Discussion in 'Announcements' started by ancestor(v), Nov 28, 2016.

  1. flowerhell

    flowerhell MDL Novice

    Apr 9, 2013
    With 47,000 results for "2fa exploited" can't say I'm thrilled. No doubt depends on the implementation. Certainly hope the solution is open source. Hate tying an account to a phone number, makes it super easy for fed to take over an account. Are we trading privacy for security?
  2. ancestor(v)

    ancestor(v) Admin
    Staff Member

    Jun 26, 2007
    "win lottery" delivers about 115.000.000 results. "travelling to moon" results in 65.800.000 hits.

    Don't get me wrong, but what do many search engine hits actually mean? I consider 2FA a very safe way of authentication, if implemented properly. If one can bypass the 2FA authentication on a site, it doesn't necessarily mean the concept of 2FA is bad. You'd have to look at the implementation as well. If I can bypass a door, it doesn't necessarily mean I picked the lock and that the lock is bad. Maybe there was just a second door?

    There are some ways you can use "our" 2FA method. Why not give it a try? Authenticator Plus app works fine. Or any other app of your liking.
  3. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    #43 Yen, Dec 11, 2018
    Last edited: Dec 11, 2018
    This post is a perfect example of how people get misled by firstly confusing an exploit with a successful attack and secondly by equating the number of hits with severity. :rolleyes:
    It's not personal, but your conclusions are totally wrong.
    It's not easy for people to choose a way / measure of security which is useful since you can read negative comments about any.

    Adding a second factor is all about maths and lowering the probability of a successful attack where an account is taken over and damage is done.

    You need 2 attack vectors in the same time frame with the same target!
    Even if they'd come from 2 different compromised systems they must have the same target account at the same time.

    By 2FA you do not tie a phone number to an account. You are tying a second factor for authentication to your account and this second factor can be your phone number. That's a big difference.
    And why should it make it super easy for fed to take over the account?
    They could either way by judicial decision.

    We do, but not at all by 2FA. Quite the opposite!

    The accounts which need to be secured most are associated with a personal identity either way.
    By adding a second factor you do not trade privacy any further.

    2FA is a security measure that is OS independent and combines 2 ways of authentication of the same account.
    There could be nothing better and easier to gain a huge amount of security by a simple process.

    Think about it. Not only here at MDL, but at your accounts where a takeover would really hurt you. :)
  4. zen45

    zen45 MDL Addicted

    Feb 25, 2010
    Security is nothing more than a warm fuzzy feeling that makes you feel better, you can make things a little harder to get at and that is the best you can do, nothing in this digital world is impossible to get at!
  5. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    #45 Yen, Dec 12, 2018
    Last edited: Dec 12, 2018
    I bet in the real world there is much more stolen than in the virtual world via attack on an account.

    Security is all about minimizing the probability of a successful attack on what's considered personal property.
    If the energy for an attack is big and focused enough, nobody can 'secure' that property.

    This applies to the real world as well.
    Anyway, each applied and reasonable security measure minimizes that probability.
    It's not just a warm feeling, it's probability.
    Hence we have fences and locks. And we have several authentication procedures...passport for 'real' identity and this passport then legitimates the relation to a virtual identity and account....

    Besides that.....
    If you should become a victim of an attack, for instance a hacked credit card account, and you have to report it to the police, they want to know exactly which security measures you have applied.

    Such accounts are usually insured..but if they can prove negligence on your side you can be the fool....

    It's actually the (illusionary) idea that one can keep property forever that makes the temporary fuzzy warm feeling. :):D
  6. Humpty Numpty

    Humpty Numpty MDL Novice

    Dec 27, 2020
    Microsoft Authenticator works as well. The version I have is 6.2003.2038