Do you use 2fa?
Most providers seem to support time-based two-factor authentication (2fa) these days, e.g., Google Authenticator, Authy, LastPass, and so on. A few support other forms such as a YubiKey or an SMS-based verification code. However, I assume the majority of customer accounts are only being protected by passwords. I'm curious to hear about customer and provider experiences with the tech.
Feel free to complete the poll and then provide additional detail in follow-ups. I'm interested to see some follow-up discussion on topics such as:
- Why you actively choose not to use 2fa, if that is your choice?
- What rough percentage of your providers support it?
- If you're a provider, what rough percentage of your customers enable it?
- What problems have you run into with it, as either a customer or provider?
- What 2fa method/app do you like and why?
2FA usage (poll, 75 votes)
- Do you use or support 2fa?
- Yes: 86.67%
- No: 13.33%
Comments
I do, but not for EVERYTHING.
Just the ones I think are important and paranoid about
Enpass for personal and Okta (I know right) for work-related stuff.
I've got YubiKeys but not sure I'd want that on VPS stuff frankly, just because the implementation has to be quite good to avoid lockout.
Well, if they support it, yes.
If they force me to do retarded things like SMS, because it's more secure, kek.
Yes
I use Aegis.
The methods are usually dictated by the service, but if offered, and as I always have a YubiKey plugged in here for SSH/SFTP access, FIDO/FIDO2 is preferred (Google, GitHub, Shopify) followed by TOTP (everyone else). FIDO is just so much simpler, and even TOTP is easier with a key: you can generate and then cut/paste the code directly on the PC without having to reach for and transcribe from a phone.
Not sure that's sooo much of an issue; most services provide emergency codes to keep offline for the rainy day, or do TOTP in addition, which you could keep offline too or just use as an alternative.
+1 for Aegis as the phone-based TOTP app.
I avoid 2FA as much as possible, because I don't like the idea of having to grab the phone when I'm on the computer.
Some sites are forcing 2FA though:
No.
Requiring the phone is terrible to me.
I ended up using codes twice while trying to set it up, and it failed... and that was on Cloudflare and Namecheap.
Many here are very skilled for sure, but not quite Cloudflare engineering team skilled, so definitely more risk of bad implementations.
I think 2FA is mostly needed for the folks who reuse (admin123) passwords on many accounts.
Enforcing it makes the providers' life easier.
Having said that, for the important stuff (especially emails used for service registration), I think it's not a bad idea.
It is a hassle though. Yes, you get backup codes, but having to carry and use a "smart" phone is not to my liking.
That's the main reason why I use Authy (my article on it).
Yes, I know, it's by that company. Nonetheless, it lets me use a computer for 2FA, and that's a must as far as I'm concerned.
Why wouldn't you use it?
Edit: if combined with a good password manager (not Lastpass, for example - in my opinion) it's pretty easy to manage.
I use it on everything that supports it.
I wouldn't hesitate to turn on 2FA if it was a very important app or website. Authy is the best; I can barely get online without it now.
Authy is closed source and doesn’t provide an easy way to migrate. Do yourself a favour and pick an open source app that makes migration simple if needed.
If it's supported, I may use it as long as it doesn't involve SMS.
Aegis is my favourite 2FA app.
Is there an open source option that has a desktop flavour too? I mostly ended up with Authy so I didn't have to go find my phone all the time.
By migrate, do you mean migrate to another phone, or migrate to a different 2FA app?
Use a hardware key like a YubiKey; it is as simple as touching the key, and worth the hassle compared to the security benefits 🙂
A YubiKey can also be used to keep TOTP secrets.
You forgot GitHub, when out of the blue it tells you to enter a security code sent to an e-mail you haven't accessed in 5 years.
Solutions to forced 2FA:
big brain: in Firefox there's a neat config switch
security.webauth.webauthn_enable_softtoken = true
which allows you to emulate a hardware security token. Works even for Google accounts.
huge sigma gigachad brain:
I feel that 2FA is the only way to the future. Password auth is a thing of the past now. It's way too vulnerable and impractical as we require more complex passwords.
What desktop OS are you using? There are a few decent options but they’re OS specific.
To a different 2FA app. From memory, device migration on Authy is fine so long as you remember to enable the multi-device option.
This. So many corporate IT breaches could be avoided simply by enforcing 2FA. We’re at the point that social engineering techniques are so advanced that it’s irresponsible not to enforce 2FA unless you literally do not care about the system in question being compromised.
I always enable 2FA wherever possible. Additionally, my preference of methods is as follows:
It's not much of a hassle at all until the key goes the way of all hardware.
Then you need the backup key (which Yubico does tell you to buy, so they get twice the sale) - good luck finding that. And hopefully all the sites are properly registered.
Now, consider when you want to access something and you don't have the key with you - because you didn't want to lose the key, because of the inconvenience of the above. Especially email.
For a bonus, consider that any provider's backup can drop you arbitrarily, intentional or not - see people dropped from the Google or Apple ecosystems, unable to log into their device. Now you are on a loaner device - can you access any of your accounts?
2FA is a hideous design mistake, that puts the burden on the individual and has ended research into better methods of limited privilege and limited time authentication.
The alternative is a small number of memorable password patterns, with a paper backup sealed in an envelope and put in a fire-resistant safe.
It doesn't protect against phishing (directly), but neither does 2FA.
Primarily Linux; Authy works seamlessly on both my (Android) phone and (Linux) desktop, which covers most of my bases (I'm rarely on Windows when I need 2FA).
I know these days 1Password will play, but putting my 2FA in the same app as my passwords feels... wrong.
Yup. That's what kept me from going that route for a long time, but eventually I decided to bite the bullet and just get two.
One on my house keys that goes with me and one permanently attached to the desktop. So I figure if there is a fire one of them is likely to survive... and if neither does... then let's just say it is probably no longer my problem.
I don't use 2FA for everything, but when I do I use a YubiKey. Just annoying to have to remember to keep it nearby.
Is there really anything else to say?
"I disagree" ?
Mine's a slight twist on this: one on my house keys, which still needs to be plugged into the desktop to access most things, and the backup stored securely in the basement. 2FA aside, this way I mostly always know where my house keys are, having once left them overnight hanging in the door in full view of the street.
I'm not sure where you could "disagree" but I believe you will try. And the fact that you - like many others, no worry - accepted 2FA because you think it's not a big trouble is not exactly an "agreement".