Two Step Verification Will Fail Hard.

[NikolaeVarius]

It'll fail because it's cumbersome to you and because some people use shitty passwords? Yeah, no. Also, I don't get why it matters how strong the password is... isn't that part of the point of 2-step?

2 Factor doesn't always authenticate. Gmail/Banks/etc etc tend to give your computer a 30 day cookie where you don't have to 2 factor login again. So anyone local who knows your "12345" password can still trivially login.

2 Factor works against remote login attempts so you should still have a strong password.

 

[Ichinisan]

According to this article if an identity thief takes over your mobile phone account they can then get a hold of your TFA and potentially get into your bank info.

http://www.nbcnews.com/tech/tech-news/fraud-alert-id-thieves-hijack-mobile-phone-accounts-n599761

I think this article is more hype at that point, while it could happen they provide no example of it happening. Just people getting free phones from the identity theft.

Without 2FA on your email account, they could take over the email account and gain access to everything else through password resets.

No need to target your phone in that case.

Also, that wouldn't work for me. Gaining access to my phone number to get my texts wouldn't work because I don't do 2FA via text. I use 2FA with the Google Authenticator app. It's set to use time based cypher, so I don't even need a mobile data connection or WiFi signal.

Dropbox and Hotmail work fine with my Google Authenticator app. I'm pretty sure Microsoft has a free multi-platform Authenticator app too.

 

[stlc8tr]

2 Factor doesn't always authenticate. Gmail/Banks/etc etc tend to give your computer a 30 day cookie where you don't have to 2 factor login again. So anyone local who knows your "12345" password can still trivially login.

2 Factor works against remote login attempts so you should still have a strong password.

If you're that worried about a local attack, you can set a password for your PC or configure your browser to wipe cookies periodically.

 

[Charmonium]

I called one of my credit card companies a few days ago, Citi I think, and they asked if they could voice print me. I said yes.

This will probably be the next thing in biometrics.

 

[biostud]

I use it for google and microsoft accounts. And we have a public NemID (EasyID) two step verification system in Denmark you use with all public servives, banks, insurance etc. You get a small piece cardboard with a lot of one times codes you use, combined with your social security number and personal password, and when there's 30 codes left on your card they'll send you a new one. Or you can buy an electronic number generator if you use it a lot.

 

[JimKiler]

Without 2FA on your email account, they could take over the email account and gain access to everything else through password resets.

No need to target your phone in that case.

Also, that wouldn't work for me. Gaining access to my phone number to get my texts wouldn't work because I don't do 2FA via text. I use 2FA with the Google Authenticator app. It's set to use time based cypher, so I don't even need a mobile data connection or WiFi signal.

Dropbox and Hotmail work fine with my Google Authenticator app. I'm pretty sure Microsoft has a free multi-platform Authenticator app too.

What is the google 2FA app? That is an app and not a dongle like RSA keychains right?

 

[Jaskalas]

2FA will fail hard?
Only if you don't have a cell phone.

 

[sdifox]

What is the google 2FA app? That is an app and not a dongle like RSA keychains right?

same thing as a keychain except in software.

 

[Adul]

2factor when made easy is good I like how it is setup for Microsoft multi-factor auth, blizzards updated authenticator, and a couple of others I have used. Simple to use and increases security greatly.

 

[stlc8tr]

What is the google 2FA app? That is an app and not a dongle like RSA keychains right?

Yes, it's an app.

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

It's time-based so no network access needed.

Alternatives include Authy.

https://play.google.com/store/apps/details?id=com.authy.authy&hl=en

Authy allows for multi-device linking so you can have the codes appear on all of your devices (including your browser). (There's a hack to do this for Google's app but it's much easier to do with Authy.)

 

[TheGardener]

I called one of my credit card companies a few days ago, Citi I think, and they asked if they could voice print me. I said yes.

This will probably be the next thing in biometrics.

So far I was asked once, and I declined. Of course just about every call that one makes to a customer service department is recorded. So if they want, they could pull a Microsoft by ignoring my opt out and do it anyway.

 

[Cheesemoo]

Holy crap! You almost have my password. Mine only has 1 character more. Amazing.

thats mine too. but it is in Finnish

 

[blankslate]

http://www.youtube.com/watch?v=EegEM7Ay9NQ&t=45m55s

you mean fail hard like that


___________

 

[shortylickens]

we need encouragement to use it