Should browsers remember 2FA codes?

by @edent | 5 comments | Read ~227 times.

In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what if any permission the user agent has to provide automated assistance in filling out form field…

That's not how 2FA works

by @edent | 21 comments | Read ~30,868 times.

List of tweeters advocating for 2FA.

Another day, another high-profile website cloned to phish credentials. Is this a phishing attempt? Goes to "" and asks for username and pw (if so, it nearly got me!) /cc @github — Tess Rinearson (@_tessr) January 16, 2021 In the replies, you’ll see lots of techbros saying “this is why you should switch on…

I have 4% 2FA coverage

by @edent | 2 comments | Read ~226 times.

A long list of 2FA tokens.

Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet…

My 2FA Code was 000 000!

by @edent | 1 comment | Read ~1,079 times.

Facebook's 2FA code page.

I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn't a particularly big number.…

I have Thirty-One 2FA codes

by @edent | 4 comments | Read ~777 times.

A long list of 2FA tokens.

Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time…

Some thoughts on Amazon's 2FA

by @edent | 2 comments | Read ~528 times.

Amazon now let you secure your account with Two-Factor-Authentication (2FA). This means you can log on with a one-time password which changes every minute. For some reason, Amazon call it Two-Step-Verification (2SV) - but it is exactly the same as all the other 2FA solutions. The Process There's no direct link to 2FA settings. So…

PayPal doesn't care about 2FA security

by @edent | 3 comments | Read ~1,422 times.

Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than the bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security. I was minded recently to switch on 2-Factor-Authentication (2FA) for all my…

2FA Best Practice - Disable Autocomplete

by @edent | Read ~609 times.

Just a short usability / security post. Hopefully, you're all using Two-Factor Authentication on your important sites. As well as a username and password, you've also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS. Each code can only be used once - which makes…

Facebook 2FA Security Flaw (Disclosed)

by @edent | Read ~518 times.

I've found (and disclosed) what I think is an interesting little security flaw in Facebook's Two-Factor Authentication usage. First things first, this isn't a show-stopping bug. It's more of a curiosity which shows how different providers treat the verification of Two-Factor Authentication. Details If you are a security conscious user, you should have set up…

Two-Factor Authentication and the Police State

by @edent | 13 comments | Read ~11,243 times.

In Britain - and many other countries - the police can legally force you to divulge your passwords. Whether it's to an encrypted file, a social network, or your email account, the state can legally rifle through your most intimate thoughts and (potentially) pose as you online. As we've recently seen, this can be done…