[HN Gopher] Tell HN: Somebody implemented something I wrote a bl...
___________________________________________________________________
Tell HN: Somebody implemented something I wrote a blog about
So a while ago I wrote about how 2FA was missing a key feature:
https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...
Having not had any feedback on it in a while and the idea not
taking off, today somebody messaged me to say that they had
implemented it in their product. 1. Obviously I think this is great
and more secure. 2. Tell people about things you do that they played
a part in - it might just make their day.
Author : rexfuzzle
Score : 566 points
Date : 2022-09-20 13:22 UTC (9 hours ago)
| sagebird wrote:
| Also, if someone logs in with correct username and password and
| -does not- attempt to try the 2FA, I also want to know about it.
| kevincox wrote:
| Yeah, it should basically be a timeout. If within a few minutes
| of entering the correct password a correct second factor is not
| provided then it should notify the user.
|
| I think you can probably skip notifying on a single failed OTP
| code to avoid spamming the user when they make a typo (or are a
| bit too slow for TOTP) but if you were very paranoid you could
| also send in this situation.
| mikessoft_gmail wrote:
| I don't know of anyone who does 2FA this way.
| nishnik wrote:
| Five years back, YouTube didn't have the feature to queue your
| videos on the fly. You could have created a playlist, but then it
| is the same sequence of songs every time. So I hacked a chrome
| extension to add/remove songs to a dynamic queue saved on your
| LocalStorage[1]. Later, YouTube added the queue feature.
| Sometimes I go on long hikes and think that it wasn't merely a
| coincidence. :)
|
| [1]: https://github.com/nishnik/Play_Next
| Kalanos wrote:
| Normies: what the heck he stole your idea :angry:
| NKosmatos wrote:
| Bravo!!! Such a simple (and more secure) change to the way 2FA
| works. This should be the standard and also mandatory in many
| similar cases. Good for you and for sharing this improvement,
| that's the mentality all of us should have. Reminds me of how
| Volvo shared the 3 point safety belt patent with everyone else so
| as to make all cars safer, instead of keeping it to themselves in
| order to profit [
| https://www.forbes.com/sites/douglasbell/2019/08/13/60-years...
| ].
| jimmydddd wrote:
| Re: Volvo's good deed -- In contrast, Edward Land (the Polaroid
| camera guy) came up with a system for polarizing car headlights
| and windshields to lessen glare from oncoming headlights in
| 1948. Apparently, none of the car manufacturers implemented it
| because there was nothing to gain financially from such a
| safety feature. https://www.polarization.com/land/land.html
| tra3 wrote:
| That's awesome. I was expecting a lament on how an amazing
| startup idea was stolen and monetized by someone else. Glad I'm
| wrong and the world is a little bit better.
| qorrect wrote:
| Hey me too, a little sunshine this morning :).
| NiagaraThistle wrote:
| Same here. Came to say the same and to explain how I publicly
| share all my 'great' ideas even though so many friends
| think I'm nuts in case someone 'steals it' and makes a
| successful startup from my idea. My answer: "Great for them. At
| least they had the determination and focus to follow through
| with bringing the idea to fruition when I couldn't."
| dspillett wrote:
| Same. I'll often share relevant ideas in comments here and
| elsewhere in the hope that I inspire someone to go implement
| something I might like but will never find the
| time+organisation to get around to creating!
| dhosek wrote:
| People tend to overvalue ideas. I see this all the time in
| writing where people are worried someone will steal their
| great idea for a story. The truth of the matter is that it's
| unlikely that you've come up with something truly new and in
| any event, ideas tend to breed and multiply. I will never
| write all the stories and novels that I have jotted down in
| my notebook before I die and there are more every day.
| qorrect wrote:
| On that note though, is there a way to protect your story
| if you want to pitch it to a publisher, or anywhere else ?
| Like a registry for story ideas ?
| Gene_Parmesan wrote:
| There's no IP protection for ideas for stories.
| Regardless, almost no fiction shop is going to agree to
| print a book on spec, just off a story pitch. Write the
| book first. Then you already have protection, in the form
| of copyright (which is automatic and doesn't require
| registration).
| aardvark179 wrote:
| Not really, and it's not a problem. Ideas for stories are
| abundant, the ability to turn them into finished books or
| scripts is much rarer.
| ncmncm wrote:
| If an idea is any good, you generally have to fight tooth
| and nail to get anybody to listen to it, and put in a
| hundred times that to get anybody to understand it, and
| that again to act on it.
|
| If you don't directly control how that happens they will
| implement it fundamentally wrongly.
|
| But after it is finally implemented more or less correctly,
| everyone will agree that the idea was trivial and obvious,
| and they had already thought of it themselves, in _exactly_
| the form where they first encountered it, even if that is
| actually not quite right.
| thombat wrote:
| Victory has a hundred fathers, but defeat is an orphan.
| tinmandespot wrote:
| Exact same sentiment :)
| joshmanders wrote:
| Honestly I'm shocked reading this. I _NEVER_ considered that
| scenario. Now I will be doing this in all my apps. Thank you!
| theappanalyst wrote:
| I enjoyed when a French hacker used information from my blog to
| set off all the alarms of Bird scooters in Lyon France for an
| evening.
|
| I had written about (what I considered as) a vulnerability that
| allowed remote triggering of Bird Scooter alarms (Bird disagreed
| of course) on my blog [1]. I then saw this github repo linked in
| the comments for setting off alarms of Bird scooters [2] and
| reached out to the author.
|
| The author let me know that they had used the info in my blog to
| script a tool for setting off Bird Scooters en masse. They then
| targeted the script at all the scooters in Lyon and subsequently
| fell asleep. When they woke up they noticed the endpoint was
| disabled... Bird had taken the action to disable the API endpoint
| in response of course.
|
| Probably would've been easier to fix before someone scripted it
| out but it made for a fun story.
|
| [1] https://theappanalyst.com/bird.html
| [2] https://github.com/pcouy/bird-whisperer
| wallfacer wrote:
| If any Spotify devs are here, please let me explore and add
| songs, artists and albums to my library without "hearting" it.
|
| I often just want to follow up later by "adding to my library,"
| and it feels weird to "LOVE" it before ever hearing it. I really
| feel pain when I hear something terrible that I've already
| "liked" and consider the impacts to my algorithm.
|
| Please distinguish between "like" and "save."
|
| A simple "plus sign" or really any other symbol that signifies
| "adding to a collection" without "liking" connotations (stars are
| out too).
| iscrewyou wrote:
| I like how Instagram has solved this. You can like a post but
| you can also save it for later viewing or showing to someone
| else.
|
| Spotify should totally have a save to library function but also
| a heart function that trains their personalized mixes for me.
| I've just stopped looking at my library for my music catalog.
| Every album I like goes into a "favorite albums" folder. It
| shouldn't have to be this way.
| spiderice wrote:
| I'm confused. I thought I missed something in the article. Why
| are we talking about Spotify in this thread? I'm all for your
| suggestions, I'm just confused how we got here. Haha. What did
| I miss?
| posix86 wrote:
| What's wrong with a playlist: Saved for later?
| qwertygnu wrote:
| I think their idea is that you don't have/shouldn't want a
| personal library because everything on Spotify is your library.
| scetron wrote:
| Oof! They used to have this for Songs, then they removed the
| feature, and I lost the major way I used Spotify. I used it to
| make sure I could listen to music offline while traveling and
| it was an infuriating few flights before I could download
| everything again.
| omar12 wrote:
| If there is a feature I want to see on Spotify, it is an easier
| way to see my friends' playlists.
| jimmygrapes wrote:
| I'd be happy with just being able to consistently access my
| own playlists and currently playing queue on Android. I swear
| it's a coin flip whether the button appears or not.
| why-el wrote:
| Now that you opened this forum for Spotify feedback: If I do
| "like/heart" a few songs and then go to the Radio based on one
| of them, please don't show the songs I already liked in that
| Radio. I mean, I already "liked/saved" them, why are they
| appearing in my discovery phase?
| a_t48 wrote:
| Disagree on that - Radio is not just for discovery but also
| for easy random playlist creation.
| gmueckl wrote:
| I'd like to have a different tiny change in the "Song Radio"
| feature: if you start playing that playlist, skip the song
| it's based on if it was recently played or is currently
| playing. It's mildly annoying when you switch to that feature
| after stumbling across an interesting track and the first
| thing you hear is the same track again.
| posix86 wrote:
| That's one of their best features!! I'm using discovery bcs I
| want to listen to tracks similar to the one I use as a basis.
| If they mix some of my liked tracks in there that are similar
| too (which they usually are), that makes it even more
| enjoyable. Idk about you, but I use Spotify to listen to good
| music.
| Stupulous wrote:
| While we have Spotify's ear: why is the default behavior to
| clear my queue if I play another song? It's especially an issue
| on mobile, where viewing a playlist or album means that an
| errant tap almost anywhere on the screen undoes all of my
| queueing so far. Just a toast with an 'Undo' button whenever
| the queue is erased would be plenty.
| mhink wrote:
| This kinda sounds like a use case for a playlist to me.
| unsafecast wrote:
| Another thing that bothers me, in Spotify and pretty much
| everything else: you can't add playlists to other playlists.
| Like union directories. The most important thing is that it's a
| link, so every list updates whenever I update the included one.
|
| If there's a program with this type of functionality, lmk.
| motoxpro wrote:
| I don't really understand how that is useful, but if you need
| to do it manually you can just shift-click all the songs and
| add them all to a playlist on the desktop app.
| unsafecast wrote:
| Yeah, I get why it wouldn't be. I just have a peculiar way
| to organize my music.
|
| I know I can do that, it just doesn't sync when I change
| another list, which breaks everything.
| cantsingh wrote:
| You can use the Spotify Smart Playlists feature to do
| this. I used to do something similar before giving up.
| It's clunky, but it works. You basically set it to pull
| all new songs from the feeder playlists into the
| accumulation playlists, every night.
| motoxpro wrote:
| Valid. One way around it would be to create a "Follow Up" or
| "In The Queue" playlist that you add it to. Obviously not as
| easy as just a + button though.
| guidopallemans wrote:
| You can swipe songs to the side to add them as next up.
| jaxn wrote:
| I emailed Tim O'Reilly in ~2001 and suggested they release PDF
| versions of their "Pocket Guide" reference books. I wanted to be
| able to have all of my pocket guides on my Sharp Zaurus (Linux
| handheld with keyboard, color screen, and Wi-Fi).
|
| He went for it and offered me PDF copies of every Pocket Guide as
| a thank you.
| forrestthewoods wrote:
| > Tell people about things you do that they played a part in - it
| might just make their day.
|
| Agree so much! I've met numerous people, often co-workers, who
| say "oh I know you I used your blog post". Wish they'd have shot
| me a quick email! It's always a nice surprise when someone
| reaches out to say thanks.
| canjobear wrote:
| The main feature that 2FA needs is non-existence.
| CobrastanJorji wrote:
| If you have better options, I'm all ears.
| alittlecringe wrote:
| spuz wrote:
| OWASP actually includes this suggestion in their guidance for
| implementing MFA:
|
| https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...
|
| > When a user enters their password, but fails to authenticate
| using a second factor...:
|
| > ...
|
| > Notify the user of the failed login attempt, and encourage them
| to change their password if they don't recognize it.
|
| > The notification should include the time, browser and
| geographic location of the login attempt.
|
| > This should be displayed next time they login, and optionally
| emailed to them as well
| effnorwood wrote:
| _dain_ wrote:
| A few months ago I had a ghastly time trying to take a bike along
| with me for a multi-stage train journey across the UK. Trainline
| is good about abstracting away the (pointless) differences
| between the train operating companies -- it's just a single
| interface and you never have to know which company operates which
| section of the route. But this abstractions breaks the minute you
| want to bring a bike on board -- you need to contact each company
| separately, and each one has its own bespoke and annoying way of
| doing it. Some by phone, some by email, some through their
| website (that you need an account for), some by social media(!).
| So I emailed Trainline's customer support saying how lovely it
| would be, if bike reservations were as seamless as people
| reservations, and to pass along the idea to their dev team.
|
| Lo and behold, while booking a journey the other day I noticed a
| new option for bike reservations on the route planner interface,
| that I'd never seen before. I haven't had opportunity to use it
| yet, but I hope it works well, and I'd like to think that it was
| my email that tipped the scales into it getting implemented (Lord
| knows I can't have been the first to ask for it).
| weaksauce wrote:
| great stuff rexfuzzle! that is indeed something that should be
| part of the standard security of apps nowadays. it costs
| surprisingly little to clone a phone number and get those 2fa
| requests on a new phone so any heads up would be great to know.
| posix86 wrote:
| I asked Notion to implement inline LaTeX, bcs it's the last thing
| missing for me to use Notion during math lectures. They did so a
| couple weeks later, even told me I was part of the reason they
| did!
| Aethylia wrote:
| Congratulations! Really good to hear, and definitely a nudge to
| me to let people know when their blog was useful.
| makz wrote:
| I once sent Apple feedback about how activity monitor was missing
| some metric, I don't remember what it was. Never heard back from
| them but in the next OS X release it was there.
| gjvc wrote:
| that'll teach you
| redsummer wrote:
| teekert wrote:
| Some 10 years ago I pointed out the lack of SSL or STARTTLS on my
| mail provider's SMTP servers. This was the Netherlands' biggest
| provider, TransIP. They said it was an interesting observation that
| they were going to discuss; some months later I got a big
| announcement over email about their new secure email platform.
| Yes, it was all the same, but now with SSL.
| avg_dev wrote:
| This is a heartwarming post and I enjoyed all of the comments.
|
| As an aside I would recommend using U2F over OTP. This article
| explains some of the benefits:
| https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/
| wannabebarista wrote:
| I had a similar experience and it certainly made my day! I wrote
| some code to parse nested JSON and fill a hole in a tutorial.
| Here's my relevant post:
| https://bcmullins.github.io/parsing-json-python/.
|
| Here's the plug for the project using my code:
| https://github.com/sinnfeinn/microweather.
| hanoz wrote:
| Cool, well done. Hope the idea gets picked up by a few more
| developers here.
|
| If you don't mind I'm just pasting the URL into a comment to
| make it a link:
|
| https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...
| kevincox wrote:
| The comment is a link in the HTML I am served. However there is
| no underline which is confusing.
| hanoz wrote:
| I could be wrong, but I'm _fairly_ sure that wasn't the case
| originally.
| kevincox wrote:
| Must be a new feature :)
| mncharity wrote:
| AFAIR, a 1980's MIT AI Lab "how to do research" memo, suggested
| as one way to build things: describe what you'd like to build,
| and maybe someone else will be inspired to do it, long before
| you'd have gotten around to it.
| flippinbits wrote:
| Actually, PSD2 SCA (Strong Customer Authentication) talks about
| requiring 2 different elements (out of knowledge, possession,
| inference) for authentication, while also requiring that
| information on which one was wrong when authentication failed, to
| not be disclosed. This directive needs to be implemented by all
| payment processors in EU (I am not an expert on this).
|
| We have implemented such a system at a company I worked at, where
| we also took into account the credential stuffing aspect as you
| talk about it. It is quite challenging to ensure no information
| leaks (in content and in other request parameters, including
| response times) when users transition from the partially
| (un)authenticated state (username + password) towards 2FA. I have
| to say that security aspect is noticeable in a significant drop
| in credential stuffing attacks volume, but usability wise I see
| why this is not a popular approach :). I personally hate it,
| especially when 2FA that is used is TOTP.
| frakkingcylons wrote:
| Yes! That's such a nice feeling.
|
| One of my GitHub projects was used in a demo at Google Cloud Next
| a while ago. The presenter was considerate enough to attribute
| the project to me by name during the demo and even sent me an
| issue just letting me know about it. That was so nice! Absolutely
| people should do this.
| zoomablemind wrote:
| It's a nice courtesy from the product authors/implementors. Not
| only is it polite, it also acknowledges your contribution to the
| idea, though I'm not sure to what extent it does so formally.
|
| All in all it is a great feeling to see your idea getting a
| concrete life. In a way, reporting an issue and a possible
| improvement to any product you care about is an essence of
| collaboration. Open source further helps to contribute by
| augmenting such effort with a skill to implement it.
| ezekg wrote:
| Related: I think it's surprising how many services leak whether
| or not a password is correct. E.g. bad password => error, good
| password => 2FA prompt.
|
| You should verify a user's second factor before password.
| jve wrote:
| > leak whether or not a password is correct
|
| Errm, could you elaborate what is the issue here?
| idkyall wrote:
| If you input a username and wrong password, in some cases,
| the service won't prompt you for your 2FA code.
|
| If you input the right username and password, it will then go
| forward in the flow and prompt you for the 2FA.
|
| I believe parent comment is suggesting the system should
| prompt for 2FA even if the password was incorrect, so that
| you can't infer whether you guessed the correct password
| without also compromising the 2FA method.
|
| This only matters if you re-use passwords, though.
| thewebcount wrote:
| Well, doesn't it also matter if the 2FA method sucks? For
| example, maybe you can use a SIM swap to get the one-time
| code, but if you don't have the password, too, then that
| doesn't help you. In the above scenario, they can figure
| out whether they have the password or not, and once they
| do, then use a SIM swap to get the second factor (or
| whatever), and then they're in. If the login never tells
| them which factor is bad, it's a bit harder, right?
| [deleted]
| ezekg wrote:
| tl;dr: The code should verify the user's second factor before
| the user's password.
|
| Consider this, scenario A:
|
| 1. When attacker enters a username and bad password, then
| they receive a bad password error.
|
| 2. When attacker enters a username and good password, then
| they receive a 2FA prompt.
|
| And then scenario B:
|
| 1. When attacker enters a username and bad password, then
| they receive a 2FA prompt.
|
| 2. When attacker enters a username and good password, then
| they receive a 2FA prompt.
|
| In scenario A, the website leaks password validity to the
| attacker. In the case of a brute force attack, the attacker
| can use the 2FA prompt as a signal that they found a good
| password. Scenario B does not leak that information, because
| the second factor was wrong or missing.
|
| More concretely, this pseudo-code:
|   if user.authenticate_with_password(password)
|     if user.authenticate_with_second_factor(code)
|       # ...
|     else
|       raise InvalidSecondFactorError
|     end
|   else
|     raise InvalidPasswordError
|   end
|
| Should instead be this pseudo-code:
|   if user.authenticate_with_second_factor(code)
|     if user.authenticate_with_password(password)
|       # ...
|     else
|       raise InvalidPasswordError
|     end
|   else
|     raise InvalidSecondFactorError
|   end
|
| Hope that makes sense. :)
| ridgered4 wrote:
| It sounds good for stopping attackers, but if I am the real
| user and enter a bad password it is going to be pretty
| infuriating spending time troubleshooting the 2FA not
| working problem that doesn't actually exist. I suspect your
| service will get a reputation for completely unreliable 2FA
| which may have unintended consequences.
| codegeek wrote:
| This can be solved with an error message at the end with
| something like "You either provided an incorrect password
| or your 2FA code is incorrect. Check and try again". This
| still ensures that someone is not able to guess the
| correct password and reuse it somewhere else where 2FA
| may not be enabled.
| Eleison23 wrote:
| But which 2FA prompt should they receive?
|
| If MFA can be configured using myriad choices, should a
| user be prompted to "Insert security key" or "Input
| security code" or "Send code to your email/SMS" or "Tap YES
| on your mobile device"?
|
| Since you can't know a priori what the second factor will
| look like, I'd say it's troublesome to try and present a
| challenge to every user regardless of their MFA
| configuration.
| ezekg wrote:
| In my pseudo-code example, we're raising a couple errors,
| InvalidSecondFactorError and InvalidPasswordError. You
| could imagine there could be finer grained errors, such
| as TotpRequiredError or HardwareKeyRequiredError,
| depending on the user's second factors, which could then
| propagate down to the UI via specific error codes.
|
| The UI could then use these error codes to display the
| correct prompt, and then resend the request with the
| appropriate second factor.
| nick__m wrote:
| You would have to randomize the error when the wrong
| password is input and ensure that for a particular
| username the returned error is invariant. Else an
| attacker could infer that when you get a different error
| you have a correct password.
| ezekg wrote:
| The bad password error would only be sent if the second
| factor is valid, though.
| BeefWellington wrote:
| Note that this is not universal to all systems.
|
| If your 2FA options all require the user to enter a code,
| you can simply display a "Please enter your 2FA code"
| dialog without divulging what kind of 2FA the user has.
| dalmo3 wrote:
| How would you prevent someone from spamming a user just
| by knowing their username? Say, if the 2FA is done by
| SMS, or email.
|
| An attacker brute-forcing the password could flood the
| user with multiple messages. The usual response is doing
| a password reset, but that wouldn't work in your system.
|
| I wonder how systems that use magic links handle this.
| ezekg wrote:
| Your authentication system should have per-user and per-
| IP rate limits.
| weaksauce wrote:
| > You should verify a user's second factor before password.
|
| the cost of sending those 2fa texts is not zero and also the
| idea of them is that they are ephemeral so them being tied to
| the successful entering of username and password and limited in
| time is a feature... not a bug.
| kevincox wrote:
| This is technically superior for things like TOTP but falls
| apart if not all users use TOTP.
|
| 1. Users who aren't using 2FA have a confusing box to leave
| empty.
|
| 2. SMS, Email and similar OTP codes should only be sent after
| the password is verified.
|
| 3. U2F requires the site to share which devices are registered
| which can only be done after the password is verified.
|
| You may be able to make it work UX-wise if you separate
| username from auth information (such as a lot of sites do to
| support SSO auth). But even then it isn't clear to me if you
| should be leaking information about their 2FA configuration
| (especially their U2F device) list without a password.
| ezekg wrote:
| Your login form doesn't need to display an empty second
| factor input. Your server can send back a specific error code
| on first login attempt that can be used by the UI to prompt
| for the user's second factor, whatever that may be (or even
| give a choice, in the case of multiple second factor types).
|
| For example, given this /login request to our server:
|
|   POST /login
|   Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=
|
| Depending on the user's second factor, the server could send
| back a response like this:
|
|   { "error": { "code": "TOTP_REQUIRED" } }
|
| Then, depending on the error code, our UI could prompt for
| the second factor and we could send a new /login request:
|
|   POST /login
|   Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=
|
|   { "totp": "123456" }
|
| This flow can work for any type of second factor, not just
| TOTP. It also works for good and bad passwords, and doesn't
| leak any information (well, other than the fact the user
| exists, but that road introduces a lot of other UX issues.)
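ezekg's two comments above (scenario A versus scenario B, and the /login flow that answers with TOTP_REQUIRED) and flippinbits' remark earlier in the thread about response-time leaks when a user moves from the password step to 2FA describe the same handler from different angles. The block below is an added example written for this page; it is not ezekg's code and not any product's. It answers a request that carries no second factor with the error code the UI needs, then evaluates the second factor before the password and reports a bad password only once the second factor is valid. It goes slightly beyond the comments in two ways, both flagged in the code: it always evaluates both factors, and it routes unknown usernames through a dummy record, so for a client that lacks the second factor neither timing nor the error code distinguishes a wrong password, a wrong code or a non-existent account. The account (the foo@bar.example:baz pair from his Basic header), salt, TOTP secret and timestamps are constructed; the function and constant names are assumptions.

```ruby
# Added example (not ezekg's code, and not from any product in the thread): a
# /login handler that evaluates the second factor before the password, answers
# with the error codes from his example, and, going one step further than the
# thread, runs unknown usernames through a dummy record. Account data,
# secrets and timestamps below are constructed for the example.
require 'openssl'
require 'json'

# RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits by default).
def totp_code(secret, unix_time, step: 30, digits: 6)
  counter = [unix_time / step].pack('Q>') # 8-byte big-endian counter
  hmac = OpenSSL::HMAC.digest('SHA1', secret, counter)
  offset = hmac[-1].ord & 0x0f # dynamic truncation
  value = hmac[offset, 4].unpack1('N') & 0x7fffffff
  format("%0#{digits}d", value % (10**digits))
end

def password_hash(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 20_000, length: 32, hash: 'sha256')
end

# Byte-wise comparison whose running time does not depend on where the inputs
# differ (a length mismatch still returns early; every value compared here has
# a fixed length).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed account: the username/password pair from the thread's Basic
# header example, with a made-up TOTP secret.
USERS = {
  'foo@bar.example' => {
    salt: 'constructed-salt'.b,
    password_hash: password_hash('baz', 'constructed-salt'.b),
    totp_secret: 'constructed-totp-secret'.b
  }
}.freeze

# Used for usernames that do not exist: a random hash and secret that no input
# can match, so the code path and its timing look the same as for a real user.
DUMMY_USER = {
  salt: OpenSSL::Random.random_bytes(16),
  password_hash: OpenSSL::Random.random_bytes(32),
  totp_secret: OpenSSL::Random.random_bytes(20)
}.freeze

# Returns the response body for one /login request as a Hash.
def login(username, password, totp: nil, now: Time.now.to_i)
  user = USERS.fetch(username, DUMMY_USER)

  # First request carries no second factor: tell the UI which prompt to show.
  # The password is not examined at this point.
  return { error: { code: 'TOTP_REQUIRED' } } if totp.nil?

  # Both factors are always evaluated, so neither the error code nor the
  # response time reveals whether the password alone was right. The current
  # and the previous step are accepted to tolerate small clock skew.
  candidates = [now, now - 30].map { |t| totp_code(user[:totp_secret], t) }
  factor_ok = candidates.map { |c| constant_time_equal?(c, totp.to_s) }.include?(true)
  password_ok = constant_time_equal?(password_hash(password, user[:salt]), user[:password_hash])

  # Second factor is judged first; a bad password is only ever reported to a
  # client that already holds a valid second factor.
  return { error: { code: 'INVALID_SECOND_FACTOR' } } unless factor_ok
  return { error: { code: 'INVALID_PASSWORD' } } unless password_ok
  { ok: true, user: username }
end

# The same result serialised the way the thread's example shows it on the wire.
def login_response_json(*args, **kwargs)
  JSON.generate(login(*args, **kwargs))
end

if __FILE__ == $PROGRAM_NAME
  t = 1_663_680_120 # constructed timestamp (2022-09-20 13:22:00 UTC)
  puts login_response_json('foo@bar.example', 'baz', now: t)
  puts login_response_json('foo@bar.example', 'baz',
                           totp: totp_code('constructed-totp-secret'.b, t), now: t)
end
```

The TOTP routine is a complete RFC 6238 implementation (it reproduces the RFC's SHA-1 test vectors), so the handler can be exercised against a real authenticator app by swapping in a real secret. What this design still reveals is the kind of second factor an account uses, since the first response names it; per-user and per-IP rate limits, which ezekg mentions further down, are assumed to sit in front of this function rather than inside it.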
| kevincox wrote:
| Good point.
|
| It does leak a little information. It leaks the type of 2FA
| the user has configured and a list of devices for U2F
| (since that needs to be provided to authenticate). But that
| is likely acceptable.
| jabbany wrote:
| This is not a huge deal in practice and can be a good
| honeypot/alarm system.
|
| Most services today have fairly low "lockout" + "notify"
| thresholds on wrong passwords so brute force spraying passwords
| is already out of the question.
|
| Now, if someone fails the password check, clearly the user's
| current password is still secure so leaking that the attempted
| password was wrong to an attacker is not particularly helpful
| to them. If, however, the password is correct, then the
| attacker gets hit with the 2FA surprise. Assuming the great
| suggestion in this post is implemented (it really should be),
| the attacker now is stuck--abandoning the login or trying an
| incorrect 2FA could all trigger notifications to the user that
| their password was breached [re: the "Was this login you?"
| prompts implemented by major services after these situations].
| Attackers would need to also solve the 2FA in some reasonable
| period to "disarm" such an alarm.
|
| Real users who happen to fumble once or twice are also fine,
| since they won't be surprised about the login confirmation as
| it really was them.
| KolmogorovComp wrote:
| Same thing goes for email address when registering. Correct
| email => "already in use" is still frequent, although some
| websites (such as github) have changed it to "incorrect or
| already in use email"
| Aissen wrote:
| While this is true in the absolute sense, it's one of those
| things where you have to think about non-technical users:
| something like this would just confuse them, unless you make it
| very clear in the message that either one of those are bad, and
| provide a clear path to recovery... Having a good UX/security
| UX is hard.
| punnerud wrote:
| About 10 years ago I e-mailed OxfordDictionary asking if they
| could change the webpage so you could start typing your search
| right away, and not have to click the search area first.
|
| It made my day when they some days later had implemented it, and
| emailed me back with a message that they now had implemented it.
| markdown wrote:
| A few years ago I tweeted them to say that they had a word
| definition wrong. They changed it!
| Rygian wrote:
| I would consider that as a bug, not as a feature. If the login
| panel behaves differently on a correct password than on a wrong
| password, that's an information leak that must be fixed.
|
| Authentication must be evaluated and rejected only when all
| factors are already provided, and the rejection error should not
| disclose which of the factors failed.
|
| So, with a proper login panel, my 2FA being asked does not mean
| that someone has my password.
|
| Edit: this is, for example, the recommendation from PCI to
| separate "Multi-Step Authentication" from true "Multi-Factor
| Authentication": https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...
| medevacs wrote:
| I'm under the impression you misread the original blog post,
| which by the way does not really do a very good job in terms of
| explaining how this should be implemented.
|
| IMHO, the idea is not to display the info about wrong 2FA code
| on the login page but to use a separate channel to inform the
| account owner about this recent, failed login attempt. So, no
| info on the login page of the website (adversary would still
| not know that they have a good password but wrong 2FA) but e.g.
| an email, a text message, a push notification, etc. with this
| info. I would certainly like to know that someone, somewhere is
| trying to login to my account and that this adversary is in
| possession of my actual password.
| xwx wrote:
| If I've understood the linked post, the login panel doesn't
| have to behave or look different if someone gets the username
| and password right. You could still show everyone the 2FA
| input.
|
| It's suggesting that if the username and password are right but
| 2FA isn't the system should let the account owner know.
| runlevel1 wrote:
| Correct. The blog suggests letting them know out-of-band,
| like via email, not in the login flow.
| Rygian wrote:
| I have read the linked post too quickly before sending my
| initial comment. Indeed, a back-channel notification to the
| legitimate account owner is probably a good idea.
|
| On the other hand, disclosing to the attacker that they got
| the password right is not acceptable.
| jstanley wrote:
| Unless you're an especially high-value target, I'd rather you
| gave quicker feedback about whether or not I have remembered my
| password correctly than you make it impossible to determine
| whether or not a password is correct without also having to
| input the 2FA token.
| Semaphor wrote:
| You make a good point, but does anyone do that? I've been using
| a PW manager so long, I don't really enter incorrect passwords.
| DangitBobby wrote:
| I don't know of anyone who does 2FA this way.
| rexfuzzle wrote:
| This was posted above: https://www.isnic.is/en/site/login
| First time I've seen it too.
| Rygian wrote:
| My employer does it for products requiring PCI certification.
| Our PCI auditor recommends it even though it's not a formal
| requirement of PCI v3.
| darkarmani wrote:
| That sounds like a terrible trade-off that makes people
| more likely to write down passwords on post-it notes or in
| a clear-text file to cut-n-paste. Especially if you lock
| accounts after a 10 tries or so (or PCI's ridiculous low
| number of tries).
| anamexis wrote:
| I think the majority of places I use 2FA, the 2FA prompt is on
| a screen after the password login. This is because the use of
| 2FA is an account option, so not all accounts will have it
| active.
| jonas-w wrote:
| I don't know about wrong 2fa codes but bitwarden notifies you if
| you have an "unfinished" 2fa login. If you type username and
| password correctly and then don't type in your totp token it will
| notify you.
| bilekas wrote:
| We implemented something that avoids the original article's 2FA
| notification.
|
| After your password is approved before 2FA you get an email. So
| even if someone is somehow using the right 2FA you are aware.
|
| Our thinking was the most likely outcome was someone would hit
| 2FA, not have the code and so close the request without even
| entering a bad code.
|
| Apart from that though, it is always nice to get recognition for
| the stuff you put out there. I know I should do it more myself
| too.
| lupire wrote:
| But email can be delayed for hours or days.
| bilekas wrote:
| That's pretty rare in our scenario, also it still would apply
| to the original post?
| kevincox wrote:
| If you are going to send login notifications anyways this makes
| sense. Since the user will either want to know about the login
| or the failed 2FA. However if the user doesn't enable login
| notifications I think it makes sense to give a short timeout to
| wait and see if the authentication is successful. If the auth
| is successful you can skip the alert.
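The policy the thread converges on (xwx, bilekas and kevincox above): alert the account owner out-of-band when the password is accepted but the second factor is wrong or never arrives, skip the alert when the login completes within a short timeout, and forgive a single wrong code as a typo or expired TOTP. This is an added example, not code from the original post or from any product mentioned; the 300-second timeout, the `notify` callback and all session values are assumptions.

```python
from dataclasses import dataclass

PENDING_TIMEOUT = 300  # seconds; the thread says "a few minutes", the value is assumed


@dataclass
class LoginAttempt:
    username: str
    password_ok_at: int   # unix time at which the correct password was accepted
    src_ip: str
    alerted: bool = False


class SecondFactorMonitor:
    """Tracks logins that passed the password check and decides when the
    account owner should be told, out-of-band, that something is off."""

    def __init__(self, notify, timeout=PENDING_TIMEOUT, alert_on_first_wrong_otp=False):
        self.notify = notify       # callable(username, reason, attempt), e.g. sends email
        self.timeout = timeout
        self.alert_on_first_wrong_otp = alert_on_first_wrong_otp
        self.pending = {}          # session_id -> LoginAttempt awaiting a second factor
        self.wrong_otp_count = {}  # session_id -> number of rejected codes

    def password_accepted(self, session_id, username, now, src_ip):
        self.pending[session_id] = LoginAttempt(username, now, src_ip)

    def otp_submitted(self, session_id, correct):
        attempt = self.pending.get(session_id)
        if attempt is None:
            return "no_pending_login"
        if correct:
            # Finished within the timeout: a normal login, nothing to report here.
            del self.pending[session_id]
            self.wrong_otp_count.pop(session_id, None)
            return "login_complete"
        n = self.wrong_otp_count.get(session_id, 0) + 1
        self.wrong_otp_count[session_id] = n
        # A single wrong code is treated as a typo or an expired TOTP; a second
        # one means whoever holds the correct password lacks the second factor.
        if not attempt.alerted and (self.alert_on_first_wrong_otp or n >= 2):
            attempt.alerted = True
            self.notify(attempt.username, "wrong_second_factor", attempt)
        return "otp_rejected"

    def sweep(self, now):
        """Run periodically: a login that got the password right but never
        finished 2FA within the timeout is the 'unfinished login' case."""
        expired = []
        for sid, attempt in list(self.pending.items()):
            if now - attempt.password_ok_at >= self.timeout:
                if not attempt.alerted:
                    self.notify(attempt.username, "second_factor_never_entered", attempt)
                expired.append(sid)
                del self.pending[sid]
                self.wrong_otp_count.pop(sid, None)
        return expired
```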
| Minor49er wrote:
| I've noticed several services in the past that have blocked
| someone at the 2FA step (either due to getting to that stage and
| leaving or attempting and failing), then notified the account
| owner that a login was attempted. I think we just don't hear
| about it too often because not everyone who has compromised
| credentials also has 2FA enabled on their accounts in most
| publicized hacks
| Ayesh wrote:
| The Iceland NIC does this (https://www.isnic.is/en/site/login).
|
| Customer support burden when they lose the 2FA key is solved by
| adding a hefty fee (around EUR100) to recover it. No webauthn
| support yet though.
| rexfuzzle wrote:
| Interesting- I think that is the first time I've seen password
| and 2FA code on the same page. Guess that means you may not
| know if your password or 2FA code is incorrect depending on the
| error page
| soco wrote:
| Or the login process should just go ahead and ask the 2FA
| either way - and just fail you in the end without explaining
| why. And then notify only behind the scenes via mail that the
| password was correct but the 2fa wrong. That would be _the_
| way to handle it. I'd receive such notifications from time
| to time - I mix up the 2FA accounts sometimes, other times
| I'm slow typing and it expires - but I can live with that
| little extra email.
| Ayesh wrote:
| All my TOTP prompts (on websites I run) account for such
| delays and clock skews by checking against the previous and
| next TOTP. So even if the user is a little bit late to
| enter the OTP, I can still validate it and complete
| authentication.
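An added example, not the commenter's code, of a TOTP verifier that accepts the previous and next time step as described: it implements RFC 4226/6238 HOTP/TOTP directly and also remembers the last accepted counter so that the skew allowance cannot be used to replay a code. The secret is the RFC 6238 test-vector secret; the window size and the replay tracking are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, step: int = 30) -> int:
    """RFC 6238 time-step index (T0 = 0)."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, totp_counter(unix_time, step), digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_counter=None, window: int = 1,
                step: int = 30, digits: int = 6):
    """Return the time-step counter the code matched, or None.

    window=1 accepts the previous, current and next step, which tolerates a
    slow user or a few seconds of clock skew. last_counter is the highest
    counter already accepted for this user; any counter at or below it is
    refused so the wider window does not let a captured code be replayed.
    """
    current = totp_counter(unix_time, step)
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# Constructed demo using the RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)                               # generated during step 1
    print(code, verify_totp(RFC_SECRET, code, 65))            # still accepted one step later
    print(verify_totp(RFC_SECRET, code, 65, last_counter=1))  # same code again: refused
```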
| throwaway2037 wrote:
| This is standard practice with big corporate RSA remote
| login.
| darkhorn wrote:
| Gmail has those features for some years.
| rexfuzzle wrote:
| Not AFAIK- they email you when a new device logs in, or a new
| location, but I've never seen one from a wrong 2FA code
| spiffytech wrote:
| Years back, every web browser's built-in password manager locked
| up the page when submitting a login form, waiting for the user to
| answer "do you want to save this password?" before proceeding.
|
| I thought that was silly: how do I know if I want to save the
| password before I've seen whether it's correct? Which I can't see
| until the form is submitted.
|
| At the time I was using Opera, so I wrote in to their customer
| support suggesting that the prompt appear after the new page
| loaded. I never heard back, but a couple months later their next
| major release implemented exactly that behavior. A few months
| after that, every other browser followed suit.
|
| I can't have been the only one bothered by the existing behavior,
| but given how long browsers had worked that way before I wrote
| in, I like to tell myself that the timing wasn't a coincidence,
| and that my little suggestion rippled out into a change that made
| a small thing better for the whole world :)
| tamiral wrote:
| you are literally one of my new fav people !
| jbverschoor wrote:
| I submit suggestions, features, bugs, detailed reports, new use
| cases etc. I'm more than happy to write detailed submissions,
| or do some traces when there's a bug.
|
| But if I notice there's no feedback or implementation within a
| reasonable period of time, I will stop doing that ever again
| for that company (large, small, doesn't matter).
|
| I refuse to waste my energy on that kind of process.
| ck2 wrote:
| Every few years I get an automated email from Wordpress where
| someone finally fixed a bug I submitted over a decade ago, lol
| em-bee wrote:
| I still see this behavior in Firefox. The save password popup
| disappears by the time the page is loaded, and it baffles me
| every time how that is supposed to be useful.
| kevincox wrote:
| I find that it _usually_ sticks around long enough. But I
| agree that it should stay open at least until I interact with
| something else.
|
| On the bright side it just collapses into a "key" icon in the
| URL bar that you can click to open it back up and save the
| password.
| nl wrote:
| > On the bright side it just collapses into a "key" icon in
| the URL bar that you can click to open it back up and save
| the password.
|
| I've been using Firefox as my main browser since 2010 and I
| never realized this.
| [deleted]
| teekert wrote:
| It's like that Teams pop up that informs you that a colleague
| started a meeting, the one that always disappears after you
| finish typing your sentence and start to move your mouse
| towards it.
| pacoverdi wrote:
| you can click it right away, finish your sentence, then
| click again to join the meeting once you're done :]
| justsomehnguy wrote:
| The most amusing (for me) behaviour is that EITHER I need to
| press Cancel every time (my preferred behaviour, honestly, I
| don't save passwords) OR never see the dialog again (I'm
| totally okay with saving the pass for some LAN devices which
| would never be accessible from the net ever - but I can't)
| iforgotpassword wrote:
| The stupid thing is that it already is async and not locking
| up like it was in the very old days op refers to. They were
| just so clever as to add a timeout after which that dialog
| closes, regardless of whether the page actually finished
| loading. So on a slower page you end up with the popup
| disappearing while the page is still (mostly) blank and you
| don't know yet whether the credentials were correct.
|
| I think just clicking in a blank spot (or the text fields) in
| that dialog stops the timeout, but it's one of these things
| I'm not actually sure about and it's almost like a cargo cult
| kind of ritual...
| thallavajhula wrote:
| Opera was the most innovative web browser ever. They brought so
| many new things to the world of web browsing. Tabbed-browsing,
| mouse gestures, colored tabs, browser themes, in-built security
| integration with anti-virus software, an extensible browser -
| so many wonderful innovative features. It was a paid software
| initially, but then they made it free for everyone. I used to
| use it as my default browser, maybe 13-15 years ago.
| abfan1127 wrote:
| It's my default browser now. It's still great!
| capableweb wrote:
| Well, I used to love Opera as well, it was my first
| "serious" browser as I became a netizen. But now I wouldn't
| even dare to try it as it's owned by a consortium of
| Chinese investors, rather than a Norwegian company.
| bityard wrote:
| Vivaldi is pretty good and though it's based on chromium,
| is the new opera in spirit.
| IndrekR wrote:
| No coincidence. Vivaldi was co-founded by the ex-CEO and
| co-founder of Opera.
|
| I quit using Opera after he did not keep his promise to
| swim across the Atlantic in 2005:
| https://www.zdnet.com/article/opera-boss-starts-atlantic-
| swi...
| r00fus wrote:
| Are you sure tabbed browsing was Opera? I mean, Mozilla
| browser (predating Firefox) had it in 1998.
| rch wrote:
| Opera also had tab groups, MRU tab switching, and saved
| sessions. Those exist in some form or fashion now, but the
| implementations are not as smooth.
| vikingerik wrote:
| Mozilla had multiple documents first, by just following
| Windows' MDI standard.
|
| Then Netscape and IE got into a war for mindshare, and part
| of that was to ignore MDI and splash their browser windows
| all over the taskbar instead, to be more visible and grab
| more user attention.
|
| Tabbed browsing was never a new invention, it was just a
| re-implementation of what we already had by way of MDI.
| ricardobeat wrote:
| Wikipedia lists Opera v4 having tabs in 2000, while they
| were added to Mozilla 0.9.5 in 2001:
| https://en.m.wikipedia.org/wiki/Tab_(interface)
| [deleted]
| nidnogg wrote:
| IIRC it was InternetWorks by BookLink Technologies
|
| According to: https://www.makeuseof.com/tag/which-browser-
| invented-tabs-3-...
| renke1 wrote:
| Spatial navigation is a feature I really do miss. I don't
| think any other browser supports this. It made keyboard-based
| browsing possible without resorting to stuff like hit-a-hint.
| You could just hit Shift+Arrow Key (which I mapped to the
| home row) and select the nearest link (or anything
| interactive) in that direction. I think it worked in a visual
| fashion so order in the DOM didn't matter at all. It behaves
| exactly like one would expect.
| oliwary wrote:
| Something I really miss from Opera is that the content of
| every page you visited was saved and stored for search! This
| helped me so often to find pages that I had visited, and
| remembered a few words from, but didn't bookmark or save
| otherwise. No idea why browsers today did not copy this
| feature.
| OinkEsFabuloso wrote:
| Oh, that's so cool! :-) Could you please write to Whatsapp or
| Telegram and ask them not to delete the EXIF information from
| shared images on their platform? I understand that they
| compress images so they don't take too long to transmit and
| load, but I think there's a big group of their users
| (especially for Whatsapp) that use their platform to share
| family pictures. For this purpose, having the EXIF date (if
| it's available) could be very handy, since the picture could be
| properly timestamped and archived without having to ask again
| to the original poster for the specific files.
| nkozyra wrote:
| As a general privacy rule I like stripping this by default.
| Couldn't you just zip up some images to retain this?
| RHSeeger wrote:
| I think the EXIF data is removed because, for the vast
| majority of people that don't think to remove it, it's a
| safety risk. Posting a picture of your house? Your kid
| arriving at their first day of school? Some other location
| you'd rather a bad person not have info on? Most people don't
| think to remove that data before posting (and sometimes post
| directly from their phone camera?)... removing that data
| removes a lot of risk for them. Leaving it in is only
| considered a small benefit to a smaller subset of people
| (comparatively)
| akadruid1 wrote:
| In a similar vein, I wrote to Microsoft suggesting their
| "Authenticator" TOTP app for Android would benefit from a
| search feature. I can't have been the only one, but it did make
| me happy when they actually implemented it a few months later
| teekert wrote:
| I also suggested it but their iOS app still does not have it.
| Really annoying with >20 totp tokens.
| levymetal wrote:
| And now we've come full-circle as 1Password 8 requires you to
| save your password prior to submitting the form instead of
| offering to save it after submission. Which is a huge
| regression as it results in this exact issue all over again.
|
| https://support.1password.com/save-fill-passwords/
| WalterBright wrote:
| If only Roku and Android TV boxes had a way to display pdf's on
| the TV!
|
| Hint hint hint!!!
|
| After all, they can display movies, pictures, and music. PDFs,
| please! I'd even pay for it.
| bitwize wrote:
| I discovered a bug in Java 1.0.1's GridBagLayout and posted
| about it to USENET. It was fixed in JDK 1.0.3.
|
| I also emailed the GIMP maintainers about a bug in their select
| color region tool in GIMP 0.99.x that made it ignore 1-pixel-
| wide barriers. By 1.0 it was fixed.
|
| I was chuffed when it happened, but the internet was a smaller,
| chummier place back then, so we expected that kind of response
| more than we do today, I think.
| fimdomeio wrote:
| I found a bug in firefox where the two letters of the weekdays
| appeared as 3 letters for Portuguese (pt-PT). Eventually found
| that it was an error in the Unicode standard, so submitted the
| proposal for change. Probably there are dozens of people involved
| in this... but seeing it being changed brought me great joy.
|
| I was a tiny part in changing a tiny mostly irrelevant detail
| that was causing a slight inconvenience to millions of people
| daily. Improving humanity one bit at a time...
| pc86 wrote:
| This is great! Imagine how many people had no idea how to get
| something like that fixed yet noticed the bug.
| jackpirate wrote:
| Do you happen to have a link to the proposal I can see and
| share with a class? I'm teaching a few lectures about some
| "weird" stuff this semester, and this would be a great
| example.
| layer8 wrote:
| This still sometimes happens on iOS Safari. I don't know what
| is different about the pages where it happens, but it's
| annoying.
| malshe wrote:
| Even MacOS Safari does this. I don't know whether the latest
| update fixed it though.
| mooreds wrote:
| Such a great idea! I filed a feature request on our GH issues
| list to implement this: https://github.com/FusionAuth/fusionauth-
| issues/issues/1888
| EGreg wrote:
| I agree but there is an even more serious security feature almost
| all 2FA misses:
|
| Telling the user what action they are authorizing by reading back
| the numbers.
|
| That "bank rep" on the phone? They are probably trying to log
| into your account, or withdraw cash, not verify that you are the
| right person to send the refund back to.
|
| It would save a lot of problems.
|
| Also you should be getting an alert on all your devices whenever
| transactions over X amount per Y time occur, and you should have
| an opportunity to reverse them for 24 hours (even for debit
| cards). Also you should be able to make windows during which time
| it would be longer than 24 hours, such as a Jewish holiday or
| when out of range. This wouldn't apply to recurring transactions.
| PeterisP wrote:
| Yes, that's a cool feature - the Smart-ID app used by many
| banks in Baltic countries as a second factor does that, it
| states e.g. the payment and amount you're authorizing before
| you do so.
| coenhyde wrote:
| When Apple released the very first iPod, I wrote to Steve Jobs to
| tell him that I would buy it if it was a phone too, as I don't
| want to carry two devices. I doubt I was the only one who had
| this thought, but I like to think I influenced the development of
| the iPhone. I never received a response from Steve.
| teekert wrote:
| Ah but you didn't add that you wanted it to be an internet
| communicator as well!
|
| Only would you have been able to claim some credits ;)
| Taylor_OD wrote:
| I haven't done this in many years but for a while I was making
| creative content that was published online. Once in a while
| someone would contact me saying they liked what I did. I started
| doing the same. If I read an article I liked a lot I would
| contact the person and tell them I liked it and why. About half
| the time they responded with Thanks.
|
| I didn't do this with NYT writers or anything. Just people who
| clearly don't get paid/paid much to make this content but I found
| it useful/interesting/helpful. I think that stuff goes a long way
| and it really doesn't take that long to do.
|
| I've got a tech podcast now and about once every month or two
| someone contacts me to say they liked it or something nice. It's
| a huge reason why I keep doing it. I know that sounds silly but
| the internet can be such a black hole. A little feedback goes a
| long way.
| miqueturner wrote:
| This was a good comment. Keep it up!
| avg_dev wrote:
| I tend to see a lot more negativity than positivity as the
| default response so I like this thread.
| whatsdoom wrote:
| I have a little blog that occasionally gets hits when the SEO
| winds blow my way and twice people have reached out thanking me
| for a post. It's made my whole month! And encourages me to keep
| posting stuff. So I really appreciate that you do that, I
| should make an effort to do the same.
|
| I write the blog as more of documentation for myself than
| something to share, but knowing that I've helped someone else
| is icing on the cake.
| Lendal wrote:
| As 2FA adoption spreads, the possibility increases that someone
| could be using 2FA but not know the rule about not reusing a
| password. This feature improves the spread of that gospel. It
| seizes the opportunity to impress an abstract concept to the
| technically-challenged in a way that is no longer abstract. I
| like it.
| egberts1 wrote:
| I once wrote something obscure.
|
| About communication piggybacked over TCP/IP without changing any
| one bit of packet data.
|
| https://egbert.net/blog/articles/pulse-width-covert-channel....
|
| Some 20 years later, a guy posted on GitHub.
|
| https://vimist.github.io/2019/01/30/Steganographic-Packets.h...
|
| And made my day.
___________________________________________________________________
(page generated 2022-09-20 23:00 UTC)