~/joelchrono12

Enabling 2FA everywhere ain't easy

Since the Twitch leak that revealed quite a lot of data and source code, I got the urge to evaluate all of my passwords and authentication methods, and I got into another password cleanup phase. I was surprised to see 2FA is still not implemented everywhere.

📅 16 Oct 2021 📝 749 words ⌚ ~2 min.
🏷️ security | privacy | foss | detox |

So ever since I switched to pass, I have really enjoyed my time and improved the state of my accounts bit by bit.

By now it’s old news, but the Twitch leak happened the same day I was getting my vaccine, and while waiting I talked to a friend who was worried about the security of his account. Turns out both of us changed our passwords as soon as we woke up and got ready to get the shot (AstraZeneca btw).

Regardless, because of this and other conversations in the Fediverse, I decided to check my accounts once again, change some passwords and enable multi-factor authentication everywhere I could. I already had a ton of accounts with it, but I knew I had ignored some sites since I didn’t care enough back then, or I didn’t bother to find the option.

Basically, MFA allows you to get a unique code that changes over time. This means that even if someone gets access to your password, they only have 30 seconds to try and guess the code until it changes. Sadly, not every website implements this feature properly. Twitch, for example, requires you to add your phone number first, even if you don’t use MFA via SMS and instead use an authenticator app, the most recommended way of getting the codes.
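How an authenticator app derives those 30-second codes, as an added example that is not part of the original post: a minimal RFC 6238 TOTP generator plus a server-side check. The names `totp` and `verify` and the one-step drift tolerance are assumptions for illustration, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (the interval the post mentions)
DIGITS = 6   # code length shown by typical authenticator apps


def totp(secret_b32, unix_time, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = unix_time // step                      # same value for 30 s
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, drift_steps=1):
    """Server side: accept the current step plus/minus drift_steps for clock skew."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        t = unix_time + d * STEP
        if t < 0:
            continue
        # constant-time comparison; no early exit on a match
        ok |= hmac.compare_digest(totp(secret_b32, t), submitted)
    return ok


# Constructed sample: the published RFC 6238 test key, never a real account secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    for t in (30, 59, 60):
        print(t, totp(SECRET, t))
    print("late by one step:", verify(SECRET, totp(SECRET, 59), 89))
    print("late by three steps:", verify(SECRET, totp(SECRET, 59), 120))
```

Because the code is only six digits, the short lifetime protects an account only when the site also limits failed attempts.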

I was sad to see that less than a third of all my online accounts provided good MFA support. I have like 150 accounts total, and I used to have a lot more, and while some don’t really need it (local accounts, router passwords), there are a large number of sites that don’t even bother for some reason.

Some interesting places that do not offer Multi-Factor authentication are the following:

There are many other sites that don’t have MFA, and there are also some that surprisingly delivered. Stuff like the WCA, which is a site that keeps track of speedcubing competitions and world records, is the kind of website that I would expect to not have the highest security, and yet, they actually did it. Mathworks and Autodesk also have it, which is quite surprising, especially taking into account that neither National Instruments nor Texas Instruments offers the option (Yes, I study Engineering btw).

Anyways, this is a friendly reminder to check if you have MFA enabled in all of your accounts that support it, and it’s important to encourage the developers of every account you log into, so they get to work on it.

This has been day 58 of #100DaysToOffload. I once again took a while to post something, but that’s how it is sometimes. Anyways, have a good day!

