my first experience with 2FA was when I was a WoWfag in like 2008 and got an authenticator for my account. It was a little keychain fob thing, you pressed a button and it gave you a six-digit code. I would have no objection to a site or service that did that. My objection to 2FA is sites using it as a thinly-veiled excuse to tie the account to a phone number. SMS is insecure in the first place, and I don't want businesses to have my phone number at all if possible.
>I don't want businesses to have my phone number at all if possible.
This. I never had problems with spam until I started using a couple sites that force 2fa.
Authenticator apps are a thing, though some still force phone number as a "recovery method"
GIVE US YOUR PHONE NUMBER! IT'S FOR YOUR SECURITY!!!!!! NO WE DON'T CARE IF YOU CHANGE PHONE NUMBERS OR SOME OTHER SHIT HAPPENS THAT MAKES YOU LOSE YOUR PHONE NUMBER! THAT'S NONE OF OUR PROBLEM!
>thinly-veiled excuse to tie the account to a phone number
Exactly this. I will not use a service, app or whatever that requires this shit. If they have a feedback section I tell them I don't have a phone so I can't use their shit.
See:
>2FA
>SMS is unencrypted since forever
>iMessage probably works (on some companies OTP/codes) meanwhile RCS is spotty and may not work depending on your APN and SIM capabilities, while RCS may also eat your encrypted 2FA SMS OTP/codes for breakfast (it is usually broken at night time your time zone, saving bandwidth? lol)
>4G call is "somewhat okayish encrypted" however OTP codes aren't sent this way, since it costs more to do calls
>but also most phones do not support VoLTE / 4G call since the IMS is broken most of the times and most ISPs only IMEI whitelist their available "postpaid" phone plans for VoLTE, thereby making the theoretical call OTP code insecure anyways since it's 2G/3G
>most "authenticator" apps are botnet as fuck
>2FA is actually just a thinly-veiled KYC+datamining+(credit)profiling, it is likely that your information would be leaked anyways, even more vector for your total compromise
>complete and utter compromise when the OTP code over insecure SMS included the device's user agent which banking apps sometimes do to notify logins, this lets hackers imitate your user agent and compromise more accounts later
this
You're a literal dribbling moron lmao
TOTP doesn't use SMS
With this level of retardation it's hard to say if you're joking or not
you can literally migrate TOTPs to devices like this (some have their own cameras + a GPS for exclusively scanning TOTP QR codes offline)
^ this, you don't need a phone for any of this shit, you can do TOTPs on an air-gapped device, other than the initial QR with the secret key being intercepted.
most websites actually work users never used SMS 2FA, because it is surprisingly expensive to send SMS to people regularly. multiple orders of magnitude more than emails or similar. and even more when your users include third-worlders with oligopolistic mobile carrier markets
the problem is 99.9999999% of people just can't be arsed to use TOTP because the user experience is ass. how do you expect normies to safekeep their TOTP secrets when Google's own retarded app for it didn't bother syncing them until very recently? This is the only reason why shit like Authy got popular for example
These days it's getting better at last, with passkeys in particular hopefully saving us from all this shit in the future
(and don't mention security keys, they're great but are multiple layers of autism further away from what the average dumbass can handle)
what service?
Github, you vill use ze phones
move to codeberg or sourcehut
I won't do what you say so you can just suck it chump.
Retard, you don't need to use a phone
it should remain optional, but honestly, TOTP is good, open tech. there's no reason to not use it.
Bitwarden browser plugin handles TOTP for you.
Honestly, just for not losing the TOTP keys, Bitwarden is worth the $10 it costs.
yeah, but I self-host anyway. still, a good product. I think they strike good balance between being community-friendly and making their business work.
Isn't having your totp in the same app as your passwords kinda defeating the purpose though?? in any case, my issue is now setting up all the totp keys again, massive pain in the ass.
yes, it may defeat the purpose in some cases. in general, three factors of authentication are
>something you are (login, biometrics)
>something you know (password)
>something you own (auth token)
having TOTP and passwords in password manager basically rolls the last two into one, when someone gets hold of your master password, or a leak happens which publishes both these factors.
