Another great web page design: arngren.net (the text is in Norwegian, but you don't need to understand it to enjoy the design).
For being exact: It isn't a web page design. They had exactly the same design in the mail order days, 30+ years ago, when they distributed printed catalogs to every mailbox in the country every two weeks. Also known from the mail order days: Note that practically all prices end in ...99 or ..998.
Maybe that extreme-ugly design is part of the marketing strategy. The web page comes up in every ranking of ugly-looking pages, and everyone (in Norway) wants to see it ... and then they see some product that they will buy. It works, after 30+ years with the same design.
Any recommendations/experiences for/with services that, for example, send your phone a code (SMS), or phone apps where all you have to do is approve/decline?
Yes, this is for my new job, which I'm loving! No need to send codez, just your wisdom for what services rock and what services suck.
They all suck cause I hate having to find my phone to get a code or send a push notification.
Previous job used Duo and current one using Microsoft Authenticator.
"I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible." - Mr.Prakash One Fine Saturday. 24/04/2004
+1 for MS authenticator. There's also Google authenticator. These applications are kinda hard to "recommend" though, because you just open it and it rocks up with a set of random digits for authentication. They both do the job.
When I log in and type my password correctly, it's because I want to get in and get started. I've started boycotting any services that do anything more than that, except for my surface that uses facial recognition effortlessly as the second bit.
To me, if you say you need to make sure it's me after getting my user name and password, that's equivalent to saying, move on, we don't want you in here!
CQ de W5ALT
Walt Fair, Jr., P. E. Comport Computing Specializing in Technical Engineering Software
The company I work for, ImageWare Systems, has a product: GoVerifyID
"I intend to live forever - so far, so good." Steven Wright
"I almost had a psychic girlfriend but she left me before we met." Also Steven Wright
"I'm addicted to placebos. I could quit, but it wouldn't matter." Steven Wright yet again.
I've tried the various methods, and I would strongly recommend TOTP over SMS or push notifications. I tend to use "Google Authenticator", but you can actually use any app that supports the standard, which in my case on Android is the open source FreeOTP made by Red Hat.
In the case where you can't bring your phone to work, Google has had great success with Yubikeys.
Just make sure you're not looking at MFA in a vacuum. If you don't also implement MDM policies to enforce security on your mobile devices, you're missing the point. Any MFA solution is worthless if anyone can just pick up the mobile device and get at the code.
I'm partial to Microsoft's first-party MFA solution (based in Azure) because I work for them and help companies implement it, but no matter who you go with, make sure mobile/endpoint security is given equal attention. Security is a puzzle and no single piece is a panacea.
The morons at my bank will text or call - but not use email.
If I'm planning on banking online they know I'm near an email capable device. I may not be anywhere near a phone. The US Treasury Direct site, which is amazingly fussy to maintain security, will email the one-time code. Same for a number of online banks - major financial institutions. I'm already voting with my wallet - moving my accounts to where they'll cooperate.
Another thing - authenticating BACK to me would be nice - a great way to avoid phishing attempts.
My particular version - for extra security - requires a custom .exe to be run, which identifies unique machine information, encrypts it (with an ever-changing key) and sends it for confirmation in the machine registry. If you don't go through the .exe you cannot access the 'working' parts of the website. Rephrased, for all practical purposes, without the local launcher on a registered machine you don't even get to the same website.
Nothing is 100% hack-proof, but a local item to authenticate registered machines makes it damn tough. Meanwhile, it's a single-click (once registered) - and the browser opens for user login. No burden on the user.
Just use the good old send some random words (or numbers) to the user's email account.
If that is not secure enough, then make sure the user applies with 2 email accounts, so that your service can send two sets of different random words (or numbers) to the user's two email accounts. Which may be as safe as a "2 factor authentication service". No fumbling with phone SMS / swipe here / swipe there, etc, etc.
And if that is not secure enough, then make sure the user applies with 3 emai ... ... ... ...