171
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 27 Sep 2023
171 points (94.8% liked)
Technology
34438 readers
190 users here now
This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.
Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.
Rules:
1: All Lemmy rules apply
2: Do not post low effort posts
3: NEVER post naziped*gore stuff
4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.
5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)
6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist
7: crypto related posts, unless essential, are disallowed
founded 5 years ago
MODERATORS
Simple answer. Our users complained about downloading an app to login to the app they just downloaded.
Users don’t care. They don’t want to download yet another app just to login. They want to use what they already have, like sms or email.
you only need one totp app.... people baffle me.
Most people simply don't get the point. They don't understand, let alone care about, digital privacy and security.
Anecdotal evidence: I have a short Gmail address (think billg@gmail.com), and a lot of smartasses use it to subscribe to everything, mostly as a throwaway but also on e-commerce sites, fintech bullshit with access to their bank accounts, ...
Once I got curious and reset the password, logged in and the moron had already filled in all his personal info, including his credit card. Another time I sent an SMS to the guy asking him to stop, he replied "it's my address, my nephew set it up for me, I guess we just have the same one".
These guys would never take 10 minutes to set up a 2FA app.
Similar happened to me. I've had a Gmail since the beta days and a fairly common name. I get sensitive documents sent to me, random order confirmation, even a flight confirmation that I signed into to try to find his phone number so I could text him. I'll admit I wanted so badly to cancel his flight. But I didn't. Texted him and told him he needs to reset his pwd. Just so careless.
people are even dumber than I realized holy shit. I knew people weren't willing to go far for security measures but this is actually much worse than I would have guessed.
laziness, ignorance, or privilege? I'm unsure which of the three causes this. I find it hard to believe it's ignorance because online scams and hacks are very well known and I've always hated "laziness" as a concept.
Unless you get a fidelity account. Then you need one totp app for all your other accounts and symmantec VIP proprietary shit for fidelity. Text book example of how not to implement 2fa
You can actually import the Symantec key into your TOTP of choice, it just takes some extra effort. Or you can just buy a TOTP hardware key, which is what I ended up doing (throw it in the keychain and I'm set).
I did do this. Took me forever cause there were no directions for how to do it on windows. I figured it out eventually. I'm also kinda worried whoever created it could see my totp secret key.
You can use hardware keys with fidelity? Like yubico?
No, there's a Symentec OTP fob that just generates tokens when you push a button. So something like this (I bought this one).
You'll need to replace it when the battery dies, but I like that it's not tied to my phone like the Symantec app is.
Oh. No thank you. I'm trying to stay away from symmantec.
And you should be using a password manager anyway, which can generate the token. Granted, it's probably bad practice, since it defeats the two factor aspect.
Perfect security gets in the way of improved security. The best practice is a middle ground of security and convience. At least it depends on the threat level anyways.
Then at least make it an option. Just because someone's grandma doesn't want to use TOTP or any other reasonable 2FA doesn't mean nobody else does.
We do. Our users can configure sms email or totp.
Funny you mention grandmas. Our user base is highly educated and the majority fall in the 30-50 year old range.
Sadly that's true. I'm in that range and most of my friends use the same password for almost everything. Also nobody does backups.
Damnit, trying to convince people to use a password manager at all is like pulling teeth....
Stop setting every service you use to the same hunter2 password Frank! You get "hacked" because you can't remember anything more complex, so use a fucking password manager already you Putz.