this post was submitted on 10 Oct 2025
1284 points (99.5% liked)

Programmer Humor

27246 readers
2142 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
1284
Vibecoding is the future (lemmy.ml)
submitted 1 month ago by cm0002@sh.itjust.works to c/programmer_humor@programming.dev
82 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] undefined@lemmy.hogru.ch 80 points 1 month ago (4 children)

SMS/email-based 2FA should die.

[–] ColdSideOfYourPillow@anarchist.nexus 54 points 1 month ago (1 children)

Luckily, you don't even need to check SMS or input a valid number with the “verification” in the screenshot!

[–] bamboo@lemmy.blahaj.zone 31 points 1 month ago

mission failed successfully

[–] nogooduser@lemmy.world 14 points 1 month ago (2 children)

It’s better than nothing and some people would really struggle to do other types of 2FA.

[–] djsoren19@lemmy.blahaj.zone 8 points 4 weeks ago

I'll be homest with you, some people really struggle with email 2fa. The amount of working Americans I have spoken with who don't understand how to have two tabs open at once is genuinely frightening.

[–] Natanael@infosec.pub 6 points 1 month ago

As a reset method it's worse than having nothing

[–] null@lemmy.nullspace.lol 5 points 4 weeks ago (1 children)

It's wild how standard SMS is given how (relatively) trivial it is to exploit.

[–] undefined@lemmy.hogru.ch 1 points 4 weeks ago

Even with autofilling it on iOS, macOS you still have developers that need to fuck with form fields using JavaScript because they think they’re smarter than you.

[–] dharmacurious@slrpnk.net 3 points 1 month ago (2 children)

What's the best alternative?

[–] nogooduser@lemmy.world 13 points 1 month ago (3 children)

App based 2FA is better. Either the app generates a time based code that you enter into the site or the site sends a push notification to the app asking you to verify the login attempt.

Passkeys are good too as they replace the password completely and leave the 2FA part to the device.

[–] victorz@lemmy.world 6 points 1 month ago (2 children)

Passkey or notification please. So sick of entering these codes on a daily basis.

[–] Opisek@piefed.blahaj.zone 4 points 1 month ago (1 children)

If it's alright with your threat model, you can put the time-based OTPs into your password manager of choice, like Bitwarden. Upon filling your username and password, it places your OTP in your clipboard, so that you can simply paste it in. This does of course reduce the security of the system slightly, since you centralize your passwords and your OTPs. When opting for this method, it is therefore imperative to protect your password manager even more, like via setting up 2FA for the password manager itself or making sure your account gets locked after something like 10 minutes of inactivity. The usability aspect is improved by using a yubikey or another similar physical key technology.

[–] victorz@lemmy.world 2 points 1 month ago (1 children)

Very good point. I have Bitwarden set up as a passkey for at least one account. I should remove that. 👍

[–] Opisek@piefed.blahaj.zone 2 points 4 weeks ago* (last edited 4 weeks ago)

Well, they're not a bad thing per se, it's just important to remember that by doing that you are essentially delegating the access security (including any means of MFA) from the target website to the password manager. I.e., instead of inputting password and 2FA code for example.com, you have to input your password and 2FA code for the password manager itself. This has the same security guarantees, so long as you don't set your vault to—for example—never lock automatically.

For the case of passkeys, using Bitwarden, even with 2FA does reduce the security level in my eyes somewhat, since I'd argue passkeys to be a more secure measure than password + OTP. Unless, of course, you use a different passkey to authenticate yourself to Bitwarden.

TLDR; be careful about putting everything inside Bitwarden. You'll be fine if you make sure to protect your password manager adequately, but if you put OTP secrets (or passkeys) for other website inside Bitwarden AND only use password authentication for Bitwarden without any MFA, then you are effectively reducing your MFA back to a single factor (the Bitwarden password).

I'm afraid user authentication on the internet is broken beyond salvation. It's already complex enough to grasp fully for tech-savvy people, meanwhile we've taught the general population to use password123 for all their accounts and write it on a post-it for a good measure.

[–] RaivoKulli@sopuli.xyz 1 points 4 weeks ago (1 children)

I just save the cookies tbh

[–] victorz@lemmy.world 1 points 4 weeks ago (1 children)

Aren't cookies invalidated after a while anyway? Doesn't seem viable to me.

[–] RaivoKulli@sopuli.xyz 1 points 4 weeks ago (1 children)

After some time, yeah. Depends on the site.

[–] victorz@lemmy.world 1 points 4 weeks ago

And the browser saves those cookies for you, right? Throws them out when they expire.

[–] psud@aussie.zone 2 points 4 weeks ago

I wonder if there are any TOTP apps for Linux phones (though I think I'll have to keep an Android or Apple device around for my workplace's 2FA which doesn't have anything for anything other than apple and Android phones, and only with full security)

[–] djsoren19@lemmy.blahaj.zone 0 points 4 weeks ago (1 children)

Okay, but then you have to develop an app

[–] nogooduser@lemmy.world 4 points 4 weeks ago

You don’t for the one time codes because there is a standard that is supported by many authenticator apps.

[–] PlexSheep@infosec.pub 1 points 4 weeks ago

TOTP, FIDO2 or not worrying about logins and just using {GitHub,Google,Microsoft,selfhosted.lan} as identity provider with OIDC