I use very strong passwords, auto-generated by KeePass. Yet many organizations now want 2-point verification when logging in. Amazon & PayPal are examples. Both of those organizations want me to provide a mobile number, so that they can text me a security code, to use in addition to my password. So far, this is an optional thing. Even so, I have 3 problems with this:

1- I do not have a mobile phone. I am 91, so I have a landline phone with special gadgets. It can boost volume as high as I need it, plus it has a button that, when pressed, slows down the speed of the caller's conversation. Since I have no mobile phone, I am unable to have 2-point verification with those organizations who want it.

2- I use 128-bit hex keys for KeePass to generate my passwords, & I change passwords fairly often. I really do not understand why that isn't sufficient security. (Of course, I can't use strong passwords with PayPal. They require passwords to be no more than 20 characters, plus they greatly limit the type of non-alpha, non-numeric characters allowed in passwords. It seems silly that they would intentionally limit the strength of passwords, considering the type of business that they are doing.)

3- USAA Insurance Co. REQUIRES 2-point security, but they send the security code to my email address. They do not require a mobile phone. I have no problem with that, and I wonder why other organizations do not offer that method as an option to texting mobile phones.

==> QUESTIONS: Why is 2-point verification needed when one uses very strong passwords?
Because hackers might obtain your password. Since the additional code changes every so often, the hackers won't have sufficient information to hack you if they only got the (username and) password. This is usually called Two-Factor Authentication (abbreviated as 2FA). You might find more relevant information if you search using those terms instead. Please note that getting these codes via SMS and email is considered less safe. Using an app that generates a Time-based One-Time Password (TOTP), usually a 6-digit code that changes every 30 seconds, is safer.
Well, you have about 7k posts in a security forum and still ask questions like a teenager ... but OK, let me explain. Well, 2FA is a second layer of security for the password. If a hacker uses a keylogger to steal your password, he can easily take control of that account, and it doesn't matter how many characters that password has. A strong password with random symbols is only good for trying to stop amateurs hacking by trying to guess what your password is and brute-forcing it, but against a keylogger all passwords are equally weak. If you use 2FA, he needs to get more access than only the stolen key. For example, when your PC system is infected but not the phone where you hold the 2nd password generator to verify the account during login. Then he fails at stealing your account. More info here https://authy.com/what-is-2fa/
I am dealing with loss of short-term memory, increasing deafness, poor eyesight, and tremors. I first encountered this 2FA stuff just a few weeks ago. I apologize for falling below your standards of tech savvy.
It is called 2-factor authentication. The first factor is something you know (i.e. the password). The second factor is something you have: a hardware security key, a software token generated by an app or, less favorably, SMS or e-mail. A password can be intercepted on various occasions: a keylogger or clipboard-eavesdropping software on the end-point, some security breach that gave attackers access to the unencrypted transport layer, surveillance cameras that record people typing passwords on smartphones, etc. Last but not least: organizations don't know whether a particular client uses a strong password or not and how they handle the security of their devices, etc.
Hi Bellgamin, I find 2FA or multi-factor authentication annoying, but I get why secure login services are trending in that direction, for reasons already stated in this thread. Like you, I also use very strong passwords generated by KeePass, and then I feel 100% confident no keyloggers or pw sniffers are getting onto my device. I do all my secure logins from home. Actually, Canada Revenue Service provides an option to send the passcode via landline telephone by sending an automated verbal message to the user.
The login process is getting increasingly a PITN. More & more sites are putting Captcha & security questions into their login process. The picture Captchas are sort of fun, but the letter/number Captchas are a real challenge to my ancient eyeballs. I have one login where they want user name, password, Captcha, and answers to 3 "security questions." Good grief! As for passwords getting hacked at my end, I have not had an infection in a very long time. Also, because the world situation has gotten tense lately, I have upped my security a bit. Now it's: Spyshelter FW, AVG antivirus, OSArmor, & VoodooShield. Amazingly, my aging HP laptop is still very speedy, even with all that extra security stuff riding along.
Security questions to login? I only encountered them in recovery processes or authenticating via phone call.
I hate Captcha. The letters and numbers are often indistinguishable, as I also have less than ideal eyesight, and the pictures are grainy like something from the '70s. Besides 2FA, Canada Revenue Agency requires security answers on devices not used before.
2FA is mandatory in Europe by law. No bank is allowed to work without it. But there exist several options to perform this: by app (TOTP or other, e.g. Santander has its own app), by SMS, by call, by flickering code. Captcha is totally irrelevant for this; captcha exists to prevent machines faking. In some cases they require an action, in some cases only a check mark. Chrome is more captcha-friendly than Firefox. People having problems with their eyes should use zoom from their system options; Windows offers up to 200%. Or set page content to a similar zoom in browsers. For Firefox https://addons.mozilla.org/de/firefox/search/?q=zoom, for Chrome/Edge https://chrome.google.com/webstore/search/zoom. Use it!
Also note that not all 2FA are equal: MFA > email > SMS. Some banks and companies ban SMS as 2FA, because it is not encrypted and can be easily bypassed. Luckily, Windows 11 allows running Android apps, so you can install an MFA app and verify via a desktop PC. MSE allows you to use a passwordless account as well.
If you use KeePass you could use the KeeOTP plugin... either hold it in your main database or in a second dedicated DB (better). It has a big clear display, or just use copy/paste.
You have already had your questions answered for why, and I agree with the posts above me. For my work, I had to roll out 2FA last December (had a Jan 1 deadline). For us, it was a requirement for cybersecurity insurance that my company now has a policy on. Just throwing in another reason why people use it. So, we now have it deployed for the following:

