Aaron Parecki

#2fa

  • Aaron Parecki
    Chase sends 8-digit 2fa SMS codes, which seems excessive compared to the 6 that most other places use, but even weirder is that the first digit of them has always been the same, effectively making it a 7 digit code. Anyone know what's up with that?
    Portland, Oregon, USA • 41°F
    4 likes 7 replies
    Sat, Feb 15, 2025 5:56pm -08:00 #security #sms #2fa
  • Aaron Parecki
    I'm a big fan of using more secure two-factor authentication methods like a security key or TouchID, but I will admit I never expected charging people to use SMS would be a viable strategy to get them off it 😅 https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter
    Portland, Oregon, USA • 43°F
    46 likes 6 reposts 12 replies
    Fri, Feb 17, 2023 9:26pm -08:00 #security #2fa #mfa #twitter
  • Phishing Campaign Targets YouTube Creators With Cookie Stealing Malware To Hijack Accounts And Stream Cryptocurrency Scams - CPO Magazine (www.cpomagazine.com)
    "The hackers also used the “pass-the-cookie attack” to compromise YouTube accounts and take control. Google says that although the method has been around for decades, it has recently skyrocketed because of the adoption of multi-factor authentication (MFA)."
    Sat, Nov 6, 2021 8:14pm +01:00 #youtube #google #hacking #security #mfa #2fa
  • Evilginx 2 - Next Generation of Phishing 2FA Tokens (breakdev.org)
    Tue, Jun 29, 2021 11:04am -07:00 #hacking #phishing #2fa #security
  • Aaron Parecki
    lol the phone system is so broken https://twitter.com/josephfcox/status/1371509983842598918
    Portland, Oregon, USA • 45°F
    8 likes 4 reposts 1 reply
    Mon, Mar 15, 2021 4:15pm -07:00 #sms #security #2fa
  • Aaron Parecki
    Me: I'm getting 2FA errors trying to add this device to my account

    Support: We received your request to disable 2FA. Confirm by telling us the date you last logged in.

    Me: No I would like to keep 2FA on, I just am getting this error msg.

    Support: Okay, we disabled 2FA.

    🤦‍♂️
    Portland, Oregon • 43°F
    3 likes 1 reply
    Thu, Feb 25, 2021 6:23pm -08:00 #unifi #2fa #support
  • That’s not how 2FA works – Terence Eden’s Blog (shkspr.mobi)
    Sun, Jan 17, 2021 12:12pm -08:00 #security #2fa
  • Two Factor Auth (twofactorauth.org)
    Fri, Jun 19, 2020 5:41pm -07:00 #security #2fa
  • Aaron Parecki
    Stay safe out there kids https://twitter.com/digitallawyer/status/1181348689756864513
    Washington, Washington, D.C. • 64°F
    12 likes 14 reposts 1 reply 2 mentions
    Tue, Oct 8, 2019 9:27pm -04:00 #security #2fa
  • Aaron Parecki
    Yet another example of why SMS is terrible for 2fa and account recovery.

    "the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable"

    https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/
    Chicago, Illinois, USA • 39°F
    7 likes 9 reposts 2 replies
    Fri, Nov 16, 2018 3:23pm -06:00 #security #sms #2fa
  • The Value of a Name (ello.co)
    as of Saturday morning my number had been forwarded to a number I did not recognize. Unreal. So, as far as I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.
    Fri, Oct 31, 2014 6:43pm -07:00 #security #2fa
  • I work as a sales rep in-store for a telco. From a security perspective, it's ridiculous... | Hacker News (news.ycombinator.com)
    Anyone relying on two-factor auth with a phone number who uses my company is vulnerable. Simple as that. It would take a determined attacker a day to get control of your number.
    Fri, Oct 31, 2014 6:27pm -07:00 #2fa #security
  • https://twitter.com/pebble
    Aaron Parecki
    @pebble I would really love to see the ability for notifications to include custom-defined actions for the three right buttons! For example, a notification arrives that says "would you like to approve this login?" and the top and bottom buttons say "Yes" and "No". Each button has a URL defined that will be requested when the respective button is pressed. This would make for a slick two-factor auth utility among other things, and could even be developed without writing any code that runs on the Pebble!
    Portland, Oregon, USA
    Fri, Oct 3, 2014 12:06pm -07:00 #pebble #2fa
  • Aaron Parecki
    Thinking about two-factor auth at a nano level, requiring human confirmation before any client can actually post to your site via your micropub endpoint.

    For example, I sign in to barnaby's experimental Taproot interface but don't trust it entirely yet. Instead of giving him blanket access to post to my site, every time his app makes a request to my micropub endpoint, it goes and asks me for confirmation before publishing.

    Either OOB confirmation (2-factor auth via SMS or something) or an OAuth-like confirmation dialog from the same browser window.

    #indieauth #micropub #2fa
    Portland, Oregon, USA
    2 likes 1 reply
    Wed, May 21, 2014 11:10pm -07:00 #indieauth #micropub #2fa
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.