The UX of 2FA could improved considerably, and security along with it, by using a circles of trust model.
Take the example of a code forge, hosting the canonical version of some crucial piece of kit like the Linux kernel, OpenSSL, or GnuPG. You would want a maintainer to be 100% authenticated before they can commit changes to these repositories. Basic security culture.
But ...
(1/2)
TIL all your #2FA's can hit at once.
"Hello, Browser, I'd like to log in."
"Great! Check your email. Also, you have 35 seconds to respond to this before I lock you out."
"Hi Email! Can I see my last message?"
"Um, you've been ignoring me lately so go get your tablet. Also, I have a decade of your email inside me so you better respond within 10 seconds before I nuke it all."
"Hey Tablet, I need to open you up now."
"Who dat? I'm going to need you to grab your phone..."
I'm having some serious issues with 2FA on my whole server but specifically what's biting me now is my #GoToSocial instance. Does anyone have any suggestions one how to get to my settings page if I can't get 2FA to work? I tried using the CLI to change the password which did change the password but it doesn't remove / reset 2FA. Is there anything I can do from the CLI that I'm missing?
Also if anyone has any suggestions on what could be going wrong in general with my server I'd also love to hear that too. I'm running TrueNAS and have tried adding more NTP servers in my settings and I can see anything obviously wrong there. Idk. I'm getting very frustrated with it all.
@ohno_itsnate @GrapheneOS I recommend looking at #TOTP & #HOTP for #2FA.
As for devices, I can vouch for @nitrokey !
"Okay, we need secure 2-factor auth."
"SMS?"
"No, I said SECURE."
"SMS."
"No, SMS is not secure. Implement secure 2FA."
"SMS."
"IF YOU SAY SMS ONE MORE TIME..."
Hallo @bsi , vielleicht hilft es, wenn Ihr ersteinmal der @Bundesregierung erklärt warum das verheimlichen von Sicherheitslücken in Systemen, zu Gunsten des #Bundestrojaner, eine schlechte Idee ist, den ohne vollständig gepatchte Systeme bringen auch #antivirus, #2fa, kurz "die Basics", leider wenig bis nichts.
Meine Datenschutz und Privatsphäre Übersicht 2025, für Jedermann 
als PDF Datei:
https://cryptpad.digitalcourage.de/file/#/2/file/vQv0YkkA+eOK5la9awQ0E+jg/p/
Passwort:
idFLSmEeHa#5w4D$"Jq
#DSGVO #TDDDG #unplugtrump
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung #Adguard
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung #Leta
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows10 #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #OpenAndroidInstaller #Nobara
#Digitalisierung #FragdenStaat #Shiftphone #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz
What is your favorite app for
Multifactor Authentication, and why do you like it most? 
@JustinDerrick don't use online banking and never have honest answers on security questions!
#Funfact: This would not have been possible if their bank complied with #PSD2, which demands active, on-demand #2FA!
FBI 2FA Bypass Warning Issued — The Attacks Have Started
Qantas attacked days after FBI warning. AFP via Getty Images Update, July 4, 2025: This story, originally published…
#Europe #Business #2FA #2FAAttack #2FAHack #AirlineCyberattack #aviation #business #FBI2FA #FBIAlert #FBIWarning #Quantas #Transport
https://www.europesays.com/2217678/
https://www.europesays.com/2217678/ FBI 2FA Bypass Warning Issued — The Attacks Have Started #2FA #2FAAttack #2FAHack #AirlineCyberattack #aviation #business #FBI2FA #FBIAlert #FBIWarning #Quantas #Transport
https://www.europesays.com/us/38401/ FBI 2FA Bypass Warning Issued — The Attacks Have Started #2FA #2FAAttack #2FAHack #AirlineCyberattack #Aviation #Business #FBI2FA #FBIAlert #FBIWarning #Quantas #Transport #UnitedStates #UnitedStates #US
https://www.europesays.com/uk/237622/ FBI 2FA Bypass Warning Issued — The Attacks Have Started #2FA #2FAAttack #2FAHack #AirlineCyberattack #Aviation #Business #FBI2FA #FBIAlert #FBIWarning #Quantas #Transport #UK #UnitedKingdom
Ein starkes Passwort reicht nicht: Zwei-Faktor-Authentifizierung (2FA) schützt Konten auch dann, wenn Passwörter kompromittiert wurden. Besonders sicher & flexibel: TOTP-Apps – lokal, quelloffen, ohne Tracking. Empfehlungen jetzt in der Empfehlungsecke 
Puisque l’authentification à deux facteurs se fait via Docaposte (un service de La Poste, qui emploie donc des facteurs), est-ce qu’un contournement de cette double authentification est réalisable au bureau de poste d’Arnac-la-Poste ?
Thought it is high time to finally set #2FA on my #DeviantArt account... Turned out it's premium feature for paid accounts 
https://www.europesays.com/us/27358/ FBI Warning Issued As 2FA Bypass Attacks Surge — Get Prepared #2FA #AirlinesCyberattack #Business #ClickFix #FBIAlert #FBIRansomwareAlert #FBIWarning #ITHelpDeskHack #MFA #Ransomware #ScatteredSpider #UnitedStates #UnitedStates #US
https://www.europesays.com/us/24992/ FBI Warning Issued As 2FA Bypass Attacks Surge — Get Prepared #2FA #AirlinesCyberattack #Business #ClickFix #FBIAlert #FBIRansomwareAlert #FBIWarning #ITHelpDeskHack #MFA #Ransomware #ScatteredSpider #UnitedStates #UnitedStates #US
@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.
In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.
From https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/ (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".
From my own research I know that the number of phishing-sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.
The more people use weak MFA, the more of these sort of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it does since Alex Weinert wrote this in 2019: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/all-your-creds-are-belong-to-us/855124).
Furthermore, from the page referenced by you, https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."
TOTP effectively means a unique strong (server supplied) password per account that people can impossibly remember. A TOTP app simply is a disguised password manager.
There have been lots of incidents where people lost access to multiple MFA-proteced accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.
Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan (source: https://infosec.exchange/@conorgil/109542074585730853). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).
Here's an, IMO, way better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that it's (encrypted) database is backed up after every change you make.
I wrote about the caveats of password managers in, for example, https://infosec.exchange/@ErikvanStraten/113022180851761038.
Recommending people to use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.
