I'm a veteran developer, but really more of a "normal" than the type of developer who is commenting on this story. I admit I find this stuff really, really, really confusing. I hate dealing with any of this stuff, I don't do it voluntarily for the same reasons I don't (for example) use pretty good privacy for email (I just use web gmail like a regular person).
Anyway, I do (involuntarily) use 2FA for two services, and managed to set myself up with Google Authenticator on my Android phone. Both services that onboarded me for this explained it really poorly, but at least got me hooked up and I now routinely (and reluctantly) login to those services this way. Reading this I suddenly realised, whoaaa, if I lose my phone do I lose access to those (important) services? Well no, I hope not at least, when I look at the Authenticator app it has the green "your codes are being saved to your google account" cloud icon. That's kind of reassuring. I suppose.
I'm not really sure what my point is, other than online security is an ever more important issue, it's a swamp and even many technical people who might know everything there is to know about some arcane corner of the technology universe don't necessarily properly understand it. Although I suspect most would not be prepared to admit it like I just did. Actual normal people (like my wife for example) have absolutely no chance of getting on top of the details and navigating their way to a best practice solution. I hope Google (or Apple) don't either give up on this or go full evil, that would be really bad.
I think I will check out whether my two services can give me recovery codes. I am confident I can manage vital username/password combinations and recovery codes, that's the level of sophistication (or not) I'm comfortable with in this space.
For my personal threat model, most 2FA flows decrease my security. Historically, the loss of my phone is a more likely event than a compromise of my credentials, and the damage to me and the businesses holding my accounts from loss of my credentials is much less than the denial of service from loss of access. This flips with some access from my employer and my bank, but I don't associate any of my personal devices with my employer's account in any way.
It is a shame how the industry seems to think that security is some single dimension along which things are more or less secure. Denial of service for personal accounts is often times more damning and common than account compromise. 2FA makes me less secure in some cases.
I absolutely get your point but I think at least some of that is on you, or on those services. There are supposed to be safeguards that remove (or at least mitigate) the risk of denial of service caused by loss of the secondary device. One-time-use codes or some other method for emergency access are common ones I can think of.
True, but you are missing the point. A system is secure that acts in its user's best interests. In the case above, 2FA is not in the user's best interest, as defined by the user.
The current state of technology seems frightening indeed. This 2FA is a miracle. It is free and independent of the big tech companies. I'd put it on the same level of importance as Mozilla products. In the future, we will see more proof-of-personality applications for security reasons. But recovery codes won't be going out of fashion any time soon. Unless, of course, AI-enabled developers are gifted with long-term memory in the next few years.
It makes me nervous for sure, not super happy about it. I think I'll be fine if I lose my phone. My last phone died so completely it may as well have been lost but I could still hook the new one up to my Google account. Actually maybe I was already using the Google Authenticator app then.
Well, that's exactly why I started using Aegis and swear by it, its backup capability. I keep it encrypted and backed up on two separate locations, so my phone can blow up safely and I'll still be able to 2FA under my own terms.