geekhack Community > Off Topic

2FA and security are about to get way worse....


Leslieann:
So Apple, Google and Microsoft want to get rid of passwords, their plan is to now use your phone as a passphrase instead.
Just like 2FA, you would go to Google (or Apple or MS) and use your username, then it sends a text message to your phone to verify it's you with no password needed at all.

Let's try an experiment here, follow along, you lost your phone or it was stolen. Need I say more?  Yes there would be ways back in, with... a password. Remember the whole point of 2FA was to have a secondary device authenticate you on top of a password (first authentication), this knocks that right out because it eliminates the first authentication check, so what happens if you're accessing a site with your phone. Or someone steals your phone and uses it to access a site?

Your phone should never be your key for anything, it's an expensive highly visible device that people steal ALL. THE. TIME.
When your key is valuable for other reasons you're just encouraging people to steal it.  This sort of scenario is precisely why we went to passwords instead of keycards: they can't be stolen, work anywhere, are convenient and are easily revoked or changed. Like 2FA on most sites, this is not about security, it's loss of privacy being sold as ease of use. Don't fall for it.


Side note, 2FA has serious issues as well.
Don't you find it odd that almost everyone doing 2FA insists on using your phone for 2FA? Why not an email or a phrase or even pictures? Even when you're on your phone they use the phone for 2FA instead of email, making it 1FA. Almost none of this is about security; if it was, more thought would be put into it, they would be forcing it on you everywhere, and they certainly wouldn't be using your phone to do it.

P.S.
Don't get me wrong, passwords have their problems but they are solvable problems, that's kind of the point.

tp4tissue:
What to do, Llan?

Leslieann:
Refuse to use it, if possible.

I can't believe this is even proposed but it doesn't surprise me, hopefully people will see through it and kill it just like the Google cookie scam. Unfortunately with all 3 on board and not just Google I'm not going to get my hopes up.

For all the "find my phone" and shut down systems in place, phones are still regularly being stolen and cops do nothing, even when you know exactly where it is. That needs to change before this should even be considered. I fear it's going to take a few high level phones to be stolen before this dies.

Coreda:
I preemptively enabled TOTP (time-based one-time password) some places since I know they'll eventually want a phone for 2FA if I didn't, likely with some excuse of 'we don't recognize this device please give us your phone number' (as though that makes any sense from a security PoV if the statement is accurate).

suicidal_orange:
There is an option B - go back to dumbphones.  As long as you delete any 2FA texts, the thief (if they even bother to steal a dumbphone) won't know where your accounts are, so won't know where to start to access them.  No more remembering to charge your phone every day, no more smashed screens, no need for baggy pockets/huge bags, and you might even recognise a friend when you walk down the street if you aren't looking at their facebook page at the time.
