Comment by slyzmud
21 days ago
Actually my bank already requires me to use the phone app for any operation on the website. When I want to login from my laptop I need to use my phone with their app to approve the login, same for almost any operation.
Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you
> can only be installed in one device at the same time
I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.
WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...
>WhatsApp is probably the stupidest example of only being able to be on a single device
that's not really an artificial limitation but a design choice. They don't store your messages, only deliver them. Once the message is on your device, it's gone from their servers, like old POP3 mail.
You think Meta would pass up an opportunity to harvest data from users?
I use the Signal fork Molly to get messages on multiple phones. One remains the primary and the others linked, but I get messages even if the primary is off.
> It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be.
As is with all two factor, but don't point that out, or the "but muh security" bros will shout you down.
The authenticator app that I use for most 2FA can be on multiple devices, and you can export and import some or all of the entries, password protected.
I would be extremely F'd if my 2FA was able to be lost or stolen due to a single device limitation.
I have a huge problem with companies using their own apps for 2FA.
Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.
I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.
Is that a thing Google logins can be set to require? I _can_ use the Gmail app on a device for 2FA, I can also press "try another method" and use any 2FA app.
I guess I’ll have to look. It just started happening one day.
One huge fear I have no is breaking my phone while away from home and getting locked out of everything.
I was on vacation several years ago and broke my phone (the only time I’ve ever done that), and got lucky in several ways. I had a 2nd work phone with me. I was able to use that to call an Uber to get to an Apple Store; I was lucky to be in a city with an Apple Store. Then I got lucky again that I was able to talk Apple into giving me a replacement right there instead of a repair, they happened to have a single phone in stock to do that with. Then I got lucky yet again when I went to set it up, because I had an iPad with me by dumb luck, which was able to do my Apple 2FA that I didn’t sign up for.
If I go somewhere with just my 1 phone and no second device… I’m thinking I need to setup and bring a bunch of recovery codes, which has its own risks. My plan would be to cryptically write them down and put them in a money belt, as if those got into the wrong hands I’d be screwed.
I really don’t know what people do who only have a phone and nothing else. It seems they would always have this risk.
i do like how many apps are starting to play nice with 3rd party authenticators. i use ms authenticator for a bunch of things. Although knowing MS it has some massive license fee for them to support.