I personally am fine with this.

      • Bitrot@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.

        The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.

          • Bitrot@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            Apple actually describes the process for sync in some detail: https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web

            Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1

            The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.

            It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.

  • Doink@lemmy.world
    link
    fedilink
    arrow-up
    40
    arrow-down
    1
    ·
    1 year ago

    While you are adding this anyway consider using an open source app instead of google auth like aegis. There are many others but I wish I knew about them sooner.

    • dyc3@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      I personally love keeweb. Passwords and 2fa all in one place.

      I mean you could argue that defeats the purpose of having 2fa, but it’s convenient

      • technojamin@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        It weakens it a bit, but in my opinion it still has strength where it counts. If an attacker gets access to your password outside your password manager (man-in-the-middle, keylogger, phishing), then you’re still protected. Maybe it’s hubris in my own ability to keep my password manager safe, but I’ve never been worried about storing MFA in my password manager.

      • Anon819450514@lemmy.ca
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Bitwarden crew checking in. The best thing about bitwarden is the 10$/year to have a pro account. It gives you, amongst other things the ability to store up to 1tb of attachments and reports on various risk assessments.

        You can even host your own instance.

        I recommend it.

    • vinniep@lemmy.world
      link
      fedilink
      arrow-up
      53
      arrow-down
      2
      ·
      1 year ago

      Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”

    • Sibbo@sopuli.xyz
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      Yep. If people care about supply chain attacks or so, just add features that allow only commits from accounts with 2FA to certain repositories.

    • progandy@feddit.de
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …

    • 30p87@feddit.de
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
      So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2 years weeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.

    • vanontom@geddit.social
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Bitwarden has 2FA (for paid tier, like $10/year). I don’t consider it “real” 2FA, but it’s more secure than just a password, and super quick to copy code using browser addon. Useful for certain sites, that don’t stay logged in, require every time, etc.

      • SkaveRat@discuss.tchncs.de
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        how would they track you?

        The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts

        • Otome-chan@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          7
          ·
          1 year ago

          phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.

          • SkaveRat@discuss.tchncs.de
            link
            fedilink
            arrow-up
            7
            arrow-down
            3
            ·
            1 year ago

            me giving, let’s say, twitch my phone number gives them exactly 0 ways of tracking me in any way whatsoever

            Source: worked for a mobile company

          • _number8_@lemmy.world
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation

  • Gamey@feddit.rocks
    link
    fedilink
    arrow-up
    27
    arrow-down
    5
    ·
    1 year ago

    Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!

    • NekuSoul@lemmy.nekusoul.de
      link
      fedilink
      arrow-up
      12
      arrow-down
      3
      ·
      1 year ago

      Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.

      • daYMAN007@feddit.de
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Well negativity is there because every app wants it.

        I don’t care if account x is compronised, as it has absolutly no value

    • faerbit@feddit.de
      link
      fedilink
      arrow-up
      19
      ·
      1 year ago

      Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.

      • CoderKat@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yeah. GitHub makes sense because most users are writing code that can be executed by others. That makes GitHub accounts security critical.

        But a Lemmy account? Naw, you lose almost nothing if that gets compromised. A little bit of history and subscriptions, mostly.

        I’m in a discord that for some reason “requires” 2FA. Based on searching, I think they give everyone some kinda admin role or something? It doesn’t actually require 2FA, but it shows a very annoying warning that covers up a bunch of the channel selection screen. But despite that, I don’t really wanna deal with the hassle of 2FA on a chat app that’s basically consequence free for me if it gets exploited.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      arrow-down
      4
      ·
      1 year ago

      Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.

      • residentmarchant@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        1password does this, too and it’s magical. I’ve had my SMS go to my browser via Google Messages for a while, but it’s so much easier to just auto-fill it instead of copy/paste

        • setVeryLoud(true);@lemmy.ca
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Also, 1password logs you out when you stare at it wrong, so I’m not worried about someone who would somehow get local access abusing it.

        • subtext@lemmy.world
          link
          fedilink
          arrow-up
          14
          arrow-down
          1
          ·
          1 year ago

          Is it less secure than it could be? Yes.

          Is it better than no 2FA? Also yes.

          In the end if it doesn’t work for your security model, than more power to you. But if it helps to increase the security of the average Joe, it’s good advice.

    • Otter@lemmy.ca
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it

      • Otome-chan@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I like the app setup rather than shoving everything into a browser. But I’m not a fan of this 2fa stuff. I get the point is security, but let me decide which app/method to use, and whether I want to use it at all. Otherwise it’s just annoying.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          I’m absolutely a fan of choosing which method to use, and also a fan of requiring choosing one. I prefer Google Authenticator-style 2FA (I use Aegis, but there are plenty of options), and I get annoyed when I need something else (e.g. Fidelity only offers Symantec, Steam only offers Steam Guard, etc).

    • Rootiest@lemm.ee
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      1 year ago

      Get a hardware 2FA key instead of using your phone for TOTP

    • cmnybo@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      You can use KeePassXC to generate the TOTP codes on your PC. With the browser plugin, you can generate the code and fill the textbox with one click when the password database is unlocked.

