Deleted member 151145
I have no problem with going through a 2 step verification to set up an account. What I'm tired of and no longer going to do, is have to use a 2 step verification EVERY TIME I login to my account. I also object to ANY verification requiring a cell phone. What about people that don't have a phone? What about families that can only afford ONE phone and another person has it at work when another family member needs to login to his account? The forum that has me ticked right now is that WattOS distro that thinks that using a social disease site named Discord is a good way to host a forum. When I tried to login, it demanded I receive an email with a link to verify my login credentials. Once I did THAT, it demanded I then receive a text message on my cell phone. Now, this isn't a one time, account setup procedure. It is EVERY time I try to login. I know that part of the reason social disease websites don't receive me willingly is because every one of my browsers and every one of my laptops is set to automatically delete EVERYTHING when the browser closes, including any offline crap. That means there are never any cookies left in my browsers and there are a whole bunch of sites that specifically look for that old cookie. eBay is one of the worst offenders.
Email verification should pretty much always be required. It's 'double opt-in', meaning you opted to sign up and opted to confirm the subscription/whatever. That prevents a whole lot of spam and gives site owners evidence for when someone later complains and tries to say they didn't sign up for it.
I'm strict with it.
Next, you may want a phone for 2FA - that's two factor authentication. When you login, they send a code to your phone. This means it's most likely you - or someone else has both your password and phone, which means you have bigger problems than signing into a website. Some do a code to email, which is what I prefer for 2FA.
That's just good security.
Security is, who you are, something you have, and something you know... Well, good security is... We don't do much of the 'who you are' online, but you're starting to see it in phones - where you're showing who you are with a fingerprint, which could also be considered something you have but that'd be the phone more or less in that case.
We all clamor about bad security, but we don't really like to implement it.
I have no problem with security. I have a problem with lunacy. eBay's server immediately checks for a cookie when you login. If the cookie isn't there, you have to do at least one, and usually two, Captcha verifications. So, EVERY time I want to login to eBay, I am supposed to jump through hoops to verify my username and password, that I already entered, is who I say I am. I know this to be true because when it first started happening a couple of years ago I went round and round with eBay and they, themselves, told me that was why I am hit with so many verifications. I asked them, and never got a response, if a damned cookie was their definition of computer security.
The bottom line is that the real reason security fails is because the servers for whatever type of site it is aren't truly secure. They are shifting responsibility for security to the users. If any website truly believes that they can make their site servers more secure by shifting responsibility to the users, we're all in trouble. And I'm not kidding a bit when I say that if I have to have a cell phone present to login to an account on my laptop, I will have my account deleted that same day. I will also never own a phone that REQUIRES my thumbprint to use it. It's MY phone. I'll use it the way I want and if I can't then I'll do without a phone. Of course, the shift from REAL computers to so-called smart phones is one of the reasons there are so many breaches of company servers. Whoever thought it was a good idea to make a phone a computer screwed the pooch.