• AFK BRB Chocolate@lemmy.world
    14 days ago

    Well, maybe. You said years plural, so let’s take just two years. 2 years * 365 days a year * 24 hours a day * 60 minutes an hour is 1,051,200 minutes in two years.

    Let’s say that every time you use 2FA it’s an extra 2 minutes. How many times a day do you use 2FA? That’s probably the biggest variable. For some people it’s a couple times a week, for others it’s several times a day. Let’s say 5 times a day. We also need to know how long you’ve been using 2FA. That’s going to be another big variable. Does 5 years seem reasonable? If so, 5 years * 5 times a day * 365 days a year * 2 minutes each time = 18,250 minutes wasted on 2FA.

    That’s a small fraction of the million minutes in two years, but it could change a lot depending on some of the variables.

    But on the other side, if even one time the 2FA stopped you getting your account hacked, the calculation would change a lot.

  • GissaMittJobb@lemmy.ml
    14 days ago

    The galaxy-brain move is to store the password in a password manager, and also have the same password manager store the TOTP. Finally, you set your password manager to unlock by biometric authentication.

    All of a sudden, you’re set by just showing your fingerprint to the reader.

    • thermal_shock@lemmy.world
      14 days ago

      Let’s say your account is logged into from 1000 miles away, wouldn’t you want that account or device, whether it was you or an attacker, to prove itself?

      In most cases, if you’ve logged in on a specific browser/device/account, unless you’ve cleared cookies, it doesn’t constantly ask for MFA. But in my example above, a new IP, new device, or app, it should absolutely go “whoa, wtf is this” and make you verify.

  • GreenKnight23@lemmy.world
    13 days ago

    got hired by a new company. every fucking day I have to MFA to use the VPN. then I have to MFA to sign into email. Then MFA into tickets. MFA into confluence. MFA into git.

    and then I have to do it all over again 4 hours later after lunch.

      • neatchee@lemmy.world
        14 days ago

        This is a misunderstanding. You can’t possibly know if there’s been a benefit, because you wouldn’t know unless your account was compromised. The mere presence of 2fa on an account will stop credential stuffing attacks dead in their tracks.

        It’s like saying “this lock on my door is pointless because nobody has broken into my house”.
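Credential stuffing, as mentioned in the comment above, has a recognisable shape in authentication logs: one source tries many different usernames in a short window, almost all failing. The following is an added example, not code from the commenter or from any product, that runs a simple detector over constructed log lines (the line format, the RFC 5737 documentation IP addresses and the thresholds of 5 distinct usernames within 10 minutes are all assumptions made for the example). The second function lists the successful logins that came from a flagged source, which are exactly the logins a second factor would have blocked.

```python
"""Credential-stuffing detection over authentication logs, as an added worked example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Format is an assumption for this example.
# 203.0.113.5  : stuffing pattern, six different users fail in seconds, then one succeeds.
# 198.51.100.7 : one user mistypes a password three times and then gets in (legitimate).
# 198.51.100.8 : five different users fail, but spread over two hours (outside the window).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.5 user=grace result=SUCCESS
2024-05-01T10:05:00Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:20Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:40Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:06:00Z ip=198.51.100.7 user=alice result=SUCCESS
2024-05-01T09:00:00Z ip=198.51.100.8 user=heidi result=FAIL
2024-05-01T09:30:00Z ip=198.51.100.8 user=ivan result=FAIL
2024-05-01T10:00:00Z ip=198.51.100.8 user=judy result=FAIL
2024-05-01T10:30:00Z ip=198.51.100.8 user=mallory result=FAIL
2024-05-01T11:00:00Z ip=198.51.100.8 user=oscar result=FAIL
"""


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split '<iso-timestamp> key=value ...' into (timestamp, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def detect_credential_stuffing(lines, window: timedelta = timedelta(minutes=10),
                               distinct_users: int = 5) -> dict[str, int]:
    """Return {ip: peak number of distinct usernames that failed within `window`} for flagged IPs.

    A sliding window per source IP counts how many different accounts failed recently;
    a burst of failures against many accounts is the stuffing signature, while repeated
    failures against a single account (a forgotten password) never trips the rule.
    """
    failures_by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    flagged: dict[str, int] = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        recent: deque[tuple[datetime, str]] = deque()
        in_window: dict[str, int] = defaultdict(int)      # user -> failures currently inside the window
        for ts, user in events:
            recent.append((ts, user))
            in_window[user] += 1
            while recent and ts - recent[0][0] > window:    # expire events older than the window
                old_ts, old_user = recent.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            if len(in_window) >= distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def successes_from_flagged_sources(lines, flagged: dict[str, int]) -> set[tuple[str, str]]:
    """Accounts that logged in successfully from a flagged IP: the likely compromised ones."""
    hits = set()
    for line in lines:
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in flagged:
            hits.add((ip, user))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_credential_stuffing(lines)
    print("flagged sources:", flagged)
    print("successful logins from flagged sources:", successes_from_flagged_sources(lines, flagged))
```

With a second factor enforced, the `grace` login from the flagged source would have stopped at the password stage, which is the benefit the comment says you cannot see from the inside: the attempt never becomes a compromise, so nothing visibly happens.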

        • But_my_mom_says_im_cool@lemmy.world
          14 days ago

          No, it would be more like having the key to my house, but after I use the key I can’t get in and have to wait for a text and verification email before my door opens.

          • Cypher@lemmy.world
            14 days ago

            The clunky user experience in the analogy isn’t wrong, but it is focused on the wrong thing; having locks is already an annoying user experience.

            Having to carry keys everywhere and juggle shopping when opening my door sucks. It would suck more if someone entered my house and stole my stuff so I accept the trade off.

            It’s the same with MFA. We all accept a worse user experience for significantly improved security.

          • confusedbytheBasics@lemm.ee
            13 days ago

            More like using a key that hasn’t been used in over 30 days and needing to wait on a text/email.

            Also text or email is a bad second factor and an implementation problem. TOTP is better. Passkeys way better and are so simple once you start using them.

          • neatchee@lemmy.world
            14 days ago

            Ok. Why don’t you try explaining how digital security works to the security professional some more. I’m sure you’ll convince me real soon 😜

              • neatchee@lemmy.world
                14 days ago

                Their analogy is from the perspective of an authorized user complaining about inconvenience, completely ignoring the things I was addressing (their statement that 2fa provides no benefit)

                • lightsblinken@lemmy.world
                  14 days ago

                  They said it provides no benefit to them… and I get it. For some things, maybe you don’t need “all the security”, just “enough” of it. For example, I might not need any lock on my laundry room door, I might choose a privacy lock on my toilet room door (no key required to unlock), but I will fit an additional deadlock on the front door. Each has a level of security that I deem to be appropriate. They asserted their opinion about MFA as it pertained to them, not in general.

  • Dragon Rider (drag)@lemmy.nz
    14 days ago

    There’s lots of things that have two factor authentication that don’t need it.

    Drag’s bank lets drag log in and see drag’s balance with just a password, but drag needs to authenticate to transfer any money. That’s perfect, drag loves it. Yet somehow, drag’s library card and epic games account have more restrictive MFA requirements.