Technology
This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.
Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.
Rules:
1: All Lemmy rules apply
2: Do not post low effort posts
3: NEVER post naziped*gore stuff
4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.
5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)
6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist
7: crypto related posts, unless essential, are disallowed
Yep, should be standard everywhere
..... for accounts you actually give a shit about
emphasis on the
… for accounts you actually give a shit about
And not the twitch way, where you have to have in an identifier, your phone number, but using proper, standards ways for it, like TOTP and such
twitch has TOTP
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
I don't like how a lot of things require their own custom app, especially when there's no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
Use a password manager that lets you autofill 2fa, like Bitwarden.
That's bad advice
No offense to companies but I'm honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a "bad phone number". This happened on discord where I'm locked out of certain servers because I can't do phone verification, and I can't do it because discord doesn't like my phone number. Twitter was the same way for a long while (couldn't do 2fa/phone verification due to them not liking my number).
From the article it sounds like they're doing authenticator app or sms. I'm guessing sms won't work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft.... no google?
Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we're gonna have to have 30 different authenticator apps on our phone?
Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?
you... don't?
Both of these implement exactly the same protocol (TOTP). Used authy for all my ~~Top Of The Pops~~ Time-based one-time password needs exclusively, before moving everything to bitwarden
Anyone who claims they're doing OTPs over SMS for "security" ia lying to you. Discord wants your phone number; it has nothing to do with your security
there's quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
I personally am afraid of this. What if something gets botched? I'll be permanently locked out of my account!
I'd prefer me getting permanently locked out over someone who isnt me getting allowed in. Even more so to services which have my credit card number.
But unlikely anyway, as long as I save my pass and 2fa to a password manager, and keep the backup codes backed up.
Print off your recovery codes and keep them safe. If you want to be extra, hammer them into metal plates like the crypto weirdos do.
Printing recovery codes would require me to either be price gouged by the printer ink cartel or use someone else's printer, and using someone else's printer is begging to get my account stolen.
I have no idea how to hammer things into metal plates, but I'm guessing that's even more expensive than printer ink.
Just use your pen and paper.
I can do that with alphanumeric codes, yeah, but can I get alphanumeric codes from GitHub, or is it going to be a QR code? I can't write down a QR code…
QR codes are just an encoding. Just use any half-competent QR code app, and it will give you it's content, which you can then write down. For the reverse you can use any QR code generator.
How do I feed the generated QR code back to GitHub, then? Can I upload an image of it?
Have you ever used any website with 2FA? You don't need to upload QR codes.
I've only used SMS and Steam 2FA so far. I've been avoiding 2FA as much as I can.
Okay, so generally the way it works is you have some app (e.g. Google Authenticator, 1password, Aegis, Bit warden -- anything that supports TOTP). When you enable 2FA for a site, it'll give you a QR code. You scan that with your app and then the app gives you a six digit code that changes every 30 seconds.
The QR code is really just an easy way to get a long string of characters into your app, though, and if the QR code doesn't work there should be an option to see the raw code and manually enter it.
You enter that code in once to confirm that you have actually set up the 2FA. Then it will show you a list of recovery codes. It'll only show you these once; it doesn't store them anywhere. You need to note them down in whatever way suits you best (I print mine; you could also just write them down). You cannot see these again. The best you can do, if you still have access to your account, is generate new ones (probably by disabling and re-enabling 2FA)
Now, whenever you login, you'll be asked for your authenticator code (much like an SMS). You just open whatever app you used and enter in whatever code it's currently showing (remember it's time based).
If your authenticator app gets messed up somehow, you can recover it using your recovery codes.
Good, people are fucking stupid and if it effects others it's often better to choose the security for them!
Yup. I'm actually a bit baffled by how much negativity/misinformation there's around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
Well negativity is there because every app wants it.
I don't care if account x is compronised, as it has absolutly no value
2fa should be mandatory everywhere
Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.
Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.