As more and more of my accounts and schools move towards multifactor authentication for logging in their websites or apps, I find I'm constantly going to get my phone so I go through the process of just getting to my account. What took 10 seconds takes a minute. And then I have to keep on doing it, if I move to a desktop or a different laptop. And then again the time period for authentication expires.
I guess it means we are all safe from hackers. I'm definitely claiming my phone as a work expense next year.
Must you use your phone? I shudder at the thought. I keep mine at home or in the car on long trips. I never want to have to carry it with me at all times like the Millennials.
Hear hear!
My postdoc institution instituted it for email and Canvas just before I left. Once a week you had to haul out a tablet or phone and plug in the code.
I have a few accounts I can no longer access, despite having the password, because the phone number it's associated with no longer exists. Ugh.
I know about security best practices, etc., but it's a pain in the ass and not everything needs it, either.
Another related thing I could will bitch about. The folks who do the software for each college change everything every so often so you have to learn something new just to keep doing what you've been doing. I have five courses currently and each one gets an old fashioned composition notebook. Pencils and paper. As little of their pixels and forms as possible.
It bugs me that even in my office at work, (which I don't share with anyone), on the same computer, (which I don't share with anyone), that I still need the multi-factor authentication. I understand its use when logging in from off campus, and especially with an unfamiliar device, but from my most consistent and physically secure location, it's a pain.
We have MFA for most campus websites that need a login. I have to find the "push button for code" app on my phone or iPad or the little key fob every time I want to log on to my course LMS or a bunch of other sites. I live in terror of loosing the key fob number generator clickey-thing. Why? Because every time there is a software update on my phone or iPad the d@rn "push button for code" app is DELETED.
Thankfully I don't have to use 2FA in my office on my office computer, but I do in the room I lecture in, and in my lab. We have the option for our School to buy us little fobs that generate the 2FA super-secret numbers. They discouraged us from requesting them because they had to pay for them, said we should use our personal phones, but I insisted that they give me one because I cannot be relied upon to have my phone with me on any given day. I keep the fob on the keyring with my office key and lab access card so if I lose one item, I lose them all and can't do a darn thing at work.
Most recent school used 2FA for Google accounts, and simply expected everyone to have a phone available at all times. We could buy our own little fobs, or our own phones; nothing was provided. Fortunately, IT showed me that you can auto-generate 10 codes in one of the secret places on Google, and then enter one of those each time 2FA is needed. I generated 10 each week, wrote them down in a little notebook, and carried it with me everywhere on campus until I had 2 left, at which point I would generate 10 more.
I hate 2FA with a fiery burning passion.
AR.
My school expects me to use my cell phone for MFA even at the podium of a subterranean, concrete auditorium, where no cell phone has ever had reception, ever. I have a workaround, but it took a while to figure out. That made the beginning of this teaching term extra fun.
I am *not* connecting my cell phone to the campus wifi; that is a step too far for me for several specific reasons I won't detail here.
My school implemented 2FA. Most times it only slows me down a bit. When I am in my office, I sometimes take a few minutes to find my phone. At least one of the professors in my department is, well, technologically disinclined. In the past the departmental secretary was able to log onto the system and print out forms, etc. But now she cannot, and he does not understand the concept of 2FA.
The worst, however, is when I lost my iPhone while traveling abroad.
I was able to contact my carrier via my laptop to suspend my number:
Carrier: Sorry to hear that. We can suspend your number until you get a new phone so nobody can use it.
Me: Thanks!
Carrier: I've sent a text message to your number with a code to verify your identity. Could you please tell me what it is?
Me: I've lost my phone....
Carrier: Sorry, without verifying your identity, we cannot make any changes in your account....
I was able to do it through Twitter (!), but it took several hours.
We just got MFA for a lot more stuff, including authenticating Microsoft Office that lives on the computer, not the cloud. So it is several times every day, depending on what I have to access. I've started having to keep my phone with me, something the troglodyte me was not doing before.
One substantive consequence has been that I have bought pants that have a leg pocket for the phone, so I don't have to stand up to get the phone or risk sitting on it.
Quote from: Anselm on September 15, 2021, 04:01:47 PM
Must you use your phone? I shudder at the thought. I keep mine at home or in the car on long trips. I never want to have to carry it with me at all times like the Millennials.
That seems to be the requirement. Every 60 days or so when I try to log onto my campus email, I get a notification to type the code that Microsoft just sent to my phone. This involves getting up from my desk, going to the next room and then hunting for my cell phone in one of my bags. This also happens occasionally with my bank if I'm using my laptop to access my account. But it's quite annoying to have to type a code just to access my campus email.
technology is so fetishized. We are its dutiful subjects/
I'm beginning to feel grateful to my campus IT, which is a discombobulating feeling to feel. MFA is seeping into every aspect of work, but IT allows me to register 10 ways to authenticate, including my office phone.
My employer just recently imposed MFA on Canvas accounts and our Cisco VPN client, after a year of requiring it for access to the university's web portal. Computers installed in the classroom are completely wiped every 24 hours, necessitating the MFA process whenever one teaches a class. Now I just use my laptop, which requires MFA less frequently.
My question: what happens when campus loses power and servers are inoperable? Is the Microsoft MFA system the university has purchased completely cloud-based?
Our MFA only allows for phone calls, it's a huge pain. I originally set it up for my office phone but then quickly realized that I couldn't get into anything when I wasn't in my office. I really enjoy trying to log into my email from my phone, it usually takes 3-4 tries.
What really irritates me is that we are on macs in our department and our IT has no idea how to do anything with them. They locked us down about a year ago so if I need something as simple as updating my browser I have to put in a helpdesk ticket. Every time there is an upgrade IT has to come down here and spend half the day just getting my computer to connect to the printer again.
The last time they installed the new OS my computer was down for almost two days. I also teach digital classes so I have the adobe creative suite, it's a freaking nightmare to update that now.
NYT has an article today about Microsoft no longer requiring passwords. I didn't quite understand it.
I think yahoo mail stopped requiring passwords some time ago. I have no idea what my password is because it is always MFA that gets me in. But that works pretty well. I see more of a need for that since there seem to be real attempts to hack my account, judging from the attempts that get made to log in.
I've never seen any attempts of someone trying to hack into one of my school email accounts. Why would anyone want to?
Quote from: downer on September 16, 2021, 08:15:56 AM
I've never seen any attempts of someone trying to hack into one of my school email accounts. Why would anyone want to?
I received a phishing attempt through my university email address asking for a cryptocurrency pay-off to avoid having my files ("you know which ones") made known to the universe. They claimed to have inserted the email onto my computer directly, without going through the email server (a very odd explanation as to why I should not attempt to have the email traced; and supposed evidence that they could do whatever they wanted with my files). Anyway, your comment questioning why anyone would want to hack our email accounts brought this to mind. They didn't hack my email (or computer), but they wanted me to think so. And, no, had I been so foolish as to respond to said email, MFA would not have saved me.