Joe Brockmeier

Authenticating to a website, 2010: Type in username and password

Authenticating to a website, 2024:
- Type in username
- Look up 20-character password in password keeper
- wait
- Prompt for 2FA token
- Dig out phone
- Unlock phone
- Scroll through 50 services to find 2FA token for website
- Type in 2FA token
- Success
- Receive email alerting you to the fact you've logged in
- Six weeks later: receive email telling you service had been compromised eight weeks ago and you must change password.

54 comments
Internet Hedgehog

@jzb what did you do to make it so that you don't get asked to solve 7 captches and then get your account auto-locked anyway when you login using 4 different factors?

solo

@jzb tbh I hate services forcing 2fa on you when you don't need it, so I just store my 2fa codes in bitwarden. yes, it makes it not actually 2fa. no, I don't care.

winter

@solonovamax @jzb It's still beneficial. There are a couple things i don't keep in Bitwarden but most of it i do. I guess i could separate them out but it seems so tough given how 2fa works.

solo

@winterayars @jzb yeah if it was smth where I really cared about the security I'd use actual 2fa

Oliver Jensen

@solonovamax @winterayars @jzb arguably it's still 2fa (assuming you 2fa into your pw manager)

The second factor is something you have: you're using the device from which you 2fa'd into your password manager.

solo

@ojensen @winterayars @jzb I'm not using 2fa for my password manager lol (tbh I prob should, but, inconvenient)

so it's not really 2fa

Oliver Jensen

@solonovamax @winterayars @jzb ok so I'm going to disagree *hard* with the idea of not 2fa'ing into your pw manager. For real, you should set that up right now.

It's not inconvenient, you do it like once every 30 days or something.

13reak

@solonovamax @jzb

It still helps against online attackers. They (hopefully) don't have access to your bitwarden.

I honestly trust my password manager more than my phone.

Stefan Monnier

@jzb @maj Huh? What's that magical "unlock phone" step? Doesn't that require authentication?

Locksmith

@monnier @jzb @maj
The "unlock phone" itself requires two authenticators.

Walter Burns

@jzb

In case this post is not sarcastic: here's a superior and simpler way to do it.

1. Open @bitwarden in the browser (if already not unlocked)
2. Let it auto-fill credentials
3. If 2FA active: simply cmd+V or ctrl+V (since it has auto copy TOTP)
4. Press enter to log in

Passwords cannot be compromised if securely generated with password managers since they are stupendously strong.

Please don't imply that authentication is hard - everyone should be encouraged given its ease.

Tokenizer

@walterburns @jzb @bitwarden He's just pointing out a fact. Independently of how hard/easy auth is, facts should not be ignored.

Walter Burns

@tokenizer And I mentioned facts too - a simpler way to do things.

Robbert

@walterburns @jzb @bitwarden
don't assume that their threat model is the same as yours.
i for example use multiple methods
some required a yubikey as 2fa
some have the totp in my password manager
some are in a standalone totp manager

and then of course we have companies which force you to use their own 2fa which is incompatible with the standard (i'm looking at you authy)

Walter Burns

@mjrider For most people, TOTP is enough and security keys are not necessary. So - my advice applies to most and not all. I am aware.

Walter Burns

@mjrider And you really should not be using or even recommending Authy. If you need an app, @ente Auth comes highly recommended from most if not all experts on the matter.

Robbert

@walterburns
to make it abundantly clear, i only use authy because it is (or was) the only way to use 2fa with twilio.
i really think it's a bad solution for 2fa

Joe Brockmeier

@walterburns @bitwarden The post is largely a sarcastic, or perhaps sardonic, observation of what a royal PITA using the Web has become if you happen to use a lot of web-based services / websites with authentication of some sort. (Doubly so if you only log into many of them infrequently.)

Note the point about going through all the fuss of 2FA and then being notified the service itself was hacked anyway... which is only a minor exaggeration, unfortunately...

Walter Burns

@jzb yes I get that my good sir. And I wanted to bring in a little more seriousness to the post by actually informing readers of how easy it really is in case anyone may actually be interested in learning.

Joe Brockmeier

@walterburns What is this "seriousness" of which you speak?

Walter Burns

@jzb my first comment of explaining and showing how easy it actually is.

blausand 🐟

1. I'm not a customer of #Bitwarden and I strongly recommend not even thinking about it. A commercial service at this point in the chain, what could possibly… really.
2. 2FA severely damages the UX of following simple and effective safety guidelines, like deleting cookies once a day.
3. 2FA undermines good habits like keeping your phone number private. E.g., when I have to log into my webmailer in somebody else's browser to copy the code, I gain ZERO security.

