
Thread: Two-factor authentication (2FA) irritation

  1. #1
    Still Exploring
    Join Date
    Aug 2013
    Posts
    37

    Two-factor authentication (2FA) irritation

    Oh, look, I've got a message!

    "Turn on two-factor authentication?" Well, I was hoping for something more juicy than that... but sure, that sounds good.

    Okay, so there are two options: GMBill, and... really? I've got to install a random app on my phone? A random app, that I don't know and don't really trust, for the *sole purpose* of topping up my AW account, which I do probably once or twice a year?

    You know how many one-off apps I *already have* on my phone because every goddamn online service has been going hog-wild with "install OUR app so we can stick our icon on your home screen and spread our branding!!" marketing nonsense? More than zero, which is already too many.

    No thanks. GMBill is fine.

    Wait, GMBill is already selected. In fact, it's selected by default... for everybody... which means that "turn on 2FA" is misleading, since it's already on. I'm just not using AW's *preferred* 2FA method.

    Hey, I've still got a message: "Turn on two-factor authentication?" How do I get rid of this thing?

    Oh. I can't. It's stuck in my inbox until and unless I switch.

    AW admins... this doesn't seem very user-friendly. In fact, it's a pain in the ass.

  2. #2
    Forum Admin
    Join Date
    Apr 2006
    Location
    The Axiom hovering over the Netherlands
    Posts
    15,292
    Hi,

    It's not a 'random app' really, it's Google Authenticator or another app which can handle one-time passcodes provided by Google. The security questions are a sort of 2FA but not as secure.

    More info: https://support.abbywinters.com/diff...tions-for-pps/

    Your main issue is that you can't get rid of the 'turn on 2FA' message... where? In your mail?

  3. #3
    Still Exploring
    Join Date
    Aug 2013
    Posts
    37
    Well... if my sole use of Google Authenticator is for this one purpose, it seems pretty random and unnecessary to me.

    The message I'm seeing is the red "(1)" indicator in the top bar of every single page.

    Also - minor bug, just happened after topping up a $3.00 balance with a $25.00 deposit (for the Sienna G / Zinia B shoot, which looks divine):

    Your balance is now $28.00999999999998.

  4. #4
    Forum Admin
    Join Date
    Apr 2006
    Location
    The Axiom hovering over the Netherlands
    Posts
    15,292
    nice balance

    I see your point on the red '1' thing now, it looks a bit like 'you have an unread message', with no way to mark it read. I'll ask web-team how to get rid of it.
    (besides using GAuth-2FA)

  5. #5
    Owner garionhall's Avatar
    Join Date
    Dec 2007
    Posts
    1,137
    As the FAQ Frans linked to explains, The Google Authenticator app is the simplest to use (I've used it for four years now, never got an alert from it), but there are several alternatives (that may send alerts, dunno) that can be tried.

    You're not correct that the current GMB "security question" system is 2FA already. The generally accepted factors of authentication are:

    • knowledge (something the user and only the user knows, eg, a username, password or address information)
    • possession (something the user and only the user has, a device, like a phone or token)
    • inherence (something the user and only the user is, eg, fingerprint, face scan)


    The GMB-info approach is better than nothing, but it's not good enough. Unfortunately, we're finding abuse with the GMB system - asking for CC or email info as a second factor is not ideal, and we're finding this information has been shared online (not by us!) or is guessable, and once shared it cannot be fixed: that info is permanently out there (until you change CC or email address, hassle everyone prefers to avoid). That's a fundamentally flawed system, which is a concern when it comes to online security.

    The Google Authenticator app is just 13 MB, provides no alerts or annoyances, takes three minutes to set up, works reliably and - most importantly - secures your credit card from unauthorised charges on our platform. I honestly cannot see why anyone would decide to willfully be less secure - it's irrational.

    For now, we will not be removing the alert (but it's likely in the future we'll make 2FA required, not optional, for logging in to AW as well!).

