|
Chalks posted:we've never had any issues with the ms authenticator, do you mean there might be an issue if you have no wireless internet and no phone signal but need to log in? we also have phone call auth as a fallback but obviously if you have no phone signal that's of no use either. Exactamundo. Not having to do additional comms for 2FA feels nice/ fairly reassuring, to be quite honest about it.
|
#
?
Mar 16, 2021 18:00
|
|
|
|
| # ? Jun 9, 2023 20:02 |
|
|
Guy Axlerod posted:Who needs to steal a SMS token for your bank when everyone you've ever written a check to has all the details needed to make an ACH withdrawal from your account. I've never written a check with my current bank accounts. I do everything electronically
|
|
#
?
Mar 16, 2021 18:44
|
|
|
I stand corrected.
|
|
#
?
Mar 16, 2021 19:10
|
|
|
Quackles posted:You only allow Microsoft Authenticator? if they cant get the azure ad push for whatever reason i think they can revert to the totp code for the same account. altho if they cant get the push notification because they dont have an internet connection they wont be able to access whatever anyways
|
|
#
?
Mar 16, 2021 19:13
|
|
Not the usual 'code refreshes every 30 seconds' types?
|
did they run out of money to frame it
|
|
#
?
Mar 16, 2021 19:22
|
|
|
Volmarias posted:Your bank cannot tell you to, quote, "git gud," and it also allows you to handle an incident far more directly than blizzard ever would. Your bank has a physical presence where you can make a scene, flecks of spittle flying everywhere, as you scream about your extremely secure password of "lmao1234" being guessed and your SMS based token getting intercepted. i was going to say that banks tell people to "git gud" with various stuff all the time, they already try to select for a certain type of customer for things like checking accounts but people who are not "gud" just end up making the bank money via overdraft and monthly service fees, e.g. from not having enough direct deposit income, which ends up excluding whole classes of customers who cant afford $30 here or there or $7 per month because they dont have the option for direct deposit
|
|
#
?
Mar 16, 2021 19:27
|
|
|
Guy Axlerod posted:Who needs to steal a SMS token for your bank when everyone you've ever written a check to has all the details needed to make an ACH withdrawal from your account. I have never written a cheque in my entire life.
|
|
#
?
Mar 16, 2021 19:46
|
|
|
neither have i, but i used to pay rent by check
|
|
#
?
Mar 16, 2021 20:41
|
|
|
Guy Axlerod posted:Who needs to steal a SMS token for your bank when everyone you've ever written a check to has all the details needed to make an ACH withdrawal from your account. this is not really a thing outside of the usa sorry for your lots though
|
|
#
?
Mar 16, 2021 20:47
|
|
|
Lysidas posted:even duo-2FA access to 'sudo' on a cluster, which i thought was really neat
|
|
#
?
Mar 16, 2021 21:00
|
|
|
GuNs GuNs GuN's https://www.hackread.com/hacker-dumps-guns-com-database-customers-admin-data/ HackRead posted:As seen by Hackread.com, among other sensitive data, the database includes Guns.com administrator, WordPress, and Cloud log in credentials in plain-text format.
|
|
#
?
Mar 17, 2021 02:34
|
|
|
My wife's employer's payment processor got breached and all data leaked, that's going to be fun  e: the fuckers got breached in January but only now figured out what was stolen and didn't bother telling anyone in the meantime, good job idiots SixFigureSandwich fucked around with this message at 12:33 on Mar 17, 2021 |
|
#
?
Mar 17, 2021 11:17
|
|
|
u brexit ukip it posted:My wife's employer's payment processor got breached and all data leaked, that's going to be fun
|
|
#
?
Mar 17, 2021 13:58
|
|
|
BlankSystemDaemon posted:are there not disclosure requirements as part of the pci/other standards payment processors? i found this adorably quaint article from 2007: https://www.pcicomplianceguide.org/data-breaches-part-ii-five-steps-to-manage-a-data-breach/ quote:Though a smaller data breach than its predecessors at TJX and ChoicePoint, the musical instrument company Bananas.com (Bananas at Large) was the victim of a hacker, who, according to published reports stole an administrative password by accessing Bananas.com systems as a remote user.  anyway that article mentions: quote:If you have been certified as PCI compliant, and a breach occurs, Visa and MasterCard require a forensic investigation into the breach, before fines are levied. so i guess yes
|
|
#
?
Mar 17, 2021 14:17
|
|
|
BlankSystemDaemon posted:are there not disclosure requirements as part of the pci/other standards payment processors? It's a payroll company, not a payment processor, sorry. They do need to call the local data security watchdog presumably
|
|
#
?