#funktionalKAPUTT

JK

@walterburns @jzb @bitwarden if authentication wasn't hard there wouldn't be people doing research to make it easier (passkeys). password-based authentication with 2FA is a pain in the ass. I know hardly any normal people using password managers.

Walter Burns

@jasonekratz

Sigh *rolls eyes*

It obviously means authentication and using password managers isn't hard - from the users' POV.

Do you not fathom the context of the thread and the discussion?

JK

@walterburns Eye roll all you want but it's clear you have never worked with normal people 😂 of course it's hard. Auto-fill does not work 100%. Never has for any of the many password managers I've used over the years. Password managers *add* another layer of complexity, not take it away. The best password is no password (passkeys) and not a password manager.

Sieva 🚴🚇🏙️🌹

@walterburns @jzb 2FA in Bitwarden requires a premium account. It also doesn't support HOTP and custom MFA auth (like app pushes to Microsoft or DUO), not to mention moronic services that just default to email or phone MFA (looking at you, Eventbrite).

But yeah, Bitwarden is very cool.

David Penfold :verified:

@jzb ...and the change password workflow fails leaving you in a permanent loop.

Pelle Wessman

@jzb 2024 should be passkeys, you’re at most describing 2020-2022

Locksmith

@voxpelli @jzb
Which is another device providing a key and which device requires a pin or password or fingerprint to unlock.

Pelle Wessman

@locksmithprime @jzb On Apple devices it’s the same password / mechanism you use to log into the device (Face ID / Touch ID with fallback to password)

Alvaro

@jzb@mastodon.social with bitwarden:

- Click on suggested username
- Click on associated password
- Paste 2FA token that is added to the clipboard automatically

That's it.

Linerd

@jzb you sure you ain't forgotten anything else?

Ken

@jzb I find this flow only mildly more acceptable than the other sites that do all this plus ask you for answers to stupid questions, that no one in their right mind would answer truthfully, which I have to copy/paste out of the notes section of my password manager.

David LaFontaine

@jzb you make me want to set my head on fire

Alex :anarcho_punk: :demiboy_flag:

@jzb@mastodon.social bitwarden skips the totp steps tho. it copies the token after filling the password

Molytov

@jzb

- Be offered 2 years of free credit monitoring from some sketchy service that you also have to sign up for and hand over all your information to.

John Deters

@jzb You forgot the step in 2010 where you have to request a new credit card because you got a mystery letter from Visa saying that your card was stolen.

For a while it seemed like I was replacing cards almost annually back then.

BenBE

@jzb Actually you forgot a few steps:

- Select "Login with Username&Password"
- Type Username
- Hit Next
- Reject logging in with FIDO2
- Lookup Password in password manager
- Type the password manually, because Copy&Paste is blocked
- Uncheck "Store password"
- Hit Next
- Reject storing the password in your browser
- Select other method for second factor to avoid SMS
- Search for current 2FA code in your phone app
- …

chebra

@jzb Where is the "Your account has been suspended for suspicious activity (using Firefox)"?

Greg Bell

@jzb something you know
Something you are
Something you regret
Something that hunts you

Dźwiedziu

@ferrix
Did you mean “haunts you”?

<floorboards creaking behind me>

Oh, never mind…

@jzb

Diego Pino

@jzb this is the short version, the longer version is when your 2FA app is installed in your former phone (now your nephew’s phone)

mdarge

@jzb but it's necessary though.

By the way I'm currently computing the checksum of a file I just downloaded. Which is the best MD5, SHA-1, SHA-256 or SHA-512 ?

Dźwiedziu

@jzb Well, what about passkeys?

You know, that thing you can't save to your password manager and was called asymmetric cryptography when I was younger.

<canned laughter>

Helmut Tammen

@jzb you compare apples (1FA) with pears (2FA).

Fred Moyer

@jzb I’m sorry but what is the “success” item in the list?? 🤣

Ascendor

@jzb true. Yet, tbf, in 2010, the service has been compromised as well, they just didn't email you back then.

woof

@jzb the frustrating thing is that, while 2fa does have a valid use for security, I strongly believe it's just being weaponized by online services for kyc purposes.

Chris Adams

@jzb Bonus points if they pull a Hashicorp and in 2024 WONTFIX requests for passkeys because that'd be too secure or something.

oshy

@jzb Passkey universal adoption can't come soon enough