Post AD9yy0cbG7xo3j9LdI by fatboy@fosstodon.org
       Post #AD9yoGpU8zNtQmX6rQ by brandon@fosstodon.org
       2021-11-07T14:13:44Z
       
       0 likes, 0 repeats
       
       You're clearly missing the point of infosec 101 when you put your fucking 2FA codes in your password manager. 🤦‍♂️ :blobcatfacepalm: :blobfoxfacepalm:
       
       Post #AD9yy0cbG7xo3j9LdI by fatboy@fosstodon.org
       2021-11-07T14:15:34Z
       
       0 likes, 0 repeats
       
       @brandon yes
       
       Post #AD9z2I1EWC7tAriGJs by brandon@fosstodon.org
       2021-11-07T14:16:20Z
       
       0 likes, 0 repeats
       
       ALSO, put a fucking password on your 2FA code manager!
       
       Post #AD9z5b5a4YPZBiK83c by brandon@fosstodon.org
       2021-11-07T14:16:57Z
       
       1 like, 0 repeats
       
       ALSO, put a password on your 2FA code manager! (If you can. If you can't, find a better manager)
       
       Post #AD9zRvoRheeDpdxV8S by jb@fosstodon.org
       2021-11-07T14:20:58Z
       
       0 likes, 0 repeats
       
       @brandon I've worked for companies where 2FA was required for corporate accounts. Yet they were reluctant to provide a device. Instead they suggested using a privately owned device like a smartphone. I think this practice is unacceptable. Luckily some password managers have TOTP functionality so...
       
       Post #ADA026Lc0nKovkie6C by brandon@fosstodon.org
       2021-11-07T14:27:24Z
       
       0 likes, 0 repeats
       
       @jb I agree, that's totally unacceptable. At my job they provide physical TOTP tokens for those who prefer to use a smartphone (personal or corporate). Though I think that the restrictions on whether it can be a personal device is going to change down the road. If someone is using an Android from 5 years ago, they're bound to be hacked and there goes everything, including the 2FA codes
       
       Post #ADA0TawkLzWfeNCMYS by brandon@fosstodon.org
       2021-11-07T14:32:29Z
       
       0 likes, 0 repeats
       
       @jb I agree, that's totally unacceptable. At my job they provide physical TOTP tokens for those who prefer not to use their personal smartphone for MFA. Though I think that the restrictions on whether it can be a personal device is going to change down the road. If someone is using an Android from 5 years ago, they're bound to be hacked and there goes everything, including the MFA codes
       
       Post #ADAGyK8CWMCrk5EMHg by deriver@fosstodon.org
       2021-11-07T17:37:17Z
       
       0 likes, 0 repeats
       
       @brandon @jb as long as the MFA service doesn't require proprietary apps (e.g. Authy, Microsoft Authenticator, Google Authenticator, etc.), then I don't think it's too bad. It would be nice if we were provided a PC application to handle 3rd party sites/services' MFA directly on the employer's device (although I guess you would still need to use a different device to help authenticate you onto the employer's device/network).
       
       Post #ADAJQDfSLVDxiEDO1g by efftoyz@fosstodon.org
       2021-11-07T18:04:44Z
       
       0 likes, 0 repeats
       
       @brandon yeah, keeping all eggs in a single bucket? Oh, actually I have 1 (!) 2FA code in my #bitwarden vault, for a game I don't care about, but they made the launcher so complicated that keeping that 2FA there is really helpful. And of course, Bitwarden's vault itself is locked with a long password and a YubiKey.