      Sites that don’t use standard TOTP for 2FA are a pain in the ass though.

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        This! Authy is very very nice. Syncing accounts is a life saver, both as backup, and not having to pick up the phone all the time.
        Cut and pasting with a click instead of reading and typing, is so much faster.
        Easily search the very long list of entries.
        Not open source tho, but free as in beer.
        If Aegis had the sync option, i would have used that. But it did not last time i checked.

  • Otome-chan@kbin.social
    link
    fedilink
    arrow-up
    19
    arrow-down
    19
    ·
    1 year ago

    No offense to companies but I’m honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a “bad phone number”. This happened on discord where I’m locked out of certain servers because I can’t do phone verification, and I can’t do it because discord doesn’t like my phone number. Twitter was the same way for a long while (couldn’t do 2fa/phone verification due to them not liking my number).

    From the article it sounds like they’re doing authenticator app or sms. I’m guessing sms won’t work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft… no google?

    Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we’re gonna have to have 30 different authenticator apps on our phone?

    • SkaveRat@discuss.tchncs.de
      link
      fedilink
      arrow-up
      29
      arrow-down
      1
      ·
      1 year ago

      Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?

      you… don’t?

      Both of these implement exactly the same protocol (TOTP). Used authy for all my Top Of The Pops Time-based one-time password needs exclusively, before moving everything to bitwarden

      • subtext@lemmy.world
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        1 year ago

        Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.

        • SkaveRat@discuss.tchncs.de
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          1 year ago

          which ones are that? I’d love to check, because afaik, they have a feature that enables push-2fa via authy, but should generally work on other apps as well

            • SkaveRat@discuss.tchncs.de
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              1 year ago

              Are you sure that you can’t use a different TOTP generator? There’s a difference between telling you to use Authy and still being able to use a different app

              • LittleLily@shinobu.cloud
                link
                fedilink
                English
                arrow-up
                6
                ·
                edit-2
                1 year ago

                Yes I’m sure, hence why I specifically mentioned that. Try the sign up procedure yourself. It REQUIRES 2fa and it has to be Authy’s non-standard token or SMS. No option for regular TOTP.

                • SkaveRat@discuss.tchncs.de
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  thx. just making sure. I already saw a lot of people annoyed about a specific app, just because that was the one being advertised, but in the end it was TOTP

        • subtext@lemmy.world
          link
          fedilink
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          Well the good news for you is that a website specifying one or the other is nothing more than marketing from that app maker! So long as there is a QR code (or a long random-ish string), you can use any authenticator app that supports that website’s 2FA algorithms!

          That last bit is important because I think Lemmy had a non-standard 2FA algorithm (SHA-256?) that wouldn’t work with Google Authenticator.

          • Rootiest@lemm.ee
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            1
            ·
            edit-2
            1 year ago

            Lemmy works with Google Authenticator, but not with Authy.

            Annoyingly Authy fails silently and ignores the part of the code that specifies SHA-256 and just generates a SHA-1 code that won’t work with no warning or indication to the user.

      • tool@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.

        Eh, it’s a little more nuanced than that, there’re more standards for MFA code generation than just TOTP.

        And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard’s Battle.net MFA is a good example of that.

        If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn’t automatically assume that it’s going to work.

    • library_napper@monyet.cc
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      Anyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security

      • Otome-chan@kbin.social
        link
        fedilink
        arrow-up
        4
        arrow-down
        2
        ·
        1 year ago

        there’s quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.

        • Dandroid@dandroid.app
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          How do you even use the internet? I mean, you could never book a flight, use any food rewards program, book a ride share, etc. Almost everything uses my phone number for 2FA.

            • totallynotarobot@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              1 year ago

              You can have a bank account, but you wouldn’t be able to do online or mobile banking.

              Sms is the only 2fa option (some offer email as well, but last I checked all fall back on sms), and it’s mandatory for online/mobile.

    • vinniep@lemmy.world
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      1 year ago

      Google Auth works just fine. The standard for app generated 2FA is, well, standard. They’re only listing a non-complete list of options for people that don’t know what an authenticator app is and need to get one for the first time.

        • vinniep@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          That is the specific app the person I replied to was asking about, so yea. Would have been a little weird if I was talking about some other app.

        • vinniep@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Mostly. The 6 digit standard ones that you see almost everywhere are standard TOTP codes and most apps work for them. There are some proprietary things out there too but you typically see those with a matching app from the same company. Those are far less common though so for practical reasons you can assume they are all interchangeable.

          Those values are computed separately what the app is really storing is just the input values which are then combines with the current time to create the 6 digit code. That means that keeping that input value (seed) safe is a big deal, and how and where that is done is one of the major differentiators between the various options.

      • Trexman@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        1
        ·
        1 year ago

        You might want to migrate away from LastPass. And change every account password. They were hacked horribly and the only thing standing between your encrypted passwords and hackers is time.