2FA Problems Anyone?

MuzzMelbourne

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Yeah, well, the code in the cache wouldn't the current code. Sort of defeats the purpose of the 30 second validity rotation.

Something is wrong here. If you logout, you should have to renegotiate site login in full, not half here and half there. Otherwise 2FA is bloody pointless.

Mods? Heeelp...
 
  • Like
Reactions: TairikuOkami, [correlate] and upnorth
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
MuzzMelbourne said:
Mods? Heeelp...
Click to expand...

2023-04-17_14-45-15.png


Clear the browsers cookies/history and restart ( not refresh ) the browser. That should make you see that message again, and now make sure to un-tick it.
 
  • Like
  • +Reputation
  • Applause
Reactions: Trident, amirr, piquiteco and 9 others
simmerskool

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,610
MuzzMelbourne said:
In the past 24 hours I have logged in to MalwareTips several times where my 2FA code was not requested. Asked for Email address, Password and then straight through to the main page, no 2FA!

Anyone else, or am I just special...?
Click to expand...
I just logged in to MT at 1545z and I was asked for my 2fa.
 
  • Like
Reactions: MuzzMelbourne
simmerskool

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,610
upnorth said:
View attachment 274624

Clear the browsers cookies/history and restart ( not refresh ) the browser. That should make you see that message again, and now make sure to un-tick it.
Click to expand...
I have always thought it "odd" for a computer security forum to have as default [checked] trust this device for 30 days. IMHO the default should be unchecked and if user trusts her device, she can manually check the log-in trust box. :unsure::whistle:
 
  • Applause
Reactions: MuzzMelbourne
I

Ink

Administrator
Verified
Jan 8, 2011
22,490
simmerskool said:
I have always thought it "odd" for a computer security forum to have as default [checked] trust this device for 30 days. IMHO the default should be unchecked and if user trusts her device, she can manually check the log-in trust box. :unsure::whistle:
Click to expand...
Agree to disagree.

MalwareTips is an online community forum, not a security body. Most members log in using a trusted device (ie. personal computer, phone), therefore it's not practical to re-authenticate themselves 12 times per day. Trusted devices streamline the process of logging for 30 days. Security should be an inconvenience to an unauthorised user, but not for the account holder.

Edit: If you believe your security is compromised, it's recommended to change passwords on a trusted device.

If you don't trust your device to remain logged in, there are some options available.
  • Logout after each session
  • Let the browser delete cookies upon exit
  • Incognito
  • Pretend you're using a public computer
 
Last edited:
  • Like
  • Thanks
  • Hundred Points
Reactions: Trident, amirr, MuzzMelbourne and 5 others
Jonny Quest

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,103
simmerskool said:
ok for us to disagree on this point. IMO if vendor goes to the trouble of setting up 2fa, then the default should not be automatic reduced security. :whistle: I appreciate hearing your (MT's) perspective. thanks!
Click to expand...
I get what you're saying, having to manually enable trust this device, helps to automatically back up our 2fa security desire. But, as a standard for me, I'm always allowing it to be checked, as I can easily uncheck it or log out.

On the Bitdefender forum, we had a little back and forth on this one, as there is no option to check or uncheck remember me when logging in. I can't remember if it automatically did it after so many days or what we ended up with.
 
  • Like
Reactions: Trident, piquiteco, MuzzMelbourne and 2 others
MuzzMelbourne

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
upnorth said:
View attachment 274624

Clear the browsers cookies/history and restart ( not refresh ) the browser. That should make you see that message again, and now make sure to un-tick it.
Click to expand...

I'm with simmerskool on this one I'm afraid. I think you should have to go the extra yard to reduce security on a site, not enhance it. Surely, in this day and age, the default should be security over convenience, forum subject not withstanding.

A user poll might be interesting upnorth.
 
  • Like
Reactions: simmerskool
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I’m with @Ink on this one.
Logging in should be inconvenient to unauthorised users but not the account holder.

If a new device is used (for example the password has been compromised) a 2FA prompt will appear and will terminate the attack there. It will not be feasible for criminals to perform any further attacks, as MalwareTips offers very little gain (no personal information, no payment methods saved). Any attempts to compromise members’ security will result in a very quick ban.
It won’t be great to ask users to authenticate again and again.

Users who believe their account is somehow at risk can untick the option to be authenticated every 30 days and make use of other methods (automatic log-off/device lock, cookie clearing and others). Either way, the user is in control.
Now obviously your bank and Amazon account should be subject to different security procedures.
 
  • Like
Reactions: simmerskool, MuzzMelbourne and piquiteco
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Trident said:
I’m with @Ink on this one.
Logging in should be inconvenient to unauthorised users but not the account holder.
Click to expand...
I agree in parts, nowadays there are many PMs that have TOTP integrated that fills the token automatically, this eliminates the inconvenience factor. Here are some examples of PMs that have this feature integrated: Keepass,KeepassXC,1password,Roboform,bitwarden,Dropbox Passwords and other password managers that may have the feature and I do not know.;)
 
  • Like
Reactions: simmerskool, MuzzMelbourne, Jonny Quest and 1 other person
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
piquiteco said:
I agree in parts, nowadays there are many PMs that have TOTP integrated that fills the token automatically, this eliminates the inconvenience factor. Here are some examples of PMs that have this feature integrated: Keepass,KeepassXC,1password,Roboform,bitwarden,Dropbox Passwords and other password managers that may have the feature and I do not know.;)
Click to expand...
Apple Key Chain as well, starting from iOS 15/Mac OS Monterey. But it requires FaceID/Touch ID again.
 
  • Like
Reactions: simmerskool, MuzzMelbourne and piquiteco

Similar threads

vtqhtr413
    • Like
    • +Reputation
Security News Threat actors use Tycoon 2FA kits to target MS 365 and Gmail accounts
Replies
3
Views
1,365
Security News
vtqhtr413
vtqhtr413
enaph
    • +Reputation
Security News Nintendo Warns of Spoofed Emails Impersonating Official Account
Replies
0
Views
824
Security News
enaph
enaph
I
    • Like
Crypto Opinions & News Malicious Chrome extension steals crypto from Binance accounts
Replies
0
Views
652
Crypto News
Ink
I

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top