continue to be less than 100% convinced about the security value of MFA.


  • I survived the hour long Uno hand

    @Arantor said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I continue to be less than 100% convinced about the security value of MFA.

    MFA is the security world version of political bills. It shows you're Doing Something and therefore must be Not The Problem(tm)



  • @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    Oh, and there's an option to add a "passkey", although I'm not sure if that'd change password+TOTP to fingerprint+TOTP (making it useless, because it replaces the not-annoying part) or just fingerprint (making it single-factor):

    It's just fingerprint, but since passkeys are device-specific your device (and ability to authenticate to it) is the second factor.


  • BINNED

    @TwelveBaud quick mafs.



  • @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.

    There's also a reason why they changed the default to "Enter a number" instead of "Yes or No" / "Press on the number you see on your PC's screen" - namely that some business clients had their passwords leaked through other means and then repeatedly got the 2FA notification (initiated by the hostile 3rd party). And some of them then press on "OK" instead of asking themselves: "Why am I getting this notification when I'm not actively trying to log in?"



  • @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    How does this benefit me?!

    I'm not sure that I fully understand the thought process behind this: You're supposed to save the recovery codes in a safe spot. It even tells you so.

    You seem to confuse "convenience" for "security". Of course it's a PITA when you lose your device - it's a feature. What did you think the "2" stands for?


  • BINNED

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    You're supposed to save the recovery codes in a safe spot.

    We should all know that putting something in a safe spot is the number one guaranteed way to lose it.


  • BINNED

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    How does this benefit me?!

    I'm not sure that I fully understand the thought process behind this: You're supposed to save the recovery codes in a safe spot. It even tells you so.

    You seem to confuse "convenience" for "security". Of course it's a PITA when you lose your device - it's a feature.

    You know what’s the best “security”? A computer that’s off. So I guess for security I should just delete the account. You (and github) seem to know better than me how much security I need for this?

    What did you think the "2" stands for?

    My guess would be “cargo cult”.

    The “feature” is that this increases my “security” from getting “hacked” by 0.0001%, but also increases the risk of losing access to my account by a lot.

    Look, this isn’t my bank account. It’s just a fucking personal GitHub. If I lost the whole thing, I … wouldn’t upload more stuff under that account? I guess? I’d still even have access to the public repos.

    The thought process is simple: previously, my password credentials were safe enough to authenticate me. And if I had ever lost it, I could recover it with my email. If I lost access to that, I’d have bigger problems than GitHub. (Coincidentally, see above, Gmail is trying hard to prevent me from signing in with all valid credentials, because for them the “2” stands for harvesting data. And if you read the OP, adding a random-ass “recovery” email that I didn’t register beforehand most definitely doesn’t add to security.)
    However, they’re now making it much more likely to shut me out. That is a net increase in risk.

    I’m not going to print this shit and put it in a bank safe. And buy/rent a bank safe first. And then start doing that for 50.000 other random-ass accounts that start doing that soon. It’s in my password manager, together with my password.



  • @topspin and yet if you were to create a personal access token, they would be able to authenticate you to do things, and that’s functionally 1FA.



  • @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.

    There's also a reason why they changed the default to "Enter a number" instead of "Yes or No" / "Press on the number you see on your PC's screen" - namely that some business clients had their passwords leaked through other means and then repeatedly got the 2FA notification (initiated by the hostile 3rd party). And some of them then press on "OK" instead of asking themselves: "Why am I getting this notification when I'm not actively trying to log in?"

    Which could also be fixed by QR scan on login.
    But not everything needs the same level of security. For some implementations, yes/no is perfectly adequate. Might be a good addition to have a third button for "This is fraudulent, reject logins from this device." to reduce login spam.



  • @topspin You're missing the bigger picture: Yes, it's a personal repo on Github. And we've never seen a malicious takeover of repos which then insert malicious code before, right? And we've also never seen personal repos / projects becoming the cornerstone for several other projects, right?



  • @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.

    There's also a reason why they changed the default to "Enter a number" instead of "Yes or No" / "Press on the number you see on your PC's screen" - namely that some business clients had their passwords leaked through other means and then repeatedly got the 2FA notification (initiated by the hostile 3rd party). And some of them then press on "OK" instead of asking themselves: "Why am I getting this notification when I'm not actively trying to log in?"

    Which could also be fixed by QR scan on login.
    But not everything needs the same level of security. For some implementations, yes/no is perfectly adequate. Might be a good addition to have a third button for "This is fraudulent, reject logins from this device." to reduce login spam.

    So, instead of typing in a number you now have to hold up your phone and scan a QR code? I don't see how this is more convenient. Would also be problematic if you're on a company's device which disables cameras.

    And yes, they added the 3rd button as well. The numbers thing is an option (the default one, mind, but a configurable setting regardless)



  • @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.

    There's also a reason why they changed the default to "Enter a number" instead of "Yes or No" / "Press on the number you see on your PC's screen" - namely that some business clients had their passwords leaked through other means and then repeatedly got the 2FA notification (initiated by the hostile 3rd party). And some of them then press on "OK" instead of asking themselves: "Why am I getting this notification when I'm not actively trying to log in?"

    Which could also be fixed by QR scan on login.
    But not everything needs the same level of security. For some implementations, yes/no is perfectly adequate. Might be a good addition to have a third button for "This is fraudulent, reject logins from this device." to reduce login spam.

    So, instead of typing in a number you now have to hold up your phone and scan a QR code? I don't see how this is more convenient. Would also be problematic if you're on a company's device which disables cameras.

    And yes, they added the 3rd button as well. The numbers thing is an option (the default one, mind, but a configurable setting regardless)

    It's more convenient because you don't have to type a number, so it removes the butter finger effect and is also more secure because the device has to be at the login site if the QR code is being rotated every couple of seconds, instead of the number being possible to forward to whomever. I've come across people sending the login number to a 3rd person a few times, and it's the same type of people that will just press "Yes" even if they did not initiate a login.
    And if it's a secure enough location that cameras are disabled, you should probably have a separate device for MFA, since a phone that can be compromised outside of the premises is a bad idea in that case.


  • BINNED

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @topspin You're missing the bigger picture: Yes, it's a personal repo on Github. And we've never seen a malicious takeover of repos which then insert malicious code before, right? And we've also never seen personal repos / projects becoming the cornerstone for several other projects, right?

    I could insert malicious code right now if I wanted to. Next.

    You’re missing this:

    not everything needs the same level of security.

    This certainly isn’t enough security for nuclear launch codes, so obviously we need at least two people to turn physical keys before I can access my GitHub account.

    It was secure before. Now it’s just as secure, but with a much higher risk of shutting me out. Permanently.



  • @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.

    There's also a reason why they changed the default to "Enter a number" instead of "Yes or No" / "Press on the number you see on your PC's screen" - namely that some business clients had their passwords leaked through other means and then repeatedly got the 2FA notification (initiated by the hostile 3rd party). And some of them then press on "OK" instead of asking themselves: "Why am I getting this notification when I'm not actively trying to log in?"

    Which could also be fixed by QR scan on login.
    But not everything needs the same level of security. For some implementations, yes/no is perfectly adequate. Might be a good addition to have a third button for "This is fraudulent, reject logins from this device." to reduce login spam.

    So, instead of typing in a number you now have to hold up your phone and scan a QR code? I don't see how this is more convenient. Would also be problematic if you're on a company's device which disables cameras.

    And yes, they added the 3rd button as well. The numbers thing is an option (the default one, mind, but a configurable setting regardless)

    It's more convenient because you don't have to type a number, so it removes the butter finger effect and is also more secure because the device has to be at the login site if the QR code is being rotated every couple of seconds, instead of the number being possible to forward to whomever. I've come across people sending the login number to a 3rd person a few times, and it's the same type of people that will just press "Yes" even if they did not initiate a login.
    And if it's a secure enough location that cameras are disabled, you should probably have a separate device for MFA, since a phone that can be compromised outside of the premises is a bad idea in that case.

    If you cannot type a mere two numbers correctly on a device then you have larger problems. Seriously, what is this argument?



  • @topspin Only if you do not fucking store your access codes in a secure location. Everyone should have backups in a secure location by default. Jesus Christ, I really do not get this whining and handwringing about basic backup strategies on this fucking site of all places.



  • @Rhywden the issue is that the storage of recovery codes without which permanent, irrevocable loss is possible, is unnecessarily difficult.


  • Banned

    @Arantor nothing is permanent if you whine at the customer service enough.



  • @Gustav official policy says no but in practice you’re probably right.



  • @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Gustav said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @dkf FWIW, MS's implementation of 2FA is very solid, both on server and client side. People just set it to be awful.

    There's also a reason why they changed the default to "Enter a number" instead of "Yes or No" / "Press on the number you see on your PC's screen" - namely that some business clients had their passwords leaked through other means and then repeatedly got the 2FA notification (initiated by the hostile 3rd party). And some of them then press on "OK" instead of asking themselves: "Why am I getting this notification when I'm not actively trying to log in?"

    Which could also be fixed by QR scan on login.
    But not everything needs the same level of security. For some implementations, yes/no is perfectly adequate. Might be a good addition to have a third button for "This is fraudulent, reject logins from this device." to reduce login spam.

    So, instead of typing in a number you now have to hold up your phone and scan a QR code? I don't see how this is more convenient. Would also be problematic if you're on a company's device which disables cameras.

    And yes, they added the 3rd button as well. The numbers thing is an option (the default one, mind, but a configurable setting regardless)

    It's more convenient because you don't have to type a number, so it removes the butter finger effect and is also more secure because the device has to be at the login site if the QR code is being rotated every couple of seconds, instead of the number being possible to forward to whomever. I've come across people sending the login number to a 3rd person a few times, and it's the same type of people that will just press "Yes" even if they did not initiate a login.
    And if it's a secure enough location that cameras are disabled, you should probably have a separate device for MFA, since a phone that can be compromised outside of the premises is a bad idea in that case.

    If you cannot type a mere two numbers correctly on a device then you have larger problems. Seriously, what is this argument?

    Every 2FA number challenge I've used has been 6 digits, I've never seen one use just 2 digits. Or did you mean you have a 2FA that actually has two numbers with several digits?

    And what argument is this uncalled for ad hominem?
    To me, it's less work to pick the phone up and open up the 2FA and scan a QR, than to pick the phone up, open the 2FA and read the number and then type the number in the login.


  • I survived the hour long Uno hand

    @Carnage said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    Every 2FA number challenge I've used has been 6 digits, I've never seen one use just 2 digits. Or did you mean you have a 2FA that actually has two numbers with several digits?

    The 2 digits is referring to the new approach for Microsoft Authenticator's push notification approval, where they require you to confirm the 2 digit number displayed to you on screen while accepting the notification (as an attempt to defend against MFA fatigue attacks)

    Which is kind of like trying to defend against the horse getting out of the barn by putting up another barn, but no doors on the barn. Maybe if we had a security paradigm that didn't necessitate MFA for every action we take, people wouldn't be beleaguered into pushing "shut up and go away already" when they got their thirteenth MFA prompt while trying to take a dump.
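    As an added illustration (not code from this thread, from Microsoft or from GitHub), here is a toy model of the two push-prompt styles @Rhywden and the post above describe: a plain yes/no approval, which a fatigued user can wave through for a login they never started, and number matching, where the authenticator must echo the two-digit number shown on the login screen, plus the "this wasn't me" button @Carnage suggested. The source labels, the 60-second prompt lifetime and the one-wrong-number rule are assumptions.

    ```python
    """Toy model of push-approval MFA, with and without number matching.

    Constructed illustration only; not any vendor's implementation.
    """
    from __future__ import annotations

    import secrets
    import time
    from dataclasses import dataclass


    @dataclass
    class LoginAttempt:
        session_id: str
        source: str           # device/address that started the login (assumed label)
        number: int           # two-digit number displayed on the login screen
        created: float
        state: str = "pending"  # pending | approved | denied | expired


    class PushMfaServer:
        """Server side of a push prompt sent to the user's authenticator app."""

        TTL_SECONDS = 60  # prompt lifetime (assumed value)

        def __init__(self, number_matching: bool):
            self.number_matching = number_matching
            self.attempts: dict[str, LoginAttempt] = {}
            self.blocked_sources: set[str] = set()

        def start_login(self, source: str) -> LoginAttempt | None:
            """Called once the password has already checked out. Returns the prompt
            the login screen displays, or None if the source was reported as fraud."""
            if source in self.blocked_sources:
                return None
            attempt = LoginAttempt(
                session_id=secrets.token_hex(8),
                source=source,
                number=secrets.randbelow(90) + 10,  # uniform in 10..99
                created=time.time(),
            )
            self.attempts[attempt.session_id] = attempt
            return attempt

        def respond(self, session_id: str, approve: bool,
                    entered: int | None = None, now: float | None = None) -> str:
            """Process the authenticator's answer; each prompt is answered once."""
            attempt = self.attempts[session_id]
            if attempt.state != "pending":
                return attempt.state
            now = time.time() if now is None else now
            if now - attempt.created > self.TTL_SECONDS:
                attempt.state = "expired"
            elif not approve:
                attempt.state = "denied"
            elif self.number_matching and entered != attempt.number:
                attempt.state = "denied"  # one wrong number ends the attempt (assumed)
            else:
                attempt.state = "approved"
            return attempt.state

        def report_fraud(self, session_id: str) -> None:
            """The 'this wasn't me' button: deny and stop prompting for that source."""
            attempt = self.attempts[session_id]
            attempt.state = "denied"
            self.blocked_sources.add(attempt.source)


    def legitimate_login(server: PushMfaServer, source: str = "own-laptop") -> str:
        """User starts the login, reads the number off their own screen, approves."""
        attempt = server.start_login(source)
        return server.respond(attempt.session_id, approve=True, entered=attempt.number)


    def attacker_initiated_prompt(server: PushMfaServer, victim_guess) -> str:
        """Someone holding only the password starts a login; the user, who has no
        login screen in front of them, taps Approve anyway (MFA fatigue).
        victim_guess(attempt) returns the number they type in number-matching mode."""
        attempt = server.start_login("unknown-source")
        entered = victim_guess(attempt) if server.number_matching else None
        return server.respond(attempt.session_id, approve=True, entered=entered)


    if __name__ == "__main__":
        # Blind approval passes with yes/no, fails with number matching.
        print("yes/no, blind approve:",
              attacker_initiated_prompt(PushMfaServer(False), lambda a: None))
        nm = PushMfaServer(True)
        # A guess that is always off by one from the real number.
        print("number matching, blind guess:",
              attacker_initiated_prompt(nm, lambda a: 10 + (a.number - 9) % 90))
        print("number matching, real login:", legitimate_login(nm))
    ```
    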


  • BINNED

    @Rhywden said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    Everyone should have backups in a secure location by default.

    You have your WTDWTF access codes printed on paper in your bank safe?
    That would explain a lot.

    Do you understand nuance? To within rounding error, nothing got more secure, but potential for failure got drastically increased.


  • BINNED

    @Arantor said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @Gustav official policy says no

    GitHub does not support any other means of account recovery, including social or ID verification, by members of GitHub’s staff. This policy is in place to protect your account from unauthorized access through social engineering.

    So I need to guard those recovery codes better than my passport, because that's not good enough.
    Makes perfect sense.


  • Discourse touched me in a no-no place

    @Arantor said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    @topspin and yet if you were to create a personal access token, they would be able to authenticate you to do things, and that’s functionally 1FA.

    They support that. Those expire periodically.



  • @topspin said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    I’m not going to print this shit and put it in a bank safe. And buy/rent a bank safe first. And then start doing that for 50.000 other random-ass accounts that start doing that soon. It’s in my password manager, together with my password.

    It doesn't need to go into a bank vault, just a drawer at home. That way, if your phone gets stolen by a bunch of bandits and a giant silver egret, you'll still have access to your account


  • I survived the hour long Uno hand

    @hungrier
    But when your phone gets destroyed in a fire while you're sleeping at night, your drawer is probably going to be in shambles. So now the codes need to be in your fire safe. Except for when it turns out that fire was a wildfire that destroyed the entire area where you live and now you can't get back to get your fire safe for days (and maybe not your safety deposit box either, depending on where your bank was).

    If you really have a public repository that's being used by others, maybe the increased security makes sense. But if you're just using it for a private project or with a few friends, where's the there there?


  • Discourse touched me in a no-no place

    @hungrier said in Who's worse, Google, Nintendo, or everyone else? A mixed rant.:

    That way, if your phone gets stolen by a bunch of bandits and a giant silver egret, you'll still have access to your account

    Nobody expects the Spanish Inquisition giant silver egret!

