I personally am fine with this.

  • Otome-chan@kbin.social
    link
    fedilink
    arrow-up
    17
    arrow-down
    14
    ·
    1 year ago

    No offense to companies but I’m honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a “bad phone number”. This happened on discord where I’m locked out of certain servers because I can’t do phone verification, and I can’t do it because discord doesn’t like my phone number. Twitter was the same way for a long while (couldn’t do 2fa/phone verification due to them not liking my number).

    From the article it sounds like they’re doing authenticator app or sms. I’m guessing sms won’t work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft… no google?

    Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we’re gonna have to have 30 different authenticator apps on our phone?

    • SkaveRat@discuss.tchncs.de
      link
      fedilink
      arrow-up
      22
      arrow-down
      1
      ·
      1 year ago

      Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?

      you… don’t?

      Both of these implement exactly the same protocol (TOTP). Used authy for all my Top Of The Pops Time-based one-time password needs exclusively, before moving everything to bitwarden

      • subtext@lemmy.world
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        1 year ago

        Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.

        • SkaveRat@discuss.tchncs.de
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          1 year ago

          which ones are that? I’d love to check, because afaik, they have a feature that enables push-2fa via authy, but should generally work on other apps as well

            • SkaveRat@discuss.tchncs.de
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              1 year ago

              Are you sure that you can’t use a different TOTP generator? There’s a difference between telling you to use Authy and still being able to use a different app

              • LittleLily@shinobu.cloud
                link
                fedilink
                English
                arrow-up
                5
                ·
                edit-2
                1 year ago

                Yes I’m sure, hence why I specifically mentioned that. Try the sign up procedure yourself. It REQUIRES 2fa and it has to be Authy’s non-standard token or SMS. No option for regular TOTP.

                • SkaveRat@discuss.tchncs.de
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  thx. just making sure. I already saw a lot of people annoyed about a specific app, just because that was the one being advertised, but in the end it was TOTP

        • subtext@lemmy.world
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          1 year ago

          Well the good news for you is that a website specifying one or the other is nothing more than marketing from that app maker! So long as there is a QR code (or a long random-ish string), you can use any authenticator app that supports that website’s 2FA algorithms!

          That last bit is important because I think Lemmy had a non-standard 2FA algorithm (SHA-256?) that wouldn’t work with Google Authenticator.

      • tool@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.

        Eh, it’s a little more nuanced than that, there’re more standards for MFA code generation than just TOTP.

        And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard’s Battle.net MFA is a good example of that.

        If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn’t automatically assume that it’s going to work.

    • library_napper@monyet.cc
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      Anyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security

      • Otome-chan@kbin.social
        link
        fedilink
        arrow-up
        5
        arrow-down
        2
        ·
        1 year ago

        there’s quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.

      • Trexman@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        You might want to migrate away from LastPass. And change every account password. They were hacked horribly and the only thing standing between your encrypted passwords and hackers is time.