Author Topic: WTF is up with 2 tier verification these days?  (Read 7027 times)

TimothyEllis

WTF is up with 2 tier verification these days?
« on: November 25, 2019, 01:15:03 AM »
RANT mode ON

Everything I come into contact with these days is shifting to 2 tier verification systems.

And I don't want the stupid things!

I know what I just did. I don't want a text with a code to verify I did it. I don't want to wait for an email to verify I did it.

I know what I did, because I just did it!  :HB

I know business needs protection, because access to computers is more available. I get that.

But my computer is MINE. No-one else touches it. Everything done on it is ME, ME, ME.

And let's face it, if someone breaks in and steals the computer, they also get the email verification so they can enter the same code I have to, or click the same link. Where is the security? None at all!

And the chances are, if they get my computer, there is a good chance they will get my phone as well, so they will also get the text with the code verification in it. So where's the security? None at all.

I get it for banks. I really do. But now when I send a book to my kindle device, Amazon sends me an email to verify the stupid thing. What the f*ck for? I sent it. I sent it to me. It's listed as a valid email address. Why do I need to verify what I just sent to myself?

The world has gone nuts.

And Amazon, if you're reading this, my response to your verification email is F*CK OFF!

RANT mode OFF


Bill Hiatt

Re: WTF is up with 2 tier verification these days?
« Reply #1 on: November 25, 2019, 02:00:23 AM »
Yeah, Amazon asking you to verify sending an ebook to your Kindle is pretty silly.

With regard to the practice in general, part of the reason for its expansion is the fact that hackers can scoop up auth cookies (that is, the kind of cookie that identifies your computer to some kind of secure service) and plant them on a different computer.

And yes, the system doesn't secure you against the theft of both your computer and your phone, but it does secure you against hackers penetrating your security remotely. Breaking in to steal your equipment is much more trouble and risk than breaking in over the internet.

After the major break-in on my website, one of the ways I beefed up security was with Wordfence, and I enabled authentication. Now I have to go to Google Authenticator on my phone to get the code to complete the login process. That's a bit of a hassle because I don't usually keep my phone on, but it's totally worth it. The people trying to log in are mostly far, far away. They're not going to be breaking in to steal my phone.



DrewMcGunn

Re: WTF is up with 2 tier verification these days?
« Reply #2 on: November 25, 2019, 02:01:23 AM »
In my day-job, we were forced to go to double-layer authentication (same thing as two-tier) because of the State of New York's regulators. Even though in the US we have 50 different sets of regulations, as a practical outflow of tending to do business in all 50 states, most businesses simply adopt the most stringent state's requirements, ergo... double-layer authentication. (this explanation is probably an overly simplified explanation, but for the sake of responding to Tim, it helps explain why so many US-based companies are adopting it)
I hate it with a passion.


Drew McGunn
 

Lynn

Re: WTF is up with 2 tier verification these days?
« Reply #3 on: November 25, 2019, 04:23:19 AM »
I despise two-factor authentication.

I had to use it for banking in a prior job (of course, far too much money around not to!) and I bought into the whole security aspects of it for a while for my personal stuff.

I set it up on oodles of sites and devices and used Google Authenticator, etc, but it was a hassle of the worst sort. And I have no decent cell signal at my home, so I couldn't receive texts from the places that require that, and then my phone got glitchy. I disabled it in preparation for a phone swap and never bothered to turn it back on anywhere. And I've never been so glad to get rid of anything as I was to get rid of two-factor authentication.

I finally just strengthened all my passwords to the point where it would take an actual hack to get it because brute forcing was too unlikely, and let it go.

The extra security that comes from two-factor is just not worth it in my opinion if you can take some common-sense precautions. (Don't reuse passwords, use alternate email addresses for as many of the important log ins as you can, use very long passwords, don't use public wifi if at all possible, use made up answers to security questions, and use a good script / ad blocker on your browsers). :D

I just hate the two factor stuff. It had some serious downsides that the extra security can't make up for. It can get you locked out of your accounts if you're not careful, and usability suffers massively from it for a whole lot of people.
 