SourceHut
just made a new account and I can't remember 2fa even being mentioned
You don't need a phone for TOTP auth you retard, you can use KeePassXC on your favorite troonix desktop.
github
just use aegis authenticator, you can back up your keys in plaintext if you so want and use them anywhere including your desktop with autistic cli tools like oathtool
you literally do not need to give them your phone number because they support TOTP 2FA apps
What's your credentials exactly, Dr. Shekelberg?
>apps
I don't want an app
I don't want anything I do to depend on a phone
dedicated device or nothing. no phones, ever.
keepassxc supports totp too
https://keepassxc.org/docs/KeePassXC_UserGuide#_adding_totp_to_an_entry
>t. juice
You can generate a code with oathtool
You don't know what TOTP is.
It doesn't require network access, or any sort of authentication aside from a shared secret given to you which is used to generate one time passwords and then confirming that your code generator works when it asks you to give a 6 digit code.
oathtool --totp -b "[your secret key]"
?
>t. autist
Came here to recommend this. Specifically installed it because Github wouldn't let me log in if I didn't enable this shit, never used it before and I found it really convenient.
>github
works on my machine
>just use [thing]
I don't want to, passwords work fine
>github
I don't get why people still use that shithole.
I moved to Codeberg
at the very least they don't have 2FA
I'm going to fucking scream. You do not need a phone for 2FA.
I know how you feel, but it's not OP's fault, you can be forgiven for thinking 2FA TOTP is some proprietary botnet shit where your keys are now stuck on your phone tied to your google account or some shit because they literally do promote it this way and the most visible apps when you search for a TOTP app are exclusively proprietary phone apps that require a goddamn login.
hahaha naggers hahaha lmao i hate naggers fuck naggers hahaha nagger nagger nagger lmao nagger fucking naggers nagger nagger nagger nagger hahahaha nagger
nah just kidding, i love naggers
>t. wigger
I just upgraded my F-91W and it supports TOTP now, I wish I had a use for it.
I was pretty angry when robinhood started forcing me to use totp 2fa but then it made a lot of sense and now I'm angry my regular bank doesn't support it.
fact: companies have used 2fa to link accounts with real world identities and have sold this information to advertisers
>what is TOTP
what you don't understand is not every site offers TOTP or webauthn
I don't get it... is it asking you to use SMS 2FA? Because you don't have to sign up for anything to use TOTP lol
>its an additional layer of security*
*that gives us access to your phone and all your data to sell to third parties.
enjoy the extra securityTM so nobody hacks into your fucking videogame/forums account.
good god fuck modern "security". not everything needs to be inconveniently secure. but i know the financial reason behind it
u r retarded
I just stole a bunch of those 2FA physical keys from my job and now I can make infinite accounts easily.
If you can afford a phone plan, you can afford a yubikey. You should be using them anyway.
how do they work?
>key stores secret
>plug in key
>sys time + number sent to key
>computes hash on the key
>sends HOTP back
it's a smart card but with a USB port, some of them require you to touch it or enter a pin/biometric as well depending on the standard
>totp device
>has battery
>keeps time
>computes TOTP "burned" in with NFC
same shit but it's air-gapped and has a screen, cheap AF for work ones and can last for like 8 years on the included RTC battery. again some can hold multiple or be plugged in to transfer secrets via a computer.
then there's hybrid devices like hardware wallets that can have a camera, do both HOTP/FIDO2 and TOTP with a screen, type shit out for you as a password manager, and store arbitrary shit used for crypto. an old phone storing your KeePass db can do this just as well.
>Phone 2FA
>Not just using something like Aegis
NGMI
you shouldnt post your 2fa code like that anon
switch to codeberg since they force 2fa
I completely forgot about Codeberg. What are the reasons people use Codeberg over Github or Gitlab?
~~*codeberg*~~
https://codeberg.org
works for me
What should I use instead of GitHub? I'm not self hosting
i will just ask my friend if i can use his phone. i have no idea what phone all of my 2fa accounts are using
if it wasn't for 2FA I would have been hacked and lost all my money and had my identity stolen like 6 times over by now. passwords are so easy to get leaked and cracked nowadays that they are basically useless, they are just the first line of defense.
Your post is full of indoctrinating bullshit.
im just saying its saved me many times. if its 'indoctrinating' then fine.
