Search - "2fa"
-
!dev
A year or so ago (or more...?), Facebook started with text based 2FA. They promised not to use the phone numbers for anything else than the extra security.
I immediately said that they'd probs do that anyways and got into a few fights and people started calling me paranoid yet again.
Guess what was revealed a few days ago .____.
I don't even want to be right in these kinda cases :/
-
When you wake up, notice your phone fell off the bed (my bed is about 180cm high), don't have google services to locate it/make it ring etc so you log into one of your domain name providers because you've got 2FA enabled there and you might hear the text notification sounds xD.
(in the end, I just had to clean my room partly in order to find it again :/)
-
TL;DR: Fuck you Apple.
10:30 PM, parent needs iPhone update to update Messenger. How hard can this be?
Need to update iPhone from 9.x to latest, which is so outdated it still required iTunes. Fk.
Boot iTunes on Windows 10 pc that is at least 10 years old.
Completely unresponsive
Crash in task manager
Launch and is completely unresponsive. (Also starts playing unrequested music.. Oh joy..)
Fuck this, go to apple.com to download iTunes exe
Gives me some Microsoft store link. Fuck that shit, just give me the executable
Google “iTunes download”. click around on shitty Apple website. Success.
Control panel. Uninstall iTunes. (Takes forever, but it works)
Restart required (of fucking course).
2 eternities later. Run iTunes exe. Restart required. Fk.
Only 1 eternity later. Run iTunes, connect iPhone.
Actually detects the device. (holy shit, a miracle)
Starts syncing an empty library to the phone. Ya, fuck that.
Google. Disable option. Connect phone. Find option to update.
Update started. Going nowhere fast. Time for a walk at 1:00 AM punching the air.
Come back. Generic error message: Update failed (-1). Phone is stuck installing update. (O shit)
1x hard reset
2x hard reset
Google. Find Apple forum with exact question. Absolutely useless replies. (I expected no less)
Google recovery mode. Get into recovery mode.
Receive message: “You can update, but if it fails, you will have to reset to factory settings”. Fuck it, here we go.
Update runs (faster this time). Fails again. Same bullshit error message. (Goddammit, fuck. This might actually be bad.)
Disconnect phone.
… It boots latest iOS version. (holy shit, there is a god)
Immediately kill iTunes. Fuck that shit.
Parents share Apple account
Sign in, 2FA required.
Fat finger the code.
Restart “welcome” process.
Will not send code. What. The. Fuck.
Requests access code on other parent’s iPhone.
No code present. What???
Try restarting welcome process again. No dice. (Of course)
Set code on other parent’s iPhone.
Get message “Code is easy to guess”. Ya. IDGAF
Use code on newly updated iPhone. Some success.
Requires reset of password.
Password cannot be the same as old password (Goddammit)
Change password.
Welcome process done.
Sign in again on same phone after welcome process done in settings. (Nice.)
Sign in again on other phone with updated password
Update Messenger.
Update hangs. Needs more space.
Delete shit.
Update frozen in App Store (Really??)
Restart iPhone.
Update Messenger.
Update complete past 2. Well that was easy.
Apple, fuck you.
Some call Android unintuitive, but I look at the settings app on iPhone and realize you aren’t any better.
This company hasn’t been innovative since 2007. Over 1000 USD for a phone? Are you fucking kidding me?
Updating an iPhone from iOS 9.x is probably uncommon anymore. But this is a fucking joke. Fix your shit.
Shit like this is why I’ll never again own an Apple product. I have HAD IT with the joke of a business.
Thanks for reading.
-
My private Email Account got hacked when I was in school, and they sent out a mail with something along the lines of "hey, you should really use this product to lose weight, it is great" to all of my contacts. Many of them ignored it, some of them called me to inform me about the issue (the worst part was, long after I used 2fa and changed passwords regularly, they still had my name and contact list, so they just made email addresses that looked like mine and continued to send out spam to my contacts). Anyway, one teacher of mine didn't know that this was a scam and was insulted because I regularly sent emails about her losing weight. And as if the whole situation, which I couldn't do anything about, wasn't bad enough, my parents and I had to have a 1h conversation (which ended up in me explaining how those hacks work, and luckily she understood, but still). Never again. I prefer those fake ms support guys that call me over this every day.
-
Came across: https://krypt.co sounds interesting, because it's like an additional 2fa for your ssh key, is locally encrypted, open source, well documented and transparent:
https://krypt.co/docs/security/...
Why is it not much talked about? sounds great so far, but maybe somebody can find the tick? or is using it himself?
-
Getting real fucking sick of shitty websites excessive security measures!
1. Username
2. Password
3. Captcha
4. Mandatory 2FA
We don't recognize your IP, please log into your email, click the link, get redirected and complete steps 1-4 again! Also the site will time out in 10 minutes if you aren't actively using it. Have a nice day!
Go fuck yourself.
-
Question regarding implementing two factor authentication.
I want to implement 2FA for at least one service I'm writing but I'm wondering, next to email, what services/implementations could I use?
I know that email isn't the best when it comes to security but I also don't want to force (a-technical) users to install an app specifically for 2FA so keeping email as an option as well.
But except for email, any ideas? Anything related to Google/facebook (prism integrated services) are a no go anyways (this has, as mentioned before, nothing to do with my ego or giving myself 'a pat on the back')
As for costs, I don't mind a little bit of money but the service will be free at first and I'm not rich :)
Looking forward to the comments!
-
*Extreme security measures on the backend, it must be failsafe, every db is as redundant as possible, generated salt, 2fa, everything*
*Forgets to add a case for {"key":""}*
I would blame it on the team but i built the entire backend myself.
-
OFFICE 365 IS FUCKIN DOGSHIT, I CAN’T EVEN LOGIN TO FUCKING OUTLOOK BECAUSE MS WAY OF GIVING ME THE 2FA WAS SO VAGUE AND RANDOM
I FUCKING HATE MS TEAMS
I FUCKING HATE AZURE DEVOPS
I FUCKING HATE MSSQL
I FUCKING MS
-
*Sigh
Every single one of us here loathe this question "Hey can you hack a Facebook account for me?"
Even worse when the one asking is your mom.
😶😶😶
(Backstory, she and her friend run a store. Shit happened between them. The friend is the one who set up the store's Facebook page. Now posting shit on that page. She's not tech savvy. I can probably brute force her password. No 2FA)
Dilemma. Dilemma.
-
@netikras since when does proprietary mean bad?
Lemme tell you 3 stories.
CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites routing table (rather normal for VPN clients)
- issue a route command updating routing table so you could reach confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites OS routing table to ENFORCE you to use VPN settings and nothing else.
Sooo basically if you want to check your company's email, you have to disconnect from client's VPN, check email and reconnect again. Neat!
Can be easily resolved by using opensource VPN client -- openconnect
CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted
OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts reconnect immediately. Subsequent reconnect attempts get triggered with longer delays so as not to spam the network.
SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser in your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in
umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.
Can be easily solved by opensource alternatives to Sym VIP app: they make HTTP calls to Symantec to register a new token and return you the whole totp url. You can convert that url to a qr code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.
Proprietary is not always bad. There are good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad. and w/o an opportunity to workaround/fix it yourself.
-
I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.
But when your phone prompts up with a “allow some Asian, access to your iCloud account” you feel a world of relief that you have:
1) a notification your account is no longer secure,
And,
2) an immediate ability to change passwords before any access is granted.
Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.
PS: Fuck you, you low life shithead!
-
!dev
Ffuuuuucckk
This day just sucks.
Got a speeding ticket, went to pay it first thing in the morning. To renew insurance I had to call the bank to update my phone nr for 2FA. In this endless loop of „for this, press 1, for that, press2“ I pressed the wrong number and it invalidated my e-Banking password.
After a while got my number updated, after that called the insurance, after waiting for like 20min got that sorted and wanted to check my bank balance but I couldn’t log in. Now I can’t reset it either because it’s locked.
Need to call then again but needed a break and wanted to cook something but now my FUCKING SINK is clogged.
Have to uninstall half of the kitchen to get to the pipes..
And it’s only noon.
-
So... I’m sitting here doing pretty much nothing, just reading through some rants when all of a sudden I get a wave of emails.
Pinterest!
We noticed a login from a new device or location and want to make sure it’s you.
Device: Firefox, Windows 8
Where: New Jersey, United States (Approximate)
OhhhhhKay then... so there’s a couple of problems with this, 1 I didn’t even know I had a Pinterest account, 2 I don’t have Pinterest in my password manager either.
So I follow the link and fair enough it’s actually Pinterest, so I attempt to login, to no avail, oh maybe it’s a social login..., ok let’s try google, nope that wasn’t it, deletes account, logins with Facebook, oh here we go, checks logins, 1 random jersey player, deletes account, swaps to Facebook, changes password (this fucker was already 100+ characters) and adds 2FA and contains no new logins 🤔
Ok... so what the fuck, either someone managed to get through a long ass password or something phishy is going on, the email for FB logins is seldom used (maybe a handful of services at best) as I have another for all the junk and spam bullshit I expect from today’s “marketing”
-
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for the sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password"
-
So I’m thinking this is one of those apps I wouldn’t mind having Touch ID on or some form of 2FA 😏
What do you say guys?
@dfox, @trogus
-
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical necessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?
-
Facebook 2FA:
Want to log in? Sure, authorize your login. Oh you've authorized it? Nah you can't get in. Log in again.
2FA, excellent technology, except when it's implemented by "move fast and break things" Facebook.
Facebook Marketplace:
Want to buy $listing? Sure, you can send a message to the seller to ask for details. Oh, you want to send them a message? Nah sorry, you can't send messages to this person. You'll have to go to their profile, send them a message there and do it not with our le fancy instant messages but by manually typing it in. Because you know, reasons. Message approvals or something like that probably. Because why on Earth would Facebook support its own ecosystem?!
Move fast and break things. And breaking things those certified enganeers at Facebook sure do. Fucking pieces of shit.
-
Here we see the world's thickest user of 2FA. That tokens are stored offline is literally the whole premise of TOTP.
-
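Both the Symantec VIP story above (where the open-source clients hand you the whole otpauth URL to scan) and the rant just above turn on the same fact: a TOTP code is computed entirely from a shared secret plus the clock, so whoever holds the secret holds the second factor, and that is why the secret belongs on a separate device. The following is an added example, not code from any of these posts: it parses the otpauth URI an authenticator reads from the QR code and does the server-side check with a drift window and a replay guard. The URI, issuer and label are constructed; the secret is the RFC 6238 reference key so the codes can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of an otpauth://totp/... URI.

    This is exactly what an authenticator app decodes from the QR code:
    everything needed to mint codes is in it, which is why the secret must
    live on a device other than the one you type the password on.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if it was dropped
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify_totp(params, submitted, at=None, last_accepted_step=None, window=1):
    """Server-side check. Returns the matching time step, or None if no match.

    Accepts the current step plus `window` steps either side to tolerate clock
    drift, compares in constant time, and refuses any step at or before the
    last one accepted for this user so a code seen once cannot be replayed.
    The caller is expected to persist the returned step per user.
    """
    if at is None:
        at = time.time()
    current = int(at) // params["period"]
    for delta in range(-window, window + 1):
        step = current + delta
        if last_accepted_step is not None and step <= last_accepted_step:
            continue
        expected = hotp(params["key"], step, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, submitted):
            return step
    return None


if __name__ == "__main__":
    # Constructed URI: the secret is the RFC 6238 reference key, not a real account.
    uri = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    p = parse_otpauth(uri)
    print(p["label"], totp(p["key"], at=59, digits=p["digits"]))  # RFC vector: 94287082
```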
GODDAMMIT okay time to set up 2fa
(GitHub says nothing was done to my account besides a login but i'm still suspicious...)
-
Best review I received for my app so far. It's a 2FA app, so basically every site where you enable 2FA tells you exactly what to do (scan the QR code)...
-
What sucks most about smartphones is how much everyone came to rely on them and expect you to have one which is turned on and working. Rent a bike? Need an app! Log in somewhere? Need 2FA. I just want to leave my phone turned off for a few days like in the good old days. There must be something wrong with the way we live.
-
"How do we share access to two-factor authentication."
What you mean is "how do we defeat the purpose of multi-factor authentication."
-
!rant
Bit of a shameless plug but...
I've been making Crypton.sh as my side project for the past couple of months and it's now ready for public consumption. Crypton.sh is a secure and encrypted SMS messaging solution in the cloud, with its original purpose to be a 2FA mobile number that cannot be stolen like a SIM card can be, the idea came about when someone I knew had their SIM card stolen via a SIM card swap scam (https://bbc.co.uk/news/...).
Originally it came about as that idea but grew into something bigger, now everything is encrypted and you can also have conversations with other people, but I'm testing things from time to time and more can follow. Crypton.sh makes sure that you can no longer worry about your SIM card being stolen by malicious hackers, or having a second account on Whatsapp, Telegram, Signal, Google and others.
-
Ex-employer contacting me after 6 months asking for 2FA codes into their system which I handed over a week before leaving... Sorry guys (not really!)
-
RANT:
Google is just a steaming pile of shit!!
I've recently installed LineageOS onto my phone and wanted to degooglify my life.
So my current Smartphone doesn't have any GApps installed and I get along fairly well.
Should I need anything, I should just be able to use it in my browser right?
RIGHT?
Nono!! As soon as I want to log into a third party Service using Google (older accounts with the other choice only being Facebook) I need to "verify my identity". And the only option is my old smartphones which still have GApps on them but are slow and not accessible when I'm away!
For those who say: "Google is just being secure. They don't want anyone to steal your account.". I USE 2FA AND HAVE BACKUP CODES.
BEFORE DEGOOGLING MY DEVICE IT NEVER ASKED SUCH A THING!!! WHAT A PILE OF SPYING SHIT!!!
And the best part, after I remotely started my PC at home and just want to take a screenshot of the message for this post before just using a working session, the message didn't appear.
Somehow google decided that me logging in 15 mins later (same ip) proves my identity?!?!?!
IF THIS CAN BE ATTRIBUTED TO AI. FUCK THIS SHIT. GOOGLED SHOULD BE TREATED LIKE AN ONLINE CASINO BECAUSE THE CHANCE OF JUST GETTING LOGGED SEEMS COMPLETELY RANDOM!!!
(I also had this prior when using my smartphone browser. There I couldn't "circumvent" this and I was at home. But having this shit on my browser which should've a session is unacceptable.)
-
Yay, our 2FA of our accounts for the stores are linked to the phone number of the CTO who has left the company
-
Story time:
I worked at a firm that had an infernal off the shelf CRM system that they collaborated with the dev company to customise.
They were seriously behind the competition, and didn’t have any app or web presence for interacting with their system, instead relying on people calling (fine for the nature of the business, but competition was leaving them in the dust).
They decided that they needed to redevelop it in-house, with a focus on supporting the web and apps.
I was hired for this purpose.
It was me and one other dev, who was also the head of IT.
He’d built a small prototype, and was new to the whole WPF / MVVM thing for the in-house app, so with my previous experience it was clear it needed to serve as an example only, and that it would need redeveloping.
I was only there three months.
In that time I singularly (he was pulled away to troubleshoot their VOIP installation - yes, for three months as other companies kept dropping the ball) built:
- A WebAPI with JWT auth
- An MVC skeleton frontend
- A WPF desktop app
It had all sorts of cool shit in it, 2FA, Reactive UI, Reactive extensions, server push to desktop, a custom workflow and permissions system.
It was pretty dang cool.
End of the three months rolled around, and the non-technical managers were concerned about time to market, so they decided to drop me as I’d “not made enough progress”.
I’d also had a bit of absence which they were aware of and were supposedly supporting me through.
But MFW three months is assumed to be enough time to build such a system with one dev.
-
Current workload as dev lead:
- 1% actual development
- 2,5% waiting for SaaS to load
- 2,5% cursing company server network connectivity issues
- 5% switching VPNs
- 7,5% pkg management & deploys
- 10% writing JIRA and support tickets
- 12,5% filling in timesheets
- 15% coaching & reviewing a bot coworker
- 19% doing 2FA, refreshing expired passwords
- give up and spend the remaining 25% doing something meaningful
-
Is it me or is password security a giant mess right now?
Everyone has a gazillion ways to sign in.
Everything needs an account so eventually you get a password manager to keep track.
After reauthenticating the password manager, you get to the next screen that requires you to enter a code from 2FA. Internet isn't fun to use any more.
-
Bittrex is "amazing"...
I had lost my 2FA a long time ago (as my phone fried) and missed the account verification deadline which caused my account to get disabled. Off we go to support!
0. Nothing to rant about at this point. I just created an account in their zendesk, logged in and logged a ticket to reset my 2FA and reactivate my account. They asked me for info, I provided it to them and got my 2FA disabled. Hooray!
1. I then asked to reenable my account. They sent me a link to restart the verification process. I open up that link and log in. I'm asked to upload some photos. I select requested photos from my gallery and hit [UPLOAD]. An error pops up saying that smth wrong happened and I need to reload that site and reupload my photos. After page refresh they are telling me they are validating my uploaded info (w/o any way to resubmit my info, which, according to the error seen below, was not successfully submitted in the first place)...
2. So I reach out to the support guy again. Guess what he replies! He says he's sorry but he cannot help me any more and I need to create a NEW ACCOUNT in their support site with the same email <???!!!???>
3. I try to log in to the support portal and my access no longer works. MY ACCOUNT HAS BEEN DELETED! WTF!!!
4. I do as I'm told and create a new acc with the same email. Now I can log back in. So I'm raising a new ticket saying I still cannot finish my verification process due to the same error. It looks like it's going to be a fun ride with them so I can't wait to see what they'll reply.
-
IT department of client still doesn't get its shit together. Previously, I've ranted that they insist I access their GitLab through a fucking RDP.
Me: requests an account to their Confluence space
Them: give me a Confluence account. Naturally, Confluence requests that I confirm my email. That needs to be confirmed in the inbox of my.name@theircompany.com. Mail servers hosted by Azure, using Outlook.
Me: ok, let's configure my Outlook, 2FA as they configured to demand it from me... install MS's authenticator app, ok so far so good... Now I'm ready to login and find that email from Confluence and... ERROR 500 INVALID LICENSE
Fucking hell. You just love your siloes so much you actually make it impossible to access it and feel good about my own good will.
-
Got a Yubikey today. Seems like a really cool bit of kit. Time to nerd out and 2FA all the things.
-
***ILLEGAL***
so it's IPL(cricket) season in india, there is an OTT service called hotstar (it's like netflix of india), the cricket streams exclusively on hotstar..
so a quick google search reveals literally thousands of emails & passwords, found a pastebin containing 500 emails&passwords ...but those are leaked last year most of passwords are changed & many of them enabled 2FA.. after looking through them we can find some passwords are similar to their emails , some contains birth year like 1975,1997 etc, some passwords end with 123 ..so after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
2) for passwords similar to emails, we can add 123 ,1234, @ etc
created a quick python script for sending login requests
so after like 30-40 mins of work, i have 7 working accounts
*for those who have basic idea of security practices you can skip this part
lessons learnt
1) enable 2FA
2) use strong passwords, if you change your password , new password should be very different from the old one
there are several thousands of leaked plaintext passwords for services like netflix,spotify, hulu etc, are easily available using simple google search,
after looking through & analysing thousands of them you can find many common passwords , common patterns
they may not be as obvious as password ,password123 but they are easily guessable.
mainly this is because these type of entertainment services are used by the average joe, they dont care about strong passwords, 2FA etc
-
FUCK Banks
Fuck Banks and fuck online Banking
Fuck you for not supporting real 2FA
Fuck you for having such shitty bloated bullshit Websites and online services
Fuck you for taking forever to transfer money
Fuck you for not having public APIs Fuck you for so many uncountable reasons.
And most of all Fuck you for constantly trying to fuck me. I FUCKING HATE BANKS SO FUCKING MUCH.
I hope so much that there'll be a decentralised uncontrollable anonymous and digital currency in the future. Something like Cryptos (like BTC or ETH) but without all the major Problems they have now.
I wish there was a hell Banks could go to. I want to see them burn and suffer so fucking much not even the worst medieval torture methods are enough to satisfy me.
-
Short angry rant
What the fuck is wrong with the SalesForce Authenticator logic?! How in the hell do you fuck up a simple 2FA system this hard?!!
Login -> Waiting for Notification... nothing... -> Reload Page -> Login -> Waiting for Notification... nothing -> Click "Use Code instead"... nothing happens... -> Reload Page -> "Login -> don't even wait for notification and just press "Use Code instead"... nothing -> Reload Page -> Notice there's a "Use Code" button on this page as well -> Finally be able to log into the fucking Aloha piece of shit...
How TF is it, that Duo is able to send me a push notification within 1 second and it ALWAYS works... and THIS FUCKING SHIT NEVER FUCKING WORKS THE FIRST TIME AND AT WORST JUST DOESN'T WORK AT ALL!!!!!
Fucking hell.... Don't offer me a push notification service if you don't know how to make one... jesus fucking christ... All of Salesforce security is fucking stupid, but at least the others mostly work, but this retarded piece of crap is making me actively surprised when it works on first try... Maybe it's because I'm on a slow connection, but again Duo Mobile doesn't have this problem and works *instantly*... so what sort of retarded monkey coded the SF one I don't know, but I hope they are making better products now, because this is a disgrace to programming and security
-
Oh ffs, just fucking inject a chip into my finger already for authentication purposes, you can track my every fucking move if you so wish. When a web page like twitch uses 2FA it boggles my mind because its a page where you're watching some fucking videos.
"hey there, so out of the blue, we send you a code to your email, we won't tell you which so good luck. Also, you cannot copy paste this code because we did that fucking thing where each character has its own textbox"
Of course, this is only because we are dumb enough to reuse shitty passwords. THIS IS WHY WE CAN'T HAVE NICE THINGS.
-
Debugging an elusive database query problem. Attached to server process about 10 steps into the call stack trying to figure out why a a column value is not being properly cast. In comes Windows. You picked the most inappropriate time to restart for updates without asking me. Restart VM, authenticate with VPN, wait for 2FA, start up Visual Studio, enter credentials for the millionth time to authenticate with version control since the remember me checkbox doesn't work, open solution. Now where was I? Then Windows pops up a notification to inform me the updates couldn't be installed. The following comic strip comes to mind.
-
So, the Network I was on was blocking every single VPN site that I could find so I could not download proton onto my computer without using some sketchy third-party site, so, being left with no options and a tiny phone data plan, I used the one possible remaining option, an online Android emulator. In the emulator running at like 180p I once again navigated to proton VPN, downloaded the windows version, and uploaded it to Firefox send. Opened send on my computer, downloaded the file, installed it, and realized my error, I need access to the VPN site to log in.
In a panic, I went to my phone ready to use what little was left of data plan for security, and was met with no signal indoors. Fuck. New plan. I found a Xfinity wifi thing, and although connecting to a public network freaked me out, I decided to go for it because fuck it. I selected the one hour free pass, logged in, and it said I already used it, what? When?, So I created a new account, logged in, logged into proton, and disconnected, and finally, I was safe.
Fuck the wifi provider for discouraging a right to a private internet and fuck the owner for allowing it. I realize how bad it was to enter my proton account over Xfinity wifi, but I was desperate and desperate times call for desperate means. I have now changed my password and have 2fa enabled.
-
So I was like "imma be smart with my internet security and put 2 factor on my GitHub" only to find out I'm getting authenticating errors on trying to push. Disabling 2FA makes it work again.
GitHub y u do dis D:
-
I'm gonna rant about how Discord does not let you disable 2FA after having it enabled if you forget the code they provide for cases where you don't have access to the 2FA in the first place and I lost a damn account to that :/
-
The annoying thing about using Google Authenticator for everything 2FA, when your phone factory resets itself, you lose EVERYTHING!!!
AGHHHHHH
-
So, i use this bulk messaging service and they decided to make logins OTP only ("for security reasons", they say), sent to your email.
So instead of entering a password quickly,
- enter the password for your email account,
- click about 10 times on Resend OTP
- wait for OTP
- copy OTP and paste in the box.
So basically relying on the person's email provider's security than deploying their own.
-
Three-factor authentication:
1. Set up an Amazon.com account.
2. Set up an Amazon Web Services account under the same e-mail address.
3. Set up two-factor authentication for both systems.
4. Log in to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second). -
He got me. I'm so done for...
Pretty funny, cause maybe half a year ago there was an attack against my email, but I'm pretty sure he got stopped because of the 2FA. Not to mention that I immediately changed it for a password x times stronger than what I had before 🤷♂️ -
Question time:
What's the general opinion around here on Authy for 2FA?
I've been down the road of phone wipes and phone swaps before that blow out the Google Auth codes, which is nothing but a royal pain in the ass to get access back to all the accounts set up.
Authy having encrypted backups gives me some level of belief they can do what I want them to do, but I figured I would ask around before transferring over since... well that's a pain in the ass too 😂 -
Oh my dear internet,
FUCK THIS FUCKING SHIT
I AM SICK AND TIRED OF IT, WHO BUILT THIS HACKED TOGETHER ORWELLIAN SWAMP PIT?
Fuck the same fucking Envato template on every content page with 70 layers of sidebars, inline ads, popups, cookies and content shifting as if I was playing CATCH UP WITH YOUR FUCKING CONTENT.
FUCK the same fucking annual upselling 'plans' on every 7-day trial overengineered scam app that requires me to sign up for 1 fucking, falsely advertised task where my fucking password generator doesn't even recognize the input as a password field so I have to cmd+, to my FUCKING BABYLONIAN PASSWORD ARCHIVES PROMPTING ME FOR THE MASTER PASSWORD.
Thank god I can at least CREATE A BURNER CREDIT CARD THAT FREEZES ITSELF BECAUSE I CANNOT BE BOTHERED TO UNSUBSCRIBE FROM YOUR FUCKING STEAMING CRAP.
FUCK every fucking step I take being recorded by our CYBERPUNK OVERLORDS REQUIRING ME to sign up for 5 different fucking privacy protection tools' annual plan or duct tape some open source shit onto my browser just for some BASIC PRIVACY WHILE TRYING TO NAVIGATE ALL THE OTHER 5000 annual plan naval mines like A FUCKING FRENCH SUBMARINE IN 1940 GERMAN WATERS.
FUCK my walled garden scam ecosystem not being compatible with your walled garden scam ecosystem prompting me to reactivate my old SATANIC GOOGLE DON'T BE EVIL ACCOUNT from 2012 sending me on a DANTE ALIGHIERI STYLE ODYSSEY THROUGH THE 9 LAYERS OF PASSWORD RESET QUESTIONS, UNEXPECTED ERROR, 2FA MY PHONE DIED HELL to come out on the other side as a broken man.
Thank GOD I have your useless SUPPORT PAGE to aid with my signup problems that is actually just an FAQ with a hidden EASTER EGG HUNT for your support form CRISP AI BOT THAT IS ALSO 'currently experiencing high demand due to COVID', which is peculiar since that was 3 years ago, but fortunately for you enabled you to fire ALL YOUR SUPPORT STAFF AND REPLACE THEM WITH THIS BANNER.
I might as well just SCRAPE your fucking content, it'd be faster.
And although it is quite funny, FUCK THIS PAGE TOO for having me create another of 10.000 accounts to write this shit, where my browser firmly placed a newly created burner email into the PASSWORD FIELD.
I do not know how we managed to create something that is even more unwieldy than 56k DIAL-UPS, but I know that if this shit continues I'll have to train my own AGI to proudly interact with all this STUPID SHIT on my behalf or I'll have to move into THE FUCKING MOUNTAINS AND LIVE WITH THE DEER. -
Fk you Google!
My Samsung Note 10 screen went dead near a week ago... it's a secondary line so waiting for parts wasn't the end of the world.
Ofc the screen (curved and incl. a fingerprint reader that'd be a major pain to not replace) was integrated into the whole front half... back panel glued, battery glued immensely, and with all other parts out, about 6mm space only at the bottom to get a tool in to pry it out.
New screen (off brand) ~200... all genuine parts Amazon refurb ~230... figured I'd have some extra hardware for idk what... I like hardware and can write drivers so why not.
Figured I'd save a bit of time and avoid other potentially damaged (water) components to just swap out the mobo unit that had my storage.
Put it back together, first checked that my SIM was recognised since this carrier required extraneous info when registering the dev... worked fine... fingerprint worked fine, Brave browser too...
Then I open Chrome. It tells me I'm offline... weird cuz I was literally in a Discord call. My wifi says connected to the internet (not that I wouldn't have known the second there was a network issue... I have all our servers here and a /28 block... ofc I have everything scripted and connected to alert any dev I have, anywhere I am, the moment something strange happens).
Apparently Google doesn't like the new daughterboard (I dislike the naming scheme... it's weird to me)... so anything that is controlled by Google, aside from the Google account that is linked to non-Google-reliant apps like this... just hangs as if loading and/or says I'm offline.
I know... it'll only take me about the 5-10m it took to type this rant but ffs Google... why don't you even have an error message as to what your issue is... or the simple ability to let me log in and be like 'yup it's me, here's your dumb 2FA and a 3rd via text cuz you're extra paranoid yet don't actually lock the account or dev in any way!'
I think it's a toss up if Google actually knows that it's doing this or they just have some giant glitch that showed up a couple times in testing and was resolved via the methods of my great grandma: "just smack it or kick it a few times while swearing at it in Polish. Like reaaaally yelling. Always worked for me! If not, find a fall guy." -
As somebody who works in the industry, 2FA is a great idea; we need to do it more.
As a user, fuck 2FA, I ain't have time for that shit, if you make me type my screen lock once again I will throw my computer out of the window. -
Was recently in a motorcycle accident and haven't been cleared to go back to work yet so I'm trying to build my first Android app.
I don't know Java, XML, Kotlin, Android Studio, or what the fuck a Gradle is; but I figured I'd take my app idea and download Android Studio then try winging everything from there.
Needless to say, I'm having a damn hard time lol. I have been watching Firebase tutorials on YouTube to try and figure out how to add authentication to my app. I kinda got it working in the AVD. But my personal Google account has 2FA enabled so I can't seem to get the app to sign me out, or sign me back in. (I was able to authenticate once successfully.)
I have no idea if having 2FA enabled is even the problem. I tried turning on debugging and can't seem to figure out how to actually get the app to debug or get a debug console open.
I seriously feel like the world's biggest n00b right now. Going to go YouTube/Google how to get the debugging working. Then I'm off for a round of learning how to read a debug report!
Hahahaha... Kill me now -_-' -
Now... I understand 2FA is to make things more secure, and I do appreciate it. BUT can we please work out a damn solution for people who work in an agency for other corporates which only have one shared account across the agency that bundles one phone number or mobile app.
What if people are on leave or sick? I need stupid 2FA to be able to log in/work. uhhhhhhh..... -
My brother-in-law's mother's face when she was telling me that she was forced to use 2FA for Microsoft Office for work..
"They think we're all IT ppl or what"
Just realise how complex the "simple" 2FA activation step is for someone without the slightest IT curiosity. Not super-democratic either.. (e.g. for someone who uses a library PC and has no phone) -
Would you say it's naive to assume that a Node.js consultant knows what 2FA is, how to clone a repo over SSH and how a .env file works?
-
I use Google Auth for 2FA. Had to factory reset my phone for some reason. Meanwhile, GitHub one day forced me to change my password. So I used the backup recovery code to change the password and then logged out. I was in a hurry and actually forgot to set up the new 2FA. But hey, I have got the recovery codes, right?
But, guess what? The recovery codes are not working anymore! Wtf GitHub? -
Dashlane is a fucking mess.
1. This fucker won’t sync.
2. This fucker requires you to pick the American state when you enter addresses so no non-US addresses
3. This fucker uses a really bad VPN company under the hood as "its" VPN
4. This fucker somehow messed up the offline 2FA, the thing that students do successfully in their authenticator apps
I'm gonna go back to noo.js.org, that fucker will sync even without any connection, across an infinite number of devices, instantly. Yes it does nothing but passwords, yes you can't change passwords but at least you're always synced. And it doesn't sell your data because it doesn't even have a server let alone a database.
FUCK YOU DASHLANE -
How enormously great:
(I'm using Windows on Mac a few times for games requiring Windows)
*starts Win to play with friend*
*update bluescreen*
*installing Discord on phone again to inform friend*
*trying to remember the backup code for my 2FA codes*
*I tried*
*Win updated but I don't have time left to play*
PLEASE STOP SURPRISING ME WITH FORCED UPDATES AND FIND A WAY AROUND -
You know what's worse than having to come up with a new password every time you create an account? Forgetting your password every time you try to log in!
I swear, it's like my brain has a selective memory when it comes to passwords. I can remember every lyric to a song from 10 years ago, but I can't remember the password I created yesterday.
And don't even get me started on password manager software. You would think that having all of your passwords stored in one place would make things easier, but nope. I've forgotten my password for my password manager so many times that I'm starting to think I need a password manager for my password manager.
But seriously, why do we even need passwords in the first place? Why isn't there an easier one-stone-kills-all solution to all this password authentication nonsense?
I could remember when it was all letters, then forced to use letters + numbers…
then later forced to include symbols…
and then forced to make it lengthier…
and then solve puzzles after getting it right…
and after all the stress now we are forced to find nemo from a set of images.
I thought the misery would end there but nope. Now some platform forces 2FA like dude seriously?
For God’s sake we built self driving cars already! Why can’t one just exist without a password? Why do we always end up in a password cycle?
And please don't say shit about OAuth because if your password master (i.e. Google) fucks you in the ass then all your OAuth accounts are gone for good!
I'm currently having an existential crisis about the meaning of passwords in our modern society. Shit is crazy; when I ponder about it I get worried. -
What the hell is wrong with reCAPTCHA? It is solely there to be a nuisance, especially if I use a 2FA device. I do not fear hacking attempts against my username+password, because the 2FA will keep the lucky guess out.
-
Anyone else watching the HD remaster of Star Trek: TNG on Netflix and thinking, "that Holodeck should have had some unit tests!"
Also: what's with the passwords being short spoken phrases that can be recorded and played back? Have they not heard of 2FA in Starfleet?
1/10 totally unwatchable (just kidding, I'm loving it) -
!rant
Many out there say you should use 2-factor authentication with everything, but personally I feel like that would just turn your phone into a single point of failure.
Physical security is my primary worry, because losing your phone or having it stolen would pretty much lock you out of all your accounts.
Another thing is I don't know as much about Android security, and I wouldn't be comfortable managing it.
I have 2FA active for some key services, but imho a strong password is usually enough. I think it's far more important for your overall security to avoid password re-use.
What do you think? Do you have 2FA on all the time? -
My bank just switched from RSA SecurID to SMS-based 2-factor authentication, claiming it offers "equal security".
Is it not common knowledge that SMS 2FA is a security joke?? What the fuck guys?!? -
Trying to remote into your home PC to set up git, but because you have 2FA you need to sign in about 6 times, then create a repo to push the home project to and set up an exact copy of the tools on your laptop to continue on that said home project.
-
Hello. (Android) dev here contemplating the future of my profession.
I am looking for a specialization or a field in my profession where I can be free of dependencies on GAFAM (the big five).
Basically software development is me only using dependencies and stuff they and 3rd-party people have created, and then it works or it doesn't. Or if you don't keep it up to date it won't work because of deprecation and breaking changes. I was a web developer before and changed to Android because of all the libs and frameworks one needed to wield for proper development. And now Android has mostly become the same. Vanilla Android is easy, but once you start using Google APIs or 3rd-party services you quickly realize how far you get away from your actual use case. User management, OAuth, 2FA, user data management, cross-platform, offline, syncing etc.
I am pretty sure the topic came up before (dev fatigue, dependency fatigue) and most of you know what I mean but I might be the recent casualty here. -
Why does Apple have to make every configuration so f**ckin difficult? After a thousand logins, validations, and 2FA just to change my f**ckin region I find that I need to contact local support by chat or call even if my account is clean (no payment method added, no purchases made, etc.). Yeah right, great products, but crappy website UX.
-
So who of you has got a 2FA hardware device? I am thinking of getting one (YubiKey or Nitrokey). My only question is, what if you lose the 2FA stick? You are locked out of all your stuff?
-
!rant
REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
fuck you Samsung and your "APPLICATION OPTIMIZATION", I need this fucking 2FA code right now
Guys, I'm so sad and laughing too cause I lost my GitHub account. I tried to recover but... I don't have the old OS where I had the SSH key so I can not authenticate myself as the owner, don't have the 2FA on my new mobile because I'm dumb and... I didn't have the recovery codes... please, kill me...
The good news, I can make another account with the same e-mail. -
This is not a developer-related rant, but honestly, I'm annoyed, and this felt like the best place to vent.
My Twitter account has been suspended/restricted. I can still log in, but I can't tweet, follow people, anything.
No reason was given to me at all for my restriction, other than an automated reply when I attempted to appeal it stating they suspected my account of being hacked - an account I hadn't used in about a month, has a randomly generated 12 character password and has 2FA.
Here's the thing - I didn't grow up with Twitter, I've never really taken an interest in it, I only have my account to post dev stuff now and then as I know some other devs do - it felt like a good place to easily log what I'm currently working on and show off my work that I was proud of.
There aren't any other platforms I know of where I can do that, other than here (but my work consists of things that are also not dev related, so...)
I have no idea if I will get my Twitter account back; it's been over a week now since I attempted to appeal it with absolutely no response.
If anyone knows decent platforms where I can share my work and progress (dev, art, level design, etc.) and can use it sort of like a dev blog, I would greatly appreciate it. -
I have 2FA enabled on NPM so it would shut up about it, the recovery codes are in my password manager, right next to my secure randomly generated password.
Password authentication is fucking stupid. -
Well fuck Amazon. I am trying to get into my account because for some fucking reason they say my payment method is faulty while they actually write off the Prime subscription from it. But to get into my account I need to log in again with 2FA as I have that turned on. So far so good. But since it's an old phone number I can't log in. Well just change the phone number, wouldn't you think? Well yes, but to change the phone number I need to log in with the old phone number to which I no longer have access 🤦♂️. Eventually found a phone number I could call. I get a lovely lady on the phone who guides me to resetting my password, but for that, you guessed it, I need to do the 2FA again. I get sent through to the next person as she can't change it for me because of privacy reasons (oh well). That guy first asks for the last 4 numbers of my credit card like 5 times because he can't remember it (write it the fuck down then asshole), then he starts mistaking the 6 for 9 (like how the fuck do you do that) and then the text messages don't come in while I am on the phone with him, which he tries to blame on my service provider because they would block Amazon (like why would they do that?). But since I got a text message from them 15 min before I shot that down quickly. Then he finally admitted that they might have a disruption going on. So I think, well fine, I'll just ask my question to him how it's possible that Prime stops working as I am watching it because my payment method is faulty according to them (but they manage to write off the subscription) and he starts talking just shit. Just admit that you don't know and connect me to someone who does know how that can happen. In the end I just hung up because I knew I wasn't getting anywhere with this guy and don't you know it, as I start writing this the text messages come in. Problem solved you would say, just put that number in the website and you can change your phone number.
Well no, because I have to tell the number to the guy who I hung up with because the texts weren't coming in 😒. Now I should call them back but I think I'll wait till tomorrow, hopefully the day shift will be a bit more knowledgeable on how shit works and can actually remember 4 digits. -
-
Simple 2FA code sharing dashboard for teams
Other solutions are charging $3 per user/month... REALLY!!
I built one and shared it with all ... FREEE
https://github.com/avicoder/... -
That's top-notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.
Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.
Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429
Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking PayPal. -
How much longer do I have to sign into every app I use with 2FA? Not being on the company network is annoying...
THERE'S SO MANY TEXT MESSAGES!!! -
Checking for root is maintaining a false façade of security. By the definition of root it can always be bypassed, and we should be designing workflows to discourage logging in from an untrusted device unless you have 2FA.
-
How the fuck does my boss set up 2FA using her name, and then forget that she set up 2FA even though she sees the fucking app send her a code every time she logs in. Now we need to get her to reset her password so we can get the information so another team member can access the information they need.
-
I recently came across this article with some basic security advice, like use a 2FA security key, encrypt your USB keys, don't use untrusted USB chargers / cables / ports (or use a data blocker cable if you need to charge your device). It made me think, how relevant are the USB-related threats and risks today? Do people really still use and carry so many wired USB devices, and just drop or plug them in wherever?
The last time I used a USB device to transfer some important data was probably over 10 years ago, and for the love of god I don't know anyone who still carries a USB key with sensitive data with them on a daily basis, much less actively uses it. Besides, whoever still does that probably puts their USB key on the same keychain as their ID / access tag and a bunch of other keys (including a 2FA device if they use one) - they're not going to lose just some sensitive data, they're going to lose authentication and physical access devices as well, and that could turn a small data leak into a full-scale incident, with or without an encrypted USB device.
I'm also not sure about untrusted USB cables and ports, from what I've seen USB outlets and cables are pretty much non-existent in public places, most places offer wireless charging pads instead (usually built into a hand rest or table surface). -
My life at the moment is summed up quite well by https://xkcd.com/1586/ . My phone completely died and wouldn't boot in the first week of my five week holiday. When I get home and try to restore it, the computer with the backup fails to boot. I go and try a different computer, wait an hour or so for iTunes to update and Windows decides to update too. I try to update the phone so that it keeps its data but no, it needs a full reset. I lose all the stuff on there: contacts, photos, texts, 2FA codes. Let's hope I have the emergency codes somewhere. I can't install Gmail or Google Drive because I don't have iOS 10 because it doesn't work on an iPhone 4S. The only advantage of this is that it removed obsolete apps that I never used. Which device will fail me next!
-
So as a personal project for work I decided to start data logging facility variables; it's something that we might need to pick up at some point in the future so I decided to take the initiative since I'm the new guy.
I set up some basic current loop sensors for things like gas line pressures for bulk nitrogen and compressed air but decided to go with a more advanced system for logging the temperature and humidity in the labs. These sensors come with 'software': it's a website you host internally. Cool, so I just need to build a simple web server to run these PoE sensors. No big deal right, it's just an IIS service. Months after ordering Server 2019 through SSC I get 4 activation codes, 2 MAK and 2 KMS. I won the lottery, now I just have to download the Server 2019 retail ISO and... won't take the keys. Back to purchasing, "oh I can download that for you, what key is yours". Um... I dunno, you sent me 4. Can I just get the link? "Well you have to have a login". Ok, what building are you in, I'll drive over with a USB key (hoping they're on the same campus), "the download keeps stopping, I'll contact the IT service in your building". A week later I get an install ISO and still no one knows that key is mine. Local IT service suggests it's probably a MAK key since I originally got a quote for a retail copy and we don't run a KMS server on the network I'm using for testing. Well, doesn't Windows reject all 4 keys then proceed to register with a non-existent KMS server on the network I'm using for testing. Great, so now this server that is supposed to be connected to a private network for the sensors and use the second NIC for an internet connection has to be connected to the old network that I'm using for testing because that's where the KMS server seems to be. Ok no big deal, the old network has internet, except the powers that be want to migrate everything to the new more secure network but I still need to be connected to the KMS server because they sent me the wrong key. So I'm up to three network cards and some of my basic sensors are running on yet another network and I want to migrate the management software to this hardware to have all my data logging in one system.
I had to label the Ethernet ports so I could hand over the hardware for certification and security scans.
So at this point I have my system running with a couple sensors set up with static IPs because I haven't had time to set up the DNS for the private network the sensors run on. Local IT goes to install McAfee and can't because it isn't compatible with anything 1809 or later; I get a message back that "we only support up to 1709". I point out that it's Server 2019, "Oh yeah, let me ask about that", a bunch of back and forth ensues and finally Local IT gets a version of McAfee that will install, runs the security scan again and I get a message back: "There are two high risk issues on your server". My blood pressure is getting high as well. The risks they're looking at: McAfee versions are out of date and Windows Defender is disabled (because of McAfee).
There's a low risk issue as well, something relating to the DNS service I didn't fully set up. I tell local IT just disable it for now, then think, well heck, I'll remote in and do it. Nope, can't remote into my server. Oh, they renamed it, well that's not going to stay that way but whatever, oh here's the IP they assigned it, nope can't remote in, no privileges. Ok so I run up three flights of stairs to local IT before they leave for the day, log into my server, yup RDP is enabled, odd but whatever, let's delete the DNS role for now, nope you don't have admin privileges. Now I'm really getting displeased, I can't have admin privileges on the network you want me to use to support the service on a system you can't support and I'm supposed to believe you can migrate the life safety systems you want us to move. I'm using my system to prove that the 2FA system works; at this rate I'm going to have 2FA access to a completely worthless broken system in a few years. Good thing I rebuilt the whole server in a VM I'm planning to deploy before I get the official one back. I'm skipping a lot of the ridiculous back and forth conversations because the more I think about it the more irritated I get. -
What is the name of the technology where your one-time passcode is generated on your device instead of being sent to your phone?
Is it a variety of 2FA? I tried to Google it but I am not having much luck.
7 months ago, I invested a ridiculous amount of money in crypto. The day this month I decided to buy a battery for my beloved laptop, I was notified that this crypto had doubled its price. Thanks Lord My God, I said, without any work and stress I had 100% profit, I would totally buy the battery from the new money, I converted them all to euros, and started my odyssey.
Well, the platform needs 2FA to withdraw your money. But it did not inform you, it only had a popup saying "Remind me later".
WTF means "remind me later", for me it is something optional!!!! No red colours, no messages like (try again, your transaction requires this) etc.
Time is the only resource that does not come back, and I feel that my profit is already less, since in the hour I spent searching, and searching, and then searching the chat (which is very well hidden...) and then chatting, and then writing this rant, I could have worked for the same amount of money..... -
Anyone tried this Krypt.co thing? I just tried setting it up and I hooked up my GitHub and Google account with it. The odd thing during the connection: it kept asking me to add it as a Security Key. I didn't realize the Chrome extension tricked the browser into thinking that it had a security key connected to it.
-
There should be a blacklist for websites that don't allow 2FA or do it through SMS. There's no excuse for sites such as PayPal not allowing TOTP, only some prehistoric hardware-based token generator.
-
Is anyone using a YubiKey or any other hardware key device at work?
How is your experience when using it and what types of accounts are secured with it?
Guys, I just need to know if I'm the one who's crazy.
I work at a fairly large bank. This bank has an Online Banking platform. Now, for reasons that deserve a rant of their own, I work on a self-service account-opening platform (in branch).
Now, my team is being tasked with adding features that will force customers to enroll in Online Banking and 2FA when opening accounts if they have not already done so.
The reason? There's low usage of the Online Banking solution.
My problem? I think this is a pointless waste of time.
Hear me out: All existing customers already have the ability to enroll with online banking, they can do it from their homes, in their underwear if they want, and they aren't doing it. Can anyone explain to me why we expect that customers who showed no interest in online banking before are going to be interested in using the application now?
You come into a branch to open an account, we stop the process to force you to enroll with internet banking (if you want to finish opening your account through the app), and then hope you'll use it now (despite the fact you could have enrolled at home all along).
We're duplicating the feature of an existing project and slowing down an unrelated process so we can hope you change your mind? Is this not a marketing problem? Do we not just need to sell the shit better? What am I not seeing? It's insane, we even took time to look at signing customers up for email addresses (in branch, while opening an account) if they didn't have one (because you need an email address for online banking). What really gets me is that everyone on my team is eating this shit up like it makes perfect sense. Like nobody else seems to think this is fucking stupid. I'm now resigned to implementing this bullshit. Am I the crazy one here? I realize I must be. Whatever, I get paid anyway I guess. I raised my concerns repeatedly and I just kept getting the same stupid response. My job is done -
Am I overthinking this, or are passwords like this
S9L4dk1i6sy5
insecure?
This is an example generated by some website where I have activated 2FA and need to generate app passwords to access it from clients.
I've thought about it many times to ask them to make it more secure but every time I think I'm overreacting -
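The check a practitioner would run on a generated app password like the one above is its entropy: a uniformly random string of `n` symbols from an alphabet of size `k` carries `n * log2(k)` bits, and what matters is how that compares with the attacker's guess rate. The following is an added example, not the poster's or the website's code; the guess rates are assumed round numbers for illustration, and `alphabet_size()` can only infer a lower bound from a single sample (the generator might also emit symbols it happened not to use here).

```python
import math
import string

# Character classes a generator might draw from. The sample in the question
# (S9L4dk1i6sy5) contains digits, lowercase and uppercase letters.
CLASSES = {
    "digits": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "symbols": set(string.punctuation),
}

SECONDS_PER_YEAR = 31_557_600


def alphabet_size(sample: str) -> int:
    """Lower bound on the generator's alphabet: the union of the classes that
    actually appear in the sample."""
    return sum(len(chars) for chars in CLASSES.values() if set(sample) & chars)


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet)


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to land on the right value: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


def assess(sample: str) -> dict:
    """Entropy of the sample plus expected cracking time under two assumed attacker
    models: online guessing against the login endpoint (~1e3/s, assumed) and offline
    guessing against a leaked fast hash (~1e10/s, assumed)."""
    alphabet = alphabet_size(sample)
    bits = entropy_bits(len(sample), alphabet)
    return {
        "length": len(sample),
        "alphabet": alphabet,
        "bits": round(bits, 1),
        "years_online_1k_per_s": expected_guess_seconds(bits, 1e3) / SECONDS_PER_YEAR,
        "years_offline_1e10_per_s": expected_guess_seconds(bits, 1e10) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for sample in ("S9L4dk1i6sy5", "s9l4dk1i6sy5", "1234567890"):
        print(sample, assess(sample))
```

For the sample above this gives 62 symbols and about 71.5 bits, i.e. thousands of years even at ten billion guesses per second offline, so the length and alphabet are fine as long as the generator is actually uniform and the site stores the app password hashed. The weaker link in an app-password scheme is usually that it bypasses the 2FA the account otherwise has, not the string itself.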
I do it pretty regularly, maybe once or twice a week, depending on when I'm working on something interesting and want to get it done. Not very hard when you have coffee, headphones, good music, and enjoy what you do.
As for a story I don't have much of one, unless you want one about implementing JWT tokens with a REST API along with trying to implement a 2FA system that would support OTP and U2F. Then nuking it from orbit two days later cause it looked like garbage from trying to abstract everything -
I'm implementing 2FA supporting TOTP, SMS and backup codes. To store the backup codes I've issued in my app's database, what should I do regarding hashing/encryption?
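The usual answer to the question above is: treat backup codes like passwords, not like data. Reversible encryption means a server-side key can recover every user's codes, whereas a salted slow hash lets you verify a submitted code and nothing else. Since each code is only ever checked against a handful of records per user, the per-record cost of a slow hash is affordable. The following is an added example and not the poster's app or any library's API; the record layout and function names are hypothetical, and PBKDF2 from the standard library stands in for the bcrypt/scrypt/Argon2 a production app would pick. Per-user rate limiting of attempts is assumed to happen elsewhere and is not shown.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Tuple

# Hypothetical parameters for this example: 10 characters from a 36-symbol
# alphabet is about 51.7 bits, plenty for a rate-limited single-use credential.
ALPHABET = string.ascii_lowercase + string.digits
CODE_LEN = 10
PBKDF2_ITERATIONS = 100_000


def normalize(code: str) -> str:
    """Accept what a user would type: case-insensitive, dashes and spaces ignored."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ITERATIONS)


def issue_backup_codes(count: int = 10) -> Tuple[List[str], List[Dict]]:
    """Return the plaintext codes to show the user exactly once, and the records
    to persist (per-code random salt, slow hash, used flag). Plaintext is never stored."""
    plaintext, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        plaintext.append(f"{raw[:5]}-{raw[5:]}")          # display form only
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": hash_code(raw, salt), "used": False})
    return plaintext, records


def redeem_backup_code(records: List[Dict], submitted: str) -> bool:
    """Single use: check every unused record with a constant-time digest compare,
    mark the match as used, and tell the caller whether to accept the login."""
    matched = None
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(hash_code(submitted, rec["salt"]), rec["hash"]):
            matched = rec          # keep scanning so timing does not leak the position
    if matched is None:
        return False
    matched["used"] = True         # persist this flag in the same transaction as the login
    return True


if __name__ == "__main__":
    codes, stored = issue_backup_codes(10)
    print("show these once:", codes)
    print(redeem_backup_code(stored, codes[3].upper()))   # True, first use
    print(redeem_backup_code(stored, codes[3]))           # False, already consumed
```

Two things this layout gives you for free: a database dump yields no usable codes, and a code that has been used cannot be replayed. Regenerating the set (e.g. after a password reset, as the GitHub rant further up hints) means replacing all ten records at once, never editing them in place.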
-
Thank God for the Authy app!
Lost phone and was able to get all my 2FA accounts linked up in seconds.
That would have been a logistical nightmare given that all my accounts are 2FA.
I can see it now
Enter username: xyz
Enter password: abc
Enter 2FA code: dangit
Lost or recover account
Enter phone number: dangit