Mar 17, 2021 15:06
|
|
|
Kesper North posted:GuNs GuNs GuN's mods plz rename me 'Guns.com Administrator'
|
|
#
?
Mar 17, 2021 17:10
|
|
|
Potato Salad posted:jesus christ The bank regulations over here are very strongly pushing away from sms as 2FA. I don't think the push notification to phone model is particularly good (doesn't prevent competent phishing), but better than loving sms.
|
|
#
?
Mar 18, 2021 09:06
|
|
|
spankmeister posted:I have never written a cheque in my entire life. the only cheque i have is for my last grocery run 
|
|
#
?
Mar 18, 2021 09:39
|
|
|
Xarn posted:The bank regulations over here are very strongly pushing away from sms as 2FA. I don't think the push notification to phone model is particularly good (doesn't prevent competent phishing), but better than loving sms. our bank industry 2fa app is push based, but with extra information, which I like. for instance, as you are shopping online, when you press “pay” on some site you’ll get transferred to bank payment gateway. step 1 will be to log in - you have 4 digit random pin on screen to compare with your 2fa app. once you have logged in, you’re on bank’s payment screen, showing to whom this is, how much, etcetra, and you confirm that with secondary (longer) password in the 2fa app, where in addition to checksum pin you’ll also have “€420.69 to Funko.com”. olds still somehow get scammed, but imo the only way to stop olds from being scammed is to take any possessions away from them
|
|
#
?
Mar 18, 2021 09:48
|
|
|
PSD2 is pretty much removing any option for “just sms” in most eu countries, be it on banks (pretty much every bank here demands you install their app to act as TOTP) or credit cards(hard code and then sms). Sadly I think it’s clearly written to not let customers use more strong systems like fido2 but only the bank apps.
|
|
#
?
Mar 18, 2021 20:22
|
|
|
i still do not understand why orgs insist on having their own bespoke TOTP apps. there's zero advantage to doing so and i mean poo poo if you want to do your own app then why not also do push MFA? that said i guess they're still better than SMS...at least until an org producing a bespoke TOTP app has their back-end popped and effectively invalidates everything...
|
|
#
?
Mar 18, 2021 20:32
|
|
|
yeah, just support whatever the standard is that the ms and google apps support
|
|
#
?
Mar 18, 2021 20:56
|
|
|
a big offender for that bullshit is the AU federal government. a few years ago they centralised all gov services (centrelink, medicare, ATO, etc.) under a single portal. then they introduced MFA using either SMS or their bespoke TOTP app. the app is absolute trash, so much so that it doesn't support transferring to a new phone (you have to disable MFA and then re-enable it on the new phone). i literally only use the MFA app once a year when i login to file my tax return, it's the most useless app ever and yet from what i've heard it's been a giant PITA for the fed gov. edit: that bullshit MFA app aside i've never once had a single issue filing my taxes via the portal and as far as im concerned i've a flawless record with online filing via the ATO both before the portal with eTax and with the portal. never once filed a paper return, drat it's good when AU finally does some poo poo right! Pile Of Garbage fucked around with this message at 21:10 on Mar 18, 2021 |
|
#
?
Mar 18, 2021 21:07
|
|
|
Pile Of Garbage posted:the app is absolute trash, so much so that it doesn't support transferring to a new phone (you have to disable MFA and then re-enable it on the new phone). this is the correct behavior, though
|
|
#
?
Mar 18, 2021 21:12
|
|
|
pseudorandom name posted:this is the correct behavior, though most these days give you some mechanism to transfer. often it's installing the app on the new phone and then scanning a QR code produced by the app on the old phone.
|
|
#
?
Mar 18, 2021 21:15
|
|
|
Pile Of Garbage posted:edit: that bullshit MFA app aside i've never once had a single issue filing my taxes via the portal and as far as im concerned i've a flawless record with online filing via the ATO both before the portal with eTax and with the portal. never once filed a paper return, drat it's good when AU finally does some poo poo right! TOTP being carried from device to device(eg Authy or ms authenticator) is convenience at the expense of security. PSD2 seems to demand to reenroll devices rather than migrate too as every bank app I have does the same.
|
|
#
?
Mar 18, 2021 21:18
|
|
|
in a general sense convenience is security, if the alternative is users choosing not to do it at all. i am absolutely not putting 20 things into google authenticator and spending a whole day resetting things when i get a new device again
|
|
#
?
Mar 18, 2021 21:26
|
|
|
Pile Of Garbage posted:most these days give you some mechanism to transfer. often it's installing the app on the new phone and then scanning a QR code produced by the app on the old phone. wow, that completely misses the point of OTP and retroactively makes the entire concept of HOTP and TOTP as open standards that anyone can implement a dire mistake, since people are implementing them wrong and there's no way to enforce compliance server-side when all you're doing is supplying an otpauth URL
|
|
#
?
