this post was submitted on 21 Dec 2024
94 points (98.0% liked)

technology


Installed Steam on a new computer. Signed in. It sent a passcode to my GMail. I signed into GMail. It wanted me to 2FA because I hadn't signed into Google on that device. It sent a notification to my phone, which I never received. I had it resend the notification twice, still nothing. Tried again with my phone's offline passcodes. Neither worked. Tried the QR code/Bluetooth connection, and that finally did it.

At least I got through in the end, but fuck, it's annoying.

[–] [email protected] 45 points 21 hours ago (4 children)

Yeah I've been thinking this more and more. Losing a phone now means losing access to everything

[–] [email protected] 31 points 21 hours ago* (last edited 21 hours ago) (2 children)

Discord wanted my fucking phone number and since I use a free voip service it couldn't send it to that so I had to use my dad's phone. So fucking stupid and backwards. I've been using email for decades now and I've never been hacked, what was wrong with that, why you gotta enshittify everything so?

[–] [email protected] 27 points 20 hours ago* (last edited 20 hours ago) (3 children)

A phone number requirement is to stop people from making a bunch of accounts. Emails are free and unlimited, but phone numbers mostly cost money and like you said they have some way to know which numbers come from free voip services.

Of course phone numbers are also more closely linked to your private identity, as they usually have to be in your or someone close to you's name. So that makes data gathering easier and makes it easier for feds to snoop on your shit if they really wanted (Discord will comply ofc).

[–] [email protected] 4 points 12 hours ago (1 children)

VoIP is not supported for 2FA by some institutions like banks because it may be less secure than a conventional phone line, since it is connected to the internet. In practice, I think SMS is insecure regardless of whether it is over the internet or phone line, but in any case that is why VoIP is not fully supported.

[–] [email protected] 1 points 1 hour ago

SMS is very unsecure but companies use it. I think that's what Discord uses on sign up, but they don't allow free numbers like Google Voice.

[–] [email protected] 21 points 20 hours ago (1 children)

It's not fair to broke b*tches like me.

[–] [email protected] 15 points 20 hours ago

Or ban evader trolls like me. thonk-cri

[–] [email protected] 11 points 20 hours ago (1 children)

Discord doesn't even have to comply, there's zero E2EE in any part of the network, anyone can snoop in on it if they get any level of access to chat logs.

I wonder why Discord is known for being home to predators.

[–] [email protected] 2 points 1 hour ago* (last edited 1 hour ago)

There's still TLS, so even without end to end encryption of the messages, the only parties that should be able to see the contents are you, the recipient(s), and Discord. So either Discord has to willingly give over the messages, or a larger data breach of Discord has to happen.

[–] [email protected] 5 points 20 hours ago (1 children)

Discord hasn't asked me for a phone number and I have 2 burner accounts on there with email aliases. I think you just got flagged because you connected with a VPN or something. I use Vesktop as well so that might be why.

[–] [email protected] 6 points 17 hours ago

I think individual Discord servers can demand phone verification as a way to limit people entering it.

[–] [email protected] 20 points 20 hours ago (1 children)

Ya it's a big problem IMHO. Last time my phone was fucked I couldn't pay rent or anything because I couldn't log into my bank because I couldn't get the SMS. I use a password manager and have TOTP set up for important accounts but a lot of these big institutions only support SMS.

I heard about a guy who got his google account deleted because a computer wrongly thought he had csam. (During covid his small child had a genital rash so he took a picture and emailed for a virtual medical visit as the clinic requested.) They deleted everything and "don't have backups" so even tho google admitted it was an error will not restore. So he couldn't log into anything, no email, cross site logins, his phone didn't work, even totp I think via authy. All just gone.

It's not the exact same situation but shows what a tangled web has been created and so precarious.

[–] [email protected] 11 points 17 hours ago* (last edited 17 hours ago) (1 children)

it's part of my job to think about this for companies, and you'd think that would make me feel confident in my ability to create a robust backup system with failsafes for all of these logins. instead i'm hyper-aware of how screwed I'd be with loss of access to any given point of failure and constantly anxious about it, bc it takes a literal team of people to set up and maintain that sort of thing

twice as bad if you're concerned about data privacy or opsec. like sometimes the options are "give my phone number to some company i inherently don't trust" or "accept the risk that it will be impossible to recover this account if I lose access to my email address"

[–] [email protected] 8 points 16 hours ago

the problem is, and it seems like a legitimate problem, is that in this context a backup is also a back door.

I don't know how it is possible to have any amount of security without the possibility of being totally locked out in some situations. how can you assure that you can reset a password but prevent anyone else?

It seems intractable. Password managers have been available for a long time and if people haven't started using them yet en masse I see no reason to expect they might any time soon.

[–] [email protected] 12 points 19 hours ago* (last edited 19 hours ago)

If you have any tech literate friends, you can all install Syncthing and quickly each create a personal push-only share. Then everyone you know is helping each other back up their password manager databases or anything else locally encrypted with a strong password that's small enough to be acceptable. Micro SD cards are 1.5 and even 2TiB now, and work with my 4 year old Xiaomi phone.

I'm thinking of the WeChat recovery option that just makes a couple people you had in your friends list or were your main contacts open a menu in settings and confirm you contacted them (I think IRL), in order to verify the recovery request.

[–] [email protected] 5 points 20 hours ago

perhaps this is the reason we shouldn’t have turned a useful tool (technology) into a system that controls all aspects of our lives

I’m convinced that Marx would rethink his takes on technological advancement if he could see how it has become fully integrated with a hyper-capitalist and profit-driven world.