Thank you for posting this. It's a very long read so I fear it won't gain much traction, but I think it helped shed light on a malaise that I've felt since adolescence. Therapists and partners have told me I don't practice enough self-love, but to say I self-loathe also felt like a lie. This line in particular crystallized the disparity: "Pathological shame is an irrational sense of defectiveness, a feeling not of having crossed to the wrong side of the boundary but of having been born there." I'll keep this writing in mind as I move forward.
I recently learned of Dave Grossman and his police training courses that appear to encourage murder[0]. I'm not sure how prolific his teaching is, but it says a lot about the fearful mindset these officers have.
I recently lost access to my two factor authenticator. I had saved most but not all of my recovery codes. I was surprised that a couple of websites I didn't have recovery codes for allowed me to disable 2FA after login but before authentication. It saved me from having to contact support, but it seemed to defeat the purpose of 2FA.
This happened to me as well with Uber. They use SMS 2FA and didn't provide any backups. I left my phone in an Uber and I couldn't log into my account to notify the driver because 2FA was in place. I also couldn't contact Uber about the issue because they try as hard as possible not to provide customer service mechanisms for people to leverage.
At the end of the day I had to use another friend's Uber account to contact Uber and explain the situation. They disabled 2FA and let me back into my account. I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(
This was not my recent experience with Uber's 2FA at all.
I had purchased a new phone, but lost cellular service and couldn't authenticate into Uber. I found contact info and they asked me to verify my recent ride history (including fares, times, and destinations) before disabling 2FA for me.
>I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(
For that, I assume they would need to have tools built for that specific purpose, with security/audit in place. I doubt any support guy could just randomly query for GPS data for drivers/users.
> I doubt any support guy could just randomly query for GPS data for drivers/users.
There was a very widely publicised case a few years back when their support people were doing just this to stalk celebrities and exes. How quickly the world moves on, I guess.
github for example says if 2FA is lost there is not way to recover.
i have lost a phone number before... and although github also supports other 2FA devices, such as a rotating key app which can be on multiple devices, you have to set up all devices at once. so i can put it on my laptop and my phone, but not my home and my work computer unless i carry one to the other place. phone and laptop is not enough. if i use my bag, both are gone. and i'd have to reset all devices if i ever want to add a new one.
at that point i am more afraid to loose access through stupidity than through theft.
> this is what scares me the most about using 2FA.
My solution for TOTP/HOTP 2FA (aka "Google Authenticator"-2FA) is quite simple:
I print out the QR codes used to activate the 2FA, and keep them in a safe. That way I can always re-activate the 2FA on a new device, and it's still just as secure (because, if an attacker can break into my home and break open the safe, they could just as well take my phone with them)
A very valid concern- I was in a serious vehicle accident this year and it took weeks for all of my keys and possessions to make it back to me. Luckily I didn't need 2FA for my email or insurance.
There are still benefits of 2fa even if codes are stored in your password manager. It protects against most keyloggers. It probably makes phishing a little less likely (because most websites cache 2fa, so you'll be a little more suspicious when asked for it by a phishing site). It protects people who use weak or reused passwords. Sometimes it causes support staff to be more careful with regard to social engineering.
For what it’s worth, when i switched phones my Authy app went out of sync. It was a work account so I just had my boss reset my 2fa, but if there isn’t a way to re sync you may be out of luck.
2FA is usually to protect you against your password being stolen. If that's the only threat model, then it's fine to allow 2FA to be disabled without a new 2FA code, as long as it's from a device that has entered a 2FA code at some point in the past.
There are other potential threat models though that would require a re-enter of the 2FA code to be safe, such as cookie theft, or temporary computer compromise. Both of these though seem less likely of attacks.
This is not an insignificant consideration. Companies track support calls (call volume - and their reported reason, is monitored closely) as a matter of business. I have heard companies going back on enabling two/multi-factor auth, once realizing support volume goes up. (Which is silly, because of course it goes up compared to not if you didn't allow it before.)
I feel like I'm the only person who uses Caps Lock. When I learned to touch type, I was taught to use the shift key on the side opposite the letter being typed. When typing more than two capital letters in a row, I'd rather hit Caps Lock than paddle my pinkies back and forth. It's a hard habit to break.
I lost some respect for Chalmers when I heard his TED talk that suggested consciousness was a fundamental force. He has some good ideas about consciousness but also a bit too mystical for me to agree with.
