Do you use 2fa?

Most providers seem to support time-based two-factor authentication (2fa) these days. i.e., Google Authenticator, Authy, LastPass, and so on. A few support other forms such as through a YubiKey or an SMS-based verfification code. However, I assume the majority of customer accounts are only being protected by passwords. I'm curious to hear about customer and provider experiences with the tech.

Feel free to complete the poll and then provide additional detail in follow ups. I'm interested to see some follow up discussion on topics such as:

  • Why you actively choose not to use 2fa, if that is your choice?
  • What rough percentage of your providers support it?
  • If you're a provider, what rough percentage of your customers enable it?
  • What problems have you run into with it, as either a customer or provider?
  • What 2fa method/app do you like and why?
2FA usage
  1. Do you use or support 2fa?75 votes
    1. Yes
      86.67%
    2. No
      13.33%
«1

Comments

  • I do, but not for EVERYTHING.

    Just the ones I think are important and paranoid about :smiley:

    Enpass for personal and Okta (I know right) for work-related stuff.

    Thanked by (2)jtk skorous
  • havochavoc OGContent Writer

    I've got yubikeys but not sure I'd want that on VPS stuff frankly just because implementation has to be quite good to avoid lockout.

    Thanked by (2)jtk lemoncube
  • Well, if they support it, yes.
    If they force me to retarded things like SMS, because its more secure, kek.

    Thanked by (2)jtk AlwaysSkint
  • AmadexAmadex Hosting Provider

    Yes

    Thanked by (1)jtk

    AmadexHosting ForumsWie ist meine IP-Adresse?AS215325
    Forum for System Administrators: sysadminforum.com

  • I use aegis.

    Thanked by (1)jtk
  • @jtk said: What 2fa method/app do you like and why?

    The methods are usually dictated by the service, but if offered, and as I always have a YubiKey plugged in here for SSH/SFTP access, FIDO/FIDO2 preferred (Google,GitHub,Shopify) followed by TOTP (everyone else). FIDO is just so much simpler, and even TOTP is easier with a key, you can generate then cut/paste the code directly on the PC without having to reach for and transcribe from a phone.

    @havoc said: I've got yubikeys but not sure I'd want that on VPS stuff frankly just because implementation has to be quite good to avoid lockout.

    Not sure that's sooo much of an issue, most services provide emergency code access to keep offline for the rainy day, or do TOTP in addition which you could keep offline too or just use as a an alternative.

    @dosai said: I use aegis.

    +1 for aegis as the phone based TOTP app.

    Thanked by (1)jtk
  • I avoid 2FA as much as possible, because I don't like the idea of having to grab the phone when I'm on the computer.

    Some sites are forcing 2FA though:

    • Google Account
    • AppleID
    • Uber (paid link, non-aff)
    • Credit Karma Money
    • National Consumer Panel
    • VirMach (only during service transfer)
    • Adafruit (only for purchasing high demand goods)
    Thanked by (3)jtk zed AlwaysSkint
  • No.

    Requiring the phone is terrible to me.

    Thanked by (2)zed AlwaysSkint
  • havochavoc OGContent Writer

    @cochon said: Not sure that's sooo much of an issue, most services provide emergency code access to keep offline for the rainy day, or do TOTP in addition which you could keep offline too or just use as a an alternative.

    I ended up using codes twice while trying to set up it & it failed...and that was on cloudflare and namecheap.

    Many here are very skilled for sure, but not quite cloudflare engineering team skilled so definitely more risk of bad implementations.

  • bikegremlinbikegremlin ModeratorOGContent Writer

    I think 2FA is mostly needed for the folks who reuse (admin123) passwords on many accounts.
    Enforcing it makes the providers' life easier.

    Having said that, for the important stuff (especially emails used for service registration), I think it's not a bad idea.

    It is a hassle though. Yes, you get bacup codes, but having to carry and use a "smart" phone is not to my liking.
    That's the main reason why I use Authy (my article on it).
    Yes, I know, it's by that company. Nonetheless, it lets me use a computer for 2FA, and that's a must as far as I'm concerned.

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • tjntjn
    edited September 2022

    Why wouldn't you use it?
    Edit: if combined with a good password manager (not Lastpass, for example - in my opinion) it's pretty easy to manage.

  • I use it on everything that supports it.

  • I wouldn't hesitate to turn on the 2FA if it was very important APP or website, Authy is the best, I can barely get online without it now.

  • @Laura said:
    I wouldn't hesitate to turn on the 2FA if it was very important APP or website, Authy is the best, I can barely get online without it now.

    Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.

  • If it's supported, I may use it as long as it doesn't involve SMS.
    Aegis is my favourite 2FA app.

  • @Nekki said:

    @Laura said:
    I wouldn't hesitate to turn on the 2FA if it was very important APP or website, Authy is the best, I can barely get online without it now.

    Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.

    Is there an open source option that has a desktop flavour too? I mostly ended up with Authy so I didn't have to go find my phone all the time.

  • @Nekki said:
    Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.

    By migrate, do you mean migrate to another phone, or migrate to a different 2FA app?

  • Use hardware key like yubikey, it is as simple as touching the key, worth the hassle compared to the security benefits 🙂

    Yubikey also can be used to keep TOTP

  • @yoursunny said:
    I avoid 2FA as much as possible, because I don't like the idea of having to grab the phone when I'm on the computer.