    (I take your point about "required" apps that make alerts, or even need updates, that shit is annoying, but Google Authenticator does not do this. I don't take your point on there being "too many apps". You (presumably) don't complain there are "too many web pages" on the internet, or "too many books" in a library... you just look at the pages / books you want to, when you want to.)
    Last edited by garionhall; 12th April 2019 at 03:20 AM. Reason: Revised details on GMB info used to verify purchases.

  6. #6
    Still Exploring
    Join Date
    Aug 2013
    Posts
    37
    I appreciate the reply. Good information.

    Quote Originally Posted by garionhall View Post
    I honestly cannot see why anyone would decide to willfully be less secure - it's irrational.
    There's a gradient between security and convenience. As the anecdote goes: you can get excellent security against online malware by permanently airgapping your computer... even better, never turn it on.

    CCBill / GMBill has had my credit card info for over 20 years. I've had my credit card information stolen maybe three times in that period, with absolutely no way to identify how it got stolen - which of the 40 websites or 300 physical places I've bought something from in the last five years leaked my info? ... no idea. And in each case, one call to the credit card company got the charges reversed and a new card within 24 hours.

    If it's become less secure recently... well, I guess I haven't heard about it. I'll take your word for it.

    Quote Originally Posted by garionhall View Post
    ...it's likely in the future we'll make 2FA required, not optional, for logging in to AW as well!
    Really? You don't view that as a pretty serious obstacle for enrolling new users?

    How many other adult websites require not just a credit card, not just 2FA, but a specific mobile app to complete 2FA? I've never heard of such a thing. Literally never.

    Quote Originally Posted by garionhall View Post
    (I don't take your point on there being "too many apps". You (presumably) don't complain there are "too many web pages" on the internet, or "too many books" in a library... you just look at the pages / books you want to, when you want to.)
    First, it's not just the availability of apps. I'm glad the App Store has 19 bajillion apps. Variety is nice.

    Rather, it's the number of apps that I've been grudgingly obligated to stick on my phone because a website withheld functionality unless I did.

    And second, I certainly do avoid websites that make it too difficult to enter. Paywall? Nah. "Sign up here to browse our - " Nah. I walk away from those websites... specifically because, as you noted, there are millions of other webpages out there that don't throw roadblocks between new users and their content.

    That's my view. Now, I'm just a casual consumer of high-grade adult content. I've never developed a commercial website, let alone one as long-lived and successful as AW. I presume, genuinely, that you understand your user base and all that. I'm just providing, I suppose, a minority report for consideration.
    Last edited by sfsdfd; 12th April 2019 at 06:16 AM.

  7. #7
    Owner garionhall's Avatar
    Join Date
    Dec 2007
    Posts
    1,137
    Quote Originally Posted by sfsdfd View Post
    There's a gradient between security and convenience. As the anecdote goes: you can get excellent security against online malware by permanently airgapping your computer... even better, never turn it on.
    I'm familiar with the adage, and I like it.

    Quote Originally Posted by sfsdfd View Post
    CCBill / GMBill has had my credit card info for over 20 years. I've had my credit card information stolen maybe three times in that period, with absolutely no way to identify how it got stolen - which of the 40 websites or 300 physical places I've bought something from in the last five years leaked my info? ... no idea. And in each case, one call to the credit card company got the charges reversed and a new card within 24 hours.
    I'm glad you got your money back without much hassle (and I agree, there's no way to know how the info got out). Like most consumers, you probably don't care, but here's what happens behind the scenes when you do that.

    • nicework.com is a lovely small business selling access to online media that some people choose to pay for.
    • Someone joins up, with a credit card. They're charged $39.25.
    • The person who signed up downloads all the content in a few days
    • 10 days after the join, we get a notification from our merchant bank: that charge may have been fraudulent! Please provide evidence of the charge in the next few days, or you're in trouble. And by the way, don't make sales to fraudulent customers.
    • 13 days after the join, we get a notification from our merchant bank: you've not provided evidence, so we've automatically debited your account the $30 fee you charged, and fined you a further $45 for being so stupid (this is called a "chargeback")
    • The person who signed up posted all the content they "bought" onto Torrent sites or to a Bitlocker site, where they get money for posting content


    Turns out, of course, the person who signed up used stolen credit card details. Oh, well, at least the poor cardholder can get their money back, right? What a relief!

    nicework.com is out the join fee, the fine, the cost of the service they provided, plus the piracy hit - plus, someone else is making money on the content they worked so hard to create in the first place!

