(Slate) Multifactor authentication isn't as good as it used to be. Your verification code is: NOSH*T (slate.com)
1176 clicks; posted to STEM on 23 Feb 2022 at 3:50 AM



19 Comments
 
2022-02-23 12:51:29 AM  
Oh, good I need another app on my phone that links to private double-secret super hush-hush personal data saved on some third party cloud just so I can verify the Gmail address on my bank account login.
 
2022-02-23 1:05:02 AM  
Man in the middle attacks are harder when MFA is involved, so you have to cast a wider net to catch as many little phishies.
 
2022-02-23 4:10:05 AM  
The article missed the incredibly obvious explanation for the apparent huge decrease in effectiveness:

The 2019 dataset was based off of people conscious enough to know what 2FA is and opt in.

The 2022 dataset includes a much larger number who were dropped in because omg it's long past time people.

It's like comparing the Internet pre- and post-September That Never Ended.
 
2022-02-23 4:36:40 AM  
Would also help if everyone killed off SMS 2FA already. Many have, and then there's cases like PayPal and more than a few banks that don't even let you disable it after you've set up some rolling code whatsadoodle.
 
2022-02-23 6:13:45 AM  
It's not clear how exactly Google selected who would be automatically enrolled in the program, but at the very least it had to be users who had provided Google with a phone number, so it can't have been a randomly selected sample.

It was actually just Google incorporating an MFA function into their Gmail iOS email client in my case.  Pretty good idea but I also can't understand the less than impressive 50% reduction this change brings:

From the link in TFA https://blog.google/technology/safety-security/reducing-account-hijacking/

Last year, we accelerated our journey to eliminating password threats by starting to auto-enroll users in 2-Step Verification (2SV), giving people an extra layer of protection when cyber criminals try to hack into their accounts, by requiring a second form of verification beyond the password. Since last year's initiative, we've successfully auto-enabled 2SV for over 150 million people, and we've also required it for over 2 million of our YouTube creators. As a result of this effort, we have seen a 50% decrease in accounts being compromised among those users.
 
2022-02-23 7:52:08 AM  

American Decency Association: It's not clear how exactly Google selected who would be automatically enrolled in the program, but at the very least it had to be users who had provided Google with a phone number, so it can't have been a randomly selected sample.

It was actually just Google incorporating an MFA function into their Gmail iOS email client in my case.  Pretty good idea but I also can't understand the less than impressive 50% reduction this change brings:

From the link in TFA https://blog.google/technology/safety-security/reducing-account-hijacking/

Last year, we accelerated our journey to eliminating password threats by starting to auto-enroll users in 2-Step Verification (2SV), giving people an extra layer of protection when cyber criminals try to hack into their accounts, by requiring a second form of verification beyond the password. Since last year's initiative, we've successfully auto-enabled 2SV for over 150 million people, and we've also required it for over 2 million of our YouTube creators. As a result of this effort, we have seen a 50% decrease in accounts being compromised among those users.


I wonder if with the authentication through the app, that hackers attempted to get into peoples' accounts, people got a pop up notification on their phone asking to grant access, and they just clicked "yes" without thinking about what was going on. In other words, authenticating through the app makes it easier to accidentally let someone in.
 
2022-02-23 7:56:56 AM  
The article appears to be alarmist a bit. It's not explicitly said, but it looks like they're mostly looking at SMS based MFA, not the security tokens.
 
2022-02-23 8:09:03 AM  

felching pen: Oh, good I need another app on my phone that links to private double-secret super hush-hush personal data saved on some third party cloud just so I can verify the Gmail address on my bank account login.


There is this thing called a U2F key. They are affordable and work very well. We should all be demanding that our banks implement them.

After banks eat enough money stolen from accounts because SMS text messages are insecure, they will learn. Well, maybe. Learning in America isn't going so well at the moment.
 
2022-02-23 8:37:55 AM  
thornhill: ...

I wonder if with the authentication through the app, that hackers attempted to get into peoples' accounts, people got a pop up notification on their phone asking to grant access, and they just clicked "yes" without thinking about what was going on. In other words, authenticating through the app makes it easier to accidentally let someone in.

That's actually a very interesting idea.  People who install an MFA app and understand its use can still fall prey to that mistake.  Add that functionality unannounced to some other app, well users have much more of a chance farking up.
 
2022-02-23 8:40:12 AM  
SMS is a very bad form of two factor authentication. It barely qualifies at all.
 
2022-02-23 9:12:37 AM  

American Decency Association: thornhill: ...

I wonder if with the authentication through the app, that hackers attempted to get into peoples' accounts, people got a pop up notification on their phone asking to grant access, and they just clicked "yes" without thinking about what was going on. In other words, authenticating through the app makes it easier to accidentally let someone in.

That's actually a very interesting idea.  People who install an MFA app and understand its use can still fall prey to that mistake.  Add that functionality unannounced to some other app, well users have much more of a chance farking up.


When designing anything related to computer security and someone says "let's make it easier for users" what they'll actually accomplish is making it easier for users and attackers.
 
db2
2022-02-23 9:38:04 AM  
I hate MFA so much. I get why it's important and why it exists, but I hate it.
 
2022-02-23 9:54:58 AM  

erik-k: The article missed the incredibly obvious explanation for the apparent huge decrease in effectiveness:

The 2019 dataset was based off of people conscious enough to know what 2FA is and opt in.

The 2022 dataset includes a much larger number who were dropped in because omg it's long past time people.

It's like comparing the Internet pre- and post-September That Never Ended.


The article devotes an entire paragraph to this.
 
2022-02-23 10:24:58 AM  

Michael J Faux: erik-k: The article missed the incredibly obvious explanation for the apparent huge decrease in effectiveness:

The 2019 dataset was based off of people conscious enough to know what 2FA is and opt in.

The 2022 dataset includes a much larger number who were dropped in because omg it's long past time people.

It's like comparing the Internet pre- and post-September That Never Ended.

The article devotes an entire paragraph to this.


And yet their conclusions are completely wrong. 2FA could provide the world's greatest security but no matter what you do with some users they'll gladly make themselves as vulnerable to attack as an orphaned two day old puppy.
 
2022-02-23 11:07:49 AM  
SMS 2-factor is worse than useless. Anyone can see anyone else's SMSes.

I've been by my phone carrier plenty of times to swap phones and they don't ask for a password or ID or anything, even though they're *legally required to* here. I can simply walk in with a phone and walk out with a SIM card with your phone number on it.

Which is moot because I can enter any phone number in the US/Canada system online and start getting their text messages, because none of the text-to-email companies bother to do any checking whatsoever, even though they're also technically legally required to.

Which is all moot because I can spoof a return phone number in a signal to a tower with the right equipment, and just have my phone claim to be that phone number.

It still absolutely blows my mind that banks and such somehow think a text message is Two Factor authentication. The SMS system is, quite frankly, not a secure protocol.
 
2022-02-23 11:09:45 AM  

Sim Tree: SMS 2-factor is worse than useless. Anyone can see anyone else's SMSes.

I've been by my phone carrier plenty of times to swap phones and they don't ask for a password or ID or anything, even though they're *legally required to* here. I can simply walk in with a phone and walk out with a SIM card with your phone number on it.

Which is moot because I can enter any phone number in the US/Canada system online and start getting their text messages, because none of the text-to-email companies bother to do any checking whatsoever, even though they're also technically legally required to.

Which is all moot because I can spoof a return phone number in a signal to a tower with the right equipment, and just have my phone claim to be that phone number.

It still absolutely blows my mind that banks and such somehow think a text message is Two Factor authentication. The SMS system is, quite frankly, not a secure protocol.


Username checks out.
 
2022-02-23 4:00:14 PM  
My favorite are phone apps attempting to do 2FA by... texting my phone.

That said, unless we're going to start passing out those dongles with codes that change every 60 seconds for basically each of our 100 or so active online accounts, 2FA/MFA that actually accomplishes anything is harder to do than it sounds, because the other factors have to be something secure enough that they actually work, but easy enough that people are willing to deal with the hassle. People will probably be fine with something like the dongle for say... their bank account, but you're not going to do it for some random webgame or something.
 
2022-02-23 7:55:45 PM  
The dongles that change codes are just passwords with some math.  As is the google authenticator.  Still better than hunter2.
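The "passwords with some math" that the comment above refers to is the HOTP/TOTP scheme (RFC 4226 / RFC 6238) used by hardware code dongles and by authenticator apps. The following is an added example, not code from the thread or from any product it mentions: both sides hold the same shared secret, the server and the device each compute an HMAC-SHA1 over the current 30-second time slot, and the six-digit code is a truncation of that MAC. The verification routine and the Base32 helper are this example's own; the test vectors come from the two RFCs.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F              # low nibble of the last byte picks the window
    binary = (
        (digest[offset] & 0x7F) << 24       # mask the sign bit, take 31 bits
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the Unix time divided by the step."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, for_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check (example design, not from the page): accept the current slot
    plus `window` slots either side to absorb clock drift, and compare in constant time
    so the comparison itself leaks nothing about the expected code."""
    counter = for_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, len(submitted)), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret Base32-encoded (otpauth:// URIs);
    this re-pads and decodes it to the raw key bytes."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # The RFC 4226 / 6238 reference secret, used here only as a known test key.
    rfc_secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(rfc_secret, 0))        # RFC 4226 vector: 755224
    print("TOTP at t=59:  ", totp(rfc_secret, 59))       # RFC 6238 vector: 287082
    print("verify at t=89:", verify_totp(rfc_secret, "287082", 89))
```

The point the example makes concrete: the server must keep the shared secret in recoverable form (it cannot be one-way hashed like a password, because the server has to run the same HMAC), so a breach of the server-side store exposes every enrolled user's second factor, and a code that an attacker obtains within its 30-second slot is accepted just like the real one. That is the gap the U2F keys mentioned earlier in the thread close, since their response is bound to the site origin rather than being a number a person can be talked into typing elsewhere.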
 
2022-02-24 5:29:06 AM  

DON.MAC: The dongles that change codes are just passwords with some math.  As is the google authenticator.  Still better than *******.


At least Fark auto-censors your password so that only you can see it.
 
Displayed 19 of 19 comments

This thread is closed to new comments.