HACKER Q&A
📣 cloutchaser

Does anyone else think this 2FA everywhere is getting out of hand?


I probably have to enter 20-30 different 6-digit codes every day logging into various accounts. It's ridiculous. I can't believe it's come to this. It's about as annoying as the cookie bar.

Why does it have to be 6 digits? Especially if it expires in like 5 minutes? And why can't we have some sort of centralised solution to all this? The authenticator apps are probably worse than SMS in terms of the interface.

I am starting to think the amount of manpower wasted on this globally is way more than the fraud prevented in terms of economic cost.

Thanks for listening. Rant over.


👤 orev Accepted Answer ✓
The need for MFA is an admission that all the education about passwords has completely failed. Even after decades of pleading, users still reuse passwords, choose pet names, and do other dumb things. Forcing MFA is essentially telling users, “We tried to be friendly about this, and you didn’t listen.”

When accounts get hacked, the company is almost always blamed (in both the user’s and the public’s mind), even if they had nothing to do with it (the user was reusing a password from another site that got hacked). So there’s almost no choice but to require it, else they face a large reputational risk.

I find it odd you need to enter it so many times every day. Most sites allow you to “trust this browser” for some period of time. Are you clearing cookies all the time? Sounds like you might be making it worse due to some other habits.


👤 Pooge
As long as the standard[1] is respected (looking at you, Steam), I don't mind having the option to turn it on. I don't like it being forced on me, though.

> The authenticator apps are probably worse than SMS in terms of the interface.

I don't share your opinion. I use andOTP[2] and it does exactly what it needs. Password managers may also allow you to store them next to your passwords, but this is not something I do nor something KeePassXC recommends[3].

[1]: https://en.wikipedia.org/wiki/Time-based_one-time_password

[2]: https://f-droid.org/en/packages/org.shadowice.flocke.andotp/

[3]: https://keepassxc.org/docs/#faq-security-totp


👤 iKnowKungFoo
2FA is fine.

Except for Steam AND Battle.net (Blizzard) which both have their own dedicated 2FA apps.

I use 1Password to manage all of this and the only complaint I have is about some sites that seem to break a password manager's ability to auto-populate form fields.


👤 i0nutzb
You may want to check out 1Password. Although not free, it provides 2FA integration on both browser and phones.

On the other hand... it may not be the brightest idea to have both password manager AND 2FA in the same basket, but it may be a good compromise for less security-demanding services (i.e. those that, if breached, won't affect you in any way other than internet points; think forums, reddit and such).


👤 tomp
Yes. Worst offenders:

- Companies that deliberately offer a subpar webapp experience (including, not keeping you logged in and spamming you with 2FA) to push you to download their mobile app

- every fucking company that saves your credit card info - I mean I understand why (you wouldn't want credit cards to be easily abused) but it just points to the actual market failure - Visa/Mastercard duopoly and subsequent lack of innovation (obviously the correct solution here is to have phone-app confirmation of every purchase even for stored credit cards)


👤 _wldu
Relevant blog post 'Now They Have 2FA Problems':

https://www.go350.com/posts/now-they-have-2fa-problems/


👤 wink
There's only one thing I want.

Let me whitelist a computer/installation to not require 2FA all the time. Blizzard's battle.net client does this and it's wonderful. I only have it installed on a non-movable tower computer at home. Not a laptop that can be stolen or that I might forget somewhere. It doesn't even matter that I value the contents of my Blizzard account less than credentials to some website, because there's a checkbox to "remember this account". I don't often have nothing but praise for a feature (or for Blizzard) but this is THE BEST. I would 100% enable that for some websites. I think Github is the other good citizen where I can usually do all my stuff and only need my yubikey once per week. And even then, touching the yubikey is 10x less work than fumbling with an OTP app on my phone.

I want security and convenience, and I think it is possible.


👤 3np
2FA as such? No, it should be supported everywhere that auth is important. FIDO U2F and TOTP.

Doxxing/insecure (SMS/e-mail) and inaccessible (Google/Apple required)? 110%. Sick of it. More often than not, when these are required, I'm certain that "2FA" and "for your security" are just pretexts to be able to tie accounts to meat-space individuals.

If you are talking about TOTP and want some centralized solution where you're OK with ceding some control, it exists. Authy seems to be the most popular. I'm sure there are other options where you can get it synced between your smartphone and browser extensions, if that is what you prefer.


👤 pluc
You should see what happens when you lose your phone and didn't save your recovery codes! 2FA is great until it isn't.

👤 carapace
Most folks seem to believe that laws are an important part of society. The sages maintain that the appearance of written laws indicates that society has already degraded too far.

When passwords for computers were first introduced RMS objected. His password was "password", and anyone could log in using it.

Remember that RMS is correct (when it comes to computers) and reflect.

Why did he do that?

Because he knew that passwords on computers were stupid make-believe (we call it "security theater" now), pernicious nonsense.

Computers are where you put secrets to give them to hackers. Computers don't keep secrets.


👤 nicoburns
I'm pretty much with you on this. Important things I want 2FA on, but so many services are forcing it on me now. I don't understand why I can't choose to not have a second factor if I don't want it.

However, it's worth noting that you can get desktop apps for TOTP, and some password managers also support it. So you don't necessarily have to go via your phone.


👤 joshmanders
Have you looked into a password manager? I use 1Password for managing all my logins including 2FA on them. I open a login page, 1Password automatically puts a dropdown on the input for me to select an account, I click one, it fills it in, I click login, get 2FA page, and the code is already filled in.

👤 mdasen
It would be nice to see some OS integration with TOTP (https://en.wikipedia.org/wiki/Time-based_one-time_password). If the point of TOTP is the combination of 1) having the password and 2) having an item, then it should be reasonable to bake it into my OS so that it can be filled in for me. Safari should be able to store my various TOTP stuff and just input the code for me without my interaction. That proves that 1) I had the password to login, 2) my device had the TOTP confirmation.

I basically use two devices so if I just set up my TOTP on both of them (and they both had OS integration), I'd then get 2FA security without me having to do anything.


👤 runjake
1. I think MFA is a great security practice, for now.

2. Almost every login I've seen allows you to check a box to specify some variation of "Don't use MFA when logging in from this machine in the future."


👤 sebazzz
TOTP is the easiest way to implement two-factor authentication, but is not very user friendly. I'm fairly certain you refer to this.

WebAuthn is more friendly, because you can either enroll something you have (a Yubikey) or something you use (your device - via Windows Hello/iOS fingerprint reader/etc). This of course requires the service to support multiple enrollments, and WebAuthn by itself is much more complex to understand and use. Logging in is just a matter of username/password + fingerprint/Yubikey/Windows Hello.


👤 domano
I use the Google Authenticator for everything and with iOS & macOS I just press on the code on iOS & paste on the Mac. Done.

Things have gotten way easier with password managers and proper MFA in my opinion.


👤 cetinsert
Use terminal!

• Get: https://github.com/pcarrier/gauth

• Edit: gauth.csv (1 line per account)

• Do: watch gauth (1 line per account)

• Profit!


👤 dewert
Curious as to why you're having to type these every day. My experience is that the vast majority of sites only require a code once every 2 weeks to a month per device.

And apart from Steam, all my codes are Google Authenticator compatible, meaning there are several different options for an authenticator app that will hold all my codes. Seems as centralized as I would ever want.

I have considered going the Yubikey route, but it seems like it might be cumbersome when used across a range of devices.


👤 pedro2
1Password and its open-source cousin support 2FA tokens, including auto-fill.

Yes, makes no sense in terms of security (storing both on the same place) but hey, it's life.


👤 tptacek
There is a centralized solution to it. At most well-run companies, all the SAAS apps you log into will be tied to your Google Apps account, so you'll MFA to Google and to nothing else. Not only that, but Google will "remember" (cookie) your device, so you MFA to it only once in a blue moon.

👤 m-p-3
> I probably have to enter 20-30 different 6 digit codes every day logging into various accounts.

Usually those websites allow you to skip the 2FA from a known computer if you keep the session cookies.

I currently use Bitwarden Premium and the TOTP authentication has been mostly hassle-free.


👤 taf2
I think it’s good. I have a policy not to work with vendors who don’t implement two factor for their login. And I look down on vendors that implement it only via email or SMS… it’s a quick and easy way to ensure secure access…

👤 mperham
As of 15, iOS has pretty good support for MFA built-in. You create your login/password as usual and then scan the QR code to set up MFA too. It's not easy yet, but it's very possible for HN readers (i.e. tech-savvy).

👤 alanfranz
It’s 6 or 8 digits because it’s an OATH TOTP or HOTP, it’s quite a standard. At least they don’t reinvent the wheel, even those that seem proprietary use a standard algo underneath.

Example: Duo Security uses a 6-digit HOTP.


👤 hartator
Also worth noting most companies allow password reset, which makes it very 1FA.

👤 willmorrison
I use Bitwarden’s 2FA feature which makes it very simple. Since I’m already using Bitwarden’s Firefox extension for password management, it’s easy to grab the OTP when needed.

👤 warrenm
Nope

If anything, the codes should be longer - 8 digits would be far better (8-10 digits bumps up against what a person can easily keep in their mind at one time for long enough to type it)


👤 cinntaile
I wish I could use Yubikeys everywhere and that I can have multiple keys instead of just one. Only Google seems to get that second part right....

👤 turtlebits
I use the gauth CLI tool + Hammerspoon (Mac) to make a menubar that generates codes and puts them in my clipboard. Just 2 clicks.

👤 xnx
Services love MFA because it makes it hard for users to share logins and therefore gets them to buy more seat licenses.

👤 Overtonwindow
Yes. 2FA is getting out of hand and too many companies are using it instead of investing in robust network security.

👤 jaclaz
In the case of online banks/payments, for some reason you need a 2FA PIN to log in (fair enough), then one for EACH payment you have to make. It escapes me why you cannot input payments and, when done, authorize all of them together with a single 2FA PIN. It seems to me very much like how a "normal" online shopping cart works: you add items to it and when you have finished you pay the total.

👤 exabrial
SMS is not 2FA. It's a way to get your cell phone sim-jacked and should be avoided at all costs.

👤 j_leboulanger
If you are in the Apple ecosystem you have auto-complete of 2FA everywhere.

👤 joshka
> Why does it have to be 6 digits?

See https://www.rfc-editor.org/rfc/rfc4226#section-4 and https://www.rfc-editor.org/rfc/rfc4226#appendix-E.1

> Especially if it expires in like 5 minutes?

Usually it's 60 seconds. See https://www.rfc-editor.org/rfc/rfc6238#section-5.2

> And why can't we have some sort of centralised solution to all this?

So, Single Sign On (SSO)? Who do you trust to run the SSO services? Google, Microsoft, Facebook? Bring your own SSO (this used to be a thing that some sites supported, but it was too complex for the average user and too much support burden for the average site).

> The authenticator apps are probably worse than SMS in terms of the interface.

Worse how? These apps solve a different threat model (documented in the 2 RFCs mentioned above). Particularly note:

* HOTP Intro: https://www.rfc-editor.org/rfc/rfc4226#section-2

* TOTP Intro: https://www.rfc-editor.org/rfc/rfc6238#section-1

> I am starting to think the amount of manpower wasted on this globally is way more than the fraud preventing in terms of economic cost.

How would you quantify that waste vs the threat mitigated?

---

The general answer to why 2FA at all is that password hygiene is generally pretty terrible. Pretty much every "normal" (non developer / security professional) when you talk about passwords will say some form of "I use a different password for my bank, from the services I don't care about" [unspoken... which all share the same password]. My guess is that most people don't even do that. 2FA prevents the problem of I know Joe's password for ServiceA, so I can also get into Joe's account on Service{B..ZZZ}

---

The landscape of 2FA auth for each service that you rely on pretty much looks like:

* Use your own password storage
  * without 2FA
  * with 2FA (TOTP/SMS/email)
* Use Google/Facebook/Twitter/...
  * accept whatever the user has setup for 2FA
* Use a third party service (e.g. Auth0)
* U2F / WebAuthN - newer stuff happening. I don't know a lot about these to talk much about them

---

Being security aware and practicing security hygiene is hard, but personally I'd prefer not to be the low hanging fruit when it comes to security breaches.
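To make concrete what alanfranz and joshka describe (the 6 or 8 digits come from the final modulus in RFC 4226's dynamic truncation, and TOTP is just HOTP with a time-derived counter per RFC 6238), here is an added example, not code from the thread, implementing both plus the server-side skew window a verifier needs. The function names are my own; the secret is the published RFC 4226/6238 test secret, and the time step defaults to the RFC 6238 recommended 30 seconds.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Published test secret from RFC 4226 appendix D / RFC 6238 appendix B (not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation (RFC 4226 section 5.3): the low 4 bits of the last byte choose an
    # offset; read 4 bytes there and clear the top bit so the result is a positive 31-bit int.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # The final modulus is what fixes the code length: 10**6 gives 6 digits, 10**8 gives 8.
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps on either side
    (clock-skew tolerance, RFC 6238 section 6) and compare each candidate in constant time."""
    now = int(time.time()) if unix_time is None else unix_time
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    # Published vectors: HOTP counters 0, 1, 2 give 755224, 287082, 359152;
    # TOTP at T=59 with 8 digits gives 94287082 (its 6-digit form, 287082, equals counter 1).
    for counter in range(3):
        print(f"HOTP({counter}) = {hotp(RFC_TEST_SECRET, counter)}")
    print(f"TOTP(T=59, 8 digits) = {totp(RFC_TEST_SECRET, 59, digits=8)}")
    print(f"verify at T=89 (one step late): {verify_totp(RFC_TEST_SECRET, '94287082', 89, digits=8)}")
```

A larger `window` widens the brute-force and replay surface; pairing the check with rate limiting on failed codes and remembering the last accepted step per account (so a code cannot be reused) is the usual server-side complement.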


👤 ttyp3
Yes.