I personally am fine with this.
deleted by creator
Yep. If people care about supply chain attacks or so, just add features that allow only commits from accounts with 2FA to certain repositories.
they want your phone number so they can track you.
how would they track you?
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
deleted by creator
me giving, let’s say, twitch my phone number gives them exactly 0 ways of tracking me in any way whatsoever
Source: worked for a mobile company
yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation
Yep, should be standard everywhere
… for accounts you actually give a shit about
emphasis on the
… for accounts you actually give a shit about
deleted by creator
If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.
The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.
deleted by creator
Apple actually describes the process for sync in some detail: https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web
Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1
The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.
It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.
deleted by creator
Just FYI, your account shows up as a bot. You should change it in your account settings.
And not the twitch way, where you have to have in an identifier, your phone number, but using proper, standards ways for it, like TOTP and such
twitch has TOTP
deleted by creator
Before I deleted my accounts there, I remember twitter and facebook deactivated your account for “suspicious activity” if you did not provide a phone number when making it, and the only way to reactivate it was to give them your phone number.
true. But I think that’s mostly to make bots harder to create. Not as easy to get a phone number than an email address
I had a lot of success with this: https://phonegenerator.net/
As the other commenter said, only if you give them your phone number, and only through that garbage authy that does not use standard TOTP, but some proprietary crap, specifically made for twitch.
And if you give them a phone number, which another user will also try to use in the future, then the secret used for TOTP can change in any moment, which means if you exported the secret to e.g. Aegis and deleted that tracking filled garbage that is named authy, at one point the codes just won’t work anymore, and you’re practically locked out. Apparently support should be able to help, but they don’t give a single fuck.
and only through that garbage authy
you can use any TOTP app. I use bitwarden
How? How do you import the secret key to it? Are they finally showing a proper QR code when setting it up?
My account is still locked to authy, and the support pages I have read are written as if it would still work through authy for everyone.
Are they finally showing a proper QR code when setting it up?
At least that was the case for me. I removed 2FA to make the authy key invalid and activated it again. and they do the normal TOTP setup stuff during setup
What’s wrong with Authy?
First of all, that they are totally unnecessary for twitch to be able to provide 2fa authentication.
Other than that, their app has tracker components, all secret keys are stored in the cloud, who knows whether that’s encrypted, but on your phone’s storage surely not, if yours is rooted you can just view it in a file manager and copy it to a normal code generator app.
Generally they support standard TOTP code generation, but for twitch they are using some weird shit that generates 8 long numbers (instead of the standard 6), of which the middle 2 is the same so they drop one of them, and then also codes expire in third the time as it is normally.
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
Use a password manager that lets you autofill 2fa, like Bitwarden.
That’s bad advice
Passkeys supported?
What’s the difference between a passkey and a security key?
Edit: ohh, it’s passwordless. I won’t do this for my Google account. Github: maybe. but not Google
No offense to companies but I’m honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a “bad phone number”. This happened on discord where I’m locked out of certain servers because I can’t do phone verification, and I can’t do it because discord doesn’t like my phone number. Twitter was the same way for a long while (couldn’t do 2fa/phone verification due to them not liking my number).
From the article it sounds like they’re doing authenticator app or sms. I’m guessing sms won’t work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft… no google?
Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we’re gonna have to have 30 different authenticator apps on our phone?
Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?
you… don’t?
Both of these implement exactly the same protocol (TOTP). Used authy for all my
Top Of The PopsTime-based one-time password needs exclusively, before moving everything to bitwardenAnyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security
there’s quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
deleted by creator
I personally am afraid of this. What if something gets botched? I’ll be permanently locked out of my account!
I’d prefer me getting permanently locked out over someone who isnt me getting allowed in. Even more so to services which have my credit card number.
But unlikely anyway, as long as I save my pass and 2fa to a password manager, and keep the backup codes backed up.
Print off your recovery codes and keep them safe. If you want to be extra, hammer them into metal plates like the crypto weirdos do.
Printing recovery codes would require me to either be price gouged by the printer ink cartel or use someone else’s printer, and using someone else’s printer is begging to get my account stolen.
I have no idea how to hammer things into metal plates, but I’m guessing that’s even more expensive than printer ink.
Just use your pen and paper.
I can do that with alphanumeric codes, yeah, but can I get alphanumeric codes from GitHub, or is it going to be a QR code? I can’t write down a QR code…
The recovery codes come as a set of numbers
QR codes are just an encoding. Just use any half-competent QR code app, and it will give you it’s content, which you can then write down. For the reverse you can use any QR code generator.
How do I feed the generated QR code back to GitHub, then? Can I upload an image of it?
Have you ever used any website with 2FA? You don’t need to upload QR codes.
2fa should be mandatory everywhere
Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.
Yeah. GitHub makes sense because most users are writing code that can be executed by others. That makes GitHub accounts security critical.
But a Lemmy account? Naw, you lose almost nothing if that gets compromised. A little bit of history and subscriptions, mostly.
I’m in a discord that for some reason “requires” 2FA. Based on searching, I think they give everyone some kinda admin role or something? It doesn’t actually require 2FA, but it shows a very annoying warning that covers up a bunch of the channel selection screen. But despite that, I don’t really wanna deal with the hassle of 2FA on a chat app that’s basically consequence free for me if it gets exploited.
Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.
Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!
Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
Well negativity is there because every app wants it.
I don’t care if account x is compronised, as it has absolutly no value
I dislike MFA because it creates a risk of losing access to my account. I can back up my passwords; I can’t back up a hardware device.
A hardware device is a physical key. Its no different than backing up your home key. Get two keys and copy them. Keep one on you, and the other in a safe somewhere in case you lose the first.
Normally you get a handful of recovery codes when you set up 2FA. If not, you can just create a backup of the QR-Code or secret when setting up 2FA and store it in a safe location. And even if all that fails there’s usually a way to recover an account by going through support.
Although I wouldn’t recommend it, there’s also 2FA apps out there that have cloud-sync.
It’s pretty hard to hand-write a QR code, I don’t wish to pay the printer cartel $50 for the privilege of printing it, and it would of course be horribly insecure to print it with someone else’s printer.
And how would I use the QR code? I can’t scan it with my phone’s camera because allowing my phone access to my GitHub account is a security risk, and I can’t scan it with my desktop because it doesn’t have a camera.
So, how is this going to work? How do I recover my GitHub account without making it less secure than it is with just a password?
There is no printer ink cartel if you pick an older HP LaserJet/Brother printer. Once you buy, printer is yours and laser cartridge is cheap.