Jan Hurst-Nicholson

Re: WTF is up with 2 tier verification these days?
« Reply #4 on: November 25, 2019, 04:34:21 AM »
It's a pain having to verify everything. We have to produce our ID books and proof of residence not more than 3 months old, such as a telephone, rates or similar utility bill,  before we can do anything. Even had to produce a utility bill to renew my driver's licence. I had to return home to fetch one  :icon_rolleyes:. Now I keep one in my bag and change it each time a new bill arrives. Married women have a problem if all the bills come in their husband's name as they have to get a letter from their husband signed by a commissioner of oaths. :evil2:
When I moved to my retirement cottage I let the credit card bank know my new address as a new card was due the same month I moved. When I went to collect the new card they wouldn't accept their own bank statement with my new address and said it had to be a utility account, which I would only get the following month, but I needed my credit card urgently. They wouldn't accept a letter from the manager of my retirement complex, so I was stuck. I eventually took in my final telephone account from my old address and made sure I spoke to a different teller. She accepted this without checking my address on their system - which was different from the account  :confused:..
As far as I am concerned the double checking is done with good intentions, but all it does is inconvenience honest people as rogues will always find a way around it. :icon_rolleyes:

 

Bill Hiatt

Re: WTF is up with 2 tier verification these days?
« Reply #5 on: November 25, 2019, 07:01:02 AM »
> I despise two-factor authentication.
>
> I had to use it for banking in a prior job (of course, far too much money around not to!) and I bought into the whole security aspects of it for a while for my personal stuff.
>
> I set it up on oodles of sites and devices and used Google Authenticator, etc, but it was a hassle of the worst sort. And I have no decent cell signal at my home, so I couldn't receive texts from the places that require that, and then my phone got glitchy. I disabled it in preparation for a phone swap and never bothered to turn it back on anywhere. And I've never been so glad to get rid of anything as I was to get rid of two-factor authentication.
>
> I finally just strengthened all my passwords to the point where it would take an actual hack to get it because brute forcing was too unlikely, and let it go.
>
> The extra security that comes from two-factor is just not worth it in my opinion if you can take some common-sense precautions. (Don't reuse passwords, use alternate email addresses for as many of the important log ins as you can, use very long passwords, don't use public wifi if at all possible, use made up answers to security questions, and use a good script / ad blocker on your browsers). :D
>
> I just hate the two factor stuff. It had some serious downsides that the extra security can't make up for. It can get you locked out of your accounts if you're not careful, and usability suffers massively from it for a whole lot of people.

All of that safety advice is great, and it's true you can minimize risk that way.

I would advocate two-factor authentication on author websites mostly because they're probably more vulnerable than major websites like large banks, for example. Brute force is more likely in that kind of situation. Even if someone can't get in, rapid-fire, repeated efforts to log in can end up acting like a DNS attack and bring down the website. The only way to avoid that kind of thing is a lockout after a certain number of incorrect tries, which banks often do. I tried that approach once. I kept getting shut out of my own website because the number of incorrect passwords used on the admin account always exceeded the maximum, and I had to keep disabling the plugin involved so that I could log in and remove the block on the admin account--only to have to do the same thing the next day. Creating a new admin account worked only until the bots could figure out the name, which apparently isn't that hard to do in WordPress. In that kind of situation, two-factor authentication is actually easier.


 

Bill Hiatt

Re: WTF is up with 2 tier verification these days?
« Reply #6 on: November 25, 2019, 07:04:07 AM »
> It's a pain having to verify everything. We have to produce our ID books and proof of residence not more than 3 months old, such as a telephone, rates or similar utility bill,  before we can do anything. Even had to produce a utility bill to renew my driver's licence. I had to return home to fetch one  :icon_rolleyes:. Now I keep one in my bag and change it each time a new bill arrives. Married women have a problem if all the bills come in their husband's name as they have to get a letter from their husband signed by a commissioner of oaths. :evil2:
> When I moved to my retirement cottage I let the credit card bank know my new address as a new card was due the same month I moved. When I went to collect the new card they wouldn't accept their own bank statement with my new address and said it had to be a utility account, which I would only get the following month, but I needed my credit card urgently. They wouldn't accept a letter from the manager of my retirement complex, so I was stuck. I eventually took in my final telephone account from my old address and made sure I spoke to a different teller. She accepted this without checking my address on their system - which was different from the account  :confused:..
> As far as I am concerned the double checking is done with good intentions, but all it does is inconvenience honest people as rogues will always find a way around it. :icon_rolleyes:

The good news is that, once you have a driver's license that passes the federal ID requirements, I think you don't need to go through all that every time you renew.

