2FA Problems Anyone?

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Yeah, well, the code in the cache wouldn't be the current code. Sort of defeats the purpose of the 30-second validity rotation.

Something is wrong here. If you logout, you should have to renegotiate site login in full, not half here and half there. Otherwise 2FA is bloody pointless.

Mods? Heeelp...
 
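MuzzMelbourne's point that a cached code is no longer the current one follows from how TOTP windows work. As an added illustration, not code from the thread or from MalwareTips, here is an RFC 6238 TOTP generator and verifier (HMAC-SHA1, 6 digits, 30-second step) showing that a code cached from an earlier login falls outside the acceptance window; the secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second rotation discussed in the thread
DIGITS = 6


def totp_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing unix_time."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current window plus/minus skew_steps neighbouring windows.

    A server typically allows one step of clock drift either way; anything older
    (such as a code cached from an earlier login) is outside the window and fails.
    The comparison is constant-time so a wrong guess leaks no timing information.
    """
    current = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_at(secret, (current + delta) * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def cached_code_still_valid(secret: bytes, cached_at: int, now: int) -> bool:
    """Would a code generated at cached_at still be accepted at time now?"""
    return verify_totp(secret, totp_at(secret, cached_at), now)


if __name__ == "__main__":
    # Constructed test secret (the RFC 6238 appendix B seed), not a real credential.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("current code:", totp_at(secret, now))
    # A code cached from a login 5 minutes ago is ten windows old: rejected.
    print("5-minute-old code accepted?", cached_code_still_valid(secret, now - 300, now))
    # A code from the immediately preceding window is inside the +/-1 skew: accepted.
    print("previous-window code accepted?", cached_code_still_valid(secret, now - 30, now))
```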

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Mods? Heeelp...

Clear the browser's cookies/history and restart (not refresh) the browser. That should make you see that message again, and now make sure to un-tick it.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
In the past 24 hours I have logged in to MalwareTips several times where my 2FA code was not requested. Asked for Email address, Password and then straight through to the main page, no 2FA!

Anyone else, or am I just special...?
I just logged in to MT at 1545z and I was asked for my 2FA.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
Clear the browser's cookies/history and restart (not refresh) the browser. That should make you see that message again, and now make sure to un-tick it.
I have always thought it "odd" for a computer security forum to have as default [checked] "trust this device for 30 days". IMHO the default should be unchecked, and if the user trusts her device, she can manually check the log-in trust box. :unsure::whistle:
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,355
I have always thought it "odd" for a computer security forum to have as default [checked] "trust this device for 30 days". IMHO the default should be unchecked, and if the user trusts her device, she can manually check the log-in trust box. :unsure::whistle:
Agree to disagree.

MalwareTips is an online community forum, not a security body. Most members log in using a trusted device (i.e. personal computer, phone), therefore it's not practical to re-authenticate themselves 12 times per day. Trusted devices streamline the process of logging in for 30 days. Security should be an inconvenience to an unauthorised user, but not for the account holder.

Edit: If you believe your security is compromised, it's recommended to change passwords on a trusted device.

If you don't trust your device to remain logged in, there are some options available.
  • Logout after each session
  • Let the browser delete cookies upon exit
  • Incognito
  • Pretend you're using a public computer
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
799
OK for us to disagree on this point. IMO if a vendor goes to the trouble of setting up 2FA, then the default should not be automatically reduced security. :whistle: I appreciate hearing your (MT's) perspective. Thanks!
I get what you're saying: having to manually enable "trust this device" helps to automatically back up our 2FA security desire. But, as a standard for me, I'm always allowing it to be checked, as I can easily uncheck it or log out.

On the Bitdefender forum, we had a little back and forth on this one, as there is no option to check or uncheck remember me when logging in. I can't remember if it automatically did it after so many days or what we ended up with.
 

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Clear the browser's cookies/history and restart (not refresh) the browser. That should make you see that message again, and now make sure to un-tick it.

I'm with simmerskool on this one, I'm afraid. I think you should have to go the extra yard to reduce security on a site, not enhance it. Surely, in this day and age, the default should be security over convenience, forum subject notwithstanding.

A user poll might be interesting, upnorth.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,756
I’m with @Ink on this one.
Logging in should be inconvenient to unauthorised users but not the account holder.

If a new device is used (for example the password has been compromised) a 2FA prompt will appear and will terminate the attack there. It will not be feasible for criminals to perform any further attacks, as MalwareTips offers very little gain (no personal information, no payment methods saved). Any attempts to compromise members’ security will result in a very quick ban.
It won’t be great to ask users to authenticate again and again.

Users who believe their account is somehow at risk can untick the option to be authenticated every 30 days and make use of other methods (automatic log-off/device lock, cookie clearing and others). Either way, the user is in control.
Now obviously your bank and Amazon account should be subject to different security procedures.
 

piquiteco

Level 14
Oct 16, 2022
624
I’m with @Ink on this one.
Logging in should be inconvenient to unauthorised users but not the account holder.
I agree in part. Nowadays there are many password managers (PMs) that have TOTP integrated and fill in the token automatically; this eliminates the inconvenience factor. Here are some examples of PMs that have this feature integrated: KeePass, KeePassXC, 1Password, RoboForm, Bitwarden, Dropbox Passwords, and other password managers that may have the feature and I do not know of. ;)
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,756
I agree in part. Nowadays there are many password managers (PMs) that have TOTP integrated and fill in the token automatically; this eliminates the inconvenience factor. Here are some examples of PMs that have this feature integrated: KeePass, KeePassXC, 1Password, RoboForm, Bitwarden, Dropbox Passwords, and other password managers that may have the feature and I do not know of. ;)
Apple Keychain as well, starting from iOS 15/macOS Monterey. But it requires Face ID/Touch ID again.
 