Mar 18, 2021 21:28
|
|
|
pseudorandom name posted:wow, that completely misses the point of OTP and retroactively makes the entire concept of HOTP and TOTP as open standards that anyone can implement a dire mistake, since people are implementing them wrong and there's no way to enforce compliance server-side when all you're doing is supplying an otpauth URL Shocker, prior solutions discovered to be naive when TOTP seed qrcode gets forwarded around to an entire admin team sharing that set of credentials / replicated to ten different devices owned by single admin. (So that transfer qrcode had better only work once, too) The original open standards worked well enough when people were carrying a single physical token, not so much once everybody had a dozen software implementations on their phone. People already have bank apps installed on their phone, they should just be confirming actions through push notifications to the app. Sassafras fucked around with this message at 21:35 on Mar 18, 2021 |
|
#
?
Mar 18, 2021 21:32
|
|
|
wait so it was fine when you had to pay RSA to do it for you?
|
|
#
?
Mar 18, 2021 21:40
|
|
|
Pile Of Garbage posted:wait so it was fine when you had to pay RSA to do it for you? Generally (but not universally) there's a reason why premium options command a premium, and now "good old free TOTP" doesn't particularly cut it. (And push-to-auth, too, is successfully phished, so the world moves on...)
|
|
#
?
Mar 18, 2021 21:50
|
|
|
They could at least let you add a new device before removing the old one. It would also be nice if they would stop blocking fido on mobile browsers. It would work just fine if you didn't actively block it.
|
|
#
?
Mar 18, 2021 22:02
|
|
|
Pile Of Garbage posted:wait so it was fine when you had to pay RSA to do it for you? when you had to pay RSA to do it for you, you couldn't extract the keys from the tokens because RSA understood the point of OTP (i.e. humans are stupid idiots who will give their password to any rando who asks, so make it impossible for them to share their real password)
|
|
#
?
Mar 18, 2021 22:18
|
|
|
totp accounts stored in duo mobile can be transferred to a new device when you set a password for your entire "account", which i think mine is 256 random characters, i forget the exact procedure and requirements despite just doing it last month i think the backup itself (icloud or itunes) had all of the totp keys saved too, encrypted with my password, and when restoring the backup onto new phone i had to enter that password to reactivate all of the totp entries duo-specific 2fa auth has to be re-enrolled on a new device though
|
|
#
?
Mar 18, 2021 22:31
|
|
|
fisting by many posted:in a general sense convenience is security, if the alternative is users choosing not to do it at all. yeah anyone saying you should force users to re-enroll is an insane dweeb. the first time a user gets a new phone and loses access to every MFA based account they'll never ever setup MFA ever again.
|
|
#
?
Mar 18, 2021 22:47
|
|
|
Shaggar posted:yeah anyone saying you should force users to re-enroll is an insane dweeb. the first time a user gets a new phone and loses access to every MFA based account they'll never ever setup MFA ever again. SSO for work / other principal identity sites, I don't care what people do with their lousy one-off site-specific personal accounts. A million Canadians (ie, like 5% of adults) had their CRA (IRS-equiv) accounts locked for having their valid credentials show up in password dumps from other sites. Users are idiots who can't be trusted. Sassafras fucked around with this message at 23:08 on Mar 18, 2021 |
|
#
?
Mar 18, 2021 23:06
|
|
|
i think its infinitely more likely that someone gets owned via a stolen phone with no passcode than someone stealing their encrypted totp backup
|
|
#
?
Mar 18, 2021 23:11
|
|
|
SlowBloke posted:TOTP being carried from device to device(eg Authy or ms authenticator) is convenience at the expense of security. PSD2 seems to demand to reenroll devices rather than migrate too as every bank app I have does the same. it does, for the exact same reason as with banks demanding their own bespoke totp apps - they’re held legally liable for your actions while authorised
|
|
#
?
Mar 19, 2021 10:20
|
|
|
Xarn posted:The bank regulations over here are very strongly pushing away from sms as 2FA. I don't think the push notification to phone model is particularly good (doesn't prevent competent phishing), but better than loving sms. On the other hand, all banking authentication is done via NemID which is a Nordic company that does a whole lot of stuff related to 2FA which gets tied to the equivalent of the social security number. And part of their service runs on FreeBSD. https://www.youtube.com/watch?v=I2rhwnY6Bg4
|
|
#
?
Mar 19, 2021 15:29
|
|
|
|
| # ? Jun 9, 2023 20:02 |
|
|
nets (the company that runs nemid) just got swallowed by an italian company called nexi so...
|
|
#
?
Mar 19, 2021 15:39
|
|
