On Fri, Mar 26, 2021 at 01:47:08PM -0700, Kevin Fenzi wrote:
On Fri, Mar 26, 2021 at 09:34:49PM +0100, Tomasz Torcz wrote:
> On Fri, Mar 26, 2021 at 03:26:53PM -0500, Brandon Nielsen wrote:
> > On 3/26/21 3:24 PM, Matthew Miller wrote:
> > > On Fri, Mar 26, 2021 at 02:48:39PM -0400, Christopher wrote:
> > [Snip]
> > > > * In many places, including accounts.fedoraproject.org, in order to
> > > > log in, you have to append the OTP to your password, so it doesn't
> > > > really play nice with password managers.
> > >
> > > This is pretty common in my experience; it seems like password managers
> > > should support this pattern.
> > >
> >
> > I can't say I have ever appended an OTP to a regular password, and I use 2FA
> > everywhere I can.
>
> I second that. I've only seen OTP appending on FreeIPA's
> implementation of 2FA. Everywhere else it's first a normal password
> prompt, then second for 2FA code (or push notification to phone, which
> is way easier for user).
Notification via sms is... not too secure. ;(
https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sak...
I didn't write SMS. SMS is terrible, it's the worst 2F channel nowadays.
I meant push notification, when the message is sent through a secure channel
to your smart phone and you get a popup asking for authorization.
At least:
- Google does that:
https://s3.amazonaws.com/neowin/news/images/uploaded/2017/07/1500141361_g...
- Microsoft Suite (Teams, Outlook) on my corporate accounts:
https://techcommunity.microsoft.com/t5/image/serverpage/image-id/46536iDD...
- My banking app (for login and transfer authorizations)
https://android.com.pl/apps/wp-content/uploads/2020/03/alior.jpg.webp
This seems to be the easiest and most secure 2FA, but requires cooperation
with the Android framework. Next in line are FIDO/Yubikeys, and OTP codes.
--
Tomasz Torcz Only gods can safely risk perfection,
tomek(a)pipebreaker.pl it's a dangerous thing for a man. — Alia