Something similar but with bigger collateral damage: The Insider News
M.D.V.
If something has a solution... why do we have to worry about it? If it has no solution... what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
MS Auth has a URL you can visit to reset your password. Security questions or some other method, but probably won’t work if you forgot to set it up.
If I recall, and it is the same, it has a favorite color secret question to which the answer must be at least 5 letters. "oh you mean my favorite if my first two are eliminated by a restriction I have no idea even exists at the point you are asking me to answer a challenge?" Oh yeah? Green then.
englebart wrote: MS Auth has a URL you can visit to reset your password
So you expect the HR person to know that? Keep in mind there is no way for IT (help) to know there is a problem so they won't be telling them about that.
But to be fair, as a developer I am unlikely to even think of that possibility myself. I would expect that my company's IT is responsible for that, so I would not even look. I do know for a fact that, at least the way my company AWS account is set up, if my password expires then company help (IT) must reset it. No way for me to do it. So no reason for me not to expect the same.
Company had to ditch such authentication for two reasons...
Not everyone has a smartphone to use that great app to authenticate
Some refused to use their personal phones
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." ― Albert Einstein
I feel your pain, not a fan of all the "work" involved.
However...
Setting up 2FA is the way to go to avoid having your account compromised.
The Hello 6-digit pin probably only works on your machine, while your password roams across devices.
The way Slack handles it requires a hacker to have access to your Slack and email account, which is another barrier.
2FA can usually be set up in a way that remembers your location or device, so you don't have to authenticate every minute.
Like it or not, about 99% of hacks could've been avoided by 2FA.
Not because it's impossible to get past 2FA, but because it's a lot harder, so hackers tend to simply move on to someone who doesn't have 2FA.
It's also possible to add extra security to your email account if it comes to that. I dislike the interruption that 2FA requires, but it's probably a good thing, forcing me out of auto-think into actually looking at what I'm doing at a time when my attention should be on the task at hand (logging in securely) instead of my original task (the reason for logging in).
Security is increasingly important in this world of cyber criminals, so I just cuss quietly and get the thing done. I do think companies should choose tools that do not require their employees to use their personal phones, but that is going to take push-back from the employees, so it's on them. I think I'll start to do that for the two apps we use that require me to use my phone (one is even owned by my company, so that ought to be easier).
And how many people have their email on their phone already logged in (Gmail)? If you have somebody's phone, you have all of their security.
Hogan
So make sure you have your phone locked well.
I'm pretty sure most hacks aren't done by stealing someone's phone though.
A brute force attack or unencrypted database leak is far more common.
Especially in that last scenario 2FA is your only protection.
You can whine and make excuses all you want, but 2FA is simply a security best practice that may save your life one day
I have never set up my phone to handle my emails, just because of that. I have no problem waiting until I get to my home computer to check emails.
We have the same crap.
I have to change my Windows password every 3 months.
This also means that most of my applications require a new 2FA login.
So by the end of the day, I have about 20 messages on my personal phone. (I'm not 'important enough' to get a work phone)
And for elevated stuff we have a YubiKey, and for Google crap we have another electronic key.
Where are the days when I could turn on my computer and just start working?
I'm dreading the day that it requires a vial of blood to log in.
JohaViss61 wrote: I'm not 'important enough' to get a work phone
I had that problem too. Except that whilst people with work phones could have them on their desks, those of us without work phones were not allowed to have personal mobile phones in the office. So, for 2FA, one had to leave the office, go to the lockers to get your personal phone, write down the 2FA code, get back to the office and hope that the activation code had not expired before you could use it.
Old-fashioned passwords for old-fashioned hackers.
MFA/2FA is essential these days, whether you like it or not. I, personally, like it. It's way better than just a plain old password. Passwords get bought and sold every day on the dark web, etc.
Our software shop is in the process of converting all of our existing legacy web apps to use MFA.
We already have 2FA at work for all work-related accounts. It's not a hassle at all.
2FA is a hassle, but a necessary one.
Amen. I worked in a classified government vault so (A) we can't bring cell phones into our office and (B) personal email websites are usually unavailable. So getting 2FA codes is quite challenging...
Without giving away any secrets (if you can), how did you 2FA in that situation?
Hogan
In many top-secret locations where personal digital devices are not allowed, they "usually" provide an RSA SecurID dongle or something similar, and that is stored at the government site and does not leave there, usually.
That is how it was done back in the day; not sure how it is done now, but I would be surprised if it is much different.
We still use our personal devices, but have to run out to our car, storage locker, etc, where our phones are and write down the code, then bring it back into the secure location. It sucks.
One employer demanded I use my personal phone for Visual Studio 2FA authentication because his wasn't recognized by Microsoft as a valid number. I refused, he yelled at me, I refused again. He went to the next underling who was too scared to refuse and used her phone.
I now have another employer, a huge company that has initiated 2FA, expecting me to install Microsoft's MFA app on my phone. (And yes, they demand you have an Android phone or an iPhone.) Rather than use my cell phone I installed Android Studio, created a virtual phone, and used it to help me figure out how to write my own. I now have a tiny program that puts the 6-digit code onto the clipboard (with a beep so I'm sure it ran) whenever I click its Quick Launch icon. Works great.
It seems to me that an institution's database of users' secret keys (or their generator algorithm) is just another target for hackers. I have a hard time appreciating how this really increases security.
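The "tiny program" in the post above is, in all likelihood, an implementation of the standard one-time-password algorithms (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238), which is also what makes the earlier "write the code down and hope it hasn't expired" problem a question of the server's acceptance window. The following is an added example, not the poster's program and not Microsoft's app: a generator that produces the same 6-digit codes an authenticator app shows, plus the server-side check. It assumes the common profile (HMAC-SHA1, 30-second step, 6 digits) and a Base32 secret of the kind shown in enrollment QR codes; whether a given employer's enrollment uses exactly that profile is an assumption. The sample secret is the RFC 4226 test key, so the expected codes are the RFC's published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): generate codes the way an authenticator
app does, and verify them the way a server does, with a small acceptance window
and replay protection.

Added example for this thread, not code from any poster or vendor.
Assumed profile: HMAC-SHA1, 30 s time step, 6 digits, Base32-encoded secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"),
# used here as constructed sample input so the outputs match the RFC vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the
    app on the phone (or a desktop program fed the same secret) computes."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Enrollment strings are Base32, often lowercase, spaced, and unpadded."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, at: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server side. Accepts the code for the current step and `window` steps on
    either side (clock skew, and the time it takes to carry a written-down code
    back to a desk). Returns the accepted counter so the caller can persist it;
    any counter <= last_used_counter is refused, which stops replay of a code
    already used inside the window. Comparison is constant-time."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(secret, code, now))
```

Note the design point behind the "just another target" worry in the post: HOTP/TOTP are symmetric, so `verify_totp` needs the same secret the phone holds, and the server's secret store must be protected accordingly (encrypted at rest, not in the same table as password hashes an attacker would dump). Hardware keys such as the YubiKey mentioned earlier use FIDO/U2F, where the server stores only a public key, which is the usual answer to that objection.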
Abraham Lempel - Wikipedia
Inventor (with Jacob Ziv) of the LZ77 and LZ78 compression algorithms.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
Real pioneers of computer science.
We studied the LZ77 paper in grad school.
"A little time, a little trouble, your better day"
Badfinger
They provided the breakthrough in (lossless) data compression which greatly improved network traffic. This was one of the lessons we learned in grad school. Our professor was keenly interested in this area of research. Really smart man. He had three PhDs: math, computer science, and electrical engineering. I was fortunate to have him as a mentor.
"A little time, a little trouble, your better day"
Badfinger
Green * is a scam. It's just a way to move funds and sell trends, just like vegan products and homeopathy / crystal therapy / you name it.
Don't get me wrong, moving away from fossil fuels and getting sustainable energy is necessary in this power-hungry society (though I still have to understand why a US house needs more than 3 times the power available to an Italian house, considering we use the same appliances). But the trend of green everything sold on partial data and preconception, that is a scam, full stop.
GCS/GE d--(d) s-/+ a C+++ U+++ P-- L+@ E-- W+++ N+ o+ K- w+++ O? M-- V? PS+ PE Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Yeah - my electricity supplier swears blind that all my power comes from renewable, green sources.
Doesn't stop the price doubling every time the gas market burps though ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!