    And, the merchant bank has tracked how many of these "chargebacks" are occurring. They're increasing the cost of processing credit card transactions, to cover their costs of administering chargebacks (ffs). If it increases any further, the merchant bank will cancel the merchant account entirely. Any time a merchant bank cancels a merchant account, it's pretty much impossible to get a new merchant account, because there's only "good" reasons one of their buddy-merchant-banks would have cancelled the previous merchant account, right?

    (For a year we tried providing evidence such as joining IP address, address, usage IP address, list of downloads, etc to contest the chargeback. Banks ignored it - they only accept a signature from a customer, which of course is not possible in an online transaction).

    Quote Originally Posted by sfsdfd View Post
    If it's become less secure recently... well, I guess I haven't heard about it. I'll take your word for it.
    Well, we're not less secure (we're more secure, in fact), but attackers have become more sophisticated. Glad you have not been affected - not many of our customers have, but even one is too many!

    Quote Originally Posted by sfsdfd View Post
    Really? You don't view that as a pretty serious obstacle for enrolling new users?
    I sure do. It sucks, but if the alternative is going out of business entirely, it's the best option we have.

    Your bank probably requires 2FA now, so it's becoming more accepted.

    Quote Originally Posted by sfsdfd View Post
    How many other adult websites require not just a credit card, not just 2FA, but a specific mobile app to complete 2FA? I've never heard of such a thing. Literally never.
    Yes, well, SMS is the other option, I guess that's what you're referring to. I assumed customers would be far less likely to be comfortable with a porn site having their mobile phone number, than installing a third-party app. But looks like I am wrong on that!

    The real problem here - not to point fingers - is customers selecting insecure passwords. We're about to add a thing that checks a list of passwords known to be shared online (there's a few billion of them; more info), and encourage customers to use a more secure one.

    But most people feel that password security is not their problem and prefer to aggressively use the same few passwords over and over (instead of using a simple Password Manager, which makes it a non-issue to use very secure and varied passwords for every online service).

    Quote Originally Posted by sfsdfd View Post
    Rather, it's the number of apps that I've been grudgingly obligated to stick on my phone because a website withheld functionality unless I did.
    Can you cite some examples? Not sure I know what you mean here.

    Quote Originally Posted by sfsdfd View Post
    And second, I certainly do avoid websites that make it too difficult to enter. Paywall? Nah. "Sign up here to browse our - " Nah. I walk away from those websites... specifically because, as you noted, there are millions of other webpages out there that don't throw roadblocks between new users and their content.
    Yes, it certainly sucks to be a website selling stuff these days! If I had it my way, we'd do everything by Bitcoin and fuck the banks... but if you're not going to use 2FA, Bitcoin's out of the question!

    Quote Originally Posted by sfsdfd View Post
    I'm just providing, I suppose, a minority report for consideration.
    And I certainly appreciate it - it's good to talk about these things, even if there's no ideal solution.

  8. #8
    Still Exploring
    Join Date
    Aug 2013
    Posts
    37
    Quote Originally Posted by garionhall View Post
    I'm glad you got your money back without much hassle (and I agree, there's no way to know how the info got out). Like most consumers, you probably don't care, but here's what happens behind the scenes when you do that.
    That... makes a lot of sense. Food for thought.

    Pretty crazy that the credit card company is charging the vendor - what is the vendor supposed to do? I mean, obvious negligence (or worse, coordination with the grifter) requires attention and penalties, but that's got to be a vanishingly small share of the incidents.