    Some sites are forcing 2FA though:

    • Google Account
    • AppleID
    • Uber (paid link, non-aff)
    • Credit Karma Money
    • National Consumer Panel
    • VirMach (only during service transfer)
    • Adafruit (only for purchasing high demand goods)

    You forgot GitHub when out of the blue it tells you to enter a security code sent to an e-mail you haven't accessed in 5 years :)

    Solutions to forced 2FA:

  • I feel that 2FA is the only way to the future. Password auth is a thing of past now. It's way too vulnerable and impractical as we require more complex passwords.

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • @ahnlak said:

    @Nekki said:

    @Laura said:
    I wouldn't hesitate to turn on the 2FA if it was very important APP or website, Authy is the best, I can barely get online without it now.

    Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.

    Is there an open source option that has a desktop flavour too? I mostly ended up with Authy so I didn't have to go find my phone all the time.

    What desktop OS are you using? There are a few decent options but they’re OS specific.

    @casadebamburojo said:

    @Nekki said:
    Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.


    By migrate, do you mean migrate to another phone, or migrate to a different 2FA app?

    To a different 2FA app. From memory, device migration on Authy is fine so long as you remember to enable the multi-device option.

    @deank said:
    I feel that 2FA is the only way to the future. Password auth is a thing of past now. It's way too vulnerable and impractical as we require more complex passwords.

    This. So many corporate IT breaches could be avoided simply by enforcing 2FA. We’re at the point that social engineering techniques are so advanced that it’s irresponsible not to enforce 2FA unless you literally do not care about the system in question being compromised.

    Thanked by (2)casadebamburojo skorous
  • I always enable 2FA wherever possible. Additionally, my preferences of methods is as follows:

    • AndOTP TOTP application <--- This is the most preferred option for me since the application is open source and encrypts the database file with my accounts at rest.
    • Dedicated 2FA apps (Authy, Duo) <--- Good for non-web logins (RDP and such)
    • Texts with one time codes
    • Emails with one time codes

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • @akhfa said:
    Use hardware key like yubikey, it is as simple as touching the key, worth the hassle compared to the security benefits 🙂
    Yubikey also can be used to keep TOTP

    It's not much of a hassle at all until the key goes the way of all hardware.
    Then you need the backup key (which Yubi does tell you to buy, so they get twice the sell) - good luck finding that. And hopefully all the sites are properly registered.

    Now, consider when you want to access something and you don't have the key with you - because you didn't want to lose the key because of the inconvenience of the above. Especially email..

    For a bonus, consider that any provider's backup can drop you arbitrarily, intentional or not - see people dropped from the Google or Apple ecosystems, unable to log into their device. Now you are on a loaner device - can you access any of your accounts?

    2FA is a hideous design mistake, that puts the burden on the individual and has ended research into better methods of limited privilege and limited time authentication.

    The alternative is a small number of memorable password patterns, with a paper backup sealed in a envelope, and put in a fire-resistant safe.
    It doesn't protect against phishing (directly) but neither does 2FA

    Thanked by (1)bikegremlin
  • @Nekki said:

    @ahnlak said:

    @Nekki said:

    @Laura said:
    I wouldn't hesitate to turn on the 2FA if it was very important APP or website, Authy is the best, I can barely get online without it now.

    Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.

    Is there an open source option that has a desktop flavour too? I mostly ended up with Authy so I didn't have to go find my phone all the time.

    What desktop OS are you using? There are a few decent options but they’re OS specific.

    Primarily Linux; Authy works seemlessly on both my (Android) phone and (Linux) desktop which covers most of my bases (I'm rarely on Windows when I need 2FA).

    I know these days 1Password will play, but putting my 2FA in the same app as my passwords feels... wrong.

  • havochavoc OGContent Writer

    @erk said: Then you need the backup key (which Yubi does tell you to buy, so they get twice the sell)

    Yup. That's what kept me from going that route for long but eventually decided to bite the bullet and just get two.

    One on my house keys that goes with me and one permanently attached to desktop. So I figure if there is a fire one of them is likely to survive...and if neither does...then lets just say it is probably no longer my problem

    Thanked by (1)nessa
  • nessanessa Hosting Provider
    edited September 2022

    I don't use 2FA for everything, but when I do I use a Yubikey. Just annoying to have to remember to keep it nearby.

    RamNode: High Performance Cloud VPS
    NYC - LA - ATL - SEA - NL - DDoS Protection

  • @erk said:
    ...
    2FA is a hideous design mistake, that puts the burden on the individual and has ended research into better methods of limited privilege and limited time authentication.
    ...

    Is there really anything else to say?

    Thanked by (1)erk
  • @TigersWay said:

    @erk said:
    ...
    2FA is a hideous design mistake, that puts the burden on the individual and has ended research into better methods of limited privilege and limited time authentication.
    ...

    Is there really anything else to say?

    "I disagree" ?

    Thanked by (1)mfs
  • @havoc said: One on my house keys that goes with me and one permanently attached to desktop.

    Mine's a slight twist on this, one on my house keys, that still needs to be plugged into the desktop to access most things, the backup stored securely in the basement. 2FA aside, this way I mostly always know where my house keys are having once left them overnight hanging in the door in full view of the street.

  • @skorous said:

    @TigersWay said:

    @erk said:
    ...
    2FA is a hideous design mistake, that puts the burden on the individual and has ended research into better methods of limited privilege and limited time authentication.
    ...

    Is there really anything else to say?

    "I disagree" ?

    I'm not sure where you could "disagree" but I believe you will try. And the fact that you - like many others, no worry - accepted 2FA because you think it's not a big trouble is not exactly an "agreement".

Sign In or Register to comment.