I would like to inform the HN community, if your plan to recover your Google account in the event of losing your phone is to use a 2FA backup code, or SMS recovery, to remove the old 2FA setup and set up a new 2FA code, that that may not be possible.

I had 2FA set up with my Google Account through Google Authenticator. I lost my Google Authenticator settings when I broke my phone. These successfully log me into my Google Account.

In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google. When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. The only option under "Choose a way to verify" is to enter a 2FA code. Entering a backup code instead of a 2FA code returns an error.

What am I supposed to do in this situation? Yes, this is a classic "maybe I can get support through public shaming" attempt.

> store 2FA secrets in a different place from their passwords

Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure is just not something normal people are ever going to do. It all feels so absurd that the UX side of me just rebels.

So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.

But honestly, where the heck else am I supposed to put them? I know from experience that printouts get lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.

Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have." "Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere. When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format, the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.

The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with TOTP constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).
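As an added illustration for the thread above (this is not code from the posters, from Google, or from Google Authenticator), the following Python implements RFC 6238 TOTP with the Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) next to a hypothetical server-side store of single-use backup codes, and then a second-factor check that accepts either. The seed is the RFC 6238 test secret, base32-encoded as an otpauth:// URI would carry it; `BackupCodeStore` and `verify_second_factor` are my own names and model, not Google's. It makes the "have" point concrete: whoever holds the seed string mints the same codes, so the only question is where the copy lives. It also shows the check the original poster ran into: a re-authentication prompt that runs only the TOTP branch leaves someone with backup codes and no phone locked out.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test secret ("12345678901234567890") in the base32 form authenticator
# apps store and export. Constructed for this example.
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32):
    """Decode an Authenticator-style base32 seed. Apps usually show it with
    spaces and without '=' padding, so normalise before decoding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then the
    standard dynamic truncation to a `digits`-digit decimal string."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key, candidate, unix_time, window=1, step=30):
    """Verifier side: accept the current step and `window` steps either side to
    tolerate clock skew; compare in constant time so timing leaks nothing."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, c), candidate)
        for c in range(counter - window, counter + window + 1)
    )


class BackupCodeStore:
    """Hypothetical server-side model of single-use recovery codes. The user is
    shown the plaintext once; only hashes are kept, and each code redeems once.
    A production store would use a slow salted hash and rate-limit attempts."""

    def __init__(self):
        self._hashes = set()

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.replace("-", "").replace(" ", "").encode()).hexdigest()

    def issue(self, count=10):
        codes = ["%04d-%04d" % (secrets.randbelow(10000), secrets.randbelow(10000))
                 for _ in range(count)]
        self._hashes = {self._hash(c) for c in codes}
        return codes

    def redeem(self, code):
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.discard(h)  # burn it: a backup code works exactly once
            return True
        return False


def verify_second_factor(seed_b32, backups, candidate, unix_time):
    """Return 'totp', 'backup' or None. A re-authentication prompt that only
    runs the first branch is what strands a user who still has backup codes
    but no longer has the device holding the seed."""
    if verify_totp(decode_base32_secret(seed_b32), candidate, unix_time):
        return "totp"
    if backups.redeem(candidate):
        return "backup"
    return None


if __name__ == "__main__":
    # Any copy of the seed string, on any device or on paper, produces this code.
    print(totp(decode_base32_secret(SEED_B32), int(time.time())))
```

The RFC 6238 vectors make the TOTP part checkable: with this seed, time 59 yields 287082 and time 1111111109 yields 081804 (the last six digits of the 8-digit vectors 94287082 and 07081804). The backup-code store is deliberately separate from the seed: losing the phone loses the seed but not the codes, which is exactly why a recovery prompt should accept them.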