Authentication for my work email: Enter 28 character password, receive sms, enter message, log in
Authentication for my Battle.net account:
-Enter email made before 2000 because they don’t let you change email
-Enter password
-Get rejected
-Solve CAPTCHA
-Try backup passwords, get rejected
-Request new password
-Send request to 24 year old email
-Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email
-Open newer email, Authenticate older email
-open old email, Put in code to battle.net
-Battle.net requests Authenticator code from Battle.net app
-Open battle.net app (no requests)
-Try manual code, doesn’t work
- Realize Battle.net app Authenticator not connected
-Try to connect Battle.net app Authenticator to account
-Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator
-Close Battle.net app
-Open Blizzard Authenticator
-Close warning that this app got depreciated in January
-Enter manual code
-it works
-Attempt to change password to password I first attempted
-Won’t let me use same password
-Try logging in using that password
-Still doesn’t work - Solve one more CAPTCHA
-Change password to backup password and back to original password - have to solve 2 more Captchas
-Finally works
-Log in
NIST has been saying since 2016 not to use SMS for MFA. It’s always been horribly insecure.
I hate forced 2FA that you can’t disable anyway. I don’t want to waste time waiting for an insecure text, I don’t want to input an unencrypted code you sent to my email, I don’t want to click your damn notification that runs through Play Services, and no I’m not enrolling in passwordless auth. I don’t need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.
Always has been
The end of an era.
Or actually, probably not until we redo whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn’t be using a 45 year old system for almost all communications.
In their defense, they JUST applied an update in March 1993, so they’re knocking on the doors of cutting edge technology updates -_-
Edit: added link
Use Telegram.
Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)
I guarantee you that is the opposite of a solution, old man encryption is very easily hacked by other old men for spoofing, redirecting, or listening.
if you count whiskey and cigars as hacking
Since when was sms ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient’s carrier both have the opportunity to intercept messages.
I mean that’s the message content, not the authentication, but still, sms is the opposite of secure, always has been.
'nuf said
Thank god, give me my HMAC hash please.
Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.
of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas
I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.
It was the simplest/cheapest form of 2FA to implement. Grandma will never understand how to setup TOTP.
Capitalism requires regulations, otherwise it will ALWAYS do what is cheapest or most profitable, regardless of how dangerous or destructive.
I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.
I coulda told you that for free. And sooner
