I personally am fine with this.
Yep, should be standard everywhere
Just FYI, your account shows up as a bot. You should change it in your account settings.
If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.
The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.
The use of a “secure enclave” for any purpose is a bug at best, because secure enclaves aren’t just secure against your adversaries; they’re also secure against you. This is intolerable. All machines must obey their owner, and “secure enclaves” by design don’t.
And not the twitch way, where you have to have in an identifier, your phone number, but using proper, standards ways for it, like TOTP and such
As the other commenter said, only if you give them your phone number, and only through that garbage authy that does not use standard TOTP, but some proprietary crap, specifically made for twitch.
And if you give them a phone number, which another user will also try to use in the future, then the secret used for TOTP can change in any moment, which means if you exported the secret to e.g. Aegis and deleted that tracking filled garbage that is named authy, at one point the codes just won’t work anymore, and you’re practically locked out. Apparently support should be able to help, but they don’t give a single fuck.
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
I like the app setup rather than shoving everything into a browser. But I’m not a fan of this 2fa stuff. I get the point is security, but let me decide which app/method to use, and whether I want to use it at all. Otherwise it’s just annoying.
I’m absolutely a fan of choosing which method to use, and also a fan of requiring choosing one. I prefer Google Authenticator-style 2FA (I use Aegis, but there are plenty of options), and I get annoyed when I need something else (e.g. Fidelity only offers Symantec, Steam only offers Steam Guard, etc).
1password does this, too and it’s magical. I’ve had my SMS go to my browser via Google Messages for a while, but it’s so much easier to just auto-fill it instead of copy/paste
Allowing a smartphone access to anything sensitive is even worse advice. Smartphones are notoriously insecure.
This! Authy is very very nice. Syncing accounts is a life saver, both as backup, and not having to pick up the phone all the time.
Cut and pasting with a click instead of reading and typing, is so much faster.
Easily search the very long list of entries.
Not open source tho, but free as in beer.
If Aegis had the sync option, i would have used that. But it did not last time i checked.
…through a third-party cloud server that you have no good reason to trust. No bueno. Keep sensitive information off the cloud unless you want it to become public.
yup, that’s the tradeoff, this or reaching for your procrastinating device, but yeah, maybe Bitwarden could be better alternative, now i’m too lazy to migrate + it’s paid
how would they track you?
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”
At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2 years weeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.
Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!
Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
I dislike MFA because it creates a risk of losing access to my account. I can back up my passwords; I can’t back up a hardware device.
Normally you get a handful of recovery codes when you set up 2FA. If not, you can just create a backup of the QR-Code or secret when setting up 2FA and store it in a safe location. And even if all that fails there’s usually a way to recover an account by going through support.
Although I wouldn’t recommend it, there’s also 2FA apps out there that have cloud-sync.
A hardware device is a physical key. Its no different than backing up your home key. Get two keys and copy them. Keep one on you, and the other in a safe somewhere in case you lose the first.
No offense to companies but I’m honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a “bad phone number”. This happened on discord where I’m locked out of certain servers because I can’t do phone verification, and I can’t do it because discord doesn’t like my phone number. Twitter was the same way for a long while (couldn’t do 2fa/phone verification due to them not liking my number).
From the article it sounds like they’re doing authenticator app or sms. I’m guessing sms won’t work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft… no google?
Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we’re gonna have to have 30 different authenticator apps on our phone?
Google Auth works just fine. The standard for app generated 2FA is, well, standard. They’re only listing a non-complete list of options for people that don’t know what an authenticator app is and need to get one for the first time.
Mostly. The 6 digit standard ones that you see almost everywhere are standard TOTP codes and most apps work for them. There are some proprietary things out there too but you typically see those with a matching app from the same company. Those are far less common though so for practical reasons you can assume they are all interchangeable.
Those values are computed separately what the app is really storing is just the input values which are then combines with the current time to create the 6 digit code. That means that keeping that input value (seed) safe is a big deal, and how and where that is done is one of the major differentiators between the various options.
The google auth which transmits your totp code in plaintext to there servers?
Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?
you… don’t?
Both of these implement exactly the same protocol (TOTP). Used authy for all my Top Of The Pops Time-based one-time password needs exclusively, before moving everything to bitwarden
Well the good news for you is that a website specifying one or the other is nothing more than marketing from that app maker! So long as there is a QR code (or a long random-ish string), you can use any authenticator app that supports that website’s 2FA algorithms!
That last bit is important because I think Lemmy had a non-standard 2FA algorithm (SHA-256?) that wouldn’t work with Google Authenticator.
Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.
which ones are that? I’d love to check, because afaik, they have a feature that enables push-2fa via authy, but should generally work on other apps as well
Anyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security
there’s quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.
BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.
Eh, it’s a little more nuanced than that, there’re more standards for MFA code generation than just TOTP.
And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard’s Battle.net MFA is a good example of that.
If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn’t automatically assume that it’s going to work.