My favourite stupidity is related to self-service password reset questions.
You know the type: "What's your favourite animal?", and other easily-guessed and easily obtained information hackers can use.
I always put in some gibberish by mashing the keyboard and make sure to record them somewhere safe just in case I need a password reset. I memorise my password and that should be fine, right?
Well, I was overseas with just my phone available to me, and one of the banking apps refused to let me use my valid password without also entering my password reset answers!
They misused, for access, the value I was only expecting to need for a reset.
I was totally locked out of my bank account with no recourse until I got back home and could look up the gibberish string used for the answers.
That drives me crazy, too: "Choose a password." I choose a very secure password. "Now, in case you (or anyone else) can't recall your password, choose one of the following three personal security questions that any reader of your blog will be able to answer."
I can create my own question in a way that a specific answer will immediately come to mind if I'm ever asked in the future, without any need to look anything up, and that cannot be answered by googling me. How about if you let me choose the question? "No, we are security experts who have given you three excellent options to choose from. Choose one."
A travel agent had ridiculous and unexplained rules for password composition, so after many, many tries I ended up very angry and with a password along the lines of "how about f* you idiots" (I use a password manager too). Later I wasn't able to log in, and the phone support told me it was because I used profanity in the password.
I treat all security questions as if they are just an additional password. I use a password manager and store a random string for each required security question.
Shouldn't, but it all depends on the training and awareness of the person on the phone. Instead of "random gibberish" the attacker could just say "random words", or, if they didn't know which strategy you used, "random stuff".
And the answers' probabilities are not equally distributed! For example, for the color of the house you grew up in, there are clearly common colors and rare colors. If they asked for the house number, it would have been better.
Using password reset questions as a second factor is pretty bad. It probably came from good intentions. Since you were logging in from an unusual location, the bank flagged the process for a higher level of security. I wonder if they could have used literally anything else to verify you. (My bank also lets me tell them when I'll be abroad, which would have helped with the issue.)
But it isn't as bad as those "identify which of these loans you might have used" to identify you or as bad as silently truncating a password on input (both of which I've seen). Still, pretty darn bad. Don't surprise your users!
Speaking of additional factors, I wrote up a piece about all the different kinds of factors[0] and when you might use them. But NIST has the canonical list[1] as far as I'm concerned (section 5).
> You know the type: "What's your favourite animal?", and other easily-guessed and easily obtained information hackers can use.
> I always put in some gibberish by mashing the keyboard and make sure to record them somewhere safe just in case I need a password reset. I memorise my password and that should be fine, right?
But then you have to trust that "somewhere safe" is actually as safe as you think it is.
One alternative is to use them like mnemonic code phrases. So perhaps your answer to "What's your favourite animal?" is not really an animal, but maybe Cthulhu, so as a (somewhat overkill but illustrative) example maybe the answer would be "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn"
>One alternative is to use them like mnemonic code phrases. So perhaps your answer to "What's your favourite animal?" is not really an animal, but maybe Cthulhu, so maybe the answer would be "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn"
I'd go further than that and use stuff like that for actual passwords, but with a twist.
Using that sort of thing for such questions is good, but take something you know well, like a song lyric or line from a poem and then change it subtly. For example:
Forty score and eleventy years ago, our
foremothers brought forth a new abomination.
Since you're the one making this stuff up, it's easy to remember, both for passwords and for those "secret" questions.
Those are pretty much endless in possibility too:
In the town where babby formed, there lived a
gal who mailed some trees.
Ask not what who has done it in your country.
Ask which Lulu can do it with you.
And on and on. The only real requirement is that you know whatever it is you're adapting well. Whether that be song lyrics, movie lines, poesy, etc.
I prefer song lyrics myself, since they're usually easier to remember, and when presented with the need to recall it as a password/"secret" question, the modifications made come right back.
I imagine that wouldn't work for everyone, but it works well for me, and would also work for others.
In linguistics, an eggcorn is an idiosyncratic substitution of a word or phrase for a word or words that sound similar or identical in the speaker's dialect. The new phrase introduces a meaning that is different from the original but plausible in the same context, such as "old-timers' disease" for "Alzheimer's disease".[1] An eggcorn can be described as an intra-lingual phono-semantic matching, a matching in which the intended word and substitute are from the same language. Together with other types of same-sounding phrases, eggcorns are sometimes also referred to as "oronyms".
In my experience this will inevitably be on a form field where pasting isn't allowed and you can't see what you are typing, and it will be case sensitive but not inform you of that. And you will get locked out on attempt 3.
Sigh. We're working to normalize better UX around account security at https://clerk.dev
It's a sordid affair, but we're making progress. We've reduced our average time to sign-in by about 20% since our launch 6 months ago. (There's nothing to say our starting point was very good, but we do think about this very consciously.)
If you're working to improve your sign-in flow, our biggest wins so far have been:
- OAuth buttons at the top, critically with Google included. OAuth is _way_ faster than passwords for most users, putting it at the top switched oauth usage from just below 50% to just over 50%. Those extra percent using oauth bring down the overall average speed.
- Eliminate OAuth "edge cases." Turns out, they're not edge cases at all. 15% of users will sign up with email/password then try OAuth next, or will sign up with OAuth then try email/password next. Make sure you have happy paths for these.
- Magic links instead of OTPs for passwordless auth. Overall, magic links are a few seconds faster than OTPs since there's no entry step. (That said, we're still investigating whether it's better to trigger OTPs on mobile devices because of the auto-fill capabilities)
- Integrate with password managers. Our sign-in flow is normally two screens, but if we detect a password manager we'll accept the password on the first screen. Password manager folks are already the fastest, but this makes them even faster.
This is just the first factor. Admittedly, our second factor is still lagging behind, but UX is getting better for 2FA with FaceID & TouchID. We're optimistic we can have a positive impact on the second factor, as well.
If you're interested in having a team obsess over this on your behalf, come check us out :)
How about you allow me to turn off the second factor if I have a password manager, because I'm way more concerned about losing my second factor and getting locked out of my account than someone somehow getting into my password manager.
Edit: Didn't answer the actual question - it's something we can look into. My instinct is that offering this wouldn't drastically change the security model, as long as we can be confident your password actually came from a secure password manager. Since some password managers (like 1password) are very strongly tied to devices, I think your ability to retrieve a password from it is a reasonable proxy for a possession factor.
It's definitely something I'd want to read more literature on before building. That's just my instinct, and I'm half expecting someone on HN to share the attack I'm forgetting :)
But doesn't this completely defeat the purpose of the codes, since they're no longer a second factor? I'd rather just not have the codes, as they're still a significant annoyance with next to zero benefit.
"Magic links instead of OTPs for passwordless auth. Overall, magic links are a few seconds faster than OTPs since there's no entry step."
I am willing to stipulate that magic links are better in this way.
That is, provided they are of reasonable length. Say, 32 characters or less beyond the domain name itself ?
You can't predict what device, or interface, or mail client one will receive these links on. You also can't predict how they will interface with the link (or resend or process it).
The 300+ character hash links I sometimes see are really lazy and clueless.
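The token-length point above can be made concrete. The following is an added example, not code from the commenter, from Clerk or from the article: a minimal magic-link issue/redeem flow in Python. It shows that 16 random bytes (128 bits) yield a 22-character URL-safe token, well under the 32-character budget suggested, and that the server only needs to store a hash of the token, enforce an expiry and make the link single-use. The in-memory store, the example.com URL and the 15-minute TTL are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import math
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: pending links live in a dict keyed by the SHA-256 of the token.
# A real service would use a database or cache; the shape is the same.
_pending: Dict[str, Tuple[str, float]] = {}

TOKEN_BYTES = 16                 # 128 bits of entropy per link
LINK_TTL_SECONDS = 15 * 60       # assumed 15-minute validity window


def token_chars_for_bits(bits: int) -> int:
    """URL-safe base64 length (padding stripped) for `bits` of entropy."""
    nbytes = math.ceil(bits / 8)
    return len(base64.urlsafe_b64encode(b"\x00" * nbytes).rstrip(b"="))


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_magic_link(email: str, base_url: str = "https://example.com/login",
                     now: Optional[float] = None) -> str:
    """Create a one-time login URL for `email` and remember its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # 22 chars for 16 bytes
    _pending[_hash_token(token)] = (email, now + LINK_TTL_SECONDS)
    return f"{base_url}?t={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email bound to `token`, or None if unknown, used or expired.

    The token is consumed on the first attempt either way, so a link cannot
    be retried after it has expired or been used once.
    """
    now = time.time() if now is None else now
    digest = _hash_token(token)
    # Compare against every stored hash with a constant-time comparison
    # instead of a dict lookup, so response timing does not leak matches.
    match = None
    for stored in list(_pending):
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        return None
    email, expires_at = _pending.pop(match)     # single use
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com")
    print(link)                                  # ~22-char token after "t="
    tok = link.split("t=", 1)[1]
    print(redeem_magic_link(tok))                # alice@example.com
    print(redeem_magic_link(tok))                # None (already used)
```

The length arithmetic is the useful part for the link-size argument: 128 bits is already more than a guessing attacker can brute-force through a rate-limited login endpoint, and it costs 22 characters; the multi-hundred-character links in the wild are carrying something other than entropy.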
> You might think there aren’t enough bells and whistles for us to teach you a new one every time you log on, but there are. And when there aren’t, we’ll switch to a new one.
> Update: It’s come to our attention that some of you don’t drive, which, honestly, just never occurred to us.
Worst I've seen by far for getting into a desktop banking website recently, it felt like a parody:
1. On desktop: Enter username and answer to a random memorable question like "your first pet" (password manager will probably fail to autofill this). You're then prompted for a "mobile security code".
2. On mobile app: Enter username + different password. Need to scroll, tap 7 items and then enter a password to get a mobile code you then have to type into the desktop app.
Getting the mobile security code logs you out of the mobile app and logging into the mobile app will log you out of the desktop app.
It's like they didn't do any user testing and think that more steps = better security.
Lots of UK banks also ask for random parts of your password only e.g. "enter the 2nd, 10th and 5th character from your password" which is super tedious to do correctly because you can't use muscle memory or autofill. This is to defeat key loggers? Isn't that what 2FA would do? You'd think banks would be clued up on this.
One time I signed up on a site with 'Sign in with Google'. Months later, I wanted to delete my account, but the deletion process required I enter my account's password, which obviously I was never prompted to set up. The site wouldn't let me do a 'Forgot password' to set a password, so the account was impossible to delete.
Yep, agree with that. UK banks don't usually advertise their log-in UX though so it's a pain being surprised by this and having to switch after going through the long sign up process (usually involves receiving letters by post and multiple sign-up steps over a week).
My bank insisted that I add a phone number to my account when I called them today. I declined and, when pressed, briefly explained SIM swapping and declined again. A glaring and obvious flaw in the integrity of using a phone number for ID verification was not even in the lexicon of this establishment that safeguards nothing less than all of my literal fucking money. They then went on to find that I actually did have a phone number on record, that it is authorized for identity verification, and also that I have never even heard of this phone number! I'm still dealing with it.
It's amazing to think that not just this but the entire mountain of bullshit could be avoided with simple passwords. It should be an option offered by every service for a user to deactivate all authorization methods besides one very strong password and perhaps a backup password. We should at least have the option.
Unfortunately people like you (and me), who actually have strong passwords, let alone who understand in any detail what constitutes a strong password, are a tiny minority. They have to design for the lowest common denominator.
And even those of us with strong passwords, and a strong understanding of cyber security, are vulnerable to phishing and other attacks, that can be defended against by using MFA.
Obviously MFA can be taken to ridiculous "ten factor" extremes. But sticking with, or going back to, just passwords, isn't the solution.
All of the comments so far are about security and UX, but I read this more as a parody of the ever increasing bloat of university administration and burdens placed on faculty that go beyond their core expertise (and some mild digs at wokeism)
After consulting with the TSA, they added an alternate 2FA process in which access is gated via displaying your University Precheck Card ($199/year) to the webcam, and verifying the subsequent link sent to your university email.
People who care about user experience hardly ever talk to people who care about security in large organizations. That's how we end up with experiences like this.
Ring (Amazon) made me call them to reset my two-factor app sync. They asked me to send a bill to the address of my home via my email as proof that this is really me and not just someone who has my password and access to my email. I asked what the point of this is if it's not really me but someone who has my password, has access to my email and can go log in to the utility company to get a copy of my bill after resetting my password there too? The agent literally said this is the script they have to say and they don't know...
This is how you come up with security suggestions like "Let's just email the user a one time password on every login" which gets suggested here perennially.
Plus, grandparents, the group notorious for their tech-skill.
I've just taken over all my elder family accounts for internet, TV, phone, etc. Much easier. And all the vendors treat me as HVC cause I'm paying for multiple services on their platforms.
Has anyone had any luck reasoning with the powers that be, to come up with reasonable security?
When the security department suggests another thing, to protest sounds like you want things be less safe simply because it's annoying. But some of things add only a little bit of security, or address a scenario that is highly unlikely, but you pay for it every day, day after day, with a dozen irritations that peck at you.
Security is a continuum. I could always imagine something more to add: "Lock the screen after 10 minutes? Why not 5? Why not 2?" So the security team seems to have their way until the users are almost driven crazy but not quite.
I think the UK uses AWS QLDB to issue vehicle ownership. I don’t know if VINs are recognized globally, but I really appreciate that non-repudiation use of the blockchain.
Almost all the comments here pertain to the 10-factor authentication mechanism in the title of the article, but the article really is a criticism of the current education system.
It's both. Administration/bureaucracy is behind both. University or megacorp, they both overcomplicate things. They overextended because there's no real pressure pushing against that extension.
Sure, good intentions are pushing for doing more: more inclusivity, more security, more assessment, more reports, more measurability (to get more fairness), etc.
And since it's hard to start a competing university or ISP or telco or TSA (!), there's not even the usual push from the market to be resource efficient.
> While the system verifies that your definition is sufficiently accurate, please report to campus police, where you’ll undergo a very brief body cavity search. For security reasons, we cannot tell you what we’re looking for. This is about digital safety.
This was a fantastic read. Kudos to whoever put it together.
the problem with mcsweeneys is that it's a humor publication that fails at humor. it's like those sitcoms from the 80s where they had to add laugh tracks because no one actually laughed while watching them. at best it's something for young adults to forward around to try and look sophisticated, but like those young adults, it misses the point entirely by trying much too hard.
There aren't very many things that someone can say that are universally wrong, but "I don't think this is funny and therefore it is failed humor" is probably pretty close
Ten is a nice round number. Now if it was 11, a nice prime number, well then, that would have been nerdy pretentious. Good job at finding the sweet spot.
> It is written left to right, and uses subscripts, superscripts and diacritics. Each sign is written in this order: handshape, orientation, location, actions.
A sign of the times. Seems like our non-technical brethren find 2FA/MFA a burden?
McSweeneys’ satire and parodies are rarely in good jest in my experience. This is a criticism of the move towards 2FA/MFA make no doubt about it. The writer, and the editors who let this through, are not happy about this state of affairs.
McSweeney’s isn’t a no-name blog or journal either — its name holds sway over those who work in literary arts.
I'm one of your technical brethren, and non-technical people aren't the only ones who think 2FA is a pain.
Don't get me wrong, the security benefits are worth it. But having to pull out my phone multiple times a day to enter a code from an authenticator app? Dude, my phone communicates with my laptop throughout the day. Why does this need me in the mix?
Digital OTP, like the kind provided by 1Password or Bitwarden, are a little more convenient. And having Google Voice means I can easily copy codes sent via text straight from my laptop.
But it's something I'd rather not even have to pay attention to. I don't need to manually enter a code to get HTTPS.
Mind that 2FA replaced TANs, which are literally the most secure thing (one-time pads). 2FA is not about security, but about ease of administration.
(As a side effect, 2FA usually puts all the eggs in a single basket and forces you to carry that basket around with you, everywhere you go. Mind that this basket isn't even the basket itself, but one of many ways to access an account connected to another ID, but still the only one accessible to you.)
I remember a DevOps engineer at my last job telling me about a "cheat code" where we could type 'push' into the VPN 2FA prompt to have it pushed as a notification to the enrolled device. I've been typing the same command into every 2FA prompt I encounter since then with no luck. I wish that was a standard convention.
1. username and password for website
2. token sent to email
3. login for email (auto logged out)
4. email 2fa that requires SMS 2FA or Google auth, stored on phone
5. pincode / face for phone
RSA soft tokens require a PIN. Some versions it's appended to the code, some you enter it to get the code (both exist in my organization). So that's like three more factors right there.
Nah. I currently work for NYU and find their 2FA system pointlessly burdensome. I need to type my password (in practice, unlock my password manager) and then procure my second factor every day, on every device I use. Inevitably any mobile app I need to interact with requires doing all of this again, except this time inside a custom webview that doesn't remember cookies. I have never worked for a tech company that made things this annoying, and I can't fathom how bad it must be for anyone who needs to use e.g. a screen reader.
Hold the condescension. I wouldn't be surprised if the author is from the place where the following definitely literally happened:
At first, there was 2FA where you could either
1. Download the proprietary app OR
2. Get texted the code.
(i.e. no "do-it-yourself" e.g. Google Authenticator option.)
This means you must have a cell phone of nearly any kind. Mostly reasonable.
Turns out; option 2 cost somebody like half a cent every time it was used and also was far more popular than anticipated.
So they just got rid of 2. That's all, no mitigation.
And now you've DRASTICALLY increased the tech requirements for a major public school; I know of IT instructors in the place who did not actually regularly use a phone "fancy" or new enough to handle the official app.
I don't think there's quite as much malice as you seem to read into it. Yeah, 2FA is kind of annoying, particularly when you don't have a real concrete understanding of the reasons why it's important.
It's a funny frame device to float a couple different satirical ideas. I'm sure faculty members – and most people – understand that 2FA is a necessary minor annoyance.
» I don't think there's quite as much malice as you seem to read into it.
Requiring signing into my Microsoft account (with two step authentication code) every twenty four hours on a company laptop you control is obnoxious. You should educate and empower your employees, not treat them as the weak link in your armor.
It’s naive to not treat them like the weak link though, because they really are. No amount of education (that is routinely ignored) is enough to actually change that.
Routinely ignored implies that it's a deliberate action on the part of an employee. I don't think that's the case. The yearly security training gets treated just like the airplane safety briefing. Folks pay attention the first couple of times they encounter it, but when they realize they'll never be in a situation then it gets classified as 'could be useful, but will probably never need.'
The yearly security training is probably just a compliance checkbox companies do. If they wanted an educated workforce that practices security first there are other far more effective approaches.
Of course, that all ignores the fact that employees are weak links not because they are dumb, but because they don't have an incentive to protect the company when they or their families are put in danger by a threat actor.
The two factor where I work, Google, uses security keys for the second factor. I think offering these as an alternative to the email/SMS codes would be nice, tapping a little USB nub isn’t nearly as annoying as grabbing a code from another webpage or device.
Not to mention the pain when said factor is lost. I just replaced a broken phone, and having to login in everywhere that previously required an Authenticator has not been fun.