A bank not accepting its own statement address is just crazy. Don't get me started on banks. They do a lot of crazy things.

That said, there's so much identity theft going on, I can see why some of the checking is necessary.


 

Lynn

Re: WTF is up with 2 tier verification these days?
« Reply #7 on: November 25, 2019, 07:57:30 AM »
> All of that safety advice is great, and it's true you can minimize risk that way.
>
> I would advocate two-factor authentication on author websites mostly because they're probably more vulnerable than major websites like large banks, for example. Brute force is more likely in that kind of situation. Even if someone can't get in, rapid-fire, repeated efforts to log in can end up acting like a DNS attack and bring down the website. The only way to avoid that kind of thing is a lockout after a certain number of incorrect tries, which banks often do. I tried that approach once. I kept getting shut out of my own website because the number of incorrect passwords used on the admin account always exceeded the maximum, and I had to keep disabling the plugin involved so that I could log in and remove the block on the admin account--only to have to do the same thing the next day. Creating a new admin account worked only until the bots could figure out the name, which apparently isn't that hard to do in WordPress. In that kind of situation, two-factor authentication is actually easier.

Yeah, I'm not invested in whether or not other people choose to use it. I just don't think it's worth the benefits. And there are risks a lot of people gloss over. Anyone can search for thirty seconds and find huge swaths of people who got locked out of accounts and sites and lost a lot more than they ever gained from using two-factor auth. :D

I personally don't believe it's ready for prime-time. :D Too many people (in the US at least) who can't get the silly codes even. I mean, I can wait on a text message for hours and not get it, because reliable cell service in very rural areas is a joke. Even good internet is a joke. Like I said, a glitchy phone made me rethink the whole thing. If I'd lost that phone, I would have been reliant on the special codes they give out for one time use that you have to save when you set the whole thing up. If you're not super organized, that can bite you in the behind, too.

Bill Hiatt

Re: WTF is up with 2 tier verification these days?
« Reply #8 on: November 25, 2019, 08:04:22 AM »
>> All of that safety advice is great, and it's true you can minimize risk that way.
>>
>> I would advocate two-factor authentication on author websites mostly because they're probably more vulnerable than major websites like large banks, for example. Brute force is more likely in that kind of situation. Even if someone can't get in, rapid-fire, repeated efforts to log in can end up acting like a DNS attack and bring down the website. The only way to avoid that kind of thing is a lockout after a certain number of incorrect tries, which banks often do. I tried that approach once. I kept getting shut out of my own website because the number of incorrect passwords used on the admin account always exceeded the maximum, and I had to keep disabling the plugin involved so that I could log in and remove the block on the admin account--only to have to do the same thing the next day. Creating a new admin account worked only until the bots could figure out the name, which apparently isn't that hard to do in WordPress. In that kind of situation, two-factor authentication is actually easier.
>
> Yeah, I'm not invested in whether or not other people choose to use it. I just don't think it's worth the benefits. And there are risks a lot of people gloss over. Anyone can search for thirty seconds and find huge swaths of people who got locked out of accounts and sites and lost a lot more than they ever gained from using two-factor auth. :D
>
> I personally don't believe it's ready for prime-time. :D Too many people (in the US at least) who can't get the silly codes even. I mean, I can wait on a text message for hours and not get it, because reliable cell service in very rural areas is a joke. Even good internet is a joke. Like I said, a glitchy phone made me rethink the whole thing. If I'd lost that phone, I would have been reliant on the special codes they give out for one time use that you have to save when you set the whole thing up. If you're not super organized, that can bite you in the behind, too.

Agreed. Things like good cell service are necessary to get any benefit out of that kind of system, and it is possible to get locked out if something goes wrong.


