two factor on amazon

I enabled two factor on many sites last year. Amazon is a bit late to the party, but they finally have two factor support. While they waited a long time, they did a good job with it.

Sign up was easy. They give you a choice of an authenticator app including scanning with your device to connect. Or you can use a mobile phone number for voice or text. Or you can use a landline with voice. You can set a second of these options as a backup. I like that there were choices.

You are also asked if the current device is trusted, which is good as you don’t get prompted repeatedly from your main/home computer.

I also took this opportunity to check on twofactorauth.org to see if any other sites I use have added support. I was disappointed by how many banks don’t support two factor. I tweeted at four of them with the link on the page. (I don’t have accounts at all four.)

griping about a “password” system

I emailed a company today asking for my account to be linked. I did NOT ask for a password reset. What I got was an email with a plain text copy of my password. Aghhhhh! That’s just asking for someone to hack my account (or all the accounts.) Passwords should be stored using a one-way hash at least.

Problem 1 – username

My user id is not my last name, email or anything I have any shot of remembering. And I didn’t get to pick it. Which means it is written down.

Problem 2 – storing the password in plain text

This company shouldn’t be storing passwords in plain text or any “encoding” where they can get the original password. And the only thing I can think of to make that worse is to email the password.

Problem 3 – password requirements

Since my password was sent in the clear, I went to change it. I wanted to make it a sentence about not emailing the password. That way if someone does it again, he/she at least has to read my note. I changed the letter s to $ in my sentence as one might expect. Guess what? Only letters and numbers are allowed.

Really guys? It’s 2015.

2-factor authentication and twitter

I’ve had two factor for Gmail enabled for two years. This morning, I set up two factor for GitHub and some others due to Heartbleed (check if sites you use are affected). Then there was Twitter. After the other sites being straightforward, I expected the same from Twitter. Twitter did not deliver. I had to turn off two factor. I’m left with securing my password and hoping I notice if someone logs into my account. (I think my friends would tell me about bad direct messages.)

How to enable on a mobile device

  1. Install the official twitter app on my iPad
  2. Follow the menus described here
  3. Write down the backup code
  4. I logged off in a browser and re-logged in.
  5. Then I went to the twitter app and approved my login under settings.

And if it ended here, all would be fine.

Adding a phone number

I thought about adding a phone number as another option.  Don’t bother.  They are mutually exclusive.

Apparently they are mutually exclusive. I cancelled the phone number sign up process part way through due to usability issues. (Twitter wants you to text GO to 40404. I don’t know how to do that on my BlackBerry. I know how to reply to texts and text real numbers. And I don’t want to look up how to do it since I likely never will again.)

Anyway, when I clicked cancel on the process, it had already turned off my iPad option so I had to set it up again.  Grumble.

The BlackBerry app

Once I had two factor turned on, I was no longer able to log on to Twitter using the BlackBerry app. A quick search online says I’m not the only one with this problem and the BlackBerry app just plain doesn’t support it. Which means I can’t use two factor for Twitter.