* VPN connection for employees
* Windows Login
* RDP login for myself and the other admins
* OWA access
* ECP for myself and the other admins

Almost all employees have the app installed on their smart phones to approve their logins. We have a few exceptions for the few who, believe it or not, do not own a cell phone of any kind. For them we issued a Hard Token device.
@reasonablePrivacy -- one organization uses security questions as an option to sending a security code via texting. @Brummelchen -- I forgot about zoom (ctrl+ on the browser). I shall use it. Thanks! @kc -- one organization seems to have disabled cut&paste entry of passwords. I tried 4 different browsers but C&P wouldn't work with any of them. Hand entry of a 32-character, KeePass-generated PW would be a huge pain in the nether region. So I clicked "lost my password" and wrote a long but easily remembered PW using Forth (stack-oriented) syntax. A bit of fun, actually. I still do not know if the ban on C&P was intentional or simply a site design glitch.
Hi Bill, Did you try ctrl + C to copy and ctrl + V to paste? That's the only way I can paste passwords in my TomTom software and another program I occasionally use.
Yes. I tried KeePass's auto-type & also tried ctrl c ctrl v -- no joy either way. Hand entry is the only way at present. Not a big problem, however.
Be glad you can still get your verification code via e-mail. My bank removed the e-mail option (without notice) to receive verification codes and only allows codes via phone. I'm currently in Europe and can't access my account because there is no way to get a verification code - no e-mail allowed and U.S. phone numbers only. You have to make an international call to the bank every time you want to log in. This is what I call SECURITY GOING OVERBOARD at the expense of the customer. IMO a lot of these security solutions are never thought out to the end.
Is it security going overboard though? If the bank would allow another type of 2FA, such as in-app authorization, instead, there wouldn't be that many problems.
I know how you feel. My biggest gripe with 2FA is that most websites only support 2FA based on SMS or an authenticator app, while I almost never use my smartphone. So I personally would like to see 2FA via the device itself, which means that your desktop or laptop should be registered as a trusted device, which means that the authenticator app runs on the device (desktop/laptop) itself. Or 2FA via hardware security like YubiKey; of course you will always need at least 2 keys, one as a backup.