So a while ago I wrote about how 2FA was missing a key feature: <a href="https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db" rel="nofollow">https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...</a><p>Having not had any feedback on it in a while and the idea not taking off, today somebody messaged me to say that they had implemented it in their product.<p>1. Obviously I think this is great and more secure<p>2. Tell people about things you do that they played a part in; it might just make their day.
Years back, every web browser's built-in password manager locked up the page when submitting a login form, waiting for the user to answer "do you want to save this password?" before proceeding.<p>I thought that was silly: how do I know if I want to save the password before I've seen whether it's correct? Which I can't see until the form is submitted.<p>At the time I was using Opera, so I wrote in to their customer support suggesting that the prompt appear after the new page loaded. I never heard back, but a couple months later their next major release implemented exactly that behavior. A few months after that, every other browser followed suit.<p>I can't have been the only one bothered by the existing behavior, but given how long browsers had worked that way before I wrote in, I like to tell myself that the timing wasn't a coincidence, and that my little suggestion rippled out into a change that made a small thing better for the whole world :)
That’s awesome. I was expecting a lament on how an amazing startup idea was stolen and monetized by someone else. Glad I’m wrong and the world is a little bit better.
I haven't done this in many years, but for a while I was making creative content that was published online. Once in a while someone would contact me saying they liked what I did. I started doing the same. If I read an article I liked a lot I would contact the person and tell them I liked it and why. About half the time they responded with thanks.<p>I didn't do this with NYT writers or anything. Just people who clearly don't get paid/paid much to make this content, but I found it useful/interesting/helpful. I think that stuff goes a long way and it really doesn't take that long to do.<p>I've got a tech podcast now and about once every month or two someone contacts me to say they liked it or something nice. It's a huge reason why I keep doing it. I know that sounds silly, but the internet can be such a black hole. A little feedback goes a long way.
OWASP actually includes this suggestion in their guidance for implementing MFA:<p><a href="https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html" rel="nofollow">https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...</a><p>> When a user enters their password, but fails to authenticate using a second factor...:<p>> ...<p>> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.<p>> The notification should include the time, browser and geographic location of the login attempt.<p>> This should be displayed next time they login, and optionally emailed to them as well
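One way to wire up the OWASP recommendation quoted above, as an added example that is not code from the cheat sheet or from anyone in this thread: when the password was right but the second factor was not, record the attempt with its time, browser and location, and hand the stored notices back after the next successful login (the same strings can be emailed at the time they are recorded). The in-memory store, the User-Agent sniffing and the IP-to-city table are stand-ins for a database, a proper UA parser and a geolocation service; the sample addresses and timestamps are constructed here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class FailedSecondFactor:
    when: datetime
    browser: str        # derived from the User-Agent header
    location: str       # derived from the client IP (assumed geolocation lookup)
    ip: str


@dataclass
class Account:
    username: str
    # Notices recorded since the owner last logged in successfully
    unseen: List[FailedSecondFactor] = field(default_factory=list)


# Constructed stand-in for an IP geolocation service (assumption).
_GEO: Dict[str, str] = {"203.0.113.9": "Lyon, FR", "198.51.100.4": "London, GB"}


def _browser_from_ua(user_agent: str) -> str:
    """Rough browser-family detection; a real service would use a UA parser."""
    for name in ("Firefox", "Chrome", "Safari"):
        if name in user_agent:
            return name
    return "unknown browser"


def record_failed_second_factor(acct: Account, ip: str, user_agent: str,
                                when: datetime) -> FailedSecondFactor:
    """Call this when the password verified but the second factor did not.

    Whoever made the attempt already holds the password, so the event is worth
    surfacing even though no login happened."""
    notice = FailedSecondFactor(
        when=when,
        browser=_browser_from_ua(user_agent),
        location=_GEO.get(ip, "unknown location"),
        ip=ip,
    )
    acct.unseen.append(notice)
    return notice


def format_notice(n: FailedSecondFactor) -> str:
    """The time, browser and location OWASP asks for, plus the password advice."""
    return (f"{n.when.isoformat()}: failed second-factor attempt from {n.browser} "
            f"in {n.location} ({n.ip}). If this wasn't you, change your password.")


def notices_for_next_login(acct: Account) -> List[str]:
    """Return the messages to show on the next successful login and mark them seen."""
    msgs = [format_notice(n) for n in acct.unseen]
    acct.unseen.clear()
    return msgs


if __name__ == "__main__":
    alice = Account("alice")
    record_failed_second_factor(
        alice, "203.0.113.9", "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Firefox/115.0",
        datetime(2023, 6, 1, 22, 15, tzinfo=timezone.utc))
    for line in notices_for_next_login(alice):
        print(line)
```

The notices are cleared only when the real owner logs in, so an attacker who keeps failing the second factor cannot make them disappear; whether to also block the account after N such events is a separate policy decision.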
I enjoyed when a French hacker used information from my blog to set off all the alarms of Bird scooters in Lyon, France for an evening.<p>I had written about (what I considered as) a vulnerability that allowed remote triggering of Bird scooter alarms (Bird disagreed of course) on my blog [1]. I then saw this GitHub repo linked in the comments for setting off alarms of Bird scooters [2] and reached out to the author.<p>The author let me know that they had used the info in my blog to script a tool for setting off Bird scooters en masse. They then targeted the script at all the scooters in Lyon and subsequently fell asleep. When they woke up they noticed the endpoint was disabled... Bird had taken the action to disable the API endpoint in response, of course.<p>Probably would've been easier to fix before someone scripted it out, but it made for a fun story.<p>[1] <a href="https://theappanalyst.com/bird.html" rel="nofollow">https://theappanalyst.com/bird.html</a>
[2] <a href="https://github.com/pcouy/bird-whisperer" rel="nofollow">https://github.com/pcouy/bird-whisperer</a>
If any Spotify devs are here, please let me explore and add songs, artists and albums to my library without “hearting” it.<p>I often just want to follow up later by “adding to my library,” and it feels weird to “LOVE” it before ever hearing it.
I really feel pain when I hear something terrible that I’ve already “liked” and consider the impacts to my algorithm.<p>Please distinguish between “like” and “save.”<p>A simple “plus sign” or really any other symbol that signifies “adding to a collection” without “liking” connotations (stars are out too).
Yes! That’s such a nice feeling.<p>One of my GitHub projects was used in a demo at Google Cloud Next a while ago. The presenter was considerate enough to attribute the project to me by name during the demo and even sent me an issue just letting me know about it. That was so nice! Absolutely people should do this.
I emailed Tim O’Reilly in ~2001 and suggested they release PDF versions of their “Pocket Guide” reference books. I wanted to be able to have all of my pocket guides on my Sharp Zaurus (Linux handheld with keyboard, color screen, and Wi-Fi).<p>He went for it and offered me PDF copies of every Pocket Guide as a thank you.
Cool, well done. Hope the idea gets picked up by a few more developers here.<p>If you don't mind, I'm just pasting the URL into a comment to make it a link:<p><a href="https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db" rel="nofollow">https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...</a>
> Tell people about things you do that they played a part in; it might just make their day.<p>Thank you for putting this out there!<p>I once reverse engineered the protocol for a popular mobile game so I could write my own client for it and posted my library online for others to do the same, without any expectation it'd ever get seen. Months later, I received an email from someone reverse engineering the protocol as well for different purposes. They got stuck on a particularly difficult issue I also encountered (and documented), and googling it led them to my library, saving them hours of future work.<p>It definitely made my day and I'm still very proud of that project because of that.<p>Edit: There's a second part too! I just remembered that I've posted this story on HN before, and the last time I did a dev for the game emailed me saying he looked over the code and was impressed that I was able to figure out so much despite their deliberate efforts to keep the protocol locked down. Another great day!
I once wrote something obscure.<p>About communication piggybacked over TCP/IP without changing any one bit of packet data.<p><a href="https://egbert.net/blog/articles/pulse-width-covert-channel.html" rel="nofollow">https://egbert.net/blog/articles/pulse-width-covert-channel....</a><p>Some 20 years later, a guy posted on GitHub.<p><a href="https://vimist.github.io/2019/01/30/Steganographic-Packets.html" rel="nofollow">https://vimist.github.io/2019/01/30/Steganographic-Packets.h...</a><p>And made my day.
When Apple released the very first iPod, I wrote to Steve Jobs to tell him that I would buy it if it was a phone too, as I don't want to carry two devices. I doubt I was the only one who had this thought, but I like to think I influenced the development of the iPhone. I never received a response from Steve.
A few months ago I had a ghastly time trying to take a bike along with me for a multi-stage train journey across the UK. Trainline is good about abstracting away the (pointless) differences between the train operating companies -- it's just a single interface and you never have to know which company operates which section of the route. But this abstraction breaks the minute you want to bring a bike on board -- you need to contact each company separately, and each one has its own bespoke and annoying way of doing it. Some by phone, some by email, some through their website (that you need an account for), some by social media(!). So I emailed Trainline's customer support saying how lovely it would be if bike reservations were as seamless as people reservations, and to pass along the idea to their dev team.<p>Lo and behold, while booking a journey the other day I noticed a new option for bike reservations on the route planner interface that I'd never seen before. I haven't had opportunity to use it yet, but I hope it works well, and I'd like to think that it was my email that tipped the scales into it getting implemented (Lord knows I can't have been the first to ask for it).
Related: I think it's surprising how many services leak whether or not a password is correct. E.g. bad password => error, good password => 2FA prompt.<p>You should verify a user's second factor before their password.
The Iceland NIC does this (<a href="https://www.isnic.is/en/site/login" rel="nofollow">https://www.isnic.is/en/site/login</a>).<p>The customer support burden when they lose the 2FA key is solved by adding a hefty fee (around €100) to recover it. No WebAuthn support yet though.
Five years back, YouTube didn't have the feature to queue your videos on the fly. You could have created a playlist, but then it is the same sequence of songs every time. So I hacked a chrome extension to add/remove songs to a dynamic queue saved on your LocalStorage[1]. Later, YouTube added the queue feature. Sometimes I go on long hikes and think that it wasn't merely a coincidence. :)<p>[1]: <a href="https://github.com/nishnik/Play_Next" rel="nofollow">https://github.com/nishnik/Play_Next</a>
AFAIR, a 1980's MIT AI Lab "how to do research" memo, suggested as one way to build things: describe what you'd like to build, and maybe someone else will be inspired to do it, long before you'd have gotten around to it.
I asked Notion to implement inline LaTeX, because it's the last thing missing for me to use Notion during math lectures. They did so a couple of weeks later, and even told me I was part of the reason they did!
Bravo!!! Such a simple (and more secure) change to the way 2FA works. This should be the standard and also mandatory in many similar cases.
Good for you, and for sharing this improvement; that’s the mentality all of us should have. Reminds me of how Volvo shared the three-point safety belt patent with everyone else so as to make all cars safer, instead of keeping it to themselves in order to profit [ <a href="https://www.forbes.com/sites/douglasbell/2019/08/13/60-years-of-seatbelts-volvos-great-gift-to-the-world/?sh=52a6809a22bc" rel="nofollow">https://www.forbes.com/sites/douglasbell/2019/08/13/60-years...</a> ].
The email notification for incorrect 2FA entry seems like a great idea.<p>We already get emails for suspicious login attempts, which isn't too useful as it's probably brute force and guessing. Too bad it requires mass adoption to become a norm.
No kidding -> I am a beta tester for WhatsApp on Android. (I don't really do anything much nowadays, but some years ago I wrote a feature request for it that there should be a way for a small business to communicate with its users (my parents own a small business). A couple of years later, Facebook rolled out a WhatsApp for Business API. So you maybe have me to thank for this.)<p>(I don't really believe that my message really caused this to happen; it's for sure a weird coincidence to me.)
I had a similar experience and it certainly made my day! I wrote some code to parse nested JSON and fill a hole in a tutorial. Here's my relevant post: <a href="https://bcmullins.github.io/parsing-json-python/" rel="nofollow">https://bcmullins.github.io/parsing-json-python/</a>.<p>Here's the plug for the project using my code: <a href="https://github.com/sinnfeinn/microweather" rel="nofollow">https://github.com/sinnfeinn/microweather</a>.
It's a nice courtesy from the product authors/implementors. Not only is it polite, it also acknowledges your contribution to the idea, though I'm not sure to what extent it does so formally.<p>All in all it is a great feeling to see your idea getting a concrete life. In a way, reporting an issue and a possible improvement to any product you care about is the essence of collaboration. Open source further helps you contribute by augmenting such effort with the skill to implement it.
I filled in a market research survey for Hetzner they sent me by email.
There were many questions on how can we do better, etc.
I suggested to use the fact that they are Germans to convey high-quality and attention to details.
Months later, I received a promotional email by them in which they were using almost word by word what I had suggested. I guess this one is on me, Hetzner.
I once contacted Patreon about re-adding support for non-SMS-based 2FA & while the customer service agent didn't seem to entirely understand, they did forward my request to the dev team when I asked. A few days/weeks later, it was back[1]. I'm grateful for all those involved who made that happen, as most companies don't listen when contacted about 2FA.<p>And tangentially, while I can't be as certain about my involvement in this next part, Nickelodeon eventually uploaded a non-pixelated version of ATLA on Google Play shortly after the second time I contacted them. I still can't understand how an MS Paint quality version was uploaded in the first place, but I'm glad no one else will have to suffer through that like my brother did.<p>[1] <a href="https://blog.patreon.com/TOTP-two-factor-authentication" rel="nofollow">https://blog.patreon.com/TOTP-two-factor-authentication</a>
Actually, PSD2 SCA (Strong Customer Authentication) talks about requiring 2 different elements (out of knowledge, possession, inference) for authentication, while also requiring that information on which one was wrong when authentication failed not be disclosed. This directive needs to be implemented by all payment processors in the EU (I am not an expert on this).<p>We have implemented such a system at a company I worked at, where we also took into account the credential stuffing aspect as you talk about it. It is quite challenging to ensure no information leaks (in content and in other request parameters, including response times) when users transition from the partially (un)authenticated state (username + password) towards 2FA. I have to say that the security aspect is noticeable in a significant drop in credential stuffing attack volume, but usability wise I see why this is not a popular approach :). I personally hate it, especially when the 2FA that is used is TOTP.
This is a heartwarming post and I enjoyed all of the comments.<p>As an aside I would recommend using U2F over OTP. This article explains some of the benefits: <a href="https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/" rel="nofollow">https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/</a>
As 2FA adoption spreads, the possibility increases that someone could be using 2FA but not know the rule about not reusing a password. This feature improves the spread of that gospel. It seizes the opportunity to impress an abstract concept to the technically-challenged in a way that is no longer abstract. I like it.
Once I realized that Flash .swf files could be compressed to half the size using gz, so I sent an e-mail to Macromedia suggesting that they zip their files. The next version had that feature enabled by default, which made me happy :-)<p>Also, at the time when interactive maps had 4 arrows to click and move North, South, East and West I developed a map using Flash and MapServer where you could drag the map around with the mouse. I sent a message to Google to show my work and they replied saying it was cool. Later Google maps came out with such an interface. I'll never know if my messages had any impact but I can still dream they were my inventions :-)
I agree but there is an even more serious security feature almost all 2FA misses:<p>Telling the user what action they are authorizing by reading back the numbers.<p>That “bank rep” on the phone? They are probably trying to log into your account, or withdraw cash, not verify that you are the right person to send the refund back to.<p>It would save a lot of problems.<p>Also you should be getting an alert on all your devices whenever transactions over X amount per Y time occur, and you should have an opportunity to reverse them for 24 hours (even for debit cards). Also you should be able to make windows during which time it would be longer than 24 hours, such as a Jewish holiday or when out of range. This wouldn’t apply to recurring transactions.
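A way to make the prompt say what it authorizes and mean it, as an added example that is not code from the commenter or from any bank or 2FA product: derive the one-time code from the action itself (kind, human-readable detail, per-attempt nonce) with an HMAC, so the message shown to the user carries the action text and a code phished out of them for "withdraw EUR 500" verifies for nothing else. The key, nonce, action strings and HOTP-style truncation are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str      # e.g. "login", "withdraw", "refund"
    detail: str    # human-readable, e.g. "EUR 500 to IBAN ...4321"


def canonical(action: Action, nonce: bytes) -> bytes:
    """Length-prefixed encoding so field boundaries are unambiguous
    ("a|bc" and "ab|c" must not MAC to the same value)."""
    parts = [action.kind.encode(), action.detail.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def action_code(key: bytes, action: Action, nonce: bytes, digits: int = 6) -> str:
    """Six-digit code bound to one action and one attempt (HOTP-style truncation
    over HMAC-SHA256; the key is a server-side secret, assumed here)."""
    mac = hmac.new(key, canonical(action, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def challenge_message(key: bytes, action: Action, nonce: bytes) -> str:
    """What the user sees (SMS, push, app). The action text is both in the
    message and in the MAC input, so the two cannot drift apart."""
    code = action_code(key, action, nonce)
    return f"Code {code} authorizes: {action.kind} {action.detail}. Do not share it."


def verify(key: bytes, pending: Action, nonce: bytes, supplied: str) -> bool:
    """Server side: recompute from the action the server is actually about to
    perform, not from whatever the client claims it is doing."""
    expected = action_code(key, pending, nonce)
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    key = os.urandom(32)           # server secret (assumption)
    nonce = os.urandom(16)         # one per pending action; store it with the action
    withdraw = Action("withdraw", "EUR 500 to IBAN ...4321")
    print(challenge_message(key, withdraw, nonce))
    code = action_code(key, withdraw, nonce)
    print(verify(key, withdraw, nonce, code))                        # True
    print(verify(key, Action("login", "web session"), nonce, code))  # False
```

The server keeps the pending action and its nonce until one code is accepted or the attempt expires, so each code is single-use; the "bank rep" who talks a customer into reading out a code gets a code whose own message says "withdraw", and which is useless for logging in.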
This is precisely what I love about the Internet and humanity.<p>Recently, I got into RC cars. I was watching a YouTube video discussing the long-term issues that can arise with the particular model I own. In the video, the presenter mentions that “maybe you could 3D print something” to help address a deficiency in the vehicle design.<p>I just purchased a 3D printer, and thought, “Maybe I can design it myself.”<p>Lo and behold, someone already did, and cited the same YouTube video as their inspiration: <a href="https://www.thingiverse.com/thing:4982263" rel="nofollow">https://www.thingiverse.com/thing:4982263</a><p>How amazing and cool is that??!
I don't know about wrong 2FA codes, but Bitwarden notifies you if you have an "unfinished" 2FA login. If you type username and password correctly and then don't type in your TOTP token, it will notify you.
I made a GitHub-Codespaces-ish development environment using GCP and Terraform mere months before GitHub announced Codespaces: <a href="https://lockwood.dev/development/remote/2020/03/17/experiments-in-infrastructure-for-remote-work.html" rel="nofollow">https://lockwood.dev/development/remote/2020/03/17/experimen...</a><p>But also, the idea was kind of obvious given the way VSCode was going with its SSH plugins.
I once sent Apple feedback about how activity monitor was missing some metric, I don’t remember what it was. Never heard back from them but in the next OS X release it was there.
> a service that notifies you if your 2FA code was entered incorrectly<p>Even better, let the login pass after some incorrect credential guesses; the login goes to a random fake account.
We implemented something that avoids the original article's 2FA notification.<p>After your password is approved, before 2FA, you get an email. So even if someone is somehow using the right 2FA you are aware.<p>Our thinking was the most likely outcome was someone would hit 2FA, not have the code and so close the request without even entering a bad code.<p>Apart from that though, it is always nice to get recognition for the stuff you put out there. I know I should do it more myself too.
I've noticed several services in the past that have blocked someone at the 2FA step (either due to getting to that stage and leaving or attempting and failing), then notified the account owner that a login was attempted. I think we just don't hear about it too often because not everyone who has compromised credentials also has 2FA enabled on their accounts in most publicized hacks
Some 10 years ago I pointed out the lack of SSL or STARTTLS on my mail provider’s SMTP servers. This was the Netherlands' biggest provider, Transip. They said it was an interesting observation that they were going to discuss; some months later I got a big announcement over email about their new secure email platform. Yes, it was all the same, but now with SSL.
About 10 years ago I e-mailed OxfordDictionary asking if they could change the webpage so you could start typing your search right away, and not have to click the search area first.<p>It made my day when they some days later had implemented it, and emailed me back with a message that they now had implemented it.
> Tell people about things you do that they played a part in; it might just make their day.<p>Agree so much! I’ve met numerous people, often co-workers, who say “oh I know you, I used your blog post”. Wish they’d have shot me a quick email! It’s always a nice surprise when someone reaches out to say thanks.
Such a great idea! I filed a feature request on our GH issues list to implement this: <a href="https://github.com/FusionAuth/fusionauth-issues/issues/1888" rel="nofollow">https://github.com/FusionAuth/fusionauth-issues/issues/1888</a>
If anyone in the 2FA business is reading this, I find the Google authenticator process annoying! Unlock phone, find app, scroll to find which code to use, wait for it to time out (maybe) then enter code manually on desktop PC. Could this be made smoother?
Great stuff rexfuzzle! That is indeed something that should be part of the standard security of apps nowadays. It costs surprisingly little to clone a phone number and get those 2FA requests on a new phone, so any heads up would be great to know.
I would consider that as a bug, not as a feature. If the login panel behaves differently on a correct password than on a wrong password, that's an information leak that must be fixed.<p>Authentication must be evaluated and rejected only when all factors are already provided, and the rejection error should not disclose which of the factors failed.<p>So, with a proper login panel, my 2FA being asked does not mean that someone has my password.<p>Edit: this is, for example, the recommendation from PCI to separate "Multi-Step Authentication" from true "Multi-Factor Authentication": <a href="https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf" rel="nofollow">https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...</a>
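The leaky two-step login criticised in this comment and earlier in the thread ("bad password => error, good password => 2FA prompt", and the PSD2 remark about not leaking which factor failed, including through response times), next to a combined check that evaluates both factors before answering and returns one generic error whichever of them was wrong. This is an added example, not code from any commenter or from the PCI guidance linked above; password hashing (PBKDF2) and TOTP (RFC 6238, SHA-1, 30-second step, 6 digits) are implemented inline so it runs offline, and the accounts and secrets are constructed here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest TOTP step already accepted (replay guard)


def make_account(username: str, password: str, totp_secret: bytes) -> Account:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Account(username, salt, pw_hash, totp_secret)


def verify_password(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(candidate, acct.pw_hash)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one time step (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_code(acct: Account, code: Optional[str], now: int) -> Optional[int]:
    """Return the matching step if `code` is valid for the current or previous
    30 s window and is newer than the last accepted step, else None.
    Both windows are always compared so a near miss costs the same as a miss."""
    matched = None
    for step in (now // 30, now // 30 - 1):
        ok = hmac.compare_digest(totp(acct.totp_secret, step), code or "")
        if ok and step > acct.last_counter and matched is None:
            matched = step
    return matched


# --- multi-step: the shape the thread complains about -----------------------
def login_leaky(acct: Account, password: str, code: Optional[str], now: int) -> str:
    if not verify_password(acct, password):
        return "wrong password"          # tells the caller the password is wrong
    if code is None:
        return "enter your 2FA code"     # tells the caller the password is right
    if verify_code(acct, code, now) is None:
        return "wrong code"
    return "ok"


# --- multi-factor: both factors evaluated, one verdict ----------------------
def login_combined(acct: Account, password: str, code: Optional[str], now: int) -> str:
    pw_ok = verify_password(acct, password)
    step = verify_code(acct, code, now)  # evaluated even when pw_ok is False
    if pw_ok and step is not None:
        acct.last_counter = step         # burn the code only on full success
        return "ok"
    return "invalid credentials"         # same text and same work either way
```

Doing the same work on every path is what keeps the response time from becoming the side channel the PSD2 comment mentions, though it only removes this handler's contribution: rate limiting, database lookups for unknown usernames and the rest of the request path still have to be made uniform separately. The usability cost is the one noted above: the user has to supply both factors before learning anything at all.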