I hate, hate, hate two-factor verification

Well, I get asked all the time. I just tried logging into iCloud to check and it made me log in from scratch, showed me a little map of where my login attempt was coming from, asked me to click “verify” on it, then sent me a 6-digit passcode to use as two-factor authorization.

This is after I have constantly clicked on “trust this browser” after confirming my login details. It’s been this way for years. Seems after a little while of not logging into iCloud (I normally only log in to find my phone or my kids’ iPad, but that’s once every two weeks, maybe), I can’t just stay logged in or have it remember this device and browser so I don’t have to jump through a bunch of hoops to get in.

I haven’t visited iCloud via a browser in a long time, so I just tried it. Safari asked if I wanted to log in with Touch ID, I said yes, and was immediately logged in, with no 2FA required.

They could set it up better! Ours is predicated on the device. Once you sign in with 2-step on your district device and accept the query on your phone, you never have to do it again for that device. If you go home and decide to log in with your desktop/laptop/whatever, you are asked once and, if the query is accepted, you are never asked again for that device, either.

The logic is predicated on the fact that, even if you are hacked, the hacker does not have YOUR approved device, so a query would have to be made and, unless the user is a complete idiot, would subsequently be rejected and a report made by the user. The only way to defeat that would be for a hacker to hack your account, figure out who you are, stalk you, and mug you for your device. I have a feeling we’d be bright enough to disable the login for that device within 60 seconds of that highly unlikely possibility. LOL

Much of what I’m reading here is, not to be indelicate, complete bullshit.

There’s 2FA and there’s 2FA…

The cheap-and-dirty “send an SMS to a device” 2FA is not very secure, and can be defeated by SIM cloning. The much better, but not nearly as well supported 2FA requires an app to generate a time-stamped passcode. This is much harder to defeat, since the app’s passcode seed is tied to the device - just cloning the SIM to another phone won’t work.

Apple supports this in iOS, without requiring a separate app, but the steps required to get the passcode are not very user-friendly.

My desktop does not have touchID. Of the six Macs I have, only the laptop bought last year does.

I’ll have to check on my older machine…

OK, I just tried it on my ancient 2011 MacBook Pro running High Sierra.
I went to iCloud.com using Safari. My Apple ID and password were auto-filled by Safari, Apple sent a code to that machine, which I had to type in, and that was that.

Before there was the phone, we used to have to carry these little fobs around with an LCD that would randomly generate a new 6-digit code every 60 seconds. Then, when you logged in, you were prompted for that code.

I am thrilled that I can just use DUO now. Yes, I have to pay more attention to my phone. But holy fuck, it’s a $1000 piece of hardware. You better believe I pay attention to it. I dropped it once and broke the screen, which was awful and I had to do an expensive same-day repair. It’s in a much more secure case with a screen protector now.

Phones and stupid people are the reason for 2FA. Instead of following best practices for passwords (don’t re-use, make them complicated and long) people opted for being lazy because it’s hard to memorize and type complex passwords on a phone.

I am beyond annoyed that my bank will only use text messaging for 2FA which is the most insecure form of it. I have an authenticator app (I use Authy) that I use for 2FA - where I can place my 2FA for things like Reddit and Twitter, but my massive bank can’t be bothered, smh.

I love 2FA. It provides an additional layer of security and I don’t have to worry about someone figuring out my password and then getting in.

I also had to click an “allow” along the way, but what’s the freaking point of having a “trust this browser” option if I have to go through this circus every time? (Or it resets after a period of time.) I just want to be logged in with the auto-fill.

I heartily endorse this pitting

This is what is happening. People are being watched to see what their passcode is, then their phone snatched. In about 2-3 minutes their Apple ID has been changed (as all you need is your passcode) and they are locked out of their device + the thief has access to all passwords saved to the device, typically clearing out their accounts.

OK, I get it; it’s like automobile immobilizers keeping away “casual” car thieves.

I still find it annoying that it (seemingly) has to be done through a cell phone, though. But presumably most 2-factor methods must have a backup method to use when the phone itself is lost, yes?

Who enters a passcode on an iPhone these days?

While it is reduced, it is still needed at times.

Wow. I completely forgot all about those!

I use my passcode almost every day when the Face ID doesn’t quite recognize me or is taking too long. That’s only like 10% of the time, but I find I use my passcode quite a bit.

I do it every time my wife asks me to take a picture of her (with her iPhone).

I bank with a bank that still does that (Rabobank). I have a physical device that I have to enter my code and then a number and then put the code in. I bank with another bank (HSBC), who’ve recently moved to the same system (after using a physical device) but on your phone, so I open the app on my phone and it has the code to input. Better than having a physical device, but it still sucks.

I’ve never had any particular issues with iCloud and have only just purchased a keyboard with fingerprint technology.

My employer’s setup is pretty good to be honest. It uses Microsoft and I only seem to have to use the authenticator app once per device.

This is because your password is only protecting the few thousand dollars that you have in your account (could be more, could be less, but it’s probably small cheese comparatively speaking) and the bank doesn’t particularly care about it. I bet the bank’s own corporate security is much more involved.

I’m still bitter that we now have to dial an area code when making a local phone call.

mmm