Multi-factor Authentication

Is anyone other than PG aggravated by websites that require multi-factor authentication these days?

PG’s least favorite is Google, which makes PG enter his ID and Password, then insists that he pick up his cell phone, load Gmail and tap another button, except when Google requires that PG tap another button, then choose one of three numbers that he has to use his cell phone yet again.

Google offers a checkbox that is supposed to allow PG to opt out of the extra authentication process, but, although PG has checked that box many times, he’s still not opted out.

Then, of course, there are the times when PG wants to quickly check something, but has left his phone in another room on another floor of Casa PG.

PG has used long random passwords for years and none of his accounts has ever been successfully hacked via guessing his password.

FYI, he’s not a fan of various authenticator applets either. They never seem to work right the first time.

PG moved into adulthood centuries ago and has been actively using computers for longer than many Google programmers have been alive, so he demands the right to opt-out of these sorts of “improvements” in his user experience.

13 thoughts on “Multi-factor Authentication”

  1. Count at least one other, PG. The few times that I have been forced to use it, my family knows to stay away from me for the entire day.

    I normally have my phone set to reject anything from anyone that is not on my very short contacts list – so I have to turn that off, which means scrolling through multiple spam texts, while spam calls keep interrupting the process.

    (Yes, I could pay a lot more for my phone provider to “white list” legitimate numbers like my bank, utilities, etc. But I now pay just under $55 for an entire year – a deal that I’m not about to surrender for a very lightly used service.)

  2. I hate it, if we weren’t sufficiently glued to our phones already, now everything you do needs your phone in your hand, and if your phone disappears (lost/robbed/whatever) it is a big hassle to get another one ASAP, because you are blocked from everything.
    Last aggravation just a few days ago, my boyfriend and I were out for a walk near home, he took his wallet, but left the phone at home. As we were passing near his bank office, he decided to go to the ATM and take some cash for the week (yes, we still use cash on local business), but the ATM asked for a code sent to his phone to retrieve his money, so he had to return afterwards. The card and the pin code aren’t enough now, even for small cash in usual locations.

  3. What is actually being “authenticated” by these systems is a profiling mechanism for targeting ads. And more-nefarious purposes. In this era of spoofing-a-phone-number and hijacking-a-connection-temporarily requiring a 0.00001 BTC investment on the dark web — thanks in large part to phone service providers’ agreement to adopt a marginally cheaper internal-authentication standard decades ago that’s so bad they don’t even use it themselves for internal authentication — relying on telephonic communications for any aspect of “security” isn’t smart enough to be dumb.

    Of course, there are easy ways to evade that phone-linking requirement, but they involved not remaining logged in to anything not in active use at that moment… so no antisocial media, no news tickers running in the background, no open administrator accounts on one’s website. Manually log in and log out (using a password manager and appropriate passwords), constantly clear your history and DNS cache, etc. And when Google demands that phone interface, close the browser, clear all the caches, and restart. That such simple means can defeat the authentication system is a GBFH that it’s not authenticating for “security”…

  4. I use a password manager which handles this nicely (for all my use-cases anyways). When I use it to fill in the name/password, it also copies the one-time-password to the clipboard, then I click submit, paste the one-time password, and away I go.

    Granted password manager have their own problems, but in my experience they benefits far outweigh the drawbacks.

    (Aside: I was a my bank trying to solve an account problem the other day and they wanted me to login. They were surprised I didn’t know my password (and I don’t have a phone). I just let the password manager generate 32 character random passwords, so I actually don’t know any of them.)

    • I’m a belt-and-suspenders kind of gal.

      I do indeed rely on a password manager (Lastpass), but I also keep a password-protected document which has all current passwords, as well as some site-specific tips/info where helpful. I’ve used that all my (computerized) life, so it’s now about 47 pages long and goes back decades. That has its uses, too, when all else fails.

      Phone authentication is both worthless and inconvenient. Until I can carry a cellphone in a pocket, I hate the tether, and I hate “security as performance art”.

  5. PG is likely set up to delete the website cookies google uses to track which browser instances have successfully passed the multi-factor authentication challenge. Either from the configuration of his browser, or from some extra privacy enhancing software he’s running on his PC.

    • I hadn’t thought about my “erase all cookies” setting, but I’m not sure that would free me from the various multi-factor schemes I seem to be stuck with.

      • it would reduce the number of times it triggers. There are also other MFA options besides the default phone app one. Google supports FIDO/yubikeys among others, but you will have to go digging to set it up.

  6. I like it – but then I spend most of every day at my computer. If I’m out of the apartment building, the phone is with me, because I probably have to call the MedVan to come pick me up.

    When the text comes to my phone, it also comes to my computer – so it’s a simple copy/paste.

    Anything that makes the scammers pick someone else is fine with me. I’m wondering if there’s a Mac/PC division here; my iPhone has made a lot of things easy, including, I’m sorry to admit, playing with the wifi thermostat in the middle of the night without having to turn the lights on.

  7. I hate multi-factor authentication. It’s bad enough to need to use it to get into the bank’s website, but there’s not a blog or website otherwise that’s worth the hassle.

    Of course, I don’t have a cell phone, much less a smart phone. Sending me a text won’t work. It has to be an email.

  8. Line everything else, there is a range of MFA implementations.

    My favorite is the Yubi-key (FIDO) standard where you have a low-profile USB device plugged in to your computer and when a website needs authentication, it blinks the key and you touch it to confirm that you are who you claim to be. (on mobile devices, it can use NFC but lives on your key ring, far less convienient)

    The problem with software MFA solutions is that they are vulnerable to the device you run that software on being compromised (just like your passwords are), and anything where compromising one device can result if loosing both factors can’t really be considered ‘multi-factor’

    That being said, passwords are too easy to compromise, and the truth is that pretty much nobody avoids re-using passwords and as a result there is a need to make it a bit harder for attackers than passwords do.

    It doesn’t matter how complex your password is, it’s still not that hard to brute-force it (the multi-word approach makes for good marketing text as a “long password that’s easy to remember” until you have an attacker who treats the words as the individual tokens instead of individual letters.

    computer security for banking is my day job.

    • All true. I used to be indifferent to password reuse/semi-reuse, but once I started using a password manager I took advantage of the long-random possibilities. (Not enough to proactively change existing passwords (way too many of them, and many are dead), but every time there’s an organic option…)

Comments are closed.