Re: [DNG] [OT] Twitch and 2FA (TOTP)
Bernard Rosset via Dng wrote:
> Something very important is implied there, and probably only a few will
> notice it: there is a requirement for a smartphone.

In general, it’s also possible to do 2FA using applications on a desktop. But, what I don’t like is the assumption prevalent behind a lot of this (my bank keeps trying to persuade me to use “their app”) that we’re happy carrying around the keys to our lives on something that is a) easily lost, b) easily stolen, c) liable to run out of power at inopportune moments, or d) can break/be broken.

b) is the worst case of course - because then the thief not only has your 2FA keys, but they also have access to your backup routes (e.g. SMS and email) as well. And for as long as it takes you to realise that it’s gone and be able to access the various services and change the access to them - which might not be easy if you are away from home and without access to your desktop or laptop.

Simon
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Twitch and 2FA (TOTP)
On Thu, 7 Oct 2021 11:31:16 +0200 Bernard Rosset via Dng wrote:
> Something very important is implied there, and probably only a few
> will notice it: there is a requirement for a smartphone.

I agree. I'm also getting text messages for 2FA for a lot of things, for some more security.. but I have no illusions.

I've been talking to youths as young as 13 who don't even have a computer.. they are able to do all their computery stuff using a phone. I can't comprehend this, and I recognize this as being the generation gap I've been waiting to experience.

God I hate phones, they have so much potential but turned out awful.
Re: [DNG] [OT] Twitch and 2FA (TOTP)
On 2021-10-07 04:32, Bernard Rosset via Dng wrote:
> As it is an object coming generations can't imagine living with, this
> message is/will be widely accepted without a thought.
>
> with -> without, of course.
>
> Bernard (Beer) Rosset
> https://rosset.net/

The only cell phone I own is without a sim card or account. I only have it so I am able to call 911 emergency services when I'm away from home.

As to cell phones that are so ubiquitous . . . think cattle > abattoir . . .

golinux
Re: [DNG] [OT] Twitch and 2FA (TOTP)
> As it is an object coming generations can't imagine living with, this
> message is/will be widely accepted without a thought.

with -> without, of course.

Bernard (Beer) Rosset
https://rosset.net/
Re: [DNG] [OT] Twitch and 2FA (TOTP)
> - Twitch only supplies a QR code
> - Twitch forces the use of Authy 2FA

Something very important is implied there, and probably only a few will notice it: there is a requirement for a smartphone.

Smartphones are notoriously known for:
- Being a closed/proprietary environment:
  * hardware
  * OS (unless jailbroken)
  * Application "stores"
- From the previous point, being an easy target for vulnerabilities
- Being incredible eavesdropping enablers
- Being incredible privacy intrusion enablers

At the same time, emails are discarded as being unsafe/unenough for 2FA... but isn't it because of *how* people/moral entities use emails (no DNSSEC, using external email providers - not mentioning GAFAM, cleartext)?

Are smartphones more secure than emails?
To people answering yes to the previous question: really?!

With the pretext of "security" slowly comes the force-fed ownership of smartphones.
As it is an object coming generations can't imagine living with, this message is/will be widely accepted without a thought.

This. This scares the shit outta me.

Bernard (Beer) Rosset
https://rosset.net/
[DNG] [OT] Twitch and 2FA (TOTP)
Sort-of related to the Twitch security concerns..

I keep separate passwords for every website, and looked into two-factor authentication, with a one-time code, using KeePassXC [1].

- Twitch only supplies a QR code
- KeePassXC cannot use a QR code
- I happen to have a phone and can use SecScanQR [2] to decipher it.
- Twitch forces the use of Authy 2FA
  https://help-twitch-tv.force.com/s/article/authy-faq

I started some beginner research into avoiding using Authy, and came upon:
https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93

A comment in that pointed me to:
https://web.archive.org/web/20190418055823id_/us.battle.net/forums/en/bnet/topic/20755608040

[1] https://keepassxc.org/
[2] https://github.com/Fr4gorSoftware/SecScanQR