    Quote Originally Posted by garionhall View Post
    (For a year we tried providing evidence such as joining IP address, address, usage IP address, list of downloads, etc to contest the chargeback. Banks ignored it - they only accept a signature from a customer, which of course is not possible in an online transaction).
    I once had a top-spec MacBook Pro swiped on a train. Later that day, Dropbox reported a login attempt... from an IP address... that was tied to a residential account. It would have been trivially easy for the cops to investigate. I couldn't get them to lift a finger.

    Quote Originally Posted by garionhall View Post
    The real problem here - not to point fingers - is customers selecting insecure passwords. We're about to add a thing that checks a list of passwords known to be shared online (there's a few billion of them; more info), and encourage customers to use a more secure one.
    That's interesting - and I'm aware of both the existence of "have I been pwned" sites, and some password validation techniques based thereupon. But it does raise the slightly troubling prospect of a website inspecting my password in a substantive way. With all the stories about companies storing passwords in plaintext (most recently Instagram?!), I much prefer that websites let me pick whatever I want and store a ZKP / public-key type of verifier. I doubt most users will care, though.

    Quote Originally Posted by garionhall View Post
    (instead of using a simple Password Manager)
    There's a chicken-and-egg problem here: today's password managers suck. They get better every year, but even after ten years of development, they still *absolutely suck*.

    (1) Poor recognition. It's been my experience that even the best password managers can correctly identify both the login and the password fields of a web page about 60-70% of the time. Even for A-list websites, auto-fill doesn't work consistently if you receive a login prompt on a different page. (Amazon vs. Amazon Prime Music vs. Amazon Prime Video, for instance.)

    (2) Sharing. How do you get a stored password from your workstation to your laptop to your phone to your tablet? You have two options. First, share your passwords online... ALL of them... in one online vault. Does that seem terrifying? Second, *don't* share them via an online vault, which means not having access to your passwords. (Or third: Password reuse, which is why so many people resort to it.)

    (3) Maintenance. Even when it *was* working, password autofill regularly fails because you changed your password on another device and the changes didn't propagate, or because the website changed its URL or code or even the login scheme (switching the identity field between "email address" and "username" is a big one), etc. So now you have to interact with your password manager to throw out the old l/p record and create a new one. Sometimes your password manager will dutifully insist on providing the old credentials automatically, and you have to fight with it to get it to not do that! So in addition to not making your life easier, your password manager now *requires* more attention and gets in your way.

    So I don't actually blame the plebs who keep their single password on a Post-It stuck to their monitor. Their habits suck because the tech community has failed to give them a better one. Those of us who actually understand and care about security will tolerate the drudgery, but we can't realistically expect that of everyone.

    Quote Originally Posted by garionhall View Post
    Can you cite some examples? Not sure I know what you mean here.
    Sure. Back in 2010 or so, when everyone started picking up iPhones, companies rolled out mobile apps. And because they *reallyreally* wanted their customers to use their shiny new app, their web pages had some code that detected mobile browsers and forced those users to a placeholder page: "Get the new mobile app!" Hertz, the car rental agency, was guilty of this one, and it complicated several instances of travel for me.

    Some other, less-obnoxious companies offered a mild facsimile of their desktop site as a mobile version: smaller page data footprint, smaller layout, simpler options. But in simplifying the options, they sometimes *removed* options that couldn't be simplified (or that weren't in the project scope). Amazon was guilty of that for a while.

    Yes, many companies have improved since then. No, they haven't *all* improved. I encounter those behaviors from time to time.

    Quote Originally Posted by garionhall View Post
    Yes, it certainly sucks to be a website selling stuff these days! If I had it my way, we'd do everything by Bitcoin and fuck the banks... but if you're not going to use 2FA, Bitcoin's out of the question!

    Quote Originally Posted by garionhall View Post
    I certainly appreciate it - it's good to talk about these things, even if there's no ideal solution.
    I appreciate your detailed responses (and understanding the tone of my comments, which is mostly about interesting conversation). And you've convinced me to switch to AW-approved 2FA. I'll do it later tonight.

