[HN Gopher] Tell HN: Somebody implemented something I wrote a bl...
___________________________________________________________________

Tell HN: Somebody implemented something I wrote a blog about

So a while ago I wrote about how 2FA was missing a key feature:
https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

Having not had any feedback on it in a while and the idea not taking off, today somebody messaged me to say that they had implemented it in their product.

1. Obviously I think this is great and more secure
2. Tell people about things you do that they played a part in - it might just make their day.

Author : rexfuzzle
Score : 566 points
Date : 2022-09-20 13:22 UTC (9 hours ago)

sagebird wrote:
Also, if someone logs in with correct username and password and -does not- attempt to try the 2FA, I also want to know about it.

kevincox wrote:
Yeah, it should basically be a timeout. If within a few minutes of entering the correct password a correct second factor is not provided then it should notify the user.

I think you can probably skip notifying on a single failed OTP code to avoid spamming the user when they make a typo (or are a bit too slow for TOTP), but if you were very paranoid you could also send in this situation.

mikessoft_gmail wrote:
I don't know of anyone who does 2FA this way.

nishnik wrote:
Five years back, YouTube didn't have the feature to queue your videos on the fly. You could have created a playlist, but then it is the same sequence of songs every time. So I hacked a Chrome extension to add/remove songs to a dynamic queue saved in your LocalStorage[1]. Later, YouTube added the queue feature. Sometimes I go on long hikes and think that it wasn't merely a coincidence. :)

[1]: https://github.com/nishnik/Play_Next

Kalanos wrote:
Normies: what the heck, he stole your idea :angry:

NKosmatos wrote:
Bravo!!! Such a simple (and more secure) change to the way 2FA works. This should be the standard and also mandatory in many similar cases. Good for you and for sharing this improvement, that's the mentality all of us should have. Reminds me of how Volvo shared the 3 point safety belt patent with everyone else so as to make all cars safer, instead of keeping it to themselves in order to profit [https://www.forbes.com/sites/douglasbell/2019/08/13/60-years...].

jimmydddd wrote:
Re: Volvo's good deed -- In contrast, Edward Land (the Polaroid camera guy) came up with a system for polarizing car headlights and windshields to lessen glare from oncoming headlights in 1948. Apparently, none of the car manufacturers implemented it because there was nothing to gain financially from such a safety feature. https://www.polarization.com/land/land.html

tra3 wrote:
That's awesome. I was expecting a lament on how an amazing startup idea was stolen and monetized by someone else. Glad I'm wrong and the world is a little bit better.

qorrect wrote:
Hey me too, a little sunshine this morning :).

NiagaraThistle wrote:
Same here. Came to say the same and to explain how I publicly share all my 'great' ideas even though so many friends think I'm nuts in case someone 'steals it' and makes a successful startup from my idea. My answer: "Great for them. At least they had the determination and focus to follow through with bringing the idea to fruition when I couldn't."

dspillett wrote:
Same. I'll often share relevant ideas in comments here and elsewhere in the hope that I inspire someone to go implement something I might like but will never find the time+organisation to get around to creating!

dhosek wrote:
People tend to overvalue ideas. I see this all the time in writing where people are worried someone will steal their great idea for a story. The truth of the matter is that it's unlikely that you've come up with something truly new and in any event, ideas tend to breed and multiply. I will never write all the stories and novels that I have jotted down in my notebook before I die and there are more every day.

qorrect wrote:
On that note though, is there a way to protect your story if you want to pitch it to a publisher, or anywhere else? Like a registry for story ideas?

Gene_Parmesan wrote:
There's no IP protection for ideas for stories. Regardless, almost no fiction shop is going to agree to print a book on spec, just off a story pitch. Write the book first. Then you already have protection, in the form of copyright (which is automatic and doesn't require registration).

aardvark179 wrote:
Not really, and it's not a problem. Ideas for stories are abundant, the ability to turn them into finished books or scripts is much rarer.

ncmncm wrote:
If an idea is any good, you generally have to fight tooth and nail to get anybody to listen to it, and put in a hundred times that to get anybody to understand it, and that again to act on it.

If you don't directly control how that happens they will implement it fundamentally wrongly.

But after it is finally implemented more or less correctly, everyone will agree that the idea was trivial and obvious, and they had already thought of it themselves, in _exactly_ the form where they first encountered it, even if that is actually not quite right.

thombat wrote:
Victory has a hundred fathers, but defeat is an orphan.

tinmandespot wrote:
Exact same sentiment :)

joshmanders wrote:
Honestly I'm shocked reading this. I _NEVER_ considered that scenario. Now I will be doing this in all my apps. Thank you!

theappanalyst wrote:
I enjoyed when a French hacker used information from my blog to set off all the alarms of Bird scooters in Lyon, France for an evening.

I had written about (what I considered as) a vulnerability that allowed remote triggering of Bird Scooter alarms (Bird disagreed of course) on my blog [1]. I then saw this GitHub repo linked in the comments for setting off alarms of Bird scooters [2] and reached out to the author.

The author let me know that they had used the info in my blog to script a tool for setting off Bird Scooters en masse. They then targeted the script at all the scooters in Lyon and subsequently fell asleep. When they woke up they noticed the endpoint was disabled... Bird had taken the action to disable the API endpoint in response, of course.

Probably would've been easier to fix before someone scripted it out but it made for a fun story.

[1] https://theappanalyst.com/bird.html
[2] https://github.com/pcouy/bird-whisperer

wallfacer wrote:
If any Spotify devs are here, please let me explore and add songs, artists and albums to my library without "hearting" it.

I often just want to follow up later by "adding to my library," and it feels weird to "LOVE" it before ever hearing it. I really feel pain when I hear something terrible that I've already "liked" and consider the impacts to my algorithm.

Please distinguish between "like" and "save."

A simple "plus sign" or really any other symbol that signifies "adding to a collection" without "liking" connotations (stars are out too).

iscrewyou wrote:
I like how Instagram has solved this. You can like a post but you can also save it for later viewing or showing to someone else.

Spotify should totally have a save to library function but also a heart function that trains their personalized mixes for me. I've just stopped looking at my library for my music catalog. Every album I like goes into a "favorite albums" folder. It shouldn't have to be this way.

spiderice wrote:
I'm confused. I thought I missed something in the article. Why are we talking about Spotify in this thread? I'm all for your suggestions, I'm just confused how we got here. Haha. What did I miss?

posix86 wrote:
What's wrong with a playlist: Saved for later?

qwertygnu wrote:
I think their idea is that you don't have/shouldn't want a personal library because everything on Spotify is your library.

scetron wrote:
Oof! They used to have this for Songs, then they removed the feature, and I lost the major way I used Spotify. I used it to make sure I could listen to music offline while traveling and it was an infuriating few flights before I could download everything again.

omar12 wrote:
If there is a feature I want to see on Spotify, it is an easier way to see my friends' playlists.

jimmygrapes wrote:
I'd be happy with just being able to consistently access my own playlists and currently playing queue on Android. I swear it's a coin flip whether the button appears or not.

why-el wrote:
Now that you opened this forum for Spotify feedback: If I do "like/heart" a few songs and then go to the Radio based on one of them, please don't show the songs I already liked in that Radio. I mean, I already "liked/saved" them, why are they appearing in my discovery phase?

a_t48 wrote:
Disagree on that - Radio is not just for discovery but also for easy random playlist creation.

gmueckl wrote:
I'd like to have a different tiny change in the "Song Radio" feature: if you start playing that playlist, skip the song it's based on if it was recently played or is currently playing. It's mildly annoying when you switch to that feature after stumbling across an interesting track and the first thing you hear is the same track again.

posix86 wrote:
That's one of their best features!! I'm using discovery bcs I want to listen to tracks similar to the one I use as a basis. If they mix some of my liked tracks in there that are similar too (which they usually are), that makes it even more enjoyable. Idk about you, but I use Spotify to listen to good music.

Stupulous wrote:
While we have Spotify's ear: why is the default behavior to clear my queue if I play another song? It's especially an issue on mobile, where viewing a playlist or album means that an errant tap almost anywhere on the screen undoes all of my queueing so far. Just a toast with an 'Undo' button whenever the queue is erased would be plenty.

mhink wrote:
This kinda sounds like a use case for a playlist to me.

unsafecast wrote:
Another thing that bothers me, in Spotify and pretty much everything else: you can't add playlists to other playlists. Like union directories. The most important thing is that it's a link, so every list updates whenever I update the included one.

If there's a program with this type of functionality, lmk.

motoxpro wrote:
I don't really understand how that is useful but if you need to do it manually you can just shift-click all the songs and add them all to a playlist on the desktop app.

unsafecast wrote:
Yeah, I get why it wouldn't be. I just have a peculiar way to organize my music.

I know I can do that, it just doesn't sync when I change another list, which breaks everything.

cantsingh wrote:
You can use the Spotify Smart Playlists feature to do this. I used to do something similar before giving up. It's clunky, but it works. You basically set it to pull all new songs from the feeder playlists into the accumulation playlists, every night.

motoxpro wrote:
Valid. One way around it would be to create a "Follow Up" or "In The Queue" playlist that you add it to. Obviously not as easy as just a + button though.
guidopallemans wrote:
You can swipe songs to the side to add them as next up.

jaxn wrote:
I emailed Tim O'Reilly in ~2001 and suggested they release PDF versions of their "Pocket Guide" reference books. I wanted to be able to have all of my pocket guides on my Sharp Zaurus (Linux handheld with keyboard, color screen, and Wi-Fi).

He went for it and offered me PDF copies of every Pocket Guide as a thank you.

forrestthewoods wrote:
> Tell people about things you do that they played a part in - it might just make their day.

Agree so much! I've met numerous people, often co-workers, who say "oh I know you, I used your blog post". Wish they'd have shot me a quick email! It's always a nice surprise when someone reaches out to say thanks.

canjobear wrote:
The main feature that 2FA needs is non-existence.

CobrastanJorji wrote:
If you have better options, I'm all ears.

alittlecringe wrote:

spuz wrote:
OWASP actually includes this suggestion in their guidance for implementing MFA:

https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...

> When a user enters their password, but fails to authenticate using a second factor...:
>
> ...
>
> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.
>
> The notification should include the time, browser and geographic location of the login attempt.
>
> This should be displayed next time they login, and optionally emailed to them as well

effnorwood wrote:

_dain_ wrote:
A few months ago I had a ghastly time trying to take a bike along with me for a multi-stage train journey across the UK. Trainline is good about abstracting away the (pointless) differences between the train operating companies -- it's just a single interface and you never have to know which company operates which section of the route. But this abstraction breaks the minute you want to bring a bike on board -- you need to contact each company separately, and each one has its own bespoke and annoying way of doing it. Some by phone, some by email, some through their website (that you need an account for), some by social media(!). So I emailed Trainline's customer support saying how lovely it would be if bike reservations were as seamless as people reservations, and to pass along the idea to their dev team.

Lo and behold, while booking a journey the other day I noticed a new option for bike reservations on the route planner interface that I'd never seen before. I haven't had opportunity to use it yet, but I hope it works well, and I'd like to think that it was my email that tipped the scales into it getting implemented (Lord knows I can't have been the first to ask for it).

weaksauce wrote:
great stuff rexfuzzle! that is indeed something that should be part of the standard security of apps nowadays. it costs surprisingly little to clone a phone number and get those 2fa requests on a new phone so any heads up would be great to know.

posix86 wrote:
I asked Notion to implement inline LaTeX, bcs it's the last thing missing for me to use Notion during math lectures. They did so a couple weeks later, even told me I was part of the reason they did!

Aethylia wrote:
Congratulations! Really good to hear, and definitely a nudge to me to let people know when their blog was useful.

makz wrote:
I once sent Apple feedback about how Activity Monitor was missing some metric, I don't remember what it was. Never heard back from them but in the next OS X release it was there.

gjvc wrote:
that'll teach you

redsummer wrote:

teekert wrote:
Some 10 years ago I pointed out the lack of SSL or STARTTLS on my mail provider's SMTP servers. This was the Netherlands' biggest provider, Transip. They said it was an interesting observation that they were going to discuss; some months later I got a big announcement over email about their new secure email platform. Yes, it was all the same but now with SSL.

avg_dev wrote:
This is a heartwarming post and I enjoyed all of the comments.

As an aside I would recommend using U2F over OTP. This article explains some of the benefits: https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/

wannabebarista wrote:
I had a similar experience and it certainly made my day! I wrote some code to parse nested JSON and fill a hole in a tutorial. Here's my relevant post: https://bcmullins.github.io/parsing-json-python/.

Here's the plug for the project using my code: https://github.com/sinnfeinn/microweather.

hanoz wrote:
Cool, well done. Hope the idea gets picked up by a few more developers here.

If you don't mind I'm just pasting the URL into a comment to make it a link:

https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

kevincox wrote:
The comment is a link in the HTML I am served. However there is no underline, which is confusing.

hanoz wrote:
I could be wrong, but I'm _fairly_ sure that wasn't the case originally.

kevincox wrote:
Must be a new feature :)

mncharity wrote:
AFAIR, a 1980's MIT AI Lab "how to do research" memo suggested as one way to build things: describe what you'd like to build, and maybe someone else will be inspired to do it, long before you'd have gotten around to it.

flippinbits wrote:
Actually, PSD2 SCA (Strong Customer Authentication) talks about requiring 2 different elements (out of knowledge, possession, inference) for authentication, while also requiring that information on which one was wrong when authentication failed not be disclosed. This directive needs to be implemented by all payment processors in the EU (I am not an expert on this).

We have implemented such a system at a company I worked at, where we also took into account the credential stuffing aspect as you talk about it. It is quite challenging to ensure no information leaks (in content and in other request parameters, including response times) when users transition from the partially (un)authenticated state (username + password) towards 2FA. I have to say that the security aspect is noticeable in a significant drop in credential stuffing attack volume, but usability-wise I see why this is not a popular approach :). I personally hate it, especially when the 2FA that is used is TOTP.

frakkingcylons wrote:
Yes! That's such a nice feeling.

One of my GitHub projects was used in a demo at Google Cloud Next a while ago. The presenter was considerate enough to attribute the project to me by name during the demo and even sent me an issue just letting me know about it. That was so nice! Absolutely people should do this.

zoomablemind wrote:
It's a nice courtesy from the product authors/implementors. Not only is it polite, it also acknowledges your contribution to the idea; not sure to which extent it is formal.

All in all it is a great feeling to see your idea getting a concrete life. In a way, reporting an issue and a possible improvement to any product you care about is an essence of collaboration. Open source further helps to contribute by augmenting such effort with a skill to implement it.

ezekg wrote:
Related: I think it's surprising how many services leak whether or not a password is correct. E.g. bad password => error, good password => 2FA prompt.

You should verify a user's second factor before password.

jve wrote:
> leak whether or not a password is correct

Errm, could you elaborate what is the issue here?
idkyall wrote:
If you input a username and wrong password, in some cases, the service won't prompt you for your 2FA code.

If you input the right username and password, it will then go forward in the flow and prompt you for the 2FA.

I believe the parent comment is suggesting the system should prompt for 2FA even if the password was incorrect, so that you can't infer whether you guessed the correct password without also compromising the 2FA method.

This only matters if you re-use passwords, though.

thewebcount wrote:
Well, doesn't it also matter if the 2FA method sucks? For example, maybe you can use a SIM swap to get the one-time code, but if you don't have the password too, then that doesn't help you. In the above scenario, they can figure out whether they have the password or not, and once they do, then use a SIM swap to get the second factor (or whatever), and then they're in. If the login never tells them which factor is bad, it's a bit harder, right?

[deleted]

ezekg wrote:
tl;dr: The code should verify the user's second factor before the user's password.

Consider this, scenario A:

1. When attacker enters a username and bad password, then they receive a bad password error.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

And then scenario B:

1. When attacker enters a username and bad password, then they receive a 2FA prompt.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

In scenario A, the website leaks password validity to the attacker. In the case of a brute force attack, the attacker can use the 2FA prompt as a signal that they found a good password. Scenario B does not leak that information, because the second factor was wrong or missing.

More concretely, this pseudo-code:

  if user.authenticate_with_password(password)
    if user.authenticate_with_second_factor(code)
      # ...
    else
      raise InvalidSecondFactorError
    end
  else
    raise InvalidPasswordError
  end

Should instead be this pseudo-code:

  if user.authenticate_with_second_factor(code)
    if user.authenticate_with_password(password)
      # ...
    else
      raise InvalidPasswordError
    end
  else
    raise InvalidSecondFactorError
  end

Hope that makes sense. :)

ridgered4 wrote:
It sounds good for stopping attackers, but if I am the real user and enter a bad password it is going to be pretty infuriating spending time troubleshooting the 2FA-not-working problem that doesn't actually exist. I suspect your service will get a reputation for completely unreliable 2FA which may have unintended consequences.

codegeek wrote:
This can be solved with an error message at the end with something like "You either provided an incorrect password or your 2FA code is incorrect. Check and try again". This still ensures that someone is not able to guess the correct password and reuse it somewhere else where 2FA may not be enabled.

Eleison23 wrote:
But which 2FA prompt should they receive?

If MFA can be configured using myriad choices, should a user be prompted to "Insert security key" or "Input security code" or "Send code to your email/SMS" or "Tap YES on your mobile device"?

Since you can't know a priori what the second factor will look like, I'd say it's troublesome to try and present a challenge to every user regardless of their MFA configuration.

ezekg wrote:
In my pseudo-code example, we're raising a couple errors, InvalidSecondFactorError and InvalidPasswordError. You could imagine there could be finer grained errors, such as TotpRequiredError or HardwareKeyRequiredError, depending on the user's second factors, which could then propagate down to the UI via specific error codes.

The UI could then use these error codes to display the correct prompt, and then resend the request with the appropriate second factor.
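The second-factor-first ordering ezekg sketches above, written out as a runnable Python login handler. This is an added example, not code from the thread or from any product named in it: it returns a TOTP_REQUIRED-style error code on the first round trip as ezekg describes, evaluates both factors before deciding so that response time does not hint at which one failed, and uses a fixed stand-in for the authenticator code rather than a clock-based TOTP. The user records, passwords, codes and error-code names are constructed for the example.

```python
"""Second-factor-first login: the server says nothing about the password until
a valid second factor has been presented (ezekg's scenario B)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Code the user's authenticator shows right now. A real server derives it
    # from a shared secret and the clock (RFC 6238); a fixed, constructed
    # stand-in keeps this example deterministic.
    expected_totp: str


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, expected_totp: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), expected_totp)


# Constructed stand-in for an unknown username: a miss costs the same hashing
# work as a hit and gets the same response shape. (Account existence can
# still leak through other paths; ezekg's comment accepts that trade-off.)
_DUMMY = make_user("", os.urandom(8).hex(), "")


def login(users: Dict[str, User], username: str, password: str,
          totp: Optional[str] = None) -> dict:
    """Return the JSON-style body the server would send.

    Round one (no code yet): always TOTP_REQUIRED, for a right or wrong
    password alike, so the prompt itself carries no signal.
    Round two: the second factor is judged first; INVALID_PASSWORD can only
    ever reach someone who already holds a valid second factor.
    """
    if totp is None:
        return {"error": {"code": "TOTP_REQUIRED"}}

    user = users.get(username, _DUMMY)
    # Evaluate both factors before branching so the response time does not
    # depend on which one failed; then decide in second-factor-first order.
    second_ok = user is not _DUMMY and hmac.compare_digest(
        user.expected_totp.encode(), totp.encode())
    password_ok = hmac.compare_digest(
        user.password_hash, hash_password(password, user.salt))

    if not second_ok:
        return {"error": {"code": "INVALID_SECOND_FACTOR"}}
    if not password_ok:
        return {"error": {"code": "INVALID_PASSWORD"}}
    return {"ok": True, "user": user.username}


def demo() -> Dict[str, dict]:
    """Run the attempts from the two scenarios and collect the responses."""
    users = {"alice": make_user("alice", "correct horse", "123456")}
    return {
        "bad password, no code": login(users, "alice", "wrong"),
        "good password, no code": login(users, "alice", "correct horse"),
        "good password, bad code": login(users, "alice", "correct horse", "000000"),
        "bad password, good code": login(users, "alice", "wrong", "123456"),
        "good password, good code": login(users, "alice", "correct horse", "123456"),
    }


if __name__ == "__main__":
    for attempt, response in demo().items():
        print(f"{attempt:26} -> {response}")
```

The first two attempts in demo() produce byte-identical responses, which is the property scenario A lacks.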
nick__m wrote:
You would have to randomize the error when the wrong password is input and ensure that for a particular username the returned error is invariant. Else an attacker could infer that when you get a different error you have a correct password.

ezekg wrote:
The bad password error would only be sent if the second factor is valid, though.

BeefWellington wrote:
Note that this is not universal to all systems.

If your 2FA options all require the user to enter a code, you can simply display a "Please enter your 2FA code" dialog without divulging what kind of 2FA the user has.

dalmo3 wrote:
How would you prevent someone from spamming a user just by knowing their username? Say, if the 2FA is done by SMS, or email.

An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.

I wonder how systems that use magic links handle this.

ezekg wrote:
Your authentication system should have per-user and per-IP rate limits.

weaksauce wrote:
> You should verify a user's second factor before password.

the cost of sending those 2fa texts is not zero and also the idea of them is that they are ephemeral, so them being tied to the successful entering of username and password and limited in time is a feature... not a bug.

kevincox wrote:
This is technically superior for things like TOTP but falls apart if not all users use TOTP.

1. Users who aren't using 2FA have a confusing box to leave empty.

2. SMS, Email and similar OTP codes should only be sent after the password is verified.

3. U2F requires the site to share which devices are registered, which can only be done after the password is verified.

You may be able to make it work UX-wise if you separate username from auth information (as a lot of sites do to support SSO auth). But even then it isn't clear to me if you should be leaking information about their 2FA configuration (especially their U2F device list) without a password.

ezekg wrote:
Your login form doesn't need to display an empty second factor input. Your server can send back a specific error code on the first login attempt that can be used by the UI to prompt for the user's second factor, whatever that may be (or even give a choice, in the case of multiple second factor types).

For example, given this /login request to our server:

  POST /login
  Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=

Depending on the user's second factor, the server could send back a response like this:

  {
    "error": {
      "code": "TOTP_REQUIRED"
    }
  }

Then, depending on the error code, our UI could prompt for the second factor and we could send a new /login request:

  POST /login
  Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=

  { "totp": "123456" }

This flow can work for any type of second factor, not just TOTP. It also works for good and bad passwords, and doesn't leak any information (well, other than the fact the user exists, but that road introduces a lot of other UX issues.)

kevincox wrote:
Good point.

It does leak a little information. It leaks the type of 2FA the user has configured and a list of devices for U2F (since that needs to be provided to authenticate). But that is likely acceptable.

jabbany wrote:
This is not a huge deal in practice and can be a good honeypot/alarm system.

Most services today have fairly low "lockout" + "notify" thresholds on wrong passwords so brute force spraying passwords is already out of the question.

Now, if someone fails the password check, clearly the user's current password is still secure so leaking that the attempted password was wrong to an attacker is not particularly helpful to them. If, however, the password is correct, then the attacker gets hit with the 2FA surprise. Assuming the great suggestion in this post is implemented (it really should be), the attacker now is stuck -- abandoning the login or trying an incorrect 2FA could all trigger notifications to the user that their password was breached [re: the "Was this login you?" prompts implemented by major services after these situations]. Attackers would need to also solve the 2FA in some reasonable period to "disarm" such an alarm.

Real users who happen to fumble once or twice are also fine, since they won't be surprised about the login confirmation as it really was them.

KolmogorovComp wrote:
Same thing goes for email address when registering. Correct email => "already in use" is still frequent, although some websites (such as GitHub) have changed it to "incorrect or already in use email".

Aissen wrote:
While this is true in the absolute sense, it's one of those things where you have to think about non-technical users: something like this would just confuse them, unless you make it very clear in the message that either one of those are bad, and provide a clear path to recovery... Having a good UX/security UX is hard.

punnerud wrote:
About 10 years ago I e-mailed OxfordDictionary asking if they could change the webpage so you could start typing your search right away, and not have to click the search area first.

It made my day when they some days later had implemented it, and emailed me back with a message that they now had implemented it.

markdown wrote:
A few years ago I tweeted them to say that they had a word definition wrong. They changed it!

Rygian wrote:
I would consider that as a bug, not as a feature. If the login panel behaves differently on a correct password than on a wrong password, that's an information leak that must be fixed.

Authentication must be evaluated and rejected only when all factors are already provided, and the rejection error should not disclose which of the factors failed.

So, with a proper login panel, my 2FA being asked for does not mean that someone has my password.

Edit: this is, for example, the recommendation from PCI to separate "Multi-Step Authentication" from true "Multi-Factor Authentication": https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...

medevacs wrote:
I'm under the impression you misread the original blog post, which by the way does not really do a very good job in terms of explaining how this should be implemented.

IMHO, the idea is not to display the info about a wrong 2FA code on the login page but to use a separate channel to inform the account owner about this recent, failed login attempt. So, no info on the login page of the website (the adversary would still not know that they have a good password but wrong 2FA) but e.g. an email, a text message, a push notification, etc. with this info. I would certainly like to know that someone, somewhere is trying to log in to my account and that this adversary is in possession of my actual password.

xwx wrote:
If I've understood the linked post, the login panel doesn't have to behave or look different if someone gets the username and password right. You could still show everyone the 2FA input.

It's suggesting that if the username and password are right but 2FA isn't, the system should let the account owner know.

runlevel1 wrote:
Correct. The blog suggests letting them know out-of-band, like via email, not in the login flow.

Rygian wrote:
I read the linked post too quickly before sending my initial comment. Indeed, a back-channel notification to the legitimate account owner is probably a good idea.

On the other hand, disclosing to the attacker that they got the password right is not acceptable.
| jstanley wrote: | Unless you're an especially high-value target, I'd rather you | gave quicker feedback about whether or not I have remembered my | password correctly than you make it impossible to determine | whether or not a password is correct without also having to | input the 2FA token. | Semaphor wrote: | You make a good point, but does anyone do that? I've been using | a PW manager so long, I don't really enter incorrect passwords. | DangitBobby wrote: | I don't know of anyone who does 2FA this way. | rexfuzzle wrote: | This was posted above: https://www.isnic.is/en/site/login | First time I've seen it too | Rygian wrote: | My employer does it for products requiring PCI certification. | Our PCI auditor recommends it even though it's not a formal | requirement of PCI v3. | darkarmani wrote: | That sounds like a terrible trade-off that makes people | more likely to write down passwords on post-it notes or in | a clear-text file to cut-n-paste. Especially if you lock | accounts after a 10 tries or so (or PCI's ridiculous low | number of tries). | anamexis wrote: | I think the majority of places I use 2FA, the 2FA prompt is on | a screen after the password login. This is because the use of | 2FA is an account option, so not all accounts will have it | active. | jonas-w wrote: | I don't know about wrong 2fa codes but bitwarden notifies you if | you have an "unfinished" 2fa login. If you type username and | password correctly and then don't type in your totp token it will | notify you. | bilekas wrote: | We implemented something that avoids the original articles, 2FA | notification. | | After your password is approved before 2FA you get an email. So | even if someone is somehow using the right 2FA you are aware. | | Our thinking was the mosly likely outcome was someone would hit | 2FA, not have the code and so close the request without even | entering a bad code. | | Apart from that though, it is always nice to get recognition for | the stuff you put out there. 
I know I should do it more myself | too. | lupire wrote: | But email can be delayed for hours or days. | bilekas wrote: | That's pretty rare in our scenario, also it still would apply | to the original post? | kevincox wrote: | If you are going to send login notifications anyways this makes | sense. Since the user will either want to know about the login | or the failed 2FA. However if the user doesn't enable login | notifications I think it makes sense to give a short timeout to | wait and see if the authentication is successful. If the auth | is successful you can skip the alert. | Minor49er wrote: | I've noticed several services in the past that have blocked | someone at the 2FA step (either due to getting to that stage and | leaving or attempting and failing), then notified the account | owner that a login was attempted. I think we just don't hear | about it too often because not everyone who has compromised | credentials also has 2FA enabled on their accounts in most | publicized hacks | Ayesh wrote: | The Iceland NIC does this (https://www.isnic.is/en/site/login). | | Customer support burden when they lose the 2FA key is solved by | adding a hefty fee (around EUR100) to recover it. No webauthn | support yet though. | rexfuzzle wrote: | Interesting- I think that is the first time I've seen password | and 2FA code on the same page. Guess that means you may not | know if your password or 2FA code is incorrect depending on the | error page | soco wrote: | Or the login process should just go ahead and ask the 2FA | either way - and just fail you in the end without explaining | why. And then notify only behind the scenes via mail that the | password was correct but the 2fa wrong. That would be _the_ | way to handle it. I'd receive such notifications from time | to time - I mix up the 2FA accounts sometimes, other times | I'm slow typing and it expires - but I can live with that | little extra email.
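As an added example (not code from the thread, nor from Bitwarden, isnic.is or any other product mentioned in it), the flow bilekas, jonas-w and soco describe above, written out as a small Python service: the password is checked first, a correct password opens a pending login, and the account owner is alerted if the second factor is then entered wrongly twice or is never completed within a timeout, while the client always gets the same error text whichever factor was wrong. The TOTP check also accepts the previous and next 30-second step so a slow typist is not rejected, and remembers the last accepted step so an observed code cannot be replayed. The 120-second timeout, the two-wrong-codes threshold, the in-memory alert list standing in for e-mail or push, and all function and class names are assumptions.

```python
"""Password-then-TOTP login that alerts the account owner when the password was
accepted but the second factor was wrong or never completed. Added example, not
code from the thread or any product mentioned in it; timeouts, thresholds, names
and the in-memory alert list are assumptions."""
import hashlib, hmac, os, secrets, struct
from dataclasses import dataclass, field

STEP = 30              # TOTP time step in seconds (RFC 6238 default)
SKEW = 1               # also accept the previous and next step: slow typing, clock drift
PENDING_TIMEOUT = 120  # seconds allowed to finish the second factor (assumed)
ALERT_AFTER_WRONG = 2  # one wrong code is a typo; the second alerts (assumed)
GENERIC_ERROR = "Login failed"  # identical text for wrong password and wrong code
DUMMY_SALT = b"\x00" * 16       # hashed for unknown users so timing does not reveal them

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, at: float) -> str:
    """What an authenticator app shows at time `at`; used to drive the demo."""
    return hotp(secret, int(at) // STEP)

def match_totp(secret: bytes, code: str, at: float, last_counter: int):
    """Return the time step the code matches within +/-SKEW steps, else None.
    Steps at or below last_counter are rejected so an observed code cannot be replayed."""
    now_step = int(at) // STEP
    for step in range(now_step - SKEW, now_step + SKEW + 1):
        if step > last_counter and hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            return step
    return None

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Pending:
    started: float        # when the password was accepted
    wrong_codes: int = 0

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_counter: int = -1
    pending: dict = field(default_factory=dict)  # session token -> Pending

class AuthService:
    def __init__(self):
        self.accounts = {}  # username -> Account
        self.alerts = []    # (username, reason); stands in for e-mail or push

    def register(self, user: str, password: str) -> bytes:
        salt, secret = os.urandom(16), os.urandom(20)
        self.accounts[user] = Account(salt, hash_pw(password, salt), secret)
        return secret       # shown to the user once, e.g. as a QR code

    def begin_login(self, user: str, password: str, now: float):
        """Step 1: verify the password; on success open a pending login and return its token."""
        acct = self.accounts.get(user)
        digest = hash_pw(password, acct.salt if acct else DUMMY_SALT)
        if acct is None or not hmac.compare_digest(digest, acct.pw_hash):
            return None, GENERIC_ERROR
        token = secrets.token_urlsafe(16)
        acct.pending[token] = Pending(started=now)
        return token, None

    def finish_login(self, user: str, token: str, code: str, now: float):
        """Step 2: verify the TOTP code; alert the owner on the ALERT_AFTER_WRONG-th wrong code."""
        acct = self.accounts.get(user)
        pend = acct.pending.get(token) if acct else None
        if pend is None or now - pend.started > PENDING_TIMEOUT:
            return False, GENERIC_ERROR
        step = match_totp(acct.totp_secret, code, now, acct.last_counter)
        if step is None:
            pend.wrong_codes += 1
            if pend.wrong_codes == ALERT_AFTER_WRONG:
                self.alerts.append((user, "correct password but wrong second factor"))
            return False, GENERIC_ERROR
        acct.last_counter = step
        del acct.pending[token]
        return True, None

    def sweep(self, now: float) -> int:
        """Run periodically: alert for logins that passed the password step but never finished 2FA."""
        expired = 0
        for user, acct in self.accounts.items():
            for token, pend in list(acct.pending.items()):
                if now - pend.started > PENDING_TIMEOUT:
                    del acct.pending[token]
                    self.alerts.append((user, "correct password but second factor never completed"))
                    expired += 1
        return expired
```

The split into `begin_login`, `finish_login` and a periodic `sweep` is what makes the "never completed" case detectable at all: a single form that takes password and code together (the isnic.is style) cannot tell an abandoned attempt from a wrong password. The replay check matters once you widen the window, since a code shoulder-surfed a minute ago is otherwise still valid.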
| Ayesh wrote: | All my TOTP prompts (on websites I run) account for such | delays and clock skews by checking against the previous and | next TOTP. So even if the user is a little bit late to | enter the OTP, I can still validate it and complete | authentication. | throwaway2037 wrote: | This is standard practice with big corporate RSA remote | login. | darkhorn wrote: | Gmail has those features for some years. | rexfuzzle wrote: | Not AFAIK- they email you when a new device logs in, or a new | location, but I've never seen one from a wrong 2FA code | spiffytech wrote: | Years back, every web browser's built-in password manager locked | up the page when submitting a login form, waiting for the user to | answer "do you want to save this password?" before proceeding. | | I thought that was silly: how do I know if I want to save the | password before I've seen whether it's correct? Which I can't see | until the form is submitted. | | At the time I was using Opera, so I wrote in to their customer | support suggesting that the prompt appear after the new page | loaded. I never heard back, but a couple months later their next | major release implemented exactly that behavior. A few months | after that, every other browser followed suit. | | I can't have been the only one bothered by the existing behavior, | but given how long browsers had worked that way before I wrote | in, I like to tell myself that the timing wasn't a coincidence, | and that my little suggestion rippled out into a change that made | a small thing better for the whole world :) | tamiral wrote: | you are literally one of my new fav people ! | jbverschoor wrote: | I submit suggestions, features, bugs, detailed reports, new use | cases etc. I'm more than happy to write detailed submissions, | or do some traces when there's a bug. 
| | But if I notice there's no feedback or implementation within a | reasonable period of time, I will stop doing that ever again | for that company (large, small, doesn't matter). | | I refuse to waste my energy on that kind of process. | ck2 wrote: | Every few years I get an automated email from Wordpress where | someone finally fixed a bug I submitted over a decade ago, lol | em-bee wrote: | i still see this behavior in firefox. the save password popup | disappears by the time the page is loaded. and it baffles me | every time how that is supposed to be useful. | kevincox wrote: | I find that it _usually_ sticks around long enough. But I | agree that it should stay open at least until I interact with | something else. | | On the bright side it just collapses into a "key" icon in the | URL bar that you can click to open it back up and save the | password. | nl wrote: | > On the bright side it just collapses into a "key" icon in | the URL bar that you can click to open it back up and save | the password. | | I've been using Firefox as my main browser since 2010 and I | never realized this. | [deleted] | teekert wrote: | It's like that Teams pop up that informs you that a colleague | started a meeting, the one that always disappears after you | finish typing your sentence and start to move your mouse | towards it. | pacoverdi wrote: | you can click it right away, finish your sentence, then | click again to join the meeting once you're done :] | justsomehnguy wrote: | The most amusing (for me) behaviour is that either I need to | press Cancel every time (my preferred behaviour, honestly, I | don't save passwords) or never see the dialog again (I'm | totally okay with saving the pass for some LAN devices which | would be never accessible from the net ever - but I can't) | iforgotpassword wrote: | The stupid thing is that it already is async and not locking | up like it was in the very old days op refers to.
They were | just so clever as to add a timeout after which that dialog | closes, regardless of whether the page actually finished | loading. So on a slower page you end up with the popup | disappearing while the page is still (mostly) blank and you | don't know yet whether the credentials were correct. | | I think just clicking in a blank spot (or the text fields) in | that dialog stops the timeout, but it's one of these things | I'm not actually sure about and it's almost like a cargo cult | kind of ritual... | thallavajhula wrote: | Opera was the most innovative web browser ever. They brought so | many new things to the world of web browsing. Tabbed-browsing, | mouse gestures, colored tabs, browser themes, in-built security | integration with anti-virus software, an extensible browser - | so many wonderful innovative features. It was paid software | initially, but then they made it free for everyone. I used to | use it as my default browser, maybe 13-15 years ago. | abfan1127 wrote: | It's my default browser now. It's still great! | capableweb wrote: | Well, I used to love Opera as well, it was my first | "serious" browser as I became a netizen. But now I wouldn't | even dare to try it as it's owned by a consortium of | Chinese investors, rather than a Norwegian company. | bityard wrote: | Vivaldi is pretty good and though it's based on chromium, | is the new opera in spirit. | IndrekR wrote: | No coincidence. Vivaldi is co-founded by ex-CEO and | co-founder of Opera. | | I quit using Opera after he did not keep his promise to | swim across the Atlantic in 2005: | https://www.zdnet.com/article/opera-boss-starts-atlantic- | swi... | r00fus wrote: | Are you sure tabbed browsing was Opera? I mean, Mozilla | browser (predating Firefox) had it in 1998. | rch wrote: | Opera also had tab groups, MRU tab switching, and saved | sessions. Those exist in some form or fashion now, but the | implementations are not as smooth.
| vikingerik wrote: | Mozilla had multiple documents first, by just following | Windows' MDI standard. | | Then Netscape and IE got into a war for mindshare, and part | of that was to ignore MDI and splash their browser windows | all over the taskbar instead, to be more visible and grab | more user attention. | | Tabbed browsing was never a new invention, it was just a | re-implementation of what we already had by way of MDI. | ricardobeat wrote: | Wikipedia lists Opera v4 having tabs in 2000, while they | were added to Mozilla 0.9.5 in 2001: | https://en.m.wikipedia.org/wiki/Tab_(interface) | [deleted] | nidnogg wrote: | IIRC it was InternetWorks by BookLink Technologies | | According to: https://www.makeuseof.com/tag/which-browser- | invented-tabs-3-... | renke1 wrote: | Spatial navigation is a feature I really do miss. I don't | think any other browser supports this. It made keyboard-based | browsing possible without resorting to stuff like hit-a-hint. | You could just hit Shift+Arrow Key (which I mapped to the | home row) and select the nearest link (or anything | interactive) in that direction. I think it worked in a visual | fashion so order in the DOM didn't matter at all. It behaves | exactly like one would expect. | oliwary wrote: | Something I really miss from Opera is that the content of | every page you visited was saved and stored for search! This | helped me so often to find pages that I had visited, and | remembered a few words from, but didn't bookmark or save | otherwise. No idea why browsers today did not copy this | feature. | OinkEsFabuloso wrote: | Oh, that's so cool! :-) Could you please write to Whatsapp or | Telegram and ask them not to delete the EXIF information from | shared images on their platform? I understand that they | compress images so they don't take too long to transmit and | load, but I think there's a big group of their users | (especially for Whatsapp) that use their platform to share | family pictures.
For this purpose, having the EXIF date (if | it's available) could be very handy, since the picture could be | properly timestamped and archived without having to ask again | to the original poster for the specific files. | nkozyra wrote: | As a general privacy rule I like stripping this by default. | Couldn't you just zip up some images to retain this? | RHSeeger wrote: | I think the EXIF data is removed because, for the vast | majority of people that don't think to remove it, it's a | safety risk. Posting a picture of your house? Your kid | arriving at their first day of school? Some other location | you'd rather a bad person not have info on? Most people don't | think to remove that data before posting (and sometimes post | directly from their phone camera?)... removing that data | removes a lot of risk for them. Leaving it in is only | considered a small benefit to a smaller subset of people | (comparatively) | akadruid1 wrote: | In a similar vein, I wrote to Microsoft suggesting their | "Authenticator" TOTP app for Android would benefit from a | search feature. I can't have been the only one, but it did make | me happy when they actually implemented it a few months later | teekert wrote: | I also suggested it but their iOS app still does not have it. | Really annoying with >20 totp tokens. | levymetal wrote: | And now we've come full-circle as 1Password 8 requires you to | save your password prior to submitting the form instead of | offering to save it after submission. Which is a huge | regression as it results in this exact issue all over again. | | https://support.1password.com/save-fill-passwords/ | WalterBright wrote: | If only Roku and Android TV boxes had a way to display pdf's on | the TV! | | Hint hint hint!!! | | After all, they can display movies, pictures, and music. PDFs, | please! I'd even pay for it. | bitwize wrote: | I discovered a bug in Java 1.0.1's GridBagLayout and posted | about it to USENET. It was fixed in JDK 1.0.3. 
| | I also emailed the GIMP maintainers about a bug in their select | color region tool in GIMP 0.99.x that made it ignore 1-pixel- | wide barriers. By 1.0 it was fixed. | | I was chuffed when it happened, but the internet was a smaller, | chummier place back then, so we expected that kind of response | more than we do today, I think. | fimdomeio wrote: | I found a bug in firefox where the two letters of the weekdays | appeared as 3 letters for portuguese (pt-PT). Eventually found | that it was an error in the unicode standard, so submitted the | proposal for change. Probably there are dozens of people involved | in this... but seeing it being changed brought me great joy. | | I was a tiny part in changing a tiny mostly irrelevant detail | that was causing a slight inconvenience to millions of people | daily. Improving humanity one bit at a time... | pc86 wrote: | This is great! Imagine how many people had no idea how to get | something like that fixed yet noticed the bug. | jackpirate wrote: | Do you happen to have a link to the proposal I can see and | share with a class? I'm teaching a few lectures about some | "weird" stuff this semester, and this would be a great | example. | layer8 wrote: | This still sometimes happens on iOS Safari. I don't know what | is different about the pages where it happens, but it's | annoying. | malshe wrote: | Even MacOS Safari does this. I don't know whether the latest | update fixed it though. | mooreds wrote: | Such a great idea! I filed a feature request on our GH issues | list to implement this: https://github.com/FusionAuth/fusionauth- | issues/issues/1888 | EGreg wrote: | I agree but there is an even more serious security feature almost | all 2FA misses: | | Telling the user what action they are authorizing by reading back | the numbers. | | That "bank rep" on the phone? They are probably trying to log | into your account, or withdraw cash, not verify that you are the | right person to send the refund back to.
| | It would save a lot of problems. | | Also you should be getting an alert on all your devices whenever | transactions over X amount per Y time occur, and you should have | an opportunity to reverse them for 24 hours (even for debit | cards). Also you should be able to make windows during which time | it would be longer than 24 hours, such as a Jewish holiday or | when out of range. This wouldn't apply to recurring transactions. | PeterisP wrote: | Yes, that's a cool feature - the Smart-ID app used by many | banks in Baltic countries as a second factor does that, it | states e.g. the payment and amount you're authorizing before | you do so. | coenhyde wrote: | When Apple released the very first iPod, I wrote to Steve Jobs to | tell him that I would buy it if it was a phone too, as I don't | want to carry two devices. I doubt I was the only one who had | this thought, but I like to think I influenced the development of | the iPhone. I never received a response from Steve. | teekert wrote: | Ah but you didn't add that you wanted it to be an internet | communicator as well! | | Only would you have been able to claim some credits ;) | Taylor_OD wrote: | I haven't done this in many years but for a while I was making | creative content that was published online. Once in a while | someone would contact me saying they liked what I did. I started | doing the same. If I read an article I liked a lot I would | contact the person and tell them I liked it and why. About half | the time they responded with Thanks. | | I didn't do this with NYT writers or anything. Just people who | clearly don't get paid/paid much to make this content but I found | it useful/interesting/helpful. I think that stuff goes a long way | and it really doesn't take that long to do. | | I've got a tech podcast now and about once every month or two | someone contacts me to say they liked it or something nice. It's | a huge reason why I keep doing it.
I know that sounds silly but | the internet can be such a black hole. A little feedback goes a | long way. | miqueturner wrote: | This was a good comment. Keep it up! | avg_dev wrote: | I tend to see a lot more negativity than positivity as the | default response so I like this thread. | whatsdoom wrote: | I have a little blog that occasionally gets hits when the SEO | winds blow my way and twice people have reached out thanking me | for a post. It's made my whole month! And encourages me to keep | posting stuff. So I really appreciate that you do that, I | should make an effort to do the same. | | I write the blog as more of documentation for myself than | something to share, but knowing that I've helped someone else | is icing on the cake. | Lendal wrote: | As 2FA adoption spreads, the possibility increases that someone | could be using 2FA but not know the rule about not reusing a | password. This feature improves the spread of that gospel. It | seizes the opportunity to impress an abstract concept to the | technically-challenged in a way that is no longer abstract. I | like it. | egberts1 wrote: | I once wrote something obscure. | | About communication piggybacked over TCP/IP without changing any | one bit of packet data. | | https://egbert.net/blog/articles/pulse-width-covert-channel.... | | Some 20 years later, a guy posted on GitHub. | | https://vimist.github.io/2019/01/30/Steganographic-Packets.h... | | And made my day. ___________________________________________________________________ (page generated 2022-09-20 23:00 UTC)
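EGreg's point above, that the second factor should tell the user what they are authorizing, as an added example (not code from the thread, nor from Smart-ID or any bank): the code is computed over a canonical encoding of the exact action plus a time step, and the server verifies it against the action it is actually about to execute, so a code read out over the phone for a supposed refund cannot approve a withdrawal, and the authenticator can print the action next to the code. The action fields, the 8-digit code, the 60-second step and the HMAC-SHA256 construction are assumptions; a standardized form of the same idea is OCRA (RFC 6287).

```python
"""Action-bound one-time codes: the code the user reads back is computed over the
exact action being authorized, so a code obtained for one action cannot approve
another. Added example, not code from the thread or from any bank or app named in
it; the action format, code length, step size and HMAC-SHA256 construction are assumptions."""
import hashlib, hmac, json

STEP = 60     # seconds a code stays valid (assumed)
SKEW = 1      # accept the previous and next step as well
DIGITS = 8

def canonical(action: dict) -> bytes:
    """Deterministic byte encoding so app and server hash exactly the same thing.
    Amounts are kept as strings: '5000.00' must not become 5000 or 5e3 on one side."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()

def describe(action: dict) -> str:
    """Text the authenticator shows next to the code, so the user sees what they approve."""
    if action["type"] == "login":
        return f"Log in from {action['device']}"
    return f"{action['type'].capitalize()} {action['amount']} {action['currency']} to {action['to']}"

def action_code(secret: bytes, action: dict, at: float) -> str:
    """Code for this action at this time: HMAC-SHA256(secret, canonical(action) || step)."""
    msg = canonical(action) + b"|" + str(int(at) // STEP).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** DIGITS:0{DIGITS}d}"

def prompt(secret: bytes, action: dict, at: float) -> str:
    """What the user's authenticator displays: the action, then the code for that action."""
    return f"{describe(action)}\nCode: {action_code(secret, action, at)}"

def authorize(secret: bytes, action: dict, code: str, at: float) -> bool:
    """Server side: recompute for the action it is about to execute, tolerating +/-SKEW steps.
    A code the user was tricked into reading out for a different action never matches."""
    step = int(at) // STEP
    for s in range(step - SKEW, step + SKEW + 1):
        expected = action_code(secret, action, s * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False

if __name__ == "__main__":
    # Constructed demo: the caller claims to be verifying a refund, the server
    # is asked to approve a withdrawal; the displayed prompt gives the game away.
    key = b"\x01" * 32
    withdraw = {"type": "withdrawal", "amount": "5000.00", "currency": "EUR", "to": "ACCT-9999"}
    print(prompt(key, withdraw, 1_700_000_000))
```

Note that binding only works if the authenticator renders the action from the same canonical bytes the server signs; a push notification that says "Approve?" with no details, or a code that is the same for every action in the window, gives the phone caller exactly what they asked for.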