 

Jeff Tanyard

Re: WTF is up with 2 tier verification these days?
« Reply #9 on: November 25, 2019, 08:13:39 AM »
> I despise two-factor authentication.
>
> I had to use it for banking in a prior job (of course, far too much money around not to!) and I bought into the whole security aspects of it for a while for my personal stuff.
>
> I set it up on oodles of sites and devices and used Google Authenticator, etc, but it was a hassle of the worst sort. And I have no decent cell signal at my home, so I couldn't receive texts from the places that require that, and then my phone got glitchy. I disabled it in preparation for a phone swap and never bothered to turn it back on anywhere. And I've never been so glad to get rid of anything as I was to get rid of two-factor authentication.
>
> I finally just strengthened all my passwords to the point where it would take an actual hack to get it because brute forcing was too unlikely, and let it go.
>
> The extra security that comes from two-factor is just not worth it in my opinion if you can take some common-sense precautions. (Don't reuse passwords, use alternate email addresses for as many of the important log ins as you can, use very long passwords, don't use public wifi if at all possible, use made up answers to security questions, and use a good script / ad blocker on your browsers). :D
>
> I just hate the two factor stuff. It had some serious downsides that the extra security can't make up for. It can get you locked out of your accounts if you're not careful, and usability suffers massively from it for a whole lot of people.


Some good advice in this post.   :tup3b
 

Mark Gardner

Re: WTF is up with 2 tier verification these days?
« Reply #10 on: November 25, 2019, 09:10:12 AM »
I also despise two-factor, and want to hulk smash organizations that don't allow me to turn it off. I also hate organizations that harass me to use it. (I'm looking at you, Apple.) I've already declined to use it, and no amount of harassing me will suddenly change my mind on it.

Two-factor authorization is just like the ridiculously complicated passwords, and the idiotic policy to force people to change their passwords regularly: they actually make your accounts less secure. Especially when you're trying to access a two-factor protected account from the device that receives the verification text or email. But, just like the TSA, two-factor authentication is security theater.
 

Demon_Lord

Re: WTF is up with 2 tier verification these days?
« Reply #11 on: November 26, 2019, 03:57:45 AM »

I understand your opposition to using 2-step authorization. But I learned the hard way, that it's worthy.

My Amazon account login information was sold, and the only thing that prevented access to my KDP, and everything else connected with Amazon, was the 2-step authorization I had set five years ago. See? During five years, it was just an annoyance, which more than once, I considered removing. I'm glad that I didn't.

Regardless of how annoying and bothersome it is, 2-step authorization is the only real security standing between us and a criminal data broker. There are factories of people harvesting data all over the world, and sooner or later, one of us will install an app, visit a website, or click on an email that will open the doors for them.

They aren't smarter than us, they simply have a job to do, and that job is to steal our information. Nothing personal here.

It doesn't matter how long or complicated the password is, if one can simply snoop the data, anything can be taken. It's a matter of time invested, the access to it, and the tools used.

They can have my login credentials, but as long as they don't have my phone, they can't log in to my important accounts. And I'd gone as far as having my codes sent to a phone paid with a prepaid card (A phone that isn't in my name), and with a number I never share with anyone.

There are ways to circumvent 2-step authorization, but it requires a direct contact with an employee of the mobile provider. Hackers only bother with this situation, if there are millions to be stolen. Especially, if those millions are in Cryptocurrency.

Yeah, after this incident, I did my research. And remember, an Amazon account is the jackpot of data. It has not only our full information, and credit cards, bank accounts, but it also has our tax information too.







 

Jake

Re: WTF is up with 2 tier verification these days?
« Reply #12 on: November 26, 2019, 04:21:50 AM »
The purpose of two-factor authentication is in case your account details get hacked over the internet, which is a lot easier than you might think. It has nothing to do with someone breaking into your house and stealing your computer or your phone. We don't need two-factor authentication for everything, though, that's when it gets annoying.
 

Bill Hiatt

Re: WTF is up with 2 tier verification these days?
« Reply #13 on: November 26, 2019, 07:07:19 AM »
I think people are more likely to be willing to accept two-factor authentication, at least for some things, when they've already suffered a breach or attack of some kind.

It's like having bars on your home windows. People generally don't want that. I certainly don't. However, I have observed that people who've been robbed are much more likely to be OK with them.


 

j tanner

Re: WTF is up with 2 tier verification these days?
« Reply #14 on: November 26, 2019, 08:27:02 AM »
Count me a fan of two factor authentication.

Send-to-kindle is a little draconian considering they already have device registration, but outside of that it's a security godsend.

