Discussion
Matt Blaze
@mattblaze@federate.social  ·  activity timestamp 3 months ago

Just experienced the most hostile MFA login I've seen in a while, from, naturally, a tax accountant (for a nonprofit I'm an officer of).

You get sent a 20 character mixed case code, which is sent to your phone as an image via MMS, in a font suitable for use in difficult CAPTCHAs. You have 3(!) minutes to receive it and enter it correctly or you have to get a new code.

Accountants seem to have singularly bad client login systems.

sollat
@sollat@masto.ai replied  ·  activity timestamp 3 months ago

@mattblaze
Sounds bad enough to be a phishing attempt

Deborah Hartmann Preuss, pcc
@deborahh@cosocial.ca replied  ·  activity timestamp 3 months ago

@mattblaze @mayintoronto
😱😭😭😭
#dyslexic

Karl
@karl@infosec.exchange replied  ·  activity timestamp 3 months ago

@mattblaze for extra spice I hope there was one O and no 0, and one of l, I and 1.

Matt Blaze
@mattblaze@federate.social replied  ·  activity timestamp 3 months ago

@karl I think it was all alphabetic, amazingly.

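Karl's point about look-alike characters, and the 20-character mixed-case code from the original post, worked through in an added example (not code from the thread): a code alphabet with the confusable characters removed, sized by the entropy the code actually needs instead of by an arbitrary character count. The set of confusables and the 64-bit target are assumptions.

```python
import math
import secrets

# Constructed confusable set: characters commonly misread when a code is
# transcribed from an image or read aloud (0/O, 1/l/I, 5/S, 2/Z, 8/B).
CONFUSABLE = set("0O1lI5S2Z8B")
FULL_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
)
# 62 symbols minus the 11 confusables leaves 51 unambiguous symbols.
SAFE_ALPHABET = "".join(c for c in FULL_ALPHABET if c not in CONFUSABLE)


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random code of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest code length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_code(length, alphabet=SAFE_ALPHABET):
    """Uniform one-time code; secrets.choice is CSPRNG-backed and unbiased."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_confusables(code):
    """True if a code contains any character a human is likely to misread."""
    return any(c in CONFUSABLE for c in code)


if __name__ == "__main__":
    # The thread's code: 20 symbols over 52 letters, about 114 bits, far more
    # than a short-lived, rate-limited one-time code needs.
    print(round(entropy_bits(20, 52), 1))
    # The same 64-bit target with the unambiguous alphabet fits in 12 symbols.
    n = length_for_bits(64, len(SAFE_ALPHABET))
    print(n, generate_code(n))
```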
Jernej Simončič
@jernej__s@infosec.exchange replied  ·  activity timestamp 3 months ago

@mattblaze That reminds me of trying to activate phonebook software from the local Telecom about 20 years ago – it came on a CD, and used a floppy for copy protection, but since laptops at that time already didn't have a floppy drive any more, you could instead call them for activation, which required you to press a secret key combo during install (when it asked for the floppy), then read a long numeric code to the operator, then type in a code that the operator read to you – this code was 21 characters long, contained small and capital letters, numbers, / and + characters and always ended with == (this gives you a clue about how they encoded the secret). At least it wasn't time-limited (at least I hope so), because just typing all of the characters properly always took forever, as their operator never used the phonetic alphabet.

Going T. Maine
@going_to_maine@mastodon.social replied  ·  activity timestamp 3 months ago

@mattblaze sweet jebus

Revenant
@Revenant@hear-me.social replied  ·  activity timestamp 3 months ago

@mattblaze obviously the only ethical thing to do is search for exploitable weaknesses which force a change.

Matt Blaze
@mattblaze@federate.social replied  ·  activity timestamp 3 months ago

I'd complain, but I'd undoubtedly just get told it's all there for security reasons and also, no one knows who set it up or how to change it.

Fluchtkapsel
@fluchtkapsel@nerdculture.de replied  ·  activity timestamp 3 months ago

@mattblaze The second-factor authentication had been in place for what seems like forever. No one knew where it came from, no one ever asked for it to be upgraded. And yet, it changed, only slightly evolving to always be more annoying than whatever the industry's current standard was, always maliciously complying with the letter of the regulatory requirements in ways no one might have foreseen.

Steve's Place
@steter@mastodon.stevesworld.co replied  ·  activity timestamp 3 months ago

@mattblaze Memories are made of this.

At one company, we needed customers to leave their dial-up modems (I am so old) on overnight for updates. To handle the nasty business of logging in for automatic maintenance, a new concept at the time, I had the honor of inventing a secure-ish login system.

You had to have a key, a small code snippet, to unlock the system, without which the hacker would be left on a peripheral board. Getting to the CPU from there, in that direction, would require hardware knowledge. No hacks ever happened.

In hindsight, it is a good thing that the company did not ask me to design a login system for humans.

Steve Bellovin
@SteveBellovin@infosec.exchange replied  ·  activity timestamp 3 months ago

@mattblaze Ah, yes, security. Many years ago, when I was living in NJ, my local library set up a WiFi system that blocked outbound access to ports 22 (ssh) and 993 (IMAP over TLS). I complained, and was told it was for security. I tried to explain that security didn't work that way. "Sir, the person who set this up has set up WiFi for most of the libraries in the county." I decided not to try to enlighten them, and instead set up an ssh daemon on port 443 (HTTPS) of a server I control, and I tunneled IMAPS. Security!

Craig Stuntz
@CraigStuntz@discuss.systems replied  ·  activity timestamp 3 months ago

@mattblaze Good thing SMS messages are always delivered immediately! (/s)

Matt Blaze
@mattblaze@federate.social replied  ·  activity timestamp 3 months ago

@CraigStuntz Sigh

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate