2-Factor Authentication is maddening

Discussion in 'Community Help Center' started by WY7BG, Nov 9, 2019.

Thread Status:
Not open for further replies.
  1. KV6O

    KV6O Ham Member QRZ Page

    Cookies aren't only used for nefarious purposes. In this case, you're throwing out the good with the bad. Be selective.
     
    AG5DB likes this.
  2. WY7BG

    WY7BG Ham Member QRZ Page

    I am an electrical engineer and helped to bring up TCP/IP on the Internet, so one might say I have some experience with this. True, not all cookies are used for nefarious purposes. However, because it's so difficult to distinguish the innocent uses from the nefarious ones, it pays to flush your cookies regularly and every time you shut down your browser.

    Ironically, QRZ's option to make its cookie last for 30 days completely obviates any "extra security" provided by 2FA. Check it, and DON'T clear your cookies, and anyone who gains access to your device has access to your account anyway.

    I have a password vault program which allows me to use very non-guessable passwords, and there's also a fairly good one built into Mozilla Firefox. These allow me to flush cookies regularly and quickly log into MOST sites - but, of course, not when there is two-factor authentication that insists upon SMS.

    Perhaps QRZ could also allow full access to the site to those who use a very long, randomly generated password and a password vault program? Again, it is MUCH more secure than using 2FA and checking the box.
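
The trade-off argued over in this thread, as an added example that is not part of any post and is not QRZ's code: a sketch of how a 30-day "remember this device" cookie can interact with 2FA. The key, the callsign, the function names, and the assumption that the cookie replaces only the second factor (the password is still checked) are all illustrative.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for illustration only; not QRZ's implementation.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
TRUST_LIFETIME = 30 * 24 * 3600  # the 30-day option discussed in the thread


def _sign(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_trust_cookie(user: str, now: float) -> str:
    """Issued once, right after a login that passed the second factor."""
    payload = f"{user}|{int(now) + TRUST_LIFETIME}"
    return f"{payload}|{_sign(payload).decode()}"


def cookie_is_valid(cookie: str, user: str, now: float) -> bool:
    """Check signature, owner and expiry of a trust cookie."""
    try:
        c_user, c_expires, c_tag = cookie.split("|")
        expires = int(c_expires)
    except ValueError:
        return False  # malformed cookie
    good_tag = hmac.compare_digest(_sign(f"{c_user}|{c_expires}"), c_tag.encode())
    return good_tag and c_user == user and now < expires


def login_decision(user: str, password_ok: bool, cookie: Optional[str], now: float) -> str:
    """Return what the server does next for a login attempt."""
    if not password_ok:
        return "deny"
    if cookie and cookie_is_valid(cookie, user, now):
        return "allow"        # trusted device: second factor is skipped
    return "challenge_2fa"    # unknown device or cleared cookies: code required


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    jar = issue_trust_cookie("N0CALL", t0)
    print("stolen password, other machine:", login_decision("N0CALL", True, None, t0))
    print("password used on the trusted device:", login_decision("N0CALL", True, jar, t0 + 60))
    print("same device after 31 days:", login_decision("N0CALL", True, jar, t0 + 31 * 86400))
```

Under these assumptions the second factor still stops a login from an unknown device that has only the password, while anyone holding both the password and the device's cookie jar is never challenged until the cookie expires or is cleared.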
     
  3. W6TAB

    W6TAB XML Subscriber QRZ Page

    Anyone who gains access to your device has access to your password vault. Unless you're entering the password vault password every time you use it. My password vault is on my phone and requires 3FA to access.

    Good passwords don't solve the problem of phishing, 2FA helps, 3FA would be better.
     
  4. WY7BG

    WY7BG Ham Member QRZ Page

    2FA doesn't solve the problem of "phishing." If you're stupid enough to give away your password, you're stupid enough to give away the code that's sent to you via 2FA.
     
  5. W7UUU

    W7UUU Super Moderator Lifetime Member 133 Administrator Volunteer Moderator Platinum Subscriber Life Member QRZ Page

    The person doing the 'phishing' would still need to have my cell phone to read the code when it came in when he tried to log in with an unknown device.

    That's the whole point. The PHISHER does not have access to MY CELL PHONE (unless of course he also robbed my home but talk about long odds) so he has no way of knowing what the code being sent even is.

    Dave
    W7UUU
     
  6. WY7BG

    WY7BG Ham Member QRZ Page

    Nope. Scammers routinely ask the victim for the code, claiming that they need it to verify the VICTIM'S identity. It's useless as a security mechanism unless the intended victim has a brain.
     
  7. W7UUU

    W7UUU Super Moderator Lifetime Member 133 Administrator Volunteer Moderator Platinum Subscriber Life Member QRZ Page

    Well, I guess we all make choices and take our chances in this life.

    I'll stick with 2FA here - works fine for me. I guess I'm just not that stupid as to fall for crap like that.

    But feel free to turn it off - it really affects nothing but your ability to keep your IDV status and sell stuff.

    No other ill effects whatsoever.

    Dave
    W7UUU
     
    AG5DB likes this.
  8. KV6O

    KV6O Ham Member QRZ Page

    You clearly need a lesson in what Internet security looks like today. 2FA isn’t perfect, but nothing is. More complex passwords with vaults do not address the most likely attack vector there is today - phishing and spear-phishing.
    Apple, Google, many banks, etc. use it.

    If you think clearing your cookies is buying you a more secure environment (at the expense of 2FA), keep right on doing what you’re doing.
     
    AG5DB likes this.
  9. W6TAB

    W6TAB XML Subscriber QRZ Page

    If you're smart enough to take the time to clear your cookies on a regular basis then taking the time to use 2FA shouldn't be a problem.

    I have known some very smart people that have fallen for spear phishing attacks. Arrogance and pride are a big contributor to the success of a lot of scams.

    2FA works and keeps the integrity of the swap meet forum at a higher level than it would be without it.
     
    AG5DB likes this.
  10. KV6O

    KV6O Ham Member QRZ Page


    How does a more complex password fix this?
     