[HN Gopher] Playing with more user-friendly methods for multi-fa...
___________________________________________________________________
Playing with more user-friendly methods for multi-factor
authentication
Author : noleary
Score : 40 points
Date : 2025-07-28 22:04 UTC (1 days ago)
(HTM) web link (tesseral.com)
(TXT) w3m dump (tesseral.com)
| averageRoyalty wrote:
| Quite funny. Amusingly, the self-portrait method is effectively
| the signatures we considered acceptable for financial and legal
| transactions for many decades - make up a scribble and compare it
| to a scribble you did previously - if it's close enough and you
| _seem_ to be the guy, we're good.
| sunrunner wrote:
| > make up a scribble and compare it to a scribble you do
| previously
|
| I'll take "Lies that your parents told you about how the world
| works" for 500, Alex.
|
| Serious question though, I thought the whole signature thing
| was more of a legally binding thing for the signer asserting
| themselves as X, sort of like checking the "I'm over 18" box.
| Sort of a "Well we asked you the question, it's not our fault
| if you lied" type thing.
| j-bos wrote:
| I remember opening a bank account and having to sign a
| specific card that the bank would keep solely to verify my
| signature on checks.
| progbits wrote:
| I always do a random scribble. If I want to later deny
| signing something, good luck proving it's me; it won't match any
| of my other signatures. At least that's the theory. This is
| mostly a joke to me and I don't care if it works.
| boogieknite wrote:
| "lies that your American parents told you about how the world
| works"
|
| i went to Germany as an exchange student, scribbled out my
| random scribble for my travellers check, and they denied me
| because my signature wasn't close enough to their record.
| heard a similar story from a friend who visited Japan
| evantbyrne wrote:
| Signatures are the tip of the iceberg. Plenty of other forms
| of bs forensics live on in the legal system in some shape or
| form. e.g., fingerprint analysis, polygraphs, field sobriety
| tests, devices that literally do nothing, trainings on
| reading facial expressions, and so on. If you can take a two
| week course on it, then chances are there is some cop
| somewhere using it to detain people.
| FuriouslyAdrift wrote:
| A fingerprint-locked NFC Yubikey seems to be the preferred one with
| all ages at work. Everyone likes it as long as it is once per
| login to the computer (which basically means we have to use Edge
| for everything, which is fine).
|
| Everyone universally hates passkeys because they never work
| right.
| 1970-01-01 wrote:
| These are such terrible ideas that I expect someone already has
| one of them on github.
| seplox wrote:
| > When I tell people I work on authentication software, I nearly
| always hear some version of the same story: I hate multifactor
| authentication. No, really. People hate this stuff.
|
| I hate all of the half-cooked non-TOTP MFA methods that I'm
| forced to use. Just let me use my freaking authenticator app. If
| you believe that your users prefer (or maybe it's just you?) more
| databroker-friendly methods, then fine, but please at least
| provide TOTP as an option.
| cosmic_cheese wrote:
| I wish that banks would offer TOTP. SMS is famously insecure
| and poorly suited for something that's a load-bearing pillar in
| most of our lives, and TOTP is probably the most reasonable
| replacement. Unfortunately only a tiny handful of US banks
| offer non-SMS 2FA of any kind, and to my knowledge the one that
| does (Schwab I think?) requires the use of a hardware gadget
| even though it's standard TOTP (which people have written
| Python scripts to extract the necessary bits of info from).
| toomuchtodo wrote:
| Fidelity offers TOTP standard support, works with the native
| Apple Password app/keychain.
| hinkley wrote:
| To this day I'm just amazed that World of Warcraft tried to
| mandate security tokens in a time when E*Trade barely
| supported them.
|
| Why is a video game embarrassing fintech?
| abdullahkhalids wrote:
| World of Warcraft was supporting tens of thousands of poor
| teenagers in developing countries, who would farm high-value
| items in the game and then sell the account/items to
| rich people who didn't want to put in the hard work.
|
| There was (maybe still is) lots of money to be made by
| hacking accounts and selling them.
|
| WoW was fintech!
| riedel wrote:
| At least in Germany all the SMS 2FA has been shut off, but
| replaced with tons of custom 2FA apps. The security argument is
| certainly that they can check for 'insecure' devices. But I
| wonder what the empirical evidence here is and how often
| (compared to phishing/social engineering) a TOTP token was
| actually stolen. Worst thing is IMHO Microsoft, which seems
| to have also shut off the TOTP option and now uses some other
| proprietary 2FA scheme. IMHO banks should simply use FIDO2
| HW tokens, but with all that passkey bullshit it becomes
| unlikely...
| thcipriani wrote:
| Poker hands would be pretty cool for encoding things that you have
| to recognize quickly, e.g., key fingerprints. If there are 2.5M
| unique hands then encoding 256 bits of information requires
| 12(ish) poker hands.
| smokel wrote:
| One aspect I find puzzling is why most two-factor authentication
| (2FA) applications restrict authentication to only a single valid
| code at any given time. This constraint inevitably creates a
| window during which it is inconvenient or impractical to copy the
| code to another device. Allowing the previous code to remain
| briefly valid would eliminate this unnecessary delay, enhancing
| usability without significantly compromising security.
| brewdad wrote:
| Ente Auth displays the current code and the next code so you
| can choose whichever best meets the time remaining until the
| changeover. It's a nice usability feature.
| fredley wrote:
| FWIW 2FAS starts to show you the next code near the end of the
| window, this is very handy https://2fas.com/
| conradludgate wrote:
| Have you actually tried writing a code close to the expiry
| window? I've definitely submitted codes a few seconds after the
| expiry and had them still be accepted
| _Algernon_ wrote:
| Since TOTP codes are time-based and there is no guarantee that
| the time of the generating device and the verifying device are
| exactly identical, they usually allow some room for error.
| You'll probably be fine entering the code before or after, for
| example.
| zie wrote:
| See RFC-6238: https://www.rfc-editor.org/rfc/rfc6238
|
| This is all in the standard, most places have implemented one
| of the options. I've implemented all of the options at least
| once. It's configurable based on how lax/secure you want to be.
|
| Most places I've dealt with allow the previous and next code to
| also be used, so instead of a 30s window you actually have a
| 1.5m window.
| JamesSwift wrote:
| I believe every single 2FA system I've used accepts either the
| current code or the one directly prior.
| anteloper wrote:
| Why do we like entropy in auth factors?
| noleary wrote:
| Imagine two different password strength standards:
|
| 1. Just a 4 digit numeric PIN like `1981`
|
| 2. A 20 character upper/lower/numeric/special-character
| password like `qmd1tkf7mwa.PQB0qrz$`
|
| --
|
| The PIN has lower entropy and is therefore a lot easier to
| brute force.
|
| I haven't calculated this stuff myself -- I just used Wolfram
| Alpha -- but it looks like the PIN would take <1 second to
| brute force, while the 20 character password would take 7.6 *
| 10^25 years. [1] [2]
|
| --
|
| [1]
| https://www.wolframalpha.com/input?i=password+strength+qmd1t...
|
| [2] https://www.wolframalpha.com/input?i=password+strength+1981
| Liftyee wrote:
| Pedantry warning: I'm not convinced that some of these methods
| qualify as a second factor of authentication, based on the
| "something you know, something you have, something you are"
| model. They're both "something you know", right?
___________________________________________________________________
(page generated 2025-07-29 23:01 UTC)