this post was submitted on 20 Dec 2024
632 points (98.8% liked)

Technology
(page 2) 50 comments
[–] [email protected] 24 points 1 day ago* (last edited 1 day ago) (4 children)

The end of an era.

Or actually, probably not until we redo how the whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn't be using a 45 year old system for almost all communications.

[–] [email protected] 40 points 2 days ago (2 children)

I hate forced 2FA that you can't disable anyway. I don't want to waste time waiting for an insecure text, I don't want to input an unencrypted code you sent to my email, I don't want to click your damn notification that runs through Play Services, and no I'm not enrolling in passwordless auth. I don't need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.

[–] [email protected] 2 points 1 day ago

is already using TOTP.

A lot of things are moving to phishing-resistant technologies like FIDO2/WebAuthn or passkeys. All my important accounts, like my password manager, are secured using Yubikeys (one that I keep with me and one as a backup in a secure place).

[–] [email protected] 18 points 1 day ago (2 children)

Yeah. So you, myself, and some others are the exception to the rule. But, you can't look at it that way because it's a 'lowest common denominator' problem. The least secure of us means we are all only as secure. Others need to be hand-held.

It's definitely time to raise all boats and drop SMS 2fa like a hot rock.

[–] [email protected] 3 points 1 day ago

The most natural authentication mechanism for humans is a key. That thing you carry with yourself. A physical key containing, well, the actual secret (shouldn't be retrievable, should be used for decrypting the access request and signing the response) that, maybe combined with your password (another authentication mechanism natural for humans) or maybe, yes, TOTP, gives you access.

Like those "security keys" Imperial officers in Jedi Outcast carry with them. Maybe a bad example.

Phone numbers are used as identifiers because governments like it, nerds don't like it, and normies explicitly like what nerds don't like and also want everything to be insecure, they call it "having nothing to hide".

Also "normal and social" people have that idea that their social prowess is more elegant, smarter at ensuring their security than those dumb and boring nerd technical solutions. So them always choosing things logically opposite of sane, like social media instead of forums, and phone numbers instead of any other identifier, is literally a matter of principle. It's really not that hard to use something else. They do the stupidest possible thing technically to prove a point that you only have to do the smart thing socially. I mean, in Galileo Galilei's case the other side of the disagreement is generally considered right, but that's not an argument effective in society.

I should admit that I've been doing the opposite - the stupidest possible thing socially to prove a point that only technical sense matters, which is why nobody would send me encrypted mail except Facebook with its notifications, and nobody would write me in Tox, and nobody would even contact me via XMPP. Which is why I'm now using TG, VK, FB, WA and Signal for communication; of these Signal is secure, and WA is kinda better than the rest of them.
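The two mechanisms this comment contrasts with SMS codes, the TOTP that earlier commenters say they use and the physical key that holds a non-retrievable secret and signs a challenge, side by side, as an added example that is not part of the thread. The TOTP part follows RFC 6238 and uses the RFC's own SHA-1 test secret. The key part is a simplified model: HMAC with a per-origin derived key stands in for the public-key signature a real FIDO2/WebAuthn authenticator would produce, so the server stores a shared key rather than a public key. `HardwareKey`, `Server`, the user `alice` and the origins are all constructed for the example.

```python
"""Added example (not from the thread): TOTP next to an origin-bound
challenge-response.  HMAC replaces the public-key signature a real
FIDO2 key would produce; names and origins are constructed."""
import hashlib
import hmac
import os
import struct
import time

# ---- Part 1: one-time codes (RFC 4226 / RFC 6238) -----------------------
RFC6238_TEST_SECRET = b"12345678901234567890"  # the RFC's published SHA-1 test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus `window` steps either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * 30), code)
        for k in range(-window, window + 1)
    )


# ---- Part 2: a key that signs a challenge bound to the origin -------------
class HardwareKey:
    """Model of a security key: the master secret never leaves this object."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _credential_key(self, origin: str) -> bytes:
        # One credential per origin, derived from the master secret.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # A real key returns a public key; this stand-in returns the per-origin key.
        return self._credential_key(origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies `origin`, so the answer is tied
        # to the site that actually presented the challenge.
        return hmac.new(self._credential_key(origin),
                        origin.encode() + challenge, hashlib.sha256).digest()


class Server:
    """The site that enrolled the key (the relying party)."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._credentials = {}   # user -> per-origin key from enrollment
        self._pending = {}       # user -> outstanding challenge

    def enroll(self, user: str, credential_key: bytes) -> None:
        self._credentials[user] = credential_key

    def begin_login(self, user: str) -> bytes:
        challenge = os.urandom(32)   # fresh per attempt, so answers cannot be replayed
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)   # consumed whether or not it verifies
        key = self._credentials.get(user)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def hardware_key_login(presented_origin: str) -> bool:
    """Enroll at bank.example, then answer one challenge as seen at `presented_origin`.

    True only when the origin the key signed matches the server verifying it."""
    key = HardwareKey()
    server = Server("https://bank.example")          # constructed origin
    server.enroll("alice", key.register(server.origin))
    challenge = server.begin_login("alice")
    return server.finish_login("alice", key.respond(presented_origin, challenge))


def replayed_login_rejected() -> bool:
    """A valid response presented a second time fails: its challenge was consumed."""
    key = HardwareKey()
    server = Server("https://bank.example")
    server.enroll("alice", key.register(server.origin))
    challenge = server.begin_login("alice")
    response = key.respond(server.origin, challenge)
    first = server.finish_login("alice", response)
    second = server.finish_login("alice", response)
    return first and not second


if __name__ == "__main__":
    print("TOTP now:", totp(RFC6238_TEST_SECRET, int(time.time())))
    print("same origin:", hardware_key_login("https://bank.example"))
    print("other origin:", hardware_key_login("https://bank-example.com"))
```

The contrast the code makes concrete: a six-digit code carries no information about which site asked for it, so it verifies wherever it is typed, while the key's response includes the origin the browser reported, so a response produced at any other origin fails at the real server. That origin binding is what "phishing-resistant" in the earlier comment refers to, and the single-use challenge is what stops a captured response from being replayed.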

[–] [email protected] 1 points 1 day ago

You can apply this logic to nearly anything with very bad consequences.

[–] [email protected] 19 points 2 days ago* (last edited 2 days ago) (1 children)

Since when was SMS ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient's carrier both have the opportunity to intercept messages.

I mean that's the message content, not the authentication, but still, SMS is the opposite of secure, always has been.

[–] [email protected] 5 points 2 days ago (4 children)

Not true. SMS is encrypted in 3G, LTE, 5G. Block cyphers like Kasumi and A/9 are used. SMS is reasonably secure, because it's hard to infiltrate telecom systems like S7

[–] [email protected] 5 points 1 day ago* (last edited 1 day ago) (1 children)

it's hard to infiltrate telecom systems like S7

Telecom systems can be (and are) infiltrated though, which is what the FBI is warning about.

SS7 is very insecure. See this video, too: https://www.youtube.com/watch?v=wVyu7NB7W6Y

[–] [email protected] 4 points 1 day ago (1 children)

It's hard, but not hard enough from what I've been able to gather. We should want something better IMO. I'm surprised that TOTP isn't more common.

[–] [email protected] 3 points 1 day ago (10 children)

S7 will be retired or extended with access control. TOTP apps don't work for edge cases like a broken phone. Dedicated token devices get lost. SMS will continue being the main solution for 2FA.

[–] [email protected] 15 points 2 days ago (1 children)
[–] [email protected] 4 points 2 days ago
[–] [email protected] 13 points 2 days ago (3 children)

I'd take email authentication over SMS authentication if there were only those two. Let me use my 2-factor app, for the love of god, plz. I hate how banks use SMS; it's like, come on man.

[–] [email protected] 5 points 2 days ago (1 children)

I'm new to technology, is this good?

[–] [email protected] 19 points 2 days ago (1 children)

They will now push proprietary apps which steal your data, so you decide.

In a sane world we would move to YubiKeys or codes like Google Authenticator, but we live in a post-sane technological world

[–] [email protected] 10 points 2 days ago

TOTP or GTFO

[–] [email protected] 32 points 2 days ago

Always has been
