If it’s a newer device, it has a Trusted Platform Module (TPM). As MFA can be something you have, something you know, or something you are, the TPM+fingerprint counts as two factors.
Yes, this is a problem with iCloud in a browser, as opposed to using the Mac apps (Photos, Calendar, Notes, etc) directly. The damned browser authentication resets all the damned time (“trust this browser”) and you have to have your browser plus an Apple device to authenticate it. It sucks. I run into this because my main desktop machine is Windows, so the only way to get to my phone apps on desktop is via the browser.
My company makes those. The market has moved away from physical to virtual tokens, mine is on my phone. Some companies still use physical tokens for hardened applications, but the same technology exists in virtual space.
I find it inconvenient, because I am not joined-at-the-hip to my phone, but I view it as a necessary evil. Maybe someday they’ll replace numeric codes with iris scans. Not sure I would like that, either.
Facial or fingerprint scans are already in use.
2FA is nearly security theater. Depending on the type of messaging used, the security level runs from “not as good as it should be” to nonexistent.
A family member couldn’t transfer their old phone number to their new phone for … reasons. Got locked out of their Google account and a bunch of other things. Took a week to get it somewhat straightened out.
2FA is a really poorly thought out idea.
No, 2FA is an excellent idea. Certain implementations of 2FA suck.
Good 2FA (or more properly Multi-Factor Authentication or MFA) is proven to reduce the likelihood of being compromised by a factor of 100 for a targeted account e.g. a high-value hack. It probably protects the average Joe by x1000.
Microsoft Authenticator on my phone requires number matching on a push alert AND a biometric. Takes about 5 seconds starting with my phone in my pocket.
How long does it take without your phone?
There are alternate verification methods, but the normal answer is you can’t.
I own an IT consulting firm focusing on cloud solutions. My credentials can access hospitals, customs brokers, manufacturers, and banks. I’d be uninsurable if I didn’t use MFA.
Many sites that require MFA will allow you to set up multiple factors. I have 10 on my personal Office 365 account (I like testing stuff). For Google I can use any device that is already signed into the Google app - I can even use my digital audio player.
While some of the issues with MFA are due to poor implementation (see below), much of it is due to people just being pretty whiny.
*A site that I need to log into for one of our clients requires MFA, but only allows Okta authenticator and SMS (it did at least allow 2 separate factors). The thing is, there is no way to change it once it is set up. It also requires me to authenticate twice, for some reason. Then again, the software is also pretty crap, so I should not expect more.
This. One example that comes to mind: the bank where I have one of my credit cards has the login set up with the standard “name and password”, immediately followed by “password (again) and code texted to your phone”. I’m not sure what purpose requiring people to type their password twice serves, except to train people to use shorter and simpler (and thus less secure) passwords…
A few months back I bought a couple of Yubikeys, all excited about switching from the terrible SMS-based 2FA to using something much more secure.
Then I discovered that none of the financial institutions I deal with support them. They don’t even provide a code-generation token, like every other business online.
At least I know my email account is secured by the Yubikey, and that’s a pretty important one to lock down. I also locked down my password safe; I can’t log into it on a new device without the key.
I also hate it. B/c I don’t always want to keep my damn phone on me.
I was a systems administrator for about 10 years, and spent another 10 years programming. I had to administer security for our systems. I judged by the audience what to apply. If it was receptionists answering phones and publishing the university blog page, I expressly did not enforce large complex passwords that had to be changed every month. Why? Because if you did that, they would write their password on a post-it note and stick it to their monitor.
In the hands of an intelligent administrator who addresses his audience and use case, security will be good. But the individual employee is becoming more and more rare, because why pay a person when you don’t have to! Bad security isn’t about security these days. HTTPS encryption/decryption protocols being deprecated was not about security. It was about Apple and Microsoft deprecating the browser you were using, so then they could force you to buy a new computer when you find the latest operating system does not work on your computer…
Actually, it would work, but they have written in the install program NOT to install the software on an old computer.
I know this is a response to an ancient thread, but more anciently, my parents made me memorise our phone number when I was about 4 or 5.
3915
That’s it. I don’t know the area code, I assume my parents never thought that I might wander far enough to need one.
2FA is really standard in my field, web software development. We use a variety of “auth” phone apps; it becomes very seamless once one gets used to it.
Now