• Draconic NEO@lemmy.dbzer0.com · 18 up, 4 down · edited · 16 hours ago

    I strongly dislike 2FA and MFA solutions, and really they seem to me to be a way for services to protect themselves rather than to protect me, since if I lose the device they’re connected to then I get locked out myself. If they function poorly, like Lemmy’s early implementation of them, they can lock you out even if you have everything in order.

    So when companies try and force 2FA or MFA solutions as mandatory in online applications where there are no additional recovery methods, I’m not going to delude myself or go along with the notion that they’re doing it to protect me, and not themselves, since those solutions make it likely that I lose my account at no loss or harm to them.

    Maybe this seems harsh but I’ve seen how big tech companies handle this aspect and talk about it and I know none of the other things they do come out of legitimate care for their users and I know this isn’t ultimately any different.

    • Telorand@reddthat.com · 10 up · 15 hours ago

      I appreciate that 2FA can be annoying, but I’ve personally had my info leaked in various breaches, and (software) 2FA has been the thing that’s saved my important accounts. They manage to get as far as the TOTP and stop, because it’s an additional lock that’s harder to bypass than a static password. It’s easy to say it’s just a pointless hurdle when you’ve been lucky enough to have avoided having your data leaked.

      > I know none of the other things they do come out of legitimate care for their users and I know this isn’t ultimately any different

      You are right that companies don’t care about users like us, but many of these protocols came from cryptographers and software engineers who do care. The Diffie-Hellman-Merkle key exchange underpins most of public cryptography, and it wasn’t created for big business. Regardless, big companies do care about big clients, who are often desirable targets for hackers.

      So these locks and protocols exist because a relative few people genuinely care about security, and the big companies implement them as correctly as possible, because they care about not getting sued for negligence by a big client or losing their business.

      You’re right to be cynical about corporations, but that doesn’t mean we can’t get mutual benefit from their self-interest.

    • fxomt@lemmy.dbzer0.com (OP, mod) · 8 up · 16 hours ago

      > I strongly dislike 2FA and MFA solutions and really they seem to me to be a way for services to protect themselves than to protect me, since if I lose the device they’re connected to then I get locked out myself

      I use ente auth for 2FA. Is it less secure than hardware authentication? Yes, but at least I can recover if I ever manage to lose everything in a freak accident. Besides, it’s more secure than no 2FA :p

      Software 2FA is a good middle ground (recoverable yet still secure)
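      The two points raised above, that a TOTP code is an extra lock a leaked static password does not open, and that software 2FA stays recoverable, can both be shown in code. The following is an added example written for this thread; it is not code from Lemmy, Ente Auth, or any commenter. It implements RFC 4226 HOTP / RFC 6238 TOTP from the standard library, verifies a code with a one-step clock-skew window and replay rejection, and adds single-use recovery codes stored only as salted PBKDF2 hashes, so an account can be recovered without the device. The `SecondFactor` class, the `window` parameter and the test secret are assumptions of this example, not anything the thread describes.

      ```python
      import base64
      import hashlib
      import hmac
      import secrets
      import struct
      import time


      def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
          """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
          digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
          offset = digest[-1] & 0x0F
          code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
          return str(code % 10 ** digits).zfill(digits)


      def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
          """RFC 6238: HOTP with the counter derived from Unix time / step."""
          at = int(time.time()) if at is None else at
          return hotp(secret, at // step, digits)


      def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                      window: int = 1, last_counter: int = -1):
          """Return the matching counter, or None.

          Accepts +/- `window` steps of clock skew and refuses any counter already
          consumed (`last_counter`), so a captured code cannot be replayed.
          """
          at = int(time.time()) if at is None else at
          counter = at // step
          for c in range(counter - window, counter + window + 1):
              if c <= last_counter:
                  continue
              if hmac.compare_digest(hotp(secret, c), code):
                  return c
          return None


      def hash_recovery_code(code: str, salt: bytes) -> bytes:
          # Recovery codes are short secrets; store only a slow salted hash.
          return hashlib.pbkdf2_hmac("sha256", code.strip().lower().encode(), salt, 100_000)


      class SecondFactor:
          """Per-account state: TOTP secret, replay counter, hashed recovery codes (assumed design)."""

          def __init__(self, secret: bytes, recovery_codes, salt: bytes = None):
              self.secret = secret
              self.last_counter = -1
              self.salt = salt or secrets.token_bytes(16)
              self.recovery_hashes = [hash_recovery_code(c, self.salt) for c in recovery_codes]

          def provisioning_secret(self) -> str:
              # Base32 form that authenticator apps import from the enrolment QR code.
              return base64.b32encode(self.secret).decode()

          def check_totp(self, code: str, at=None) -> bool:
              c = verify_totp(self.secret, code, at=at, last_counter=self.last_counter)
              if c is None:
                  return False
              self.last_counter = c
              return True

          def check_recovery(self, code: str) -> bool:
              # Constant-time scan; a matching code is burned so it works exactly once.
              candidate = hash_recovery_code(code, self.salt)
              for i, stored in enumerate(self.recovery_hashes):
                  if hmac.compare_digest(candidate, stored):
                      del self.recovery_hashes[i]
                      return True
              return False


      def generate_recovery_codes(n: int = 8):
          return [secrets.token_hex(5) for _ in range(n)]


      if __name__ == "__main__":
          # Constructed demo: the RFC 6238 reference secret and a fixed timestamp.
          secret = b"12345678901234567890"
          sf = SecondFactor(secret, generate_recovery_codes())
          print("import into app:", sf.provisioning_secret())
          print("code at t=59:", totp(secret, at=59))          # 287082
          print("accepted:", sf.check_totp("287082", at=59))   # True
          print("replayed:", sf.check_totp("287082", at=59))   # False
      ```

      The reference secret and timestamp reproduce the RFC 6238 test vector (code 287082 at t=59), so the arithmetic can be checked against the standard. A leaked password alone never yields a valid code, and a code that was phished is dead after its step and after one use; the hashed recovery codes are what make this "recoverable yet still secure".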

      • Draconic NEO@lemmy.dbzer0.com · 10 up, 2 down · 15 hours ago

        There are solutions and ultimately it’s up to you to ensure that you have access to your account not because services are mean and want to hurt you, but because you’re a big boy. They give you security tools and how you use them is up to you.

        Are you really sitting here trying to argue that big tech companies like Google and Microsoft somehow have our best interests at heart, on a dbzer0 community about privacy where it’s abundantly clear to us that they don’t? Especially in cases of forced 2FA/MFA adoption with texting.

        You know the only worthwhile thing you said was about software based 2FA which @fxomt@lemmy.dbzer0.com already mentioned in a far more civilized manner that made me more willing to listen to him, while also not kissing up to big tech companies who really actually mandate it to make their lives easier and who couldn’t care less if you lose access to your account.

        The irony is that “to ensure that you have access to your account” isn’t really accurate when it comes to the hardware solutions; it would be more accurate to say “to ensure that if access is lost, it’s lost forever”, and I’m never going to agree with or be okay with that, because ultimately the person gets screwed over with no loss to the company trying to mandate it. Which is what I was expressing and why I lack any desire or drive to use them, and also my knowledge of how big tech companies operate is ultimately one of the reasons I’m not willing to delude myself into thinking they have my back when they actually don’t.

  • ExtremeDullard@lemmy.sdf.org · 10 up · edited · 18 hours ago

    I’m all for MFA, but ultimately, a GOOD password (or rather, a good password recipe) that resides in my brain must be included in the mix as far as I’m concerned, because unlike other forms of authentication, that one can never be extracted, stolen or recovered without torturing me.

    So you can have your passwordless future: I’ll keep my passwords - in combination with other forms of authentication of course. Passwordless is lesser security for the lazy.