Tell HN: Somebody implemented something I wrote a blog about
852 points by rexfuzzle on Sept 20, 2022 | 241 comments
So a while ago I wrote about how 2FA was missing a key feature: https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

Having not had any feedback on it in a while and the idea not taking off, today somebody messaged me to say that they had implemented it in their product.

1. Obviously I think this is great and more secure

2. Tell people about things you do that they played a part in - it might just make their day.




Years back, every web browser's built-in password manager locked up the page when submitting a login form, waiting for the user to answer "do you want to save this password?" before proceeding.

I thought that was silly: how do I know if I want to save the password before I've seen whether it's correct? Which I can't see until the form is submitted.

At the time I was using Opera, so I wrote in to their customer support suggesting that the prompt appear after the new page loaded. I never heard back, but a couple months later their next major release implemented exactly that behavior. A few months after that, every other browser followed suit.

I can't have been the only one bothered by the existing behavior, but given how long browsers had worked that way before I wrote in, I like to tell myself that the timing wasn't a coincidence, and that my little suggestion rippled out into a change that made a small thing better for the whole world :)


I found a bug in Firefox where the two letters of the weekdays appeared as 3 letters for Portuguese (pt-PT). Eventually found that it was an error in the Unicode standard, so submitted the proposal for change. Probably there are dozens of people involved in this... but seeing it being changed brought me great joy.

I was a tiny part in changing a tiny mostly irrelevant detail that was causing a slight inconvenience to millions of people daily. Improving humanity one bit at a time...


Do you happen to have a link to the proposal I can see and share with a class? I'm teaching a few lectures about some "weird" stuff this semester, and this would be a great example.



FWIW searching https://rachelbythebay.com/w/ for "magic" finds a bunch of posts that might also fit with that topic.

(The rest of the posts are an interesting rabbithole if you're not aware, apologies in advance)


I ran into a problem formatting numbers in the Italian locale back in 2014: https://bugs.launchpad.net/ubuntu/+source/langpack-locales/+...

It turned out to be a low-level bug in glibc: https://sourceware.org/bugzilla/show_bug.cgi?id=10797

It got fixed five years later, long after I had worked around it and left the job where I found the bug.


Well, that's going to be a very cool class I bet!


This is great! Imagine how many people had no idea how to get something like that fixed yet noticed the bug.


Opera was the most innovative web browser ever. They brought so many new things to the world of web browsing. Tabbed browsing, mouse gestures, colored tabs, browser themes, built-in security integration with anti-virus software, an extensible browser - so many wonderful innovative features. It was paid software initially, but then they made it free for everyone. I used to use it as my default browser, maybe 13-15 years ago.


Something I really miss from Opera is that the content of every page you visited was saved and stored for search! This helped me so often to find pages that I had visited, and remembered a few words from, but didn't bookmark or save otherwise. No idea why browsers today did not copy this feature.


Web browsers are strange. They are sophisticated pieces of engineering, but they refuse to implement the lowest-hanging-fruit features, UX-wise.


A cynical take is that they purposely hold back bookmarks/offline-search so that you use their web search engine instead.


They are built by people who are excited about the web, so it sort of makes sense that anything off the critical path of: “make websites and web applications great” would be deemed less important. Why make local search when there is a web application called Google?

Ferraris probably aren't known for having sufficient cup holders.


What an amazing idea! I would love to have that feature.


Spatial navigation is a feature I really do miss. I don't think any other browser supports this. It made keyboard-based browsing possible without resorting to stuff like hit-a-hint. You could just hit Shift+Arrow Key (which I mapped to the home row) and select the nearest link (or anything interactive) in that direction. I think it worked in a visual fashion so order in the DOM didn't matter at all. It behaves exactly like one would expect.


The Opera CTO is now building Vivaldi, which is basically Opera. It has all the features I remember (spatial navigation, mail/RSS client, gestures, split tabs, etc) and is very good.


Are you sure tabbed browsing was Opera? I mean, Mozilla browser (predating Firefox) had it in 1998.


Wikipedia lists Opera v4 having tabs in 2000, while they were added to Mozilla 0.9.5 in 2001: https://en.m.wikipedia.org/wiki/Tab_(interface)


Mozilla had multiple documents first, by just following Windows' MDI standard.

Then Netscape and IE got into a war for mindshare, and part of that was to ignore MDI and splash their browser windows all over the taskbar instead, to be more visible and grab more user attention.

Tabbed browsing was never a new invention, it was just a re-implementation of what we already had by way of MDI.


IIRC it was InternetWorks by BookLink Technologies

According to: https://www.makeuseof.com/tag/which-browser-invented-tabs-3-...


Opera also had tab groups, MRU tab switching, and saved sessions. Those exist in some form or fashion now, but the implementations are not as smooth.


Text reflow on mobile browsers. I still miss that feature and much prefer that with desktop mode vs crappy mobile mode sites.


"Reading mode" is still very much a feature of mobile Chrome and Firefox, and almost a necessity.


It's my default browser now. It's still great!


Well, I used to love Opera as well, it was my first "serious" browser as I became a netizen. But now I wouldn't even dare to try it as it's owned by a consortium of Chinese investors, rather than a Norwegian company.


Vivaldi is pretty good and though it's based on chromium, is the new opera in spirit.


No coincidence. Vivaldi is co-founded by the ex-CEO and co-founder of Opera.

I quit using Opera after he did not keep his promise to swim across the Atlantic in 2005: https://www.zdnet.com/article/opera-boss-starts-atlantic-swi...


> I quit using Opera after he did not keep his promise to swim across the Atlantic in 2005: https://www.zdnet.com/article/opera-boss-starts-atlantic-swi...

Congratulations. This is the most persnickety HN comment I've read. And I've been here more than a decade.


I might try Vivaldi out after your comment and because of their completely sarcastic pricing section on the download page.

Genius.


Built-in email and RSS feeds are really nice, as is the calendar-based history page.


And now we’ve come full-circle as 1Password 8 requires you to save your password prior to submitting the form instead of offering to save it after submission. Which is a huge regression as it results in this exact issue all over again.

https://support.1password.com/save-fill-passwords/


Sadly, 1Password seems to just get worse and worse in terms of usability with each release. The latest incarnation has so many little annoyances that make me seriously consider switching. The one thing it's got going for it that really is kind of a killer feature for me is SSH key handling. It's super nice being able to sign your commits with Touch ID. Everything else is meh at best.


It's truly baffling how they manage to consistently make the software worse every single release. I was a huge fan of 1Password many years ago (and have been happy to pay for it throughout), but each successive release is more confusing and less reliable.


Bitwarden is by no means perfect but I really appreciate their user engagement and excellent documentation.


How is it not perfect? I haven't noticed a flaw yet.


The UI isn't all that intuitive, the 'ask to save'/'ask to update' prompts don't work that well, but I don't really blame them because they are injecting into the DOM which usually changes. As someone else mentioned, it's a bit slow to sync and load sometimes. I wish it was more obvious when I have an existing session with the desktop app which can send a token to the browser extension to keep it loaded.

You can tell I'm really reaching for bad things to say about it, haha


Agreed. Especially on iOS it has become obtrusive. Form inputs being obscured by mini pop-ups. I could go on.

I’m waiting for the release of the new macOS and I’m going to evaluate using the native implementation and ditching 1P.


The problem with using Apple password management on macOS is that I need vertical tabs. Only Vivaldi and Firefox provide them now, and they don't use the macOS keychain.


What do you mean by vertical tabs?


The tabs are to the side rather than along the top.

This allows you to see the text in the tab when you have several tabs open.

Ideally tabs should be indented so you can see which tab you linked the page from.

The best implementation is the Firefox extension Tree Style tab https://addons.mozilla.org/en-GB/firefox/addon/tree-style-ta...

But simpler vertical tabs are on Vivaldi, and on OmniWeb, which has had them since the mid 1990s but unfortunately has not kept up with allowing other extensions. Opera used to have them when it was not Chrome. Chrome had them at one stage, but reading the issues on that, the developers really showed a complete lack of understanding.


Gotcha. Thanks for clearing that up. And yes, the indentation of tabs is actually a good idea.

Although, iOS has tab groups now. I rarely use them because the menu is out of sight so I forget. But on macOS they’re convenient for when I’m researching a topic.


I think you can sign git commits with a yubikey [1]. I haven’t done it myself; I use Apple’s keychain for my ssh keys.

[1] https://nuculabs.dev/2018/06/30/how-to-sign-git-commits-with...


Everybody seems to be complaining about the latest release, but I find it just fine. What's wrong with it?


Any person/company/thing that uses 1Password needs to take a look around. Bitwarden is where it is at.


I love Bitwarden, but I don't understand why it takes 10 seconds to search a database with 100 entries (Android app, when searching for a saved password). It's aggravating.


Something's wrong as I have many hundreds of passwords and have no noticeable lag searching them.


I just did a whole test because I missed the fact that you said 1Password 8. I'm still on 1Password 7: https://imgur.com/a/WpeffJE


They may have come full circle but I certainly haven’t.


I discovered a bug in Java 1.0.1's GridBagLayout and posted about it to USENET. It was fixed in JDK 1.0.3.

I also emailed the GIMP maintainers about a bug in their select color region tool in GIMP 0.99.x that made it ignore 1-pixel-wide barriers. By 1.0 it was fixed.

I was chuffed when it happened, but the internet was a smaller, chummier place back then, so we expected that kind of response more than we do today, I think.


In a similar vein, I wrote to Microsoft suggesting their "Authenticator" TOTP app for Android would benefit from a search feature. I can't have been the only one, but it did make me happy when they actually implemented it a few months later.


I also suggested it but their iOS app still does not have it. Really annoying with >20 totp tokens.


I still see this behavior in Firefox. The save password popup disappears by the time the page is loaded, and it baffles me every time how that is supposed to be useful.


The stupid thing is that it already is async and not locking up like it was in the very old days the OP refers to. They were just so clever as to add a timeout after which that dialog closes, regardless of whether the page actually finished loading. So on a slower page you end up with the popup disappearing while the page is still (mostly) blank and you don't know yet whether the credentials were correct.

I think just clicking in a blank spot (or the text fields) in that dialog stops the timeout, but it's one of these things I'm not actually sure about and it's almost like a cargo cult kind of ritual...


I find that it usually sticks around long enough. But I agree that it should stay open at least until I interact with something else.

On the bright side it just collapses into a "key" icon in the URL bar that you can click to open it back up and save the password.


> On the bright side it just collapses into a "key" icon in the URL bar that you can click to open it back up and save the password.

I've been using Firefox as my main browser since 2010 and I never realized this.


It’s like that Teams pop up that informs you that a colleague started a meeting, the one that always disappears after you finish typing your sentence and start to move your mouse towards it.


You can click it right away, finish your sentence, then click again to join the meeting once you're done :]


Ha! Great tip indeed!


The most amusing (for me) behaviour is that EITHER I need to press Cancel every time (my preferred behaviour, honestly; I don't save passwords) OR I never see the dialog again (I'm totally okay with saving the password for some LAN devices which would never be accessible from the net - but I can't).


I submit suggestions, features, bugs, detailed reports, new use cases etc. I'm more than happy to write detailed submissions, or do some traces when there's a bug.

But if I notice there's no feedback or implementation within a reasonable period of time, I will stop doing that ever again for that company (large, small, doesn't matter).

I refuse to waste my energy on that kind of process.


Every few years I get an automated email from Wordpress where someone finally fixed a bug I submitted over a decade ago, lol


If only Roku and Android TV boxes had a way to display PDFs on the TV!

Hint hint hint!!!

After all, they can display movies, pictures, and music. PDFs, please! I'd even pay for it.


I usually cast them from my iPad to the TV.

My iPad may be a very expensive PDF reader but it's bloody good at it.


I understand it not working on a Roku but why couldn’t you use an android pdf reader?


I looked up the Android TV box on Amazon. Doesn't support PDFs.


You could always open the pdf on your phone and cast your phone screen.


Yes, and I could hook up my laptop to the TV, too. But I bought the Roku box because it's so much more convenient than dinking around with the laptop.


This still sometimes happens on iOS Safari. I don’t know what is different about the pages where it happens, but it’s annoying.


Even macOS Safari does this. I don't know whether the latest update fixed it though.


During the Edge beta in transition to Chromium engine, I requested they add green to the icon. I did get an automated thank you when it was finally released. That really made my day.


Oh, that's so cool! :-) Could you please write to WhatsApp or Telegram and ask them not to delete the EXIF information from shared images on their platform? I understand that they compress images so they don't take too long to transmit and load, but I think there's a big group of their users (especially for WhatsApp) that use their platform to share family pictures. For this purpose, having the EXIF date (if it's available) could be very handy, since the picture could be properly timestamped and archived without having to ask the original poster again for the specific files.


I think the EXIF data is removed because, for the vast majority of people that don't think to remove it, it's a safety risk. Posting a picture of your house? Your kid arriving at their first day of school? Some other location you'd rather a bad person not have info on? Most people don't think to remove that data before posting (and sometimes post directly from their phone camera?)... removing that data removes a lot of risk for them. Leaving it in is only considered a small benefit to a smaller subset of people (comparatively)


We could always strip the location information (or any other identifying data like camera/phone model). But I can't see how having the date information attached to the image could be a safety risk. Especially when that information is already available within the app. The issue is that the app's UI is cumbersome to provide both pieces of information at the same time for a set of images.


Oh no this is a bad idea. There's a bunch of data (including location!) that is often included in EXIF.


I don't think it's a bad idea at all. Just keep the timestamps if you want, and strip all the rest. But I feel that having the date attached to the image is a good idea. It's not technically complex nor bandwidth demanding and provides a very useful context to the picture.


As a general privacy rule I like stripping this by default. Couldn't you just zip up some images to retain this?


People would doxx the hell out of themselves without knowing it all the time if you did that.


You are literally one of my new fav people!


That’s awesome. I was expecting a lament on how an amazing startup idea was stolen and monetized by someone else. Glad I’m wrong and the world is a little bit better.


Same here. Came to say the same and to explain how I publicly share all my 'great' ideas even though so many friends think I'm nuts, in case someone 'steals it' and makes a successful startup from my idea. My answer: "Great for them. At least they had the determination and focus to follow through with bringing the idea to fruition when I couldn't."


People tend to overvalue ideas. I see this all the time in writing where people are worried someone will steal their great idea for a story. The truth of the matter is that it’s unlikely that you’ve come up with something truly new and in any event, ideas tend to breed and multiply. I will never write all the stories and novels that I have jotted down in my notebook before I die and there are more every day.


If an idea is any good, you generally have to fight tooth and nail to get anybody to listen to it, and put in a hundred times that to get anybody to understand it, and that again to act on it.

If you don't directly control how that happens they will implement it fundamentally wrongly.

But after it is finally implemented more or less correctly, everyone will agree that the idea was trivial and obvious, and they had already thought of it themselves, in exactly the form where they first encountered it, even if that is actually not quite right.


Victory has a hundred fathers, but defeat is an orphan.


On that note though, is there a way to protect your story if you want to pitch it to a publisher, or anywhere else? Like a registry for story ideas?


There's no IP protection for ideas for stories. Regardless, almost no fiction shop is going to agree to print a book on spec, just off a story pitch. Write the book first. Then you already have protection, in the form of copyright (which is automatic and doesn't require registration).


Not really, and it’s not a problem. Ideas for stories are abundant, the ability to turn them into finished books or scripts is much rarer.


Same. I'll often share relevant ideas in comments here and elsewhere in the hope that I inspire someone to go implement something I might like but will never find the time+organisation to get around to creating!


Hey me too, a little sunshine this morning :).


Exact same sentiment :)


I haven't done this in many years, but for a while I was making creative content that was published online. Once in a while someone would contact me saying they liked what I did. I started doing the same. If I read an article I liked a lot I would contact the person and tell them I liked it and why. About half the time they responded with thanks.

I didn't do this with NYT writers or anything. Just people who clearly don't get paid/paid much to make this content but I found it useful/interesting/helpful. I think that stuff goes a long way and it really doesn't take that long to do.

I've got a tech podcast now and about once every month or two someone contacts me to say they liked it or something nice. It's a huge reason why I keep doing it. I know that sounds silly but the internet can be such a black hole. A little feedback goes a long way.


This was a good comment. Keep it up!


I tend to see a lot more negativity than positivity as the default response so I like this thread.


I have a little blog that occasionally gets hits when the SEO winds blow my way and twice people have reached out thanking me for a post. It's made my whole month! And encourages me to keep posting stuff. So I really appreciate that you do that, I should make an effort to do the same.

I write the blog as more of documentation for myself than something to share, but knowing that I've helped someone else is icing on the cake.


Really enjoyed the insightful view. I bet it starts a fire on the internet.


OWASP actually includes this suggestion in their guidance for implementing MFA:

https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...

> When a user enters their password, but fails to authenticate using a second factor...:

> ...

> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.

> The notification should include the time, browser and geographic location of the login attempt.

> This should be displayed next time they login, and optionally emailed to them as well


Yeah, I thought it weird that you only get an e-mail that someone logged in from a new device - after passing the 2FA. But they should send one after a correct username / password too.

I don't mind getting an e-mail as another form of 2fa, but that has its own issues.


I think the email is just a failure notification, not a second factor.


I enjoyed when a French hacker used information from my blog to set off all the alarms of Bird scooters in Lyon, France for an evening.

I had written about (what I considered as) a vulnerability that allowed remote triggering of Bird Scooter alarms (Bird disagreed of course) on my blog [1]. I then saw this github repo linked in the comments for setting off alarms of Bird scooters [2] and reached out to the author.

The author let me know that they had used the info in my blog to script a tool for setting off Bird scooters en masse. They then targeted the script at all the scooters in Lyon and subsequently fell asleep. When they woke up they noticed the endpoint was disabled... Bird had taken the action to disable the API endpoint in response, of course.

Probably would've been easier to fix before someone scripted it out but it made for a fun story.

[1] https://theappanalyst.com/bird.html

[2] https://github.com/pcouy/bird-whisperer


If any Spotify devs are here, please let me explore and add songs, artists and albums to my library without “hearting” it.

I often just want to follow up later by “adding to my library,” and it feels weird to “LOVE” it before ever hearing it. I really feel pain when I hear something terrible that I’ve already “liked” and consider the impacts to my algorithm.

Please distinguish between “like” and “save.”

A simple “plus sign” or really any other symbol that signifies “adding to a collection” without “liking” connotations (stars are out too).


I'm confused. I thought I missed something in the article. Why are we talking about Spotify in this thread? I'm all for your suggestions, I'm just confused how we got here. Haha. What did I miss?


This post is about how someone implemented the thing the author wrote about. So this comment-author hopes someone at Spotify will implement the thing he is now writing about in his comment.


While we have Spotify's ear: why is the default behavior to clear my queue if I play another song? It's especially an issue on mobile, where viewing a playlist or album means that an errant tap almost anywhere on the screen undoes all of my queueing so far. Just a toast with an 'Undo' button whenever the queue is erased would be plenty.


They used to have a separate star button in addition to the like button that was exactly that, but they took it out years ago. It would also add the song to a separate list in your library called "starred songs".

When they axed the feature, all the starred songs got automatically added to a new playlist called "Star" that I still use today as a workaround. I just add new songs I enjoyed to it to keep track of them, and just throw it on shuffle when I'm not in the mood for anything specific.


What's wrong with a playlist: Saved for later?


Now that you opened this forum for Spotify feedback: If I do "like/heart" a few songs and then go to the Radio based on one of them, please don't show the songs I already liked in that Radio. I mean, I already "liked/saved" them, why are they appearing in my discovery phase?


I'd like to have a different tiny change in the "Song Radio" feature: if you start playing that playlist, skip the song it's based on if it was recently played or is currently playing. It's mildly annoying when you switch to that feature after stumbling across an interesting track and the first thing you hear is the same track again.


That's one of their best features!! I'm using discovery because I want to listen to tracks similar to the one I use as a basis. If they mix some of my liked tracks in there that are similar too (which they usually are), that makes it even more enjoyable. Idk about you, but I use Spotify to listen to good music.


Disagree on that - Radio is not just for discovery but also for easy random playlist creation.


Valid. One way around it would be to create a "Follow Up" or "In The Queue" playlist that you add it to. Obviously not as easy as just a + button though.


You can swipe songs to the side to add them as next up


I like how Instagram has solved this. You can like a post but you can also save it for later viewing or showing to someone else.

Spotify should totally have a save to library function but also a heart function that trains their personalized mixes for me. I've just stopped looking at my library for my music catalog. Every album I like goes into a "favorite albums" folder. It shouldn't have to be this way.


And I would wish so much for a button "play next", that makes a song play directly after the current song (and then proceed with whatever was scheduled before).

I often browse Spotify while listening. If I find something I haven't heard for a long time, I often want to directly listen to it, but not cut off the current track.


Another thing that bothers me, in Spotify and pretty much everything else: you can't add playlists to other playlists. Like union directories. The most important thing is that it's a link, so every list updates whenever I update the included one.

If there's a program with this type of functionality, lmk.


I don't really understand how that is useful but if you need to do it manually you can just shift click all the songs and add them all to a playlist on the desktop app


Yeah, I get why it wouldn't be. I just have a peculiar way to organize my music.

I know I can do that, it just doesn't sync when I change another list, which breaks everything.


You can use the Spotify Smart Playlists feature to do this. I used to do something similar before giving up. It's clunky, but it works. You basically set it to pull all new songs from the feeder playlists into the accumulation playlists, every night.


I can't find an official feature, you mean this?

http://smarterplaylists.playlistmachinery.com/


Oof! They used to have this for Songs, then they removed the feature, and I lost the major way I used Spotify. I used it to make sure I could listen to music offline while traveling and it was an infuriating few flights before I could download everything again.


This kinda sounds like a use case for a playlist to me.


I think their idea is that you don't have/shouldn't want a personal library because everything on Spotify is your library.


If there is a feature I want to see on Spotify, it is an easier way to see my friends' playlists.


I'd be happy with just being able to consistently access my own playlists and currently playing queue on Android. I swear it's a coin flip whether the button appears or not.


Yes! That’s such a nice feeling.

One of my GitHub projects was used in a demo at Google Cloud Next a while ago. The presenter was considerate enough to attribute the project to me by name during the demo and even sent me an issue just letting me know about it. That was so nice! Absolutely people should do this.


I actually had someone take one of my personal iOS apps from GitHub (https://github.com/wcochran/calfoo) and submit it to the app store as if it was theirs. Someone else told me -- I was gobsmacked that someone was so brazen. Oh well, I didn't license it. It had special features that only mattered to me (and would be inappropriate for general use).


Just fyi, if something is unlicensed, then other people can only use it under fair use. You’re the copyright holder automatically upon publishing and retain all rights. If you intend to let people do anything, then you need to explicitly put it in the public domain or use an appropriate license.

It’s very unlikely they can legally do what you’re describing… but it’s up to you to enforce it.


Most people wouldn't enforce it.

Thousands in legal fees, chasing someone across different timezones and the sheer amount of work isn't worth it unless it's a legit business.

Copyright laws really fail for those without money.


I emailed Tim O’Reilly in ~2001 and suggested they release PDF versions of their “Pocket Guide” reference books. I wanted to be able to have all of my pocket guides on my Sharp Zaurus (Linux handheld with keyboard, color screen, and Wi-Fi).

He went for it and offered me PDF copies of every Pocket Guide as a thank you.


Cool, well done. Hope the idea gets picked up by a few more developers here.

If you don't mind, I'm just pasting the URL into a comment to make it a link:

https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...


The comment is a link in the HTML I am served. However there is no underline which is confusing.


I could be wrong, but I'm fairly sure that wasn't the case originally.


Must be a new feature :)


> Tell people about things you do that they played a part in - it might just make their day.

Thank you for putting this out there!

I once reverse engineered the protocol for a popular mobile game so I could write my own client for it and posted my library online for others to do the same without any expectation it'd ever get seen. Months later, I received an email from someone reverse engineering the protocol as well for different purposes. They got stuck on a particularly difficult issue I also encountered (and documented), and googling it led them to my library, saving them hours of future work.

It definitely made my day and I'm still very proud of that project because of that.

Edit: There's a second part too! I just remembered that I've posted this story on HN before, and the last time I did a dev for the game emailed me saying he looked over the code and was impressed that I was able to figure out so much despite their deliberate efforts to keep the protocol locked down. Another great day!


Impressive story!

Did the devs try to further obfuscate the protocol after they discovered your library?


By that point, I no longer played and the game had gone through a rewrite that used a new API, so my library no longer worked and I never updated it for v2.


I once wrote something obscure.

About communication piggybacked over TCP/IP without changing any one bit of packet data.

https://egbert.net/blog/articles/pulse-width-covert-channel....

Some 20 years later, a guy posted on GitHub.

https://vimist.github.io/2019/01/30/Steganographic-Packets.h...

And made my day.


When Apple released the very first iPod, I wrote to Steve Jobs to tell him that I would buy it if it was a phone too, as I don't want to carry two devices. I doubt I was the only one who had this thought, but I like to think I influenced the development of the iPhone. I never received a response from Steve.


Ah but you didn’t add that you wanted it to be an internet communicator as well!

Only then would you have been able to claim some credit ;)


A few months ago I had a ghastly time trying to take a bike along with me for a multi-stage train journey across the UK. Trainline is good about abstracting away the (pointless) differences between the train operating companies -- it's just a single interface and you never have to know which company operates which section of the route. But this abstraction breaks the minute you want to bring a bike on board -- you need to contact each company separately, and each one has its own bespoke and annoying way of doing it. Some by phone, some by email, some through their website (that you need an account for), some by social media(!). So I emailed Trainline's customer support saying how lovely it would be, if bike reservations were as seamless as people reservations, and to pass along the idea to their dev team.

Lo and behold, while booking a journey the other day I noticed a new option for bike reservations on the route planner interface, that I'd never seen before. I haven't had opportunity to use it yet, but I hope it works well, and I'd like to think that it was my email that tipped the scales into it getting implemented (Lord knows I can't have been the first to ask for it).


Related: I think it's surprising how many services leak whether or not a password is correct. E.g. bad password => error, good password => 2FA prompt.

You should verify a user's second factor before password.


This is not a huge deal in practice and can be a good honeypot/alarm system.

Most services today have fairly low "lockout" + "notify" thresholds on wrong passwords so brute force spraying passwords is already out of the question.

Now, if someone fails the password check, clearly the user's current password is still secure so leaking that the attempted password was wrong to an attacker is not particularly helpful to them. If, however, the password is correct, then the attacker gets hit with the 2FA surprise. Assuming the great suggestion in this post is implemented (it really should be), the attacker now is stuck--abandoning the login or trying an incorrect 2FA could all trigger notifications to the user that their password was breached [re: the "Was this login you?" prompts implemented by major services after these situations]. Attackers would need to also solve the 2FA in some reasonable period to "disarm" such an alarm.

Real users who happen to fumble once or twice are also fine, since they won't be surprised about the login confirmation as it really was them.


> Now, if someone fails the password check, clearly the user's current password is still secure so leaking that the attempted password was wrong to an attacker is not particularly helpful to them.

Maybe I misunderstand your post, but I think the parent comment is talking about leaking whether a password is correct and not whether it's wrong. (If I did misread your comment, apologies in advance and disregard the rest.)

The parent comment is basically suggesting that if there are two possibilities for password entry with two different experiences, then we may be telling hackers that passwords are correct, too.

Scenario 1: Password is incorrect and user sees "Oops, wrong password!" message.

Scenario 2: Password is correct and user sees 2FA prompt.

You are correct in that Scenario 1 doesn't help the hacker -- but Scenario 2 does! It tells them that for username jabbany@email.com, password hunter2 is a valid password. Even if they do hit the 2FA surprise and can't crack it, they can now take jabbany@email.com to any other website and try password hunter2, and any other site using the same credentials that is NOT secured by 2FA is now compromised!

There's also username leakage here. Imagine you had an OnlyFans account, and your coworkers or friends or parents were to put jabbany@email.com into it, and it simply said "Oops, wrong password" instead of something more generic. Now they know you have an OnlyFans account -- which, depending on your relationships, could be problematic, regardless of whether they actually accessed the account.

So to the parent comment's point, it is amazing how often credential leakage happens. And to OOP's point, we should go to 2FA every time, whether the credentials are correct or not. And the error messages should (generally) be more vague than specific, so as not to leak info unintentionally.

Does that make sense? I'm not sure I explained it very well, but I think the parent and I are making a different point than yours -- which is also a valid point, just not what we were talking about.


That’s a tough decision. Going straight to the 2fa page immediately tells the attacker the account exists and does or does not have 2fa enabled… assisting them in narrowing down their efforts to less secure accounts and/or telling them which accounts they need to start phishing/etc for the 2fa code.

So you’re asking for the business to implement something that makes their own users less secure so that sites that don’t provide 2fa can be more secure. Maybe it would be better for those sites to improve their own security instead of asking others to compromise theirs to help cover for someone else’s lack of effort.


But the moment the attacker knows the password is correct, you/the platform would also know the password is compromised assuming they cannot get past 2FA. There is an extremely limited amount of situations that end up with "passed password authentication but failed 2FA" and all the platform needs to tell them apart is a simple "Hmm, were you attempting to login?" email or notification.

The leak of the password's correctness here is ultimately not problematic as it acts as a tripwire and a surprise for the attacker. In fact the platform can take action on the user's behalf and lock logins with that password until the user confirms it was them trying to login via a separate channel (if you used Google 2FA this is what they do). It also protects accounts without 2FA because it becomes risky for the attacker to just try a password list they find. Maybe they're lucky and get in, or maybe the account has 2FA and you've just burned the password by trying it and alerting the user/platform about the compromise.

If it were the other way around with 2FA first, you would have no way of knowing your password is compromised somewhere. Even if the attacker knew the right password, they would not attempt to login unless they defeated the 2FA. Now you have no early warning system, and it becomes all-or-nothing: the attacker gets full access or they wait silently.

To sum it up: The login is no weaker if you put 2FA after password auth (same amount of compromises needed to get in). 2FA after password can leak password validity information for a short duration of time (on the scale of 15mins), but it also sets in motion an alarm that invalidates that password when an attack is attempted. 2FA after password also provides a tiny bit of extra protection to non-2FA accounts by letting them hide among the 2FA ones.

(Also, the original purpose of 2FA after password is to cut down costs for the platform back when SMS 2FA was the only 2FA. This is largely irrelevant today with TOTP and FIDO2 relegating SMS-based authentication to the least secure option.)


I think we're still talking past each other. In both of your comments, you seem focused on the particular site with the 2FA. I'm suggesting that that vector is irrelevant.

I'm not concerned about someone hacking this site with the 2FA tripwire, but instead about how leaking a password's correctness could impact usage of that password on other sites that use the same username/password and do not have 2FA.

Imagine if I go to Amazon and put in jabbany@email.com / hunter2 and then come up against a 2FA prompt instead of a password error prompt. Okay. I have a signal that suggests that hunter2 is, in fact, your password. I bail immediately. No point in randomly trying to guess a 2FA auth code.

Now I go to Walmart.com and put in jabbany@email.com / hunter2, and it works -- because there's no 2FA on Walmart.com and you re-used the password!

In this scenario, 2FA doesn't actually stop the hacker from compromising your accounts! It only stops this account with 2FA -- in that sense, you are 100% correct! -- but perhaps only temporarily, because they may be able to compromise other accounts that would allow them to eventually reset your 2FA tokens and get through.

If Amazon were to tell me "hey, someone failed the 2FA auth attempt, you should change your password," then that's one thing. But we both know most sites don't do that.


Password reuse is a very different issue. You should not be reusing passwords on accounts you care about period. 2FA isn't meant to protect against reuse (though it does help). If a password is reused your 2FA becomes just 1 factor.

This does not make reuse more dangerous either. An attacker with a leaked password list will try them against known sites anyways. If they wanted to try a leaked password against Walmart they'd have done it regardless of the 2FA signal. There's no reason to assume that if a password is (in)correct on one site that it would (not) be on another. The information of whether a password worked or not on a site means nothing to someone trying to hack your account.

Also 2FA sites do do this already. Google and Amazon both do this along with many others (and increasingly many). Also it does not have to force a password reset. A notification email about an attempt is sufficient, you can decide for yourself whether it was you or a suspicious attacker.


This is fine as long as you notify the account holder based on both a failed 2FA OR just ignoring the 2FA prompt rather than making an attempt.

Personally I don't know enough to know if that's the case?


I agree with the general thought process here, but there is a greater leakage: no service will allow you to create an account with an email that is already registered.

So all this discussion about how to handle the failed login is somewhat pointless.


While this is true in the absolute sense, it's one of those things where you have to think about non-technical users: something like this would just confuse them, unless you make it very clear in the message that either one of those are bad, and provide a clear path to recovery... Having a good UX/security UX is hard.


Same thing goes for email address when registering. Correct email => “already in use” is still frequent, although some websites (such as github) have changed it to “incorrect or already in use email”


This is the real leakage. I guess we solve it by sending an email to the address to continue account creation.


This is technically superior for things like TOTP but falls apart if not all users use TOTP.

1. Users who aren't using 2FA have a confusing box to leave empty.

2. SMS, Email and similar OTP codes should only be sent after the password is verified.

3. U2F requires the site to share which devices are registered which can only be done after the password is verified.

You may be able to make it work UX-wise if you separate username from auth information (such as a lot of sites do to support SSO auth). But even then it isn't clear to me if you should be leaking information about their 2FA configuration (especially their U2F device) list without a password.


Your login form doesn't need to display an empty second factor input. Your server can send back a specific error code on first login attempt that can be used by the UI to prompt for the user's second factor, whatever that may be (or even give a choice, in the case of multiple second factor types).

For example, given this /login request to our server:

    POST /login
    Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=
Depending on the user's second factor, the server could send back a response like this:

    { "error": { "code": "TOTP_REQUIRED" } }
Then, depending on the error code, our UI could prompt for the second factor and we could send a new /login request:

    POST /login
    Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=
    { "totp": "123456" }
This flow can work for any type of second factor, not just TOTP. It also works for good and bad passwords, and doesn't leak any information (well, other than the fact the user exists, but that road introduces a lot of other UX issues.)


Good point.

It does leak a little information. It leaks the type of 2FA the user has configured and a list of devices for U2F (since that needs to be provided to authenticate). But that is likely acceptable.


> You should verify a user's second factor before password.

the cost of sending those 2fa texts is not zero and also the idea of them is that they are ephemeral so them being tied to the successful entering of username and password and limited in time is a feature... not a bug.


Sure. But I’d argue that nobody should be using SMS 2FA. There are more secure, and cheaper, methods.


> leak whether or not a password is correct

Errm, could you elaborate what is the issue here?


tl;dr: The code should verify the user's second factor before the user's password.

Consider this, scenario A:

1. When attacker enters a username and bad password, then they receive a bad password error.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

And then scenario B:

1. When attacker enters a username and bad password, then they receive a 2FA prompt.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

In scenario A, the website leaks password validity to the attacker. In the case of a brute force attack, the attacker can use the 2FA prompt as a signal that they found a good password. Scenario B does not leak that information, because the second factor was wrong or missing.

More concretely, this pseudo-code:

    if user.authenticate_with_password(password)
      if user.authenticate_with_second_factor(code)
        # ...
      else
        raise InvalidSecondFactorError
      end
    else
      raise InvalidPasswordError
    end
Should instead be this pseudo-code:

    if user.authenticate_with_second_factor(code)
      if user.authenticate_with_password(password)
        # ...
      else
        raise InvalidPasswordError
      end
    else
      raise InvalidSecondFactorError
    end
Hope that makes sense. :)

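Pulling the two sketches in this thread together (the TOTP_REQUIRED error-code flow a few comments up, and the scenario A/B pseudo-code just above), here is an added, runnable Python example. It is my own illustration, not code from the original post, the blog, or any commenter. It assumes a user store keyed by username, PBKDF2 for passwords, a self-contained RFC 6238 TOTP implementation, and a constructed `login()` that returns a generic failure to the client while keeping the per-factor truth in a separate server-side `audit` value for the notification logic. Both factors are evaluated unconditionally, with no early return on a wrong password and no early return inside the TOTP window loop, so neither the response body nor the timing says which factor was wrong:

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Password hashing with PBKDF2-HMAC-SHA256 from the standard library.
# Iteration count kept low so the example runs quickly; raise it (or use argon2/bcrypt) in production.
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16  # used to spend the same hashing time on unknown usernames


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step), written out for the example.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_matches(secret: bytes, code: str, now: float, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps either side (clock skew, slow typing).
    Every candidate is compared, with no early return, so timing does not reveal which matched."""
    counter = int(now // step)
    ok = False
    for delta in range(-window, window + 1):
        c = counter + delta
        if c < 0:
            continue  # only possible in the first 30 s of the epoch
        if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
            ok = True
    return ok


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes]  # None when the account has no second factor enrolled


# One failure response for every wrong-credential case, so the body itself leaks nothing.
GENERIC_FAILURE = {"error": {"code": "LOGIN_FAILED"}}
TOTP_REQUIRED = {"error": {"code": "TOTP_REQUIRED"}}


def login(users: dict, username: str, password: str, code: Optional[str], now: float):
    """Returns (response, audit).
    `response` is what the client sees. `audit` is the server-side truth about each factor;
    it is logged or fed to the tripwire/notification logic and never sent back."""
    user = users.get(username)
    if user is None:
        hash_password(password, DUMMY_SALT)  # burn the same CPU time as a real check
        return GENERIC_FAILURE, {"password_ok": False, "otp_ok": False}

    # Two-step UI: ask for the second factor before saying anything about the password,
    # and ask regardless of whether the password was right (scenario B above).
    if user.totp_secret is not None and code is None:
        return TOTP_REQUIRED, None

    # Evaluate BOTH factors unconditionally; never short-circuit on the password result.
    password_ok = password_matches(password, user.salt, user.password_hash)
    otp_ok = user.totp_secret is None or totp_matches(user.totp_secret, code or "", now)
    audit = {"password_ok": password_ok, "otp_ok": otp_ok}
    if password_ok and otp_ok:
        return {"ok": True}, audit
    return GENERIC_FAILURE, audit
```

Two things it still reveals, both discussed in the thread: an enrolled account answers TOTP_REQUIRED while a non-enrolled one does not, so enrollment status is observable, and an unknown username gets LOGIN_FAILED rather than TOTP_REQUIRED, so existence is observable. Whether to prompt every account for a code, as one commenter suggests, is the UX trade-off the thread leaves open; the `audit` value is what the correct-password-but-wrong-code notification from the original post should key on.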

But which 2FA prompt should they receive?

If MFA can be configured using myriad choices, should a user be prompted to "Insert security key" or "Input security code" or "Send code to your email/SMS" or "Tap YES on your mobile device"?

Since you can't know a priori what the second factor will look like, I'd say it's troublesome to try and present a challenge to every user regardless of their MFA configuration.


Note that this is not universal to all systems.

If your 2FA options all require the user to enter a code, you can simply display a "Please enter your 2FA code" dialog without divulging what kind of 2FA the user has.


How would you prevent someone from spamming a user just by knowing their username? Say, if the 2FA is done by SMS, or email.

An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.

I wonder how systems that use magic links handle this.


> How would you prevent someone from spamming a user just by knowing their username?

Wasn't something like this how Uber got hacked recently? Spamming the target until they clicked "yes" on the 2FA prompt?


Your authentication system should have per-user and per-IP rate limits.

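As an added illustration of the per-user and per-IP limits suggested here, in answer to the SMS/email flooding question above: this is my own Python sketch, not code from any commenter or product. It is a sliding-window limiter with two independent keys, so one account cannot be flooded from many IPs and one IP cannot spray many accounts. The limits and the sample attempts are assumed values for the example. The decision is made before any credential check, so a denied attempt costs no SMS, no email and no password hash:

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter keyed separately by account and by client IP.
    per_user / per_ip are (max_attempts, window_seconds); the defaults are assumed values."""

    def __init__(self, per_user=(5, 300), per_ip=(50, 300)):
        self.per_user_limit, self.per_user_window = per_user
        self.per_ip_limit, self.per_ip_window = per_ip
        self.user_hits = defaultdict(deque)  # username -> timestamps of attempts
        self.ip_hits = defaultdict(deque)    # ip -> timestamps of attempts

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()

    def allow(self, username: str, ip: str, now: float) -> bool:
        """Record one attempt and say whether it may proceed to credential checking.
        Usernames are normalised so ALICE and alice share one budget."""
        uq = self.user_hits[username.strip().lower()]
        iq = self.ip_hits[ip]
        self._prune(uq, now, self.per_user_window)
        self._prune(iq, now, self.per_ip_window)
        allowed = len(uq) < self.per_user_limit and len(iq) < self.per_ip_limit
        # Denied attempts are recorded too, so hammering keeps the window full
        # instead of resetting it the moment a slot frees up.
        uq.append(now)
        iq.append(now)
        return allowed
```

Note the trade-off: a per-account limit also lets an attacker who knows only the username keep the real owner locked out for the window length, so in practice the per-user budget should gate the expensive or noisy step (sending a code, hashing a password) and not, for example, the ability to start a recovery flow.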

In my pseudo-code example, we're raising a couple errors, InvalidSecondFactorError and InvalidPasswordError. You could imagine there could be finer grained errors, such as TotpRequiredError or HardwareKeyRequiredError, depending on the user's second factors, which could then propagate down to the UI via specific error codes.

The UI could then use these error codes to display the correct prompt, and then resend the request with the appropriate second factor.


You would have to randomize the error when the wrong password is input and ensure that for a particular username the returned error is invariant. Else an attacker could infer that when you get a different error you have a correct password.


The bad password error would only be sent if the second factor is valid, though.


It sounds good for stopping attackers, but if I am the real user and enter a bad password it is going to be pretty infuriating spending time troubleshooting the 2FA not working problem that doesn't actually exist. I suspect your service will get a reputation for completely unreliable 2FA which may have unintended consequences.


This can be solved with an error message at the end with something like "You either provided an incorrect password or your 2FA code is incorrect. Check and try again". This still ensures that someone is not able to guess the correct password and reuse it somewhere else where 2FA may not be enabled.


If you input a username and wrong password, in some cases, the service won't prompt you for your 2FA code.

If you input the right username and password, it will then go forward in the flow and prompt you for the 2FA.

I believe parent comment is suggesting the system should prompt for 2FA even if the password was incorrect, so that you can't infer whether you guessed the correct password without also compromising the 2FA method.

This only matters if you re-use passwords, though.


Well, doesn't it also matter if the 2FA method sucks? For example, maybe you can use a SIM swap to get the one-time code, but if you don't have the password, too, then that doesn't help you. In the above scenario, they can figure out whether they have the password or not, and once they do, then use a SIM swap to get the second factor (or whatever), and then they're in. If the login never tells them which factor is bad, it's a bit harder, right?


Correct, ideally it should always prompt for both the MFA and the password before failing


that gives the attacker an easy way to check which accounts have 2fa enabled. One attempt on each account and they can tell which accounts will need more work.


The Iceland NIC does this (https://www.isnic.is/en/site/login).

Customer support burden when they lose the 2FA key is solved by adding a hefty fee (around €100) to recover it. No webauthn support yet though.


Interesting- I think that is the first time I've seen password and 2FA code on the same page. Guess that means you may not know if your password or 2FA code is incorrect depending on the error page


Or the login process should just go ahead and ask the 2FA either way - and just fail you in the end without explaining why. And then notify only behind the scenes via mail that the password was correct but the 2fa wrong. That would be the way to handle it. I'd receive such notifications from time to time - I mix up the 2FA accounts sometimes, other times I'm slow typing and it expires - but I can live with that little extra email.


All my TOTP prompts (on websites I run) account for such delays and clock skews by checking against the previous and next TOTP. So even if the user is a little bit late to enter the OTP, I can still validate it and complete authentication.


This is standard practice with big corporate RSA remote login.


Five years back, YouTube didn't have the feature to queue your videos on the fly. You could have created a playlist, but then it is the same sequence of songs every time. So I hacked a chrome extension to add/remove songs to a dynamic queue saved on your LocalStorage[1]. Later, YouTube added the queue feature. Sometimes I go on long hikes and think that it wasn't merely a coincidence. :)

[1]: https://github.com/nishnik/Play_Next


AFAIR, a 1980's MIT AI Lab "how to do research" memo, suggested as one way to build things: describe what you'd like to build, and maybe someone else will be inspired to do it, long before you'd have gotten around to it.


I'm still waiting for the Memex, you would think someone did it between 1945 and now, but nope. 8(


I asked Notion to implement inline LaTeX, because it's the last thing missing for me to use Notion during math lectures. They did so a couple weeks later, even told me I was part of the reason they did!


Also, if someone logs in with correct username and password and -does not- attempt to try the 2FA, I also want to know about it.


Yeah, it should basically be a timeout. If within a few minutes of entering the correct password a correct second factor is not provided then it should notify the user.

I think you can probably skip notifying on a single failed OTP code to avoid spamming the user when they make a typo (or are a bit too slow for TOTP) but if you were very paranoid you could also send in this situation.

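The timeout-plus-threshold policy described in this sub-thread (notify on an unfinished login after a few minutes, forgive a single mistyped or expired code, alert on repeated failures) as an added Python example. This is my own illustration, not Bitwarden's, Google's or the blog's code; it assumes the login handler tells it when a password was accepted and what each second-factor attempt returned, and that notification is a callback (here a constructed list-appending function in the usage):

```python
from dataclasses import dataclass


PENDING_TIMEOUT = 5 * 60        # seconds a correct password may wait for its second factor (assumed)
NOTIFY_AFTER_FAILED_CODES = 2   # one typo / expired TOTP is forgiven; the second wrong code is not


@dataclass
class Pending:
    started: float
    failed_codes: int = 0
    notified: bool = False


class SecondFactorTripwire:
    """Tracks logins that passed the password check but not (yet) the second factor,
    and decides when the account owner should be told that their password is out."""

    def __init__(self, notify):
        self.notify = notify            # notify(username, reason) -> None
        self.pending = {}               # username -> Pending

    def password_accepted(self, username: str, now: float) -> None:
        # A correct password with no valid second factor yet: arm the tripwire.
        # A repeat while already pending keeps the original start time.
        self.pending.setdefault(username, Pending(started=now))

    def second_factor_result(self, username: str, ok: bool, now: float) -> None:
        p = self.pending.get(username)
        if p is None:
            return                      # no pending login for this account (or wrong password)
        if ok:
            del self.pending[username]  # login completed; the normal "new login" mail covers it
            return
        p.failed_codes += 1
        if p.failed_codes >= NOTIFY_AFTER_FAILED_CODES and not p.notified:
            p.notified = True
            self.notify(username, "wrong second factor after correct password")

    def sweep(self, now: float) -> list:
        """Run periodically. Pending logins that aged out without a valid second factor
        trigger the 'unfinished login' notification; returns the usernames it expired."""
        expired = []
        for username, p in list(self.pending.items()):
            if now - p.started >= PENDING_TIMEOUT:
                if not p.notified:
                    self.notify(username, "password accepted but second factor never completed")
                expired.append(username)
                del self.pending[username]
        return expired
```

The two reasons are kept distinct on purpose: "never completed" is the attacker who bailed at the prompt, and "wrong second factor" is the one who tried to guess, and both mean the password itself should be treated as burned.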

Bravo!!! Such a simple (and more secure) change to the way 2FA works. This should be the standard and also mandatory in many similar cases. Good for you and for sharing this improvement, that’s the mentality all of us should have. Reminds me of how Volvo shared the 3 point safety belt patent with everyone else so as to make all cars safer, instead of keeping it to themselves in order to profit [ https://www.forbes.com/sites/douglasbell/2019/08/13/60-years... ].


Re: Volvo's good deed -- In contrast, Edward Land (the Polaroid camera guy) came up with a system for polarizing car headlights and windshields to lessen glare from oncoming headlights in 1948. Apparently, none of the car manufacturers implemented it because there was nothing to gain financially from such a safety feature. https://www.polarization.com/land/land.html


The email notification for incorrect 2fa entry seems like a great idea.

We already get emails for suspicious login attempts, which isn't too useful as it's probs brute force and guessing. Too bad it requires mass adoption to become a norm.


Honestly I'm shocked reading this. I _NEVER_ considered that scenario. Now I will be doing this in all my apps. Thank you!


No kidding -> I am a beta tester for Whatsapp on Android. I don't really do anything much nowadays, but some years ago I wrote a feature request for it that there should be a way for a small business to communicate with its users (my parents own a small business). A couple of years later, Facebook rolled out a Whatsapp for Businesses API. So you maybe have me to thank for this

(I don't really believe that my message really caused this to happen, it's for sure a weird coincidence to me)


I had a similar experience and it certainly made my day! I wrote some code to parse nested JSON and fill a hole in a tutorial. Here's my relevant post: https://bcmullins.github.io/parsing-json-python/.

Here's the plug for the project using my code: https://github.com/sinnfeinn/microweather.


It's a nice courtesy from the product authors/implementors. Not only it's polite, it also acknowledges your contribution to the idea, not sure to which extent it is formally.

All in all it is a great feeling to see your idea getting a concrete life. In a way, reporting an issue and a possible improvement to any product you care about is an essence of collaboration. Open source further helps to contribute by augmenting such effort with a skill to implement it.


I filled in a market research survey for Hetzner they sent me by email. There were many questions on how can we do better, etc. I suggested to use the fact that they are Germans to convey high-quality and attention to details. Months later, I received a promotional email by them in which they were using almost word by word what I had suggested. I guess this one is on me, Hetzner.


I once contacted Patreon about re-adding support for non-SMS-based 2FA & while the customer service agent didn't seem to entirely understand, they did forward my request to the dev team when I asked. A few days/weeks later, it was back[1]. I'm grateful for all those involved who made that happen, as most companies don't listen when contacted about 2FA.

And tangentially, while I can't be as certain about my involvement in this next part, Nickelodeon eventually uploaded a non-pixelated version of ATLA on Google Play shortly after the second time I contacted them. I still can't understand how an MS Paint quality version was uploaded in the first place, but I'm glad no one else will have to suffer through that like my brother did.

[1] https://blog.patreon.com/TOTP-two-factor-authentication


Actually, PSD2 SCA (Strong Customer Authentication) talks about requiring 2 different elements (out of knowledge, possession, inference) for authentication, while also requiring that information on which one was wrong when authentication failed, to not be disclosed. This directive needs to be implemented by all payment processors in EU (I am not an expert on this).

We have implemented such a system at a company I worked at, where we also took into account the credential stuffing aspect as you talk about it. It is quite challenging to ensure no information leaks (in content and in other request parameters, including response times) when users transition from the partially (un)authenticated state (username + password) towards 2FA. I have to say that the security aspect is noticeable in a significant drop in credential stuffing attack volume, but usability wise I see why this is not a popular approach :). I personally hate it, especially when the 2FA that is used is TOTP.


This is a heartwarming post and I enjoyed all of the comments.

As an aside I would recommend using U2F over OTP. This article explains some of the benefits: https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/


As 2FA adoption spreads, the possibility increases that someone could be using 2FA but not know the rule about not reusing a password. This feature improves the spread of that gospel. It seizes the opportunity to impress an abstract concept to the technically-challenged in a way that is no longer abstract. I like it.


Congratulations! Really good to hear, and definitely a nudge to me to let people know when their blog was useful.


Once I realized that Flash .swf files could be compressed to half the size using gz, so I sent an e-mail to Macromedia suggesting that they zip their files. The next version had that feature enabled by default, which made me happy :-)

Also, at the time when interactive maps had 4 arrows to click and move North, South, East and West I developed a map using Flash and MapServer where you could drag the map around with the mouse. I sent a message to Google to show my work and they replied saying it was cool. Later Google maps came out with such an interface. I'll never know if my messages had any impact but I can still dream they were my inventions :-)


I agree but there is an even more serious security feature almost all 2FA misses:

Telling the user what action they are authorizing by reading back the numbers.

That “bank rep” on the phone? They are probably trying to log into your account, or withdraw cash, not verify that you are the right person to send the refund back to.

It would save a lot of problems.

Also you should be getting an alert on all your devices whenever transactions over X amount per Y time occur, and you should have an opportunity to reverse them for 24 hours (even for debit cards). Also you should be able to make windows during which time it would be longer than 24 hours, such as a Jewish holiday or when out of range. This wouldn’t apply to recurring transactions.


Yes, that's a cool feature - the Smart-ID app used by many banks in Baltic countries as a second factor does that, it states e.g. the payment and amount you're authorizing before you do so.


This is precisely what I love about the Internet and humanity.

Recently, I got into RC cars. I was watching a YouTube video discussing the long-term issues that can arise with the particular model I own. In the video, the presenter mentions that “maybe you could 3D print something” to help address a deficiency in the vehicle design.

I just purchased a 3D printer, and thought, “Maybe I can design it myself.”

Lo and behold, someone already did, and cited the same YouTube video as their inspiration: https://www.thingiverse.com/thing:4982263

How amazing and cool is that??!


I don't know about wrong 2fa codes but bitwarden notifies you if you have an "unfinished" 2fa login. If you type username and password correctly and then don't type in your totp token it will notify you.


I made a github-codespaces-ish development environment using GCP and terraform mere months before github announced codespaces: https://lockwood.dev/development/remote/2020/03/17/experimen...

But also, the idea was kind of obvious given the way VSCode was going with its ssh plugins.


I once sent Apple feedback about how activity monitor was missing some metric, I don’t remember what it was. Never heard back from them but in the next OS X release it was there.


> a service that notifies you if your 2FA code was entered incorrectly

Even better, let the login pass after some incorrect credential guesses, the login goes to a random fake account.


We implemented something that avoids the original article's 2FA notification.

After your password is approved before 2FA you get an email. So even if someone is somehow using the right 2FA you are aware.

Our thinking was the most likely outcome was someone would hit 2FA, not have the code and so close the request without even entering a bad code.

Apart from that though, it is always nice to get recognition for the stuff you put out there. I know I should do it more myself too.


If you are going to send login notifications anyways this makes sense. Since the user will either want to know about the login or the failed 2FA. However if the user doesn't enable login notifications I think it makes sense to give a short timeout to wait and see if the authentication is successful. If the auth is successful you can skip the alert.


But email can be delayed for hours or days.


That's pretty rare in our scenario, also it still would apply to the original post ?


I've noticed several services in the past that have blocked someone at the 2FA step (either due to getting to that stage and leaving or attempting and failing), then notified the account owner that a login was attempted. I think we just don't hear about it too often because not everyone who has compromised credentials also has 2FA enabled on their accounts in most publicized hacks


Some 10 years ago I pointed out the lack of ssl or starttls on my mail provider’s smtp servers. This was the Netherlands' biggest provider Transip. They said it was an interesting observation that they were going to discuss; some months later I got a big announcement over email about their new secure email platform, yes it was all the same but now with ssl.


About 10 years ago I e-mailed OxfordDictionary asking if they could change the webpage so you could start typing your search right away, and not have to click the search area first.

It made my day when they some days later had implemented it, and emailed me back with a message that they now had implemented it.


A few years ago I tweeted them to say that they had a word definition wrong. They changed it!


> Tell people about things you do that they played a part in - it might just make their day.

Agree so much! I’ve met numerous people, often co-workers, who say “oh I know you I used your blog post”. Wish they’d have shot me a quick email! It’s always a nice surprise when someone reaches out to say thanks.


Such a great idea! I filed a feature request on our GH issues list to implement this: https://github.com/FusionAuth/fusionauth-issues/issues/1888


If anyone in the 2FA business is reading this, I find the Google authenticator process annoying! Unlock phone, find app, scroll to find which code to use, wait for it to time out (maybe) then enter code manually on desktop PC. Could this be made smoother?


FIDO solves this. The process is: push button.


Normies: what the heck he stole your idea :angry:


Do people generally find it easy to find a channel for telling the product maker about the bug or potential improvement?


If something bugged me enough I really wanted to provide feedback, I don't think I have ever not found a way to send it. There is normally some way to do it but definitely can be tricky. GitHub issues, feedback forms, or even just the contact us page on their website. Not guaranteed to get a response, but at least an attempt was made. And it certainly can take a level of dedication and technical knowledge not everyone might have.


great stuff rexfuzzle! that is indeed something that should be part of the standard security of apps nowadays. it costs surprisingly little to clone a phone number and get those 2fa requests on a new phone so any heads up would be great to know.


Did you intend the pun? A "key" feature? ;-)


The main feature that 2FA needs is non-existence.


If you have better options, I'm all ears.


Gmail has those features for some years.


Not AFAIK - they email you when a new device logs in, or a new location, but I've never seen one from a wrong 2FA code.


Can you share who implemented it?


Who implemented it?


that'll teach you


ytrytryrtet


I don't know of anyone who does 2FA this way.


I would consider that as a bug, not as a feature. If the login panel behaves differently on a correct password than on a wrong password, that's an information leak that must be fixed.

Authentication must be evaluated and rejected only when all factors are already provided, and the rejection error should not disclose which of the factors failed.

So, with a proper login panel, my 2FA being asked does not mean that someone has my password.

Edit: this is, for example, the recommendation from PCI to separate "Multi-Step Authentication" from true "Multi-Factor Authentication": https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...


I'm under the impression you misread the original blog post, which by the way does not really do a very good job in terms of explaining how this should be implemented.

IMHO, the idea is not to display the info about a wrong 2FA code on the login page but to use a separate channel to inform the account owner about this recent, failed login attempt. So, no info on the login page of the website (the adversary would still not know that they have a good password but wrong 2FA) but e.g. an email, a text message, a push notification, etc. with this info. I would certainly like to know that someone, somewhere is trying to log in to my account and that this adversary is in possession of my actual password.


If I've understood the linked post, the login panel doesn't have to behave or look different if someone gets the username and password right. You could still show everyone the 2FA input.

It's suggesting that if the username and password are right but 2FA isn't the system should let the account owner know.


I have read the linked post too quickly before sending my initial comment. Indeed, a back-channel notification to the legitimate account owner is probably a good idea.

On the other hand, disclosing to the attacker that they got the password right is not acceptable.


Correct. The blog suggests letting them know out-of-band, like via email, not in the login flow.


Unless you're an especially high-value target, I'd rather you gave quicker feedback about whether or not I have remembered my password correctly than you make it impossible to determine whether or not a password is correct without also having to input the 2FA token.


I don't know of anyone who does 2FA this way.


My employer does it for products requiring PCI certification. Our PCI auditor recommends it even though it's not a formal requirement of PCI v3.


That sounds like a terrible trade-off that makes people more likely to write down passwords on post-it notes or in a clear-text file to cut-n-paste. Especially if you lock accounts after 10 tries or so (or PCI's ridiculously low number of tries).


This was posted above: https://www.isnic.is/en/site/login . First time I've seen it too.


You make a good point, but does anyone do that? I’ve been using a PW manager so long, I don’t really enter incorrect passwords.


I think the majority of places I use 2FA, the 2FA prompt is on a screen after the password login. This is because the use of 2FA is an account option, so not all accounts will have it active.

