Ask HN: Does anyone else think this 2FA everywhere is getting out of hand?
50 points by cloutchaser on March 18, 2022 | hide | past | favorite | 89 comments
I probably have to enter 20-30 different 6 digit codes every day logging into various accounts. It's ridiculous. I can't believe it's come to this. It's about as annoying as the cookie bar.

Why does it have to be 6 digits? Especially if it expires in like 5 minutes? And why can't we have some sort of centralised solution to all this? The authenticator apps are probably worse than SMS in terms of the interface.

I am starting to think the amount of manpower wasted on this globally is way more than the fraud it prevents in terms of economic cost.

Thanks for listening. Rant over.



The need for MFA is an admission that all the education about passwords has completely failed. Even after decades of pleading, users still reuse passwords, choose pet names, and do other dumb things. Forcing MFA is essentially telling users, “We tried to be friendly about this, and you didn’t listen.”

When accounts get hacked, the company is almost always blamed (in both the user’s and the public’s mind), even if they had nothing to do with it (the user was reusing a password from another site that got hacked). So there’s almost no choice but to require it, else they face a large reputational risk.

I find it odd you need to enter it so many times every day. Most sites allow you to “trust this browser” for some period of time. Are you clearing cookies all the time? Sounds like you might be making it worse due to some other habits.


But is it just a question of education, or also a question of usability? A nice, random sequence of alphanumerical characters that can not be connected to the user at all is, unsurprisingly, hard to remember for the user. Dumb stuff like reusing passwords and choosing pet names is a mistake from a security perspective of course, but also a mitigation of the poor usability of passwords. Don't expect the user to remember dozens and hundreds of strong passwords.

Rather, I would advocate password managers. For me personally, the simple usability of Firefox's integrated password manager (auto-suggests a strong password on account creation, auto-saves the credentials and syncs them across devices) has done more to improve my passwords than all education. I guess I am lazy, but many people are.


> hard to remember for the user

If the user has to remember any password aside from a single unique password used in only one place, they’re doing passwords horrendously wrong.

We have had at least twenty years of password managers by now (KeePass), a good ten of them with browser integrations of various degrees of effectiveness, and almost as long with some form of mobile phone support.

At this point, not using a password manager to save totally-random passwords that don’t need remembering is no different than not using a seatbelt. It’s stupidity and ignorance in action.


Laziness is one of the cardinal programmer virtues:

https://wiki.c2.com/?LazinessImpatienceHubris


Of course you're not lazy. You're just human. Our brain isn't designed to store and recall this kind of information.


It's not fair to blame users on this, because it's impossible to "teach" people to come up with and remember 100+ hard passwords and recall which service which password belongs to.

Passwords were the problem to begin with. Easy to implement, but extremely hard to remember and use correctly.

MFA is part of the solution to this problem.


MFA could have largely been unnoticed had there been large scale adoption of client side SSL/TLS certificates. This would have required a better UX on the browser side and an account creation process that made creating a CSR locally, transmitting it, receiving the cert and storing it transparent.

Then as long as both the username/password and certificate authentication were required, then password reuse wouldn't matter.


You could go one step further and just put a pin in with the cert or no pin at all and just have seamless logins everywhere. Assuming you are using a physical cert token.


Then you lose one factor which is the username/password. If someone managed to get your hardware token and was able to brute force the PIN (if there was a PIN set), then they could log into any of your accounts. By requiring both, an adversary would not be able to log in unless they had the certificate and the username/password. Using one of the two would not be sufficient.


That's how passwordless works with Yubikeys on Office 365 and Microsoft Accounts.


Point is people have to choose a password and supply an email (for the company to spam) just to comment on a news article or submit a bug report. Of course passwords are reused for all that type of website. 2FA is a PITA when you don't even care if your account is hacked. If money or reputation is concerned people take more care.

It is trivial to set a long random cookie on a machine that provides 2FA for all repeated use of a service until the user deletes tokens or changes device. No need for bad UX.


I just looked at my password manager and it has 421 entries plus a few secure notes and other things. I don't believe I have the capacity to remember that many 12 character random passwords with symbols, numbers, capitals, etc...


The symbols, numbers, and capitals are part of the problem. We should have been using passphrases all along.

https://xkcd.com/936/

I still remember the XKCD password.


> I still remember the XKCD password.

Now try remembering 436 different ones.


Exactly. And also remember which of those 436 easily-remembered passphrases go with which accounts.


Correct <url> horse battery staple


I have to disagree with the perceived security with this approach because it fails the requirement of not reusing your passwords.

In case you have this clever scheme and use it on some malicious or insecure website, your scheme could be leaked and then it's only marginally harder to break into your other accounts. Randomly generated passwords don't have this weakness.


Ideally, we shouldn't solely have to rely on unique username/password combinations to log into various accounts. As I mentioned in another comment, had websites and browser makers made it easier to use client-side TLS certificates as part of the authentication process, then both the certificate and a username/password would be needed to log into an account. Then even if someone decided to use the exact username/password combination across all their accounts, since they have a different client-side TLS cert for each account, it would not be practical to get into their accounts without access to the device that stored the private key and the associated certificates.


I think that's evidence that we just haven't done a good job when it comes to accounts and account security. Users choose simple passwords and reuse passwords because otherwise they need to remember a different complex password for every single goddamned thing they interact with, a number that has skyrocketed in the past decade or two.

I can't honestly say I know of a better way, though. Something involving identification using asymmetric keys would be a good start to replace username/password, but that doesn't really solve the problem of a lost or compromised private key in a way that's any better than what we have currently for passwords.


Hopefully one day we'll all stop using memorized passwords and switch to hardware authentication. So much of this will go away.


It's already happening.


Not until hardware tokens are less expensive. They need to be dirt cheap.


Of course the real reason for 2fa over sms, is that companies want your phone number as well as your email address.


Sure, they may have nefarious purposes. But it's also because most people have a working recovery path when they drop their phone in the river.

2FA without a recovery path that people will actually prepare for is a recipe for locked-out users, and that's going to mean your customer service gets all the sad stories and hopefully has no ability to do anything about them.


It's because just about everybody has a phone.


It's because, unlike email, phones are approximately 1:1 to humans.


As long as the standard[1] is respected (looking at you, Steam), I don't mind having the option to turn it on. I don't like it being forced on me, though.

> The authenticator apps are probably worse than SMS in terms of the interface.

I don't share your opinion. I use andOTP[2] and it does exactly what it needs. Password managers may also allow you to store them next to your passwords, but this is not something I do nor something KeePassXC recommends[3].

[1]: https://en.wikipedia.org/wiki/Time-based_one-time_password

[2]: https://f-droid.org/en/packages/org.shadowice.flocke.andotp/

[3]: https://keepassxc.org/docs/#faq-security-totp


2FA is fine.

Except for Steam AND Battle.net (Blizzard) which both have their own dedicated 2FA apps.

I use 1Password to manage all of this and the only complaint I have is about some sites that seem to break a password manager's ability to auto-populate form fields.


I find Steam to be the least-onerous (phone-based) 2FA tool I use - it pops up automatically when needed, and the codes are only 5 characters with a mix of letters and numbers, which I somehow find much easier to remember and type.

Granted, I don't know if those features involve security sacrifices, and I'm sure I'd get annoyed if I needed a separate app for every tool, but the user experience is more pleasant there for me.


Plus Twilio/Sendgrid who are still trying to make Authy the standard, despite it being closed source/closed spec. They do let you use SMS as an alternative, which I guess makes sense being Twilio, but SMS 2FA has proven to be significantly less secure.


You may want to check out 1Password. Although not free, it provides 2FA integration on both browser and phones.

On the other hand... it may not be the brightest idea to have both password manager AND 2FA in the same basket, but it may be a good compromise for less security-demanding services (i.e. those that, if breached, won't affect you in any way other than internet points; think forums, reddit and such).


With 1Password taking the typically suicidal approach of re-writing everything to fix some abstract problem that doesn’t really exist, I wouldn’t recommend anyone go there.

Non-nerds get very confused with 1Password, as you can easily have multiple versions that work slightly differently at once.

Changing password managers is a PITA.


Or Bitwarden, which is free. Login, hit paste (the code is copied and ready).

Edit: oops, I was wrong, as pointed out, it’s a premium feature ($10 yearly subscription).


I think the 2FA feature is only available if you have their subscription which is kinda cheap to be fair.

Or alternatively you can host VaultWarden and get it for “free”.


I think TOTP is a premium only feature in Bitwarden. But it is only $10/YEAR.


I always avoided that in 1Password, as you hint it seems like turning 2FA into 1FA.


Also iOS 15 has it built in to Keychain


Yes. Worst offenders:

- Companies that deliberately offer a subpar webapp experience (including, not keeping you logged in and spamming you with 2FA) to push you to download their mobile app

- every fucking company that saves your credit card info - I mean I understand why (you wouldn't want credit cards to be easily abused) but it just points to the actual market failure - Visa/Mastercard duopoly and subsequent lack of innovation (obviously the correct solution here is to have phone-app confirmation of every purchase even for stored credit cards)


>obviously the correct solution here is to have phone-app confirmation of every purchase even for stored credit cards

This is exactly what happens in Europe for online purchases, with SCA being part of PSD2.


No it doesn't.

Only a few banks have phone-app based pre-transaction 2FA.

TransferWise is my favourite, but even they only check for the first transaction, not subsequent ones (e.g. for "recurring" one-off purchases e.g. UberEats).


> have phone-app confirmation of every purchase even for stored credit cards)

That sounds painful for subscriptions or even the handful of places that don't check the card until they verify inventory.


A lot of places (e.g. UK) have superior options for subscriptions - e.g. direct debit where it's automatic, but you have a fairly long period afterwards to dispute the payment.

But still, I wouldn't be opposed to that being user configurable (with e.g. spending limits).


Relevant blog post 'Now They Have 2FA Problems':

https://www.go350.com/posts/now-they-have-2fa-problems/


Great pun on Jamie Zawinski's comment about regular expressions from the discussion about embedding Perl in Emacs:

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

The article quotes it, but doesn't mention the source. Jamie says he was repurposing an older "sed" quote. Safe testicle-free link:

http://regex.info/blog/2006-09-15/247#comment-3085

I bet I've written more and hairier PostScript code than he has, though! And as a monster raving loony, I'll defend PostScript as being “readable” any day! ;)

https://www.donhopkins.com/home/pub/NeWS/litecyber/cyber.ps


There's only one thing I want.

Let me whitelist a computer/installation to not require 2FA all the time. Blizzard's battle.net client does this and it's wonderful. I only have it installed on a non-movable tower computer at home. Not a laptop that can be stolen or that I might forget somewhere. It doesn't even matter that I value the contents of my Blizzard account less than credentials to some website, because there's a checkbox to "remember this account". I don't often have nothing but praise for a feature (or for Blizzard) but this is THE BEST. I would 100% enable that for some websites. I think Github is the other good citizen where I can usually do all my stuff and only need my yubikey once per week. And even then, touching the yubikey is 10x less work than fumbling with an OTP app on my phone.

I want security and convenience, and I think it is possible.


2FA as such? No, it should be supported everywhere that auth is important. Fido U2F and TOTP.

Doxxing/insecure (SMS/e-mail) and inaccessible (Google/Apple required)? 110%. Sick of it. More often than not, when these are required, I'm certain that "2FA" and "for your security" are just pretexts to be able to tie accounts to meat-space individuals.

If you are talking about TOTP and want some centralized solution where you're OK with ceding some control, it exists. Authy seems to be the most popular. I'm sure there are other options where you can get it synced between your smartphone and browser extensions, if that is what you prefer.


You should see what happens when you lose your phone and didn't save your recovery codes! 2FA is great until it isn't


Most folks seem to believe that laws are an important part of society. The sages maintain that the appearance of written laws indicates that society has already degraded too far.

When passwords for computers were first introduced RMS objected. His password was "password", and anyone could log in using it.

Remember that RMS is correct (when it comes to computers) and reflect.

Why did he do that?

Because he knew that passwords on computers were stupid make-believe (we call it "security theater" now), pernicious nonsense.

Computers are where you put secrets to give them to hackers. Computers don't keep secrets.


I'm pretty much with you on this. Important things I want 2FA on, but so many services are forcing it me now. I don't understand why I can't choose to not have a second factor if I don't want it.

However, it's worth noting that you can get desktop apps for TOTP, and some password managers also support it. So you don't necessarily have to go via your phone.


Have you looked into a password manager? I use 1Password for managing all my logins including 2FA on them. I open a login page, 1Password automatically puts a dropdown on the input for me to select an account, I click one, it fills it in, I click login, get 2FA page, and the code is already filled in.


It would be nice to see some OS integration with TOTP (https://en.wikipedia.org/wiki/Time-based_one-time_password). If the point of TOTP is the combination of 1) having the password and 2) having an item, then it should be reasonable to bake it into my OS so that it can be filled in for me. Safari should be able to store my various TOTP stuff and just input the code for me without my interaction. That proves that 1) I had the password to login, 2) my device had the TOTP confirmation.

I basically use two devices so if I just set up my TOTP on both of them (and they both had OS integration), I'd then get 2FA security without me having to do anything.


The closest thing I’ve found (for macOS) is using OTP Auth. It works on iOS and has a paid menubar dropdown for copy/paste in Monterey. Not affiliated, but it’s a great TOTP combo for mobile/laptop.


1. I think MFA is a great security practice, for now.

2. Almost every login I've seen allows you to check a box to specify some variation of "Don't use MFA when logging in from this machine in the future."


TOTP is the easiest way to implement two-factor authentication, but it is not very user friendly. I'm fairly certain you are referring to this.

WebAuthn is more friendly, because you can either enroll something you have (a Yubikey) or something you use (your device - via Windows Hello/iOS fingerprint reader/etc). This of course requires the service to support multiple enrollments, and WebAuthn by itself is much more complex to understand and use. Logging in is just a matter of username/password + fingerprint/Yubikey/Windows Hello.


I use Google Authenticator for everything, and with iOS & macOS I just press on the code on iOS & paste on the Mac. Done.

Things have gotten way easier with password managers and proper MFA in my opinion.


Use terminal!

• Get: https://github.com/pcarrier/gauth

• Edit: gauth.csv (1 line per account)

• Do: watch gauth (1 line per account)

• Profit!


Curious as to why you're having to type these every day. My experience is that the vast majority of sites only require a code once every 2 weeks to a month per device.

And apart from Steam, all my codes are Google Authenticator compatible, meaning there are several different options for an authenticator app that will hold all my codes. Seems as centralized as I would ever want.

I have considered going the Yubikey route, but it seems like it might be cumbersome when used across a range of devices.


I agree with OP, though - it's getting ridiculous and it's not just websites. For example, my employer requires me to enter a 2FA code every time I log into Windows.


1Password and its open-source cousin support 2FA tokens, including auto-fill.

Yes, makes no sense in terms of security (storing both on the same place) but hey, it's life.


There is a centralized solution to it. At most well-run companies, all the SAAS apps you log into will be tied to your Google Apps account, so you'll MFA to Google and to nothing else. Not only that, but Google will "remember" (cookie) your device, so you MFA to it only once in a blue moon.


> I probably have to enter 20-30 different 6 digit codes every day logging into various accounts.

Usually those websites allow you to skip the 2FA from a known computer if you keep the session cookies.

I currently use Bitwarden Premium and the TOTP authentication has been mostly hassle-free.


I think it’s good. I have a policy not to work with vendors who don’t implement two factor for their login. And I look down on vendors that implement it only via email or sms… it’s quick and easy way to ensure secure access…


As of 15, iOS has pretty good support for MFA built-in. You create your login/password as usual and then scan the QR code to setup MFA too. It's not easy yet, but it's very possible for HN readers (i.e. tech-savvy).


It’s 6 or 8 digits because it’s an OATH TOTP or HOTP; it’s quite a standard. At least they don’t reinvent the wheel: even those that seem proprietary use a standard algorithm underneath.

Example: Duo Security uses a 6-digit HOTP.


Also worth noting most companies allow password reset, which makes it very 1FA.


I use Bitwarden’s 2FA feature which makes it very simple. Since I’m already using Bitwarden’s Firefox extension for password management, it’s easy to grab the OTP when needed.


Nope

If anything, the codes should be longer - 8 digits would be far better (8-10 digits bumps up against what a person can easily keep in their mind at one time for long enough to type it)


Per RFC (for HOTP, which is just TOTP w/o the time element)...

"The HOTP value must be at least a 6-digit value. It is also desirable that the HOTP value be 'numeric only' so that it can be easily entered on restricted devices such as phones."

6 was defaulted to in the TOTP for being 'secure enough' and easy enough for most people to remember.


Exactly, it’s a pragmatic choice.

There are scenarios where that doesn’t provide sufficient assurance, but those scenarios are also not really suited for TOTP in the first place!


Why should the codes be longer? Is your concern brute force attacks on the code across a network connection on something that is attempt limited?


It's kind of interesting that physical TOTP generators like Entrust, SecurID, etc. all went with 8 digits vs the "typical" digital TOTP codes being 6 digits long.

I'm not so much concerned with brute force as that 8 is better than 6


Not necessarily _longer_, but they could include letters too.


I wish I could use Yubikeys everywhere and that I can have multiple keys instead of just one. Only Google seems to get that second part right....


I got three YubiKeys last week and have been adding them everywhere. So far I have not encountered a site that didn't allow me to register multiple keys.


Fair point, I remember wanting multiple Yubikeys and no other 2FA and that was hard to find.


I use the gauth CLI tool + Hammerspoon (Mac) to make a menubar that generates codes and puts them in my clipboard. Just 2 clicks.


Services love MFA because it makes it hard for users to share logins and therefore gets them to buy more seat licenses.


Yes. 2FA is getting out of hand and too many companies are using it instead of investing in robust network security.


2FA and network security are orthogonal concerns.

2FA protects your users from silent account compromises via phishing. Network security does nothing to stop phishing attacks on consumer users outside your company’s firewall and email filtering.

If a company’s network actually is breached and their password database dumped, the 2FA secrets are usually in a column right next to the password hashes and don’t provide any additional security.


2FA doesn’t protect against phishing because the phisher can just create a form for the 2FA code and the victim, who already trusts the phishing page because they’ve already typed in their username and password, will give it to them.

2FA protects against attacks like trying passwords from a hacked database on other accounts with the same username.


It shouldn't be... This is why HSMs exist.

See https://www.rfc-editor.org/rfc/rfc4226#section-7.5 and https://www.rfc-editor.org/rfc/rfc4226#section-9 for bidirectional authentication


The exception is U2F, which binds the key to the domain name to prevent pass through attacks.
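The origin binding that comment refers to, as an added Python example that is not from the thread: the checks a WebAuthn/U2F relying party runs on the client data and authenticator data before verifying the signature. The relying-party ID "example.com", the challenge, the sample client data and authenticator data, and the function names are all constructed for this example; signature verification itself is not shown.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

RP_ID = "example.com"                      # constructed relying-party ID
CHALLENGE = b"\x01\x02\x03\x04" * 8       # constructed server-issued challenge (32 bytes)
USER_PRESENT = 0x01                       # authenticator data flags: UP bit


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """The browser stamps the real page origin into clientDataJSON, so a page on
    any other site cannot present an assertion as coming from rp_id.  Only https
    origins equal to rp_id or a subdomain of it are accepted."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host == rp_id or host.endswith("." + rp_id)


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, rp_id: str) -> bool:
    """Checks done before the signature is verified with the stored public key.
    The signature (not shown here) covers auth_data || SHA-256(client_data_json),
    so none of these fields can be altered in transit without invalidating it."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False                              # stale or foreign challenge
    if not origin_matches_rp_id(cd.get("origin", ""), rp_id):
        return False                              # a different site asked for this assertion
    if len(auth_data) < 37:
        return False                              # rpIdHash(32) + flags(1) + counter(4)
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                              # credential was scoped to another RP
    if not auth_data[32] & USER_PRESENT:
        return False                              # no user-presence test
    return True


def make_client_data(origin: str, challenge: bytes = CHALLENGE) -> bytes:
    """Constructed sample of the clientDataJSON a browser would produce."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


# Constructed authenticator data: rpIdHash || flags || 32-bit signature counter.
AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()
             + bytes([USER_PRESENT]) + (7).to_bytes(4, "big"))
```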


In the case of online banks/payments, for some reason you need a 2FA PIN to log in (fair enough), then one for EACH payment you have to make. It escapes me why you cannot input payments and, when done, authorize all of them together with a single 2FA PIN; it seems to me very much like how a "normal" online shopping cart works: you add items to it and when you have finished you pay the total.


I think they do that because a common fraud for small business and others (school districts, towns) is to compromise the bookkeeper’s computer and clean out accounts.

They may have an issue where session timeouts are too long and cannot be fixed, or outsource the payment function to another provider though a mechanism that they probably shouldn’t use.

I last saw that happen with a big commercial bank (HSBC maybe) a decade ago. The credit unions I use now don’t have that issue.


I am not sure I understand your comment about the bookkeeper fraud.

If you have a way to receive/generate (SMS or App or Token) the PIN, you can clean out the account just fine, so how does this change anything?

From what I understand the 2FA PIN's purpose is that the bank wants to make sure that I am actually the person that can authorize the payment, and asks for this confirmation immediately before processing the payment(s).

I could understand if there were some limits (I think there are, but they are way higher than any payment I ever made), but I cannot see why I need 3 PINs to make 3 payments of 100 Euro each (let's say water, gas, electricity) when the same PIN is good for a single - say - 10,000 Euro payment.


SMS is not 2FA. It's a way to get your cell phone sim-jacked and should be avoided at all costs.


If you are in the Apple ecosystem you have auto-complete of 2FA everywhere.


> Why does it have to be 6 digits?

See https://www.rfc-editor.org/rfc/rfc4226#section-4 and https://www.rfc-editor.org/rfc/rfc4226#appendix-E.1

> Especially if it expires in like 5 minutes?

Usually it's 60 seconds. See https://www.rfc-editor.org/rfc/rfc6238#section-5.2

> And why can't we have some sort of centralised solution to all this?

So, Single Sign On (SSO)? Who do you trust to run the SSO services? Google, Microsoft, Facebook? Bring your own SSO (this used to be a thing that some sites supported, but it was too complex for the average user and too much support burden for the average site).

> The authenticator apps are probably worse than SMS in terms of the interface.

Worse how? These apps solve a different threat model (documented in the 2 RFCs mentioned above). Particularly note:

* HOTP Intro: https://www.rfc-editor.org/rfc/rfc4226#section-2

* TOTP Intro: https://www.rfc-editor.org/rfc/rfc6238#section-1

> I am starting to think the amount of manpower wasted on this globally is way more than the fraud it prevents in terms of economic cost.

How would you quantify that waste vs the threat mitigated?

---

The general answer to why 2FA at all is that password hygiene is generally pretty terrible. Pretty much every "normal" (non developer / security professional) when you talk about passwords will say some form of "I use a different password for my bank, from the services I don't care about" [unspoken... which all share the same password]. My guess is that most people don't even do that. 2FA prevents the problem of I know Joe's password for ServiceA, so I can also get into Joe's account on Service{B..ZZZ}

---

The landscape of 2FA auth for each service that you rely on pretty much looks like:

* Use your own password storage

  * without 2FA

  * with 2FA (TOTP/SMS/email)

* Use Google/Facebook/Twitter/...

  * accept whatever the user has setup for 2FA

* Use a third party service (e.g. Auth0)

* U2F / WebAuthN - newer stuff happening. I don't know a lot about these to talk much about them

---

Being security aware and practicing security hygiene is hard, but personally I'd prefer not to be the low hanging fruit when it comes to security breaches.
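The RFC 4226/6238 mechanics this comment points at (and that the earlier comment quoting the "at least a 6-digit value" requirement refers to), as an added Python example that is not from the thread or from the RFCs' reference code: HMAC over the counter, dynamic truncation, reduction modulo 10^digits, and a server-side verifier that tolerates a small clock-skew window. It uses the test secret published in the RFCs' appendices; the window size, the constant-time comparison and the function names are this example's own choices.

```python
import hashlib
import hmac
import struct
import time

# Test secret published in RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII bytes).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 section 5.3: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = ((mac[offset] & 0x7F) << 24           # mask the sign bit -> 31-bit value
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by floor((time - T0) / step)."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check (T0 = 0 assumed).  Accepts the current step plus
    `window` steps either side to absorb clock skew (RFC 6238 section 6) and
    compares in constant time.  A deployment also throttles failed attempts
    (RFC 4226 section 7.3) and refuses to accept a code twice within its step;
    neither is shown here."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    current = unix_time // step
    ok = False
    for c in range(current - window, current + window + 1):
        # Evaluate every step so timing does not reveal which one matched.
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current 6-digit TOTP:", code, "valid:", verify_totp(RFC_TEST_SECRET, code, now))
```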


Yes.



