Comments
-
I think it should be an option everywhere.
Emphasis on “option”, forcing the user to do it shouldn't really be done except for maybe the really critical things (healthcare accounts, bank account, etc.) -
Most annoying is forced 2FA for stuff you really don't feel the security need for. Does a game launcher really need it? I don't think so. Do social network accounts of non-celebrities need it? - probably not. Banks are now forced to do it in some jurisdictions and that might actually be justified (or not - don't know how many account break-ins there actually are).
At the end, 2FA most often just is the bad pickup line of the web: A silly attempt to get your phone number.
And in most other cases it is implemented to check a mark on a security theater checklist. -
nitnip: @Oktokolo A game launcher like steam you mean? Most steam accounts had money poured into them over the years. Not a small amount. Also, if you're a user that cares about that stuff, any achievements you unlocked, content you created and such would be lost if your account gets stolen.
Steam auth is a pain, but it's a necessary pain. An obscure forum you'll only use once per year on the other hand... yeah, I don't like 2FA to be forced on that. -
PGP or a very long randomly generated password should definitely be an acceptable alternative. Pulling my passwords out of a password manager is acceptable overhead and so is entering a 2FA code, but not both. If I have to get my phone, wait for an SMS and copy a code, I'll use a password I can remember and completely disregard security, because the expected cost of a password leak is close to zero.
-
@nitnip steam already delays game transfers for some weeks. That surely should be enough to prevent actual theft happening. They also can just undo whatever is done to an account as there is no actual movement of physical stuff. I mean: Just roll back the changes done after the account got "hacked".
And for us password manager users, that 2FA really doesn't add any security. I am of the strong opinion, that they introduced forced 2FA to be able to axe their customer care department - because they want more of that 30% of all sales to be pure profit...
2FA really should be optional in almost all cases. I don't mind being asked whether I want to turn it on once in a while. But it shouldn't be forced. -
I find it infuriating when I need to access some client accounts as part of my work and I get a retarded "lol 2fa input code sent by sms/mail" prompt, that was sent to my client on the other side of the world who is sleeping.
Also, if anyone has any suggestion for some sort of "shared 2fa" for these situations, I'm all ears. 🙂 -
@lorentz
Yes, it's easier when it's available over email, but that's not always offered. Sometimes it's sms only.
As somebody who works in the industry, 2FA is a great idea, we need to do it more.
As a user, fuck 2FA, I ain't have time for that shit, if you make me type my screen lock once again I will throw my computer out of the window.