
Re: google account say it will no longer deliver email



On Thu, May 12, 2022 at 07:23:31PM -0500, Nicholas Geovanis wrote:
> On Thu, May 12, 2022 at 6:06 PM Ash Joubert <ash@transient.nz> wrote:
> ...trimmed...
> 
> 
> > Two-factor authentication is when you need to confirm your login with an
> > SMS message or one-time pad or other second way of authenticating that
> > you are who you claim to be. 2FA is popular because users choose weak
> > passwords and share them between services. If users generate a unique
> > strong random password for every service, little is gained with 2FA, and
> > 2FA is then just a massive pain in the arse. But user behaviour is
> > unreliable.
> >
> 
> In the last couple years many corporate and not-for-profit organizations
> have implemented 2-factor authentication internally. Even in the physical
> office many transactions require 2FA interaction. Where I am now that is
> also the case, and 2FA is configured to prompt with a choice between
> receiving the 2nd factor by SMS text message, voice call, or email.
> They're using Pulse 2FA. So your provider can do that too if they want
> to. But the whole point of 2FA is that there shall be a second response
> from a previously known location for you: phone number, email address, etc.
> 
> That's the value added in exchange for Ash's "massive pain in the arse".
> Just making the 1st factor be a loong password is not equivalent to 2FA
> in any way. Machine reaching back to you is the difference.

The only "value added" is for those third-party providers: they know where
& when you are logging into which service and can monetize it.

It's just the basic antipattern you can see everywhere in surveillance
capitalism: provide a service which interposes between users and the
things they do (search, communicate, marketplace, transport; in the
current case: identity management), try to make them dependent, monetize
the knowledge you gain about your users.

Not all 2FA is like that, of course, e.g. when your second factor is a
hardware dongle (best if you control it, i.e. it's open hardware and
free firmware; Nitrokey comes as near as it gets). Still, why?

A loong password is not "equivalent" to 2FA, that's right. Good
password management (of which length is but a part) is as secure
as 2FA.

Cheers
-- 
t

Attachment: signature.asc
Description: PGP signature
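For readers who want to see what the "second response" in the exchange above actually consists of when it is not an SMS or a third-party push: here is an added example (not code from any poster in this thread) of a time-based one-time code, RFC 6238 TOTP, computed on the client side and checked on the server side. The seed and timestamps are the published RFC 6238 Appendix B test values (HMAC-SHA1); the TotpVerifier class, its one-step clock-skew window and its replay guard are my assumptions about how a server would use the code, not anything from the thread.

```python
"""Time-based one-time password (TOTP, RFC 6238) computed on both sides.

Added example, not code from the original mailing-list thread. It shows
what the second factor in a 2FA prompt is: a code derived from a shared
secret and the current time, which the server recomputes and compares.
The seed and timestamps are the RFC 6238 Appendix B test values
(HMAC-SHA1); the verifier class with its skew window and replay guard
is an assumption about how a server would use it.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of a big-endian
    64-bit counter, reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30 s steps since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side (assumed design): accepts a code for the current step or
    one step either side to tolerate clock skew, and never accepts the same
    step twice, so a code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes, digits: int = 6, skew_steps: int = 1):
        self._secret = secret
        self._digits = digits
        self._skew = skew_steps
        self._last_used_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self._skew, current + self._skew + 1):
            if step <= self._last_used_step:
                continue  # already consumed: replay of an old code is rejected
            expected = hotp(self._secret, step, self._digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self._last_used_step = step
                return True
        return False


RFC6238_SEED = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 seed


def demo() -> dict:
    """Client computes a code, server verifies it, then the same code is
    replayed and a wrong code is tried. Times are RFC 6238 test values."""
    results = {}
    server = TotpVerifier(RFC6238_SEED, digits=8)
    t = 1111111109
    code = totp(RFC6238_SEED, t, digits=8)  # client side
    results["code"] = code
    results["accepted"] = server.verify(code, t)
    results["replayed"] = server.verify(code, t + 5)  # same step: rejected
    results["wrong"] = server.verify("00000000", t + STEP_SECONDS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the code makes for the discussion above: the secret never leaves the two endpoints and no third party is consulted, so a TOTP generator (software or a dongle) gives the "machine reaching back to you" property without the provider learning where and when you log in; the replay guard is what turns a code an attacker has seen into something useless after its first use.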