  9. #9
    Owner garionhall's Avatar
    Join Date
    Dec 2007
    Posts
    1,137

    Thumbs up

    Quote Originally Posted by sfsdfd View Post
    Pretty crazy that the credit card company is charging the vendor - what is the vendor supposed to do?
    Yah, no one seems to actually care about that one. We're in the process of changing merchant banks right now (for a good reason: a better rate!), so while everyone's all lovey-dovey, I'm gonna ask the question again (I expect they will blame the cardholder's bank and shrug, but let's see).

    Quote Originally Posted by sfsdfd View Post
    (1) Poor recognition. It's been my experience that even the best password managers can correctly identify both the login and the password fields of a web page about 60-70% of the time. Even for A-list websites, auto-fill doesn't work consistently if you receive a login prompt on a different page. (Amazon vs. Amazon Prime Music vs. Amazon Prime Video, for instance.)
    Yah, that's annoying, and I experience that every day (we use LastPass). :/

    I have another related issue: we use subdomains a lot (eg, support.abbywinters.com), some of which use WordPress. Whenever it encounters a WordPress site on a subdo, it lists ALLL the *.abbywinters.com passwords. As you might imagine, I have a few of them...

    [Attached screenshot: lastpass bullshit.png]

    And because a lot of my work happens on the abbywinters.com domain, this is annoying 20 times a day. Of course, the rest of my work is on google.com domains, same issue.

    This seems like an easy thing for LastPass to fix, so I am going to complain again. *time passes* did some searching, turns out they have a solution for this, and it works well!

    Quote Originally Posted by sfsdfd View Post
    (2) Sharing. How do you get a stored password from your workstation to your laptop to your phone to your tablet? You have two options. First, share your passwords online... ALL of them... in one online vault. Does that seem terrifying? Second, *don't* share them via an online vault, which means not having access to your passwords. (Or third: Password reuse, which is why so many people resort to it.)
    Hm, on LastPass, this works seamlessly, so I assumed it did on other apps as well! Well, yes, stored in an online vault. I'm ok with that, when I understand how they are stored. I acknowledge it's a risk, but I am ok with it for this company.

    Quote Originally Posted by sfsdfd View Post
    (3) Maintenance. Even when it *was* working, password autofill regularly fails because you changed your password on another device and the changes didn't propagate, or because the website changed its URL or code or even the login scheme (switching the identity field between "email address" and "username" is a big one), etc. So now you have to interact with your password manager to throw out the old l/p record and create a new one. Sometimes your password manager will dutifully insist on providing the old credentials automatically, and you have to fight with it to get it to not do that! So in addition to not making your life easier, your password manager now *requires* more attention and gets in your way.
    Hm, LastPass handles this gracefully around 80% of the time, including password updates required by some sites (enter password, enter new password, enter new password again).

    Quote Originally Posted by sfsdfd View Post
    So I don't actually blame the plebs who keep their single password on a Post-It stuck to their monitor. Their habits suck because the tech community has failed to give them a better one. Those of us who actually understand and care about security will tolerate the drudgery, but we can't realistically expect that of everyone.
    I agree. Spend three minutes with my mum using a computer and not only will you want to shoot yourself in the face, you'll also understand why password managers are a long way from being widely accepted.

    Quote Originally Posted by sfsdfd View Post
    Back in 2010 or so, when everyone started picking up iPhones, companies rolled out mobile apps. And because they *reallyreally* wanted their customers to use their shiny new app, their web pages had some code that detected mobile browsers and forced those users to a placeholder page: "Get the new mobile app!" Hertz, the car rental agency, was guilty of this one, and it complicated several instances of travel for me.
    Oh yes, got ya now. Agree these were infuriating! I feel like it's swinging back the other way now, almost too far: design sites for mobile first, and they look terrible on my 30" monitor!

    In our defense, the app we're suggesting to install is not like that! It's a utility app, that can be used on thousands of sites. I think in a few years, it'll be as ubiquitous as the calculator app no one is concerned about and occasionally uses on their phone.

    Quote Originally Posted by sfsdfd View Post
    And you've convinced me to switch to AW-approved 2FA. I'll do it later tonight.
    🎉 one down, ~16,999 to go!