Maybe you should not make your password to be 123456.
going with a full-autismo 56 character password won't help you with inevitable password leaks. but to be fair, TOTP probably won't help you either. I guess when passwords leak, so do authenticator keys (unless they are handled by a third party).
my passwords are very secure, use every type of character available, random bullshit that no one could ever guess.
that is totally fucking irrelevant however because of how easy it is to crack passwords and how prevalent data leaks are now. fuck, some exploits with cookies/tokens whatever mean you don't even fucking need the password.
the fact of the matter is a password is NOT enough and hasn't been since around 2018.
if you wanna risk having basically your entire life fucked because of some nonsensical principle against 2FA, that's on you. indeed I will quite happily laugh alongside those benefiting from your ineptitude.
Every single time I open an app these days I get this vibe. Why are they like this?
Literally George Orwell's Animal Farm
ITT: Retards not knowing about Aegis
doesn't work for Steam. as soon as you try to trade anything you have to convert back to using the app and waiting 14 days. otherwise that's the only service I've even found that allows TOTP to be set up. most use SMS and don't give you token access
Steam is annoying in that it forces it to be either email, sms or their own app iirc. But I have loads of sites using my 2FA app (Aegis). To mention a few:
>Amazon
>Microsoft
>Epic Games
>Reddit
>Firefox
>Github
>Proton
>AutoDesk
>Nextcloud
>Facebook
>Paypal
>LinkedIn
>Discord
>Google
>Steam is annoying in that it forces it to be either email, sms or their own app iirc.
and it doesn't even fucking work!!!
source: got my account stolen by a russian which then replaced email/phone number and everything else and I didn't even receive an email warning or anything
holy shit this
I recently moved my account to a new phone and you can just fucking say "I lost my old one" as a button like it means jack shit.
well, that explains how that happened then, because why send a security notification to your old number just in case if you forgot it anyway, am i right?
Luckily I pirate 99,9% of my games and I only lost a couple of cs:go skins + 3€ (which support couldn't give me back because somehow it was my fault for not securing my account properly)
and i'll keep pirating, not that I was planning to ever stop, but this just gave me a reminder to never """"purchase"""" shit on steam ever again
> proven method
aaaaaaaaaahahahaha. nah, this is false.
It's proven that it offers better protection than just password for sure
> what is sim hijacking?
> what is signalling system #7?
absolutely 100% not going to make it
https://en.wikipedia.org/wiki/Signalling_System_No._7?useskin=vector#Protocol_security_vulnerabilities
2fa is a joke.
>better protection
>better
Do you understand what that means?
You're yet another joke in this thread that doesn't understand TOTP
Fucking moron
>Guys, you should now secure your accounts to prevent them from getting stolen by skids.
>THIS IS LITERALLY LE HECKIN 1984!!!! FUCKING OPRESSIUN, EAT ZE BUGS!!REEEEEEEEEEEEEEEEEEEEEEEEE!!!!
Why is LULZ full of Dunning-Kruger NEETs like that?
>why a userbase that consists of uneducated losers suffers from Dunning-Kruger the most
who knows?
2fa is a scam, you will be forced to upload your biometrics to the botnet to authenticate soon.
Bet
I wanted to create an account in Gitlab the other day and it said I had to give them my phone number or credit card number.
github hasn't bothered me about 2FA for some reason yet. I'm assuming someone fucked up somewhere but I won't complain.
You don't have to use 2FA unless you have public repos published.
That's the weird part. I do have public repos published
Learn to read, then just get what the guy above you posted and call it a day, 2FA is purely beneficial unless it uses a phone number
>Learn to read
try applying this advice to yourself first and reread the reply chain carefully
I'm gonna put the 2fa key into keepass next to my passwords
There's NOTHING you can do about it
It's not gonna be as secure but that's about it. Very handy though
I lost like 4 accounts that started using 2FA without getting my consent, I had a different phone number back then so when I tried to log in it just fucking sent the code to a non-existent phone number, pieces of shit
mooltipass anon
ya store all those secret keys on some device you can care enough about to lug around at work
For me, it's https://www.f-droid.org/packages/com.beemdevelopment.aegis/
Being tech incompetent has nothing to do with 1984. You don't even need a phone to use 2FA, not that you retards would realize this when you likely think Google Auth is the only way to do it.