Now I can use modestly unsafe (but highly convenient) password practices and depend on 2-factor authentication as a backup.
 

Edward M. Grant

Re: WTF is up with 2 tier verification these days?
« Reply #15 on: November 27, 2019, 04:29:36 AM »
Don't forget that, if hackers really want your account, they can duplicate a SIM and get your text messages.

Meanwhile, Amazon don't even check the CVV code when you add a credit card to your account, and let hackers use a stolen credit card to send orders to an address other than the billing address.
 

Bill Hiatt

Re: WTF is up with 2 tier verification these days?
« Reply #16 on: November 27, 2019, 04:49:31 AM »
> Don't forget that, if hackers really want your account, they can duplicate a SIM and get your text messages.
>
> Meanwhile, Amazon don't even check the CVV code when you add a credit card to your account, and let hackers use a stolen credit card to send orders to an address other than the billing address.

True up to a point, but there are some things to consider.

First, a hacker has to be able to fool your carrier or at least subvert someone who works there. Unless you're a really attractive target for some reason, a hacker is likely to go for the low-hanging fruit first.

Second, Google Analyticator doesn't rely on text messages and isn't vulnerable to the same kind of subversion. When possible, it's better to use that approach than SMS for that reason.

https://www.wired.com/story/sim-swap-attack-defend-phone/

Thieves can pick locks. Thieves can break windows (though that's less likely). That doesn't mean that you should leave your doors unlocked and your windows open when you leave home.


 

spin52

Re: WTF is up with 2 tier verification these days?
« Reply #17 on: November 28, 2019, 05:52:47 AM »
I'm another one who dislikes it, especially when you have to do it more than once. I have no cell phone coverage at my UK house, unless I go to the top of the garden and stand on tiptoe holding my phone as high as I can reach. Usually in the rain. Fortunately, Amazon has finally accepted that I might be me, although if I'm buying something from them, it's back to square one.

When I was in the US for five weeks earlier this year, I wanted to check my KDP account. I couldn't, because the only phone numbers it would accept to send codes to were my British ones. I phoned up to ask if I could add an American phone number to the account. Apparently not, unless I was willing to scan my driver's license or passport and send the details to Amazon. Yeah, right. Considering that I was located less than 10 miles from Amazon HQ, I was tempted to drive down and ask if they wanted to take my fingerprints as well.
However, apparently it was fine for me to access the account by way of a notebook I'd brought with me from the UK. So in one room of the house I was me, and in another room I was some stranger trying to hack my account. 
     


 

R H Auslander

Re: WTF is up with 2 tier verification these days?
« Reply #18 on: November 29, 2019, 04:09:44 AM »
Two tier authentication can be a pain, but it's relatively simple for me, and by the by only Zon does it to me and that depending on which proxy I'm using. If I'm on 'Soviet' proxy, no problem, just log in and go for it. If I'm on American proxy or no proxy, it's 'whoa there, fella, got to do this code sent thing'. As for passwords, I use simple number/letter combinations that literally come from various devices at hand, everything from my neighbor's antique Russian armored car to the number from my wife's hair dryer to the still remembered serial number of a '50's piece of farm equipment.

I also don't have an eyephone or any portable communication device beyond a cell phone that's stenciled "Property of Noah's Ark". No access codes are stored on any device, everything is written, not typed, hard copy. Neither of us in this household have credit cards but Her Excellency does have a debit card with a low minimum beyond which she must call the bank to verify and the bank wants a personal type of officialdom which is very hard to deduce in this AO. That account never has more than forty bucks in it anyhow, and it's insured, part of that particular bank's policy.

All that being said, there's two things you can not stop, a determined assassin and a determined thief. Since we are not worth the trouble to the best of my knowledge, it's doubtful either ilk would be interested in us or our accounts.
 

Tom Wood

Re: WTF is up with 2 tier verification these days?
« Reply #19 on: November 29, 2019, 04:48:03 AM »
I live for the day to be the target of a determined assassin.
 

R H Auslander

Re: WTF is up with 2 tier verification these days?
« Reply #20 on: November 30, 2019, 04:05:23 AM »
> I live for the day to be the target of a determined assassin.

You ticked that many folks off with your writings? Well done!