
Tell HN: Somebody implemented something I wrote a blog about

 1 year ago
source link: https://news.ycombinator.com/item?id=32911299


519 points by rexfuzzle 8 hours ago | 138 comments
So a while ago I wrote about how 2FA was missing a key feature: https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

Having not had any feedback on it in a while and the idea not taking off, today somebody messaged me to say that they had implemented it in their product.

1. Obviously I think this is great and more secure

2. Tell people about things you do that they played a part in; it might just make their day.

Years back, every web browser's built-in password manager locked up the page when submitting a login form, waiting for the user to answer "do you want to save this password?" before proceeding.

I thought that was silly: how do I know if I want to save the password before I've seen whether it's correct? Which I can't see until the form is submitted.

At the time I was using Opera, so I wrote in to their customer support suggesting that the prompt appear after the new page loaded. I never heard back, but a couple months later their next major release implemented exactly that behavior. A few months after that, every other browser followed suit.

I can't have been the only one bothered by the existing behavior, but given how long browsers had worked that way before I wrote in, I like to tell myself that the timing wasn't a coincidence, and that my little suggestion rippled out into a change that made a small thing better for the whole world :)

I found a bug in Firefox where the two letters of the weekdays appeared as 3 letters for Portuguese (pt-PT). Eventually found that it was an error in the Unicode standard, so I submitted the proposal for change. Probably there are dozens of people involved in this... but seeing it being changed brought me great joy.

I was a tiny part in changing a tiny mostly irrelevant detail that was causing a slight inconvenience to millions of people daily. Improving humanity one bit at a time...

Opera was the most innovative web browser ever. They brought so many new things to the world of web browsing. Tabbed-browsing, mouse gestures, colored tabs, browser themes, in-built security integration with anti-virus software, an extensible browser - so many wonderful innovative features. It was paid software initially, but then they made it free for everyone. I used to use it as my default browser, maybe 13-15 years ago.

Spatial navigation is a feature I really do miss. I don't think any other browser supports this. It made keyboard-based browsing possible without resorting to stuff like hit-a-hint. You could just hit Shift+Arrow Key (which I mapped to the home row) and select the nearest link (or anything interactive) in that direction. I think it worked in a visual fashion so order in the DOM didn't matter at all. It behaves exactly like one would expect.

Are you sure tabbed browsing was Opera? I mean, Mozilla browser (predating Firefox) had it in 1998.

Mozilla had multiple documents first, by just following Windows' MDI standard.

Then Netscape and IE got into a war for mindshare, and part of that was to ignore MDI and splash their browser windows all over the taskbar instead, to be more visible and grab more user attention.

Tabbed browsing was never a new invention, it was just a re-implementation of what we already had by way of MDI.

Opera also had tab groups, MRU tab switching, and saved sessions. Those exist in some form or fashion now, but the implementations are not as smooth.

Well, I used to love Opera as well, it was my first "serious" browser as I became a netizen. But now I wouldn't even dare to try it as it's owned by a consortium of Chinese investors, rather than a Norwegian company.

Vivaldi is pretty good and though it's based on Chromium, is the new Opera in spirit.

No coincidence. Vivaldi is co-founded by the ex-CEO and co-founder of Opera.

I quit using Opera after he did not keep his promise to swim across the Atlantic in 2005: https://www.zdnet.com/article/opera-boss-starts-atlantic-swi...

I submit suggestions, features, bugs, detailed reports, new use cases etc. I'm more than happy to write detailed submissions, or do some traces when there's a bug.

But if I notice there's no feedback or implementation within a reasonable period of time, I will stop doing that ever again for that company (large, small, doesn't matter).

I refuse to waste my energy on that kind of process.

In a similar vein, I wrote to Microsoft suggesting their "Authenticator" TOTP app for Android would benefit from a search feature. I can't have been the only one, but it did make me happy when they actually implemented it a few months later.

I also suggested it but their iOS app still does not have it. Really annoying with >20 TOTP tokens.

I still see this behavior in Firefox. The save password popup disappears by the time the page is loaded, and it baffles me every time how that is supposed to be useful.

The stupid thing is that it already is async and not locking up like it was in the very old days OP refers to. They were just so clever as to add a timeout after which that dialog closes, regardless of whether the page actually finished loading. So on a slower page you end up with the popup disappearing while the page is still (mostly) blank and you don't know yet whether the credentials were correct.

I think just clicking in a blank spot (or the text fields) in that dialog stops the timeout, but it's one of these things I'm not actually sure about and it's almost like a cargo cult kind of ritual...

I find that it usually sticks around long enough. But I agree that it should stay open at least until I interact with something else.

On the bright side it just collapses into a "key" icon in the URL bar that you can click to open it back up and save the password.

It’s like that Teams pop up that informs you that a colleague started a meeting, the one that always disappears after you finish typing your sentence and start to move your mouse towards it.

Oh, that's so cool! :-) Could you please write to WhatsApp or Telegram and ask them not to delete the EXIF information from shared images on their platform? I understand that they compress images so they don't take too long to transmit and load, but I think there's a big group of their users (especially for WhatsApp) that use their platform to share family pictures. For this purpose, having the EXIF date (if it's available) could be very handy, since the picture could be properly timestamped and archived without having to ask again to the original poster for the specific files.

I think the EXIF data is removed because, for the vast majority of people that don't think to remove it, it's a safety risk. Posting a picture of your house? Your kid arriving at their first day of school? Some other location you'd rather a bad person not have info on? Most people don't think to remove that data before posting (and sometimes post directly from their phone camera?)... removing that data removes a lot of risk for them. Leaving it in is only considered a small benefit to a smaller subset of people (comparatively).

As a general privacy rule I like stripping this by default. Couldn't you just zip up some images to retain this?

Every few years I get an automated email from Wordpress where someone finally fixed a bug I submitted over a decade ago, lol

I discovered a bug in Java 1.0.1's GridBagLayout and posted about it to USENET. It was fixed in JDK 1.0.3.

I also emailed the GIMP maintainers about a bug in their select color region tool in GIMP 0.99.x that made it ignore 1-pixel-wide barriers. By 1.0 it was fixed.

I was chuffed when it happened, but the internet was a smaller, chummier place back then, so we expected that kind of response more than we do today, I think.

This still sometimes happens on iOS Safari. I don’t know what is different about the pages where it happens, but it’s annoying.

Even macOS Safari does this. I don't know whether the latest update fixed it though.

If any Spotify devs are here, please let me explore and add songs, artists and albums to my library without “hearting” it.

I often just want to follow up later by “adding to my library,” and it feels weird to “LOVE” it before ever hearing it. I really feel pain when I hear something terrible that I’ve already “liked” and consider the impacts to my algorithm.

Please distinguish between “like” and “save.”

A simple “plus sign” or really any other symbol that signifies “adding to a collection” without “liking” connotations (stars are out too).

While we have Spotify's ear: why is the default behavior to clear my queue if I play another song? It's especially an issue on mobile, where viewing a playlist or album means that an errant tap almost anywhere on the screen undoes all of my queueing so far. Just a toast with an 'Undo' button whenever the queue is erased would be plenty.

I'm confused. I thought I missed something in the article. Why are we talking about Spotify in this thread? I'm all for your suggestions, I'm just confused how we got here. Haha. What did I miss?

I think their idea is that you don't have/shouldn't want a personal library because everything on Spotify is your library.

If there is a feature I want to see on Spotify it is an easier way to see my friends' playlists.

I'd be happy with just being able to consistently access my own playlists and currently playing queue on Android. I swear it's a coin flip whether the button appears or not.

What's wrong with a playlist: Saved for later?

Valid. One way around it would be to create a "Follow Up" or "In The Queue" playlist that you add it to. Obviously not as easy as just a + button though.

I like how Instagram has solved this. You can like a post but you can also save it for later viewing or showing to someone else.

Spotify should totally have a save to library function but also a heart function that trains their personalized mixes for me. I’ve just stopped looking at my library for my music catalog. Every album I like goes into a “favorite albums” folder. It shouldn’t have to be this way.

Another thing that bothers me, in Spotify and pretty much everything else: you can't add playlists to other playlists. Like union directories. The most important thing is that it's a link, so every list updates whenever I update the included one.

If there's a program with this type of functionality, lmk.

I don't really understand how that is useful, but if you need to do it manually you can just shift click all the songs and add them all to a playlist on the desktop app.

Yeah, I get why it wouldn't be. I just have a peculiar way to organize my music.

I know I can do that, it just doesn't sync when I change another list, which breaks everything.

You can use the Spotify Smart Playlists feature to do this. I used to do something similar before giving up. It's clunky, but it works. You basically set it to pull all new songs from the feeder playlists into the accumulation playlists, every night.

Now that you opened this forum for Spotify feedback: If I do "like/heart" a few songs and then go to the Radio based on one of them, please don't show the songs I already liked in that Radio. I mean, I already "liked/saved" them, why are they appearing in my discovery phase?

That's one of their best features!! I'm using discovery because I want to listen to tracks similar to the one I use as a basis. If they mix some of my liked tracks in there that are similar too (which they usually are), that makes it even more enjoyable. I don't know about you, but I use Spotify to listen to good music.

Disagree on that - Radio is not just for discovery but also for easy random playlist creation.

Oof! They used to have this for Songs, then they removed the feature, and I lost the major way I used Spotify. I used it to make sure I could listen to music offline while traveling and it was an infuriating few flights before I could download everything again.

This kinda sounds like a use case for a playlist to me.

That’s awesome. I was expecting a lament on how an amazing startup idea was stolen and monetized by someone else. Glad I’m wrong and the world is a little bit better.

Same here. Came to say the same and to explain how I publicly share all my 'great' ideas, even though so many friends think I'm nuts in case someone 'steals it' and makes a successful startup from my idea. My answer: "Great for them. At least they had the determination and focus to follow through with bringing the idea to fruition when I couldn't."

People tend to overvalue ideas. I see this all the time in writing where people are worried someone will steal their great idea for a story. The truth of the matter is that it’s unlikely that you’ve come up with something truly new and in any event, ideas tend to breed and multiply. I will never write all the stories and novels that I have jotted down in my notebook before I die and there are more every day.

If an idea is any good, you generally have to fight tooth and nail to get anybody to listen to it, and put in a hundred times that to get anybody to understand it, and that again to act on it.

If you don't directly control how that happens they will implement it fundamentally wrongly.

But after it is finally implemented more or less correctly, everyone will agree that the idea was trivial and obvious, and they had already thought of it themselves, in exactly the form where they first encountered it, even if that is actually not quite right.

Victory has a hundred fathers, but defeat is an orphan.

On that note though, is there a way to protect your story if you want to pitch it to a publisher, or anywhere else? Like a registry for story ideas?

Not really, and it’s not a problem. Ideas for stories are abundant, the ability to turn them into finished books or scripts is much rarer.

Same. I'll often share relevant ideas in comments here and elsewhere in the hope that I inspire someone to go implement something I might like but will never find the time+organisation to get around to creating!

Hey me too, a little sunshine this morning :).

I haven't done this in many years, but for a while I was making creative content that was published online. Once in a while someone would contact me saying they liked what I did. I started doing the same. If I read an article I liked a lot I would contact the person and tell them I liked it and why. About half the time they responded with "Thanks".

I didn't do this with NYT writers or anything. Just people who clearly don't get paid/paid much to make this content but I found it useful/interesting/helpful. I think that stuff goes a long way and it really doesn't take that long to do.

I've got a tech podcast now and about once every month or two someone contacts me to say they liked it or something nice. It's a huge reason why I keep doing it. I know that sounds silly but the internet can be such a black hole. A little feedback goes a long way.

I have a little blog that occasionally gets hits when the SEO winds blow my way and twice people have reached out thanking me for a post. It's made my whole month! And encourages me to keep posting stuff. So I really appreciate that you do that, I should make an effort to do the same.

I write the blog as more of documentation for myself than something to share, but knowing that I've helped someone else is icing on the cake.

I tend to see a lot more negativity than positivity as the default response so I like this thread.

OWASP actually includes this suggestion in their guidance for implementing MFA:

https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...

> When a user enters their password, but fails to authenticate using a second factor...:

> ...

> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.

> The notification should include the time, browser and geographic location of the login attempt.

> This should be displayed next time they login, and optionally emailed to them as well

I enjoyed when a french hacker used information from my blog to set off all the alarms of Bird scooters in Lyon France for an evening.

I had written about (what I considered as) a vulnerability that allowed remote triggering of Bird Scooter alarms (Bird disagreed of course) on my blog [1]. I then saw this github repo linked in the comments for setting off alarms of Bird scooters [2] and reached out to the author.

The author let me know that they had used the info in my blog to script a tool for setting off Bird Scooters en masse. They then targeted the script at all the scooters in Lyon and subsequently fell asleep. When they woke up they noticed the endpoint was disabled... Bird had taken the action to disable the API endpoint in response, of course.

Probably would've been easier to fix before someone scripted it out but it made for a fun story.

[1] https://theappanalyst.com/bird.html

[2] https://github.com/pcouy/bird-whisperer

Cool, well done. Hope the idea gets picked up by a few more developers here.

If you don't mind, I'm just pasting the URL into a comment to make it a link:

https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

The comment is a link in the HTML I am served. However there is no underline which is confusing.

I could be wrong, but I'm fairly sure that wasn't the case originally.

Yes! That’s such a nice feeling.

One of my GitHub projects was used in a demo at Google Cloud next a while ago. the presenter was considerate enough to attribute the project to me by name during the demo and even sent me an issue just letting me know about it. That was so nice! Absolutely people should do this.

When Apple released the very first iPod, I wrote to Steve Jobs to tell him that I would buy it if it was a phone too, as I don't want to carry two devices. I doubt I was the only one who had this thought, but I like to think I influenced the development of the iPhone. I never received a response from Steve.

Ah but you didn’t add that you wanted it to be an internet communicator as well!

Only then would you have been able to claim some credit ;)

Related: I think it's surprising how many services leak whether or not a password is correct. E.g. bad password => error, good password => 2FA prompt.

You should verify a user's second factor before password.

This is not a huge deal in practice and can be a good honeypot/alarm system.

Most services today have fairly low "lockout" + "notify" thresholds on wrong passwords so brute force spraying passwords is already out of the question.

Now, if someone fails the password check, clearly the user's current password is still secure so leaking that the attempted password was wrong to an attacker is not particularly helpful to them. If, however, the password is correct, then the attacker gets hit with the 2FA surprise. Assuming the great suggestion in this post is implemented (it really should be), the attacker now is stuck--abandoning the login or trying an incorrect 2FA could all trigger notifications to the user that their password was breached [re: the "Was this login you?" prompts implemented by major services after these situations]. Attackers would need to also solve the 2FA in some reasonable period to "disarm" such an alarm.

Real users who happen to fumble once or twice are also fine, since they won't be surprised about the login confirmation as it really was them.

This is technically superior for things like TOTP but falls apart if not all users use TOTP.

1. Users who aren't using 2FA have a confusing box to leave empty.

2. SMS, Email and similar OTP codes should only be sent after the password is verified.

3. U2F requires the site to share which devices are registered which can only be done after the password is verified.

You may be able to make it work UX-wise if you separate username from auth information (such as a lot of sites do to support SSO auth). But even then it isn't clear to me if you should be leaking information about their 2FA configuration (especially their U2F device) list without a password.

Your login form doesn't need to display an empty second factor input. Your server can send back a specific error code on first login attempt that can be used by the UI to prompt for the user's second factor, whatever that may be (or even give a choice, in the case of multiple second factor types).

For example, given this /login request to our server:

    POST /login
    Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=

Depending on the user's second factor, the server could send back a response like this:

    { "error": { "code": "TOTP_REQUIRED" } }

Then, depending on the error code, our UI could prompt for the second factor and we could send a new /login request:

    POST /login
    Authorization: Basic Zm9vQGJhci5leGFtcGxlOmJhego=

    { "totp": "123456" }

This flow can work for any type of second factor, not just TOTP. It also works for good and bad passwords, and doesn't leak any information (well, other than the fact the user exists, but that road introduces a lot of other UX issues.)

Good point.

It does leak a little information. It leaks the type of 2FA the user has configured and a list of devices for U2F (since that needs to be provided to authenticate). But that is likely acceptable.

While this is true in the absolute sense, it's one of those things where you have to think about non-technical users: something like this would just confuse them, unless you make it very clear in the message that either one of those are bad, and provide a clear path to recovery... Having a good UX/security UX is hard.

Same thing goes for email address when registering. Correct email => “already in use” is still frequent, although some websites (such as GitHub) have changed it to “incorrect or already in use email”.

> leak whether or not a password is correct

Errm, could you elaborate what is the issue here?

tl;dr: The code should verify the user's second factor before the user's password.

Consider this, scenario A:

1. When attacker enters a username and bad password, then they receive a bad password error.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

And then scenario B:

1. When attacker enters a username and bad password, then they receive a 2FA prompt.

2. When attacker enters a username and good password, then they receive a 2FA prompt.

In scenario A, the website leaks password validity to the attacker. In the case of a brute force attack, the attacker can use the 2FA prompt as a signal that they found a good password. Scenario B does not leak that information, because the second factor was wrong or missing.

More concretely, this pseudo-code:

    if user.authenticate_with_password(password)
      if user.authenticate_with_second_factor(code)
        # ...
      else
        raise InvalidSecondFactorError
      end
    else
      raise InvalidPasswordError
    end

Should instead be this pseudo-code:

    if user.authenticate_with_second_factor(code)
      if user.authenticate_with_password(password)
        # ...
      else
        raise InvalidPasswordError
      end
    else
      raise InvalidSecondFactorError
    end

Hope that makes sense. :)
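As an added example (not code from the post or from any commenter), here is a Python sketch of the login flow the thread converges on: a TOTP_REQUIRED reply regardless of password validity, one INVALID_CREDENTIALS error for both factors, both factors always evaluated so neither the message nor the timing says which one failed, a clock-skew window for the code, and the original post's feature of telling the account owner when a correct password is not followed by a correct second factor within a timeout. The service, the sample user, the timeout value and the notification shape are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

STEP = 30               # TOTP time step in seconds (RFC 6238 default)
PENDING_TIMEOUT = 300   # seconds a correct password may wait for its second factor (assumed)


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226); TOTP is HOTP over floor(now / STEP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp_valid(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock skew, slow typing).
    Every candidate is compared, no early return, so timing does not show which one hit."""
    counter = int(now // STEP)
    matched = False
    for delta in range(-window, window + 1):
        expected = totp_code(secret, counter + delta).encode()
        matched |= hmac.compare_digest(expected, code.encode())
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes


@dataclass
class AuthService:
    users: dict
    pending: dict = field(default_factory=dict)        # username -> (accepted_at, client)
    notifications: list = field(default_factory=list)  # what would be emailed to the owner

    def login(self, username: str, password: str, code, now: float, client: str) -> dict:
        user = self.users.get(username)
        # Unknown user: still compute a hash so the request costs the same wall-clock time.
        computed = hash_password(password, user.salt if user else bytes(16))
        pw_ok = user is not None and hmac.compare_digest(computed, user.pw_hash)
        if code is None:
            # First request carries only the password: ask for the second factor either way,
            # and only remember the attempt if the password was actually right.
            if pw_ok:
                self.pending[username] = (now, client)
            return {"ok": False, "error": "TOTP_REQUIRED"}
        code_ok = totp_valid(user.totp_secret if user else bytes(20), code, now) and user is not None
        if pw_ok and code_ok:
            self.pending.pop(username, None)
            return {"ok": True, "session": secrets.token_hex(16)}
        if pw_ok:
            # Someone knows the password but cannot finish the second factor: tell the owner.
            self.notifications.append({"user": username, "at": now, "client": client,
                                       "reason": "wrong second factor after correct password"})
        # One error for a bad password and for a bad code, so the reply never says which.
        return {"ok": False, "error": "INVALID_CREDENTIALS"}

    def sweep(self, now: float) -> int:
        """Notify owners whose correct password was never followed by a second factor."""
        fired = 0
        for name, (accepted_at, client) in list(self.pending.items()):
            if now - accepted_at >= PENDING_TIMEOUT:
                self.notifications.append({"user": name, "at": accepted_at, "client": client,
                                           "reason": "second factor never completed"})
                del self.pending[name]
                fired += 1
        return fired


def demo_service() -> AuthService:
    """Constructed sample user; the TOTP secret is the RFC 6238 reference key."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    alice = User("alice", salt, hash_password("correct horse", salt), b"12345678901234567890")
    return AuthService(users={"alice": alice})
```

Run `sweep()` from a periodic job; the first-request branch is where a real deployment would also apply the per-user and per-IP rate limits mentioned further down the thread.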

But which 2FA prompt should they receive?

If MFA can be configured using myriad choices, should a user be prompted to "Insert security key" or "Input security code" or "Send code to your email/SMS" or "Tap YES on your mobile device"?

Since you can't know a priori what the second factor will look like, I'd say it's troublesome to try and present a challenge to every user regardless of their MFA configuration.

In my pseudo-code example, we're raising a couple errors, InvalidSecondFactorError and InvalidPasswordError. You could imagine there could be finer grained errors, such as TotpRequiredError or HardwareKeyRequiredError, depending on the user's second factors, which could then propagate down to the UI via specific error codes.

The UI could then use these error codes to display the correct prompt, and then resend the request with the appropriate second factor.

Note that this is not universal to all systems.

If your 2FA options all require the user to enter a code, you can simply display a "Please enter your 2FA code" dialog without divulging what kind of 2FA the user has.

How would you prevent someone from spamming a user just by knowing their username? Say, if the 2FA is done by SMS, or email.

An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.

I wonder how systems that use magic links handle this.

Your authentication system should have per-user and per-IP rate limits.

It sounds good for stopping attackers, but if I am the real user and enter a bad password it is going to be pretty infuriating spending time troubleshooting the 2FA not working problem that doesn't actually exist. I suspect your service will get a reputation for completely unreliable 2FA which may have unintended consequences.

This can be solved with an error message at the end with something like "You either provided an incorrect password or your 2FA code is incorrect. Check and try again". This still ensures that someone is not able to guess the correct password and reuse it somewhere else where 2FA may not be enabled.

If you input a username and wrong password, in some cases, the service won't prompt you for your 2FA code.

If you input the right username and password, it will then go forward in the flow and prompt you for the 2FA.

I believe parent comment is suggesting the system should prompt for 2FA even if the password was incorrect, so that you can't infer whether you guessed the correct password without also compromising the 2FA method.

This only matters if you re-use passwords, though.

Well, doesn't it also matter if the 2FA method sucks? For example, maybe you can use a SIM swap to get the one-time code, but if you don't have the password, too, then that doesn't help you. In the above scenario, they can figure out whether they have the password or not, and once they do, then use a SIM swap to get the second factor (or whatever), and then they're in. If the login never tells them which factor is bad, it's a bit harder, right?

Five years back, YouTube didn't have the feature to queue your videos on the fly. You could have created a playlist, but then it is the same sequence of songs every time. So I hacked a Chrome extension to add/remove songs to a dynamic queue saved on your LocalStorage[1]. Later, YouTube added the queue feature. Sometimes I go on long hikes and think that it wasn't merely a coincidence. :)

[1]: https://github.com/nishnik/Play_Next

This is a heartwarming post and I enjoyed all of the comments.

As an aside I would recommend using U2F over OTP. This article explains some of the benefits: https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/

I asked Notion to implement inline LaTeX, because it's the last thing missing for me to use Notion during math lectures. They did so a couple weeks later, and even told me I was part of the reason they did!

I once sent Apple feedback about how Activity Monitor was missing some metric, I don’t remember what it was. Never heard back from them but in the next OS X release it was there.

I've noticed several services in the past that have blocked someone at the 2FA step (either due to getting to that stage and leaving or attempting and failing), then notified the account owner that a login was attempted. I think we just don't hear about it too often because not everyone who has compromised credentials also has 2FA enabled on their accounts in most publicized hacks.

Also, if someone logs in with correct username and password and -does not- attempt to try the 2FA, I also want to know about it.

Yeah, it should basically be a timeout. If within a few minutes of entering the correct password a correct second factor is not provided then it should notify the user.

I think you can probably skip notifying on a single failed OTP code to avoid spamming the user when they make a typo (or are a bit too slow for TOTP) but if you were very paranoid you could also send in this situation.

The Iceland NIC does this (https://www.isnic.is/en/site/login).

Customer support burden when they lose the 2FA key is solved by adding a hefty fee (around €100) to recover it. No WebAuthn support yet though.

Interesting. I think that is the first time I've seen password and 2FA code on the same page. Guess that means you may not know if your password or 2FA code is incorrect depending on the error page.

Or the login process should just go ahead and ask the 2FA either way - and just fail you in the end without explaining why. And then notify only behind the scenes via mail that the password was correct but the 2FA wrong. That would be the way to handle it. I'd receive such notifications from time to time - I mix up the 2FA accounts sometimes, other times I'm slow typing and it expires - but I can live with that little extra email.

All my TOTP prompts (on websites I run) account for such delays and clock skews by checking against the previous and next TOTP. So even if the user is a little bit late to enter the OTP, I can still validate it and complete authentication.

This is standard practice with big corporate RSA remote login.

Some 10 years ago I pointed out the lack of SSL or STARTTLS on my mail provider’s SMTP servers. This was the Netherlands' biggest provider, TransIP. They said it was an interesting observation that they were going to discuss; some months later I got a big announcement over email about their new secure email platform. Yes, it was all the same, but now with SSL.

Actually, PSD2 SCA (Strong Customer Authentication) talks about requiring 2 different elements (out of knowledge, possession, inference) for authentication, while also requiring that information on which one was wrong when authentication failed not be disclosed. This directive needs to be implemented by all payment processors in the EU (I am not an expert on this).

We have implemented such a system at a company I worked at, where we also took into account the credential stuffing aspect as you talk about it. It is quite challenging to ensure no information leaks (in content and in other request parameters, including response times) when users transition from the partially (un)authenticated state (username + password) towards 2FA. I have to say that security aspect is noticeable in a significant drop in credential stuffing attacks volume, but usability wise I see why this is not a popular approach :). I personally hate it, especially when 2FA that is used is TOTP.

Bravo!!! Such a simple (and more secure) change to the way 2FA works. This should be the standard and also mandatory in many similar cases. Good for you and for sharing this improvement, that’s the mentality all of us should have. Reminds me of how Volvo shared the 3 point safety belt patent with everyone else so as to make all cars safer, instead of keeping it to themselves in order to profit [ https://www.forbes.com/sites/douglasbell/2019/08/13/60-years... ].

Re: Volvo's good deed -- In contrast, Edward Land (the Polaroid camera guy) came up with a system for polarizing car headlights and windshields to lessen glare from oncoming headlights in 1948. Apparently, none of the car manufacturers implemented it because there was nothing to gain financially from such a safety feature. https://www.polarization.com/land/land.html

I had a similar experience and it certainly made my day! I wrote some code to parse nested JSON and fill a hole in a tutorial. Here's my relevant post: https://bcmullins.github.io/parsing-json-python/.

Here's the plug for the project using my code: https://github.com/sinnfeinn/microweather.

It's a nice courtesy from the product authors/implementors. Not only is it polite, it also acknowledges your contribution to the idea; not sure to what extent it is formal.

All in all it is a great feeling to see your idea getting a concrete life. In a way, reporting an issue and a possible improvement to any product you care about is the essence of collaboration. Open source further helps you contribute by augmenting such effort with the skill to implement it.

AFAIR, a 1980's MIT AI Lab "how to do research" memo suggested as one way to build things: describe what you'd like to build, and maybe someone else will be inspired to do it, long before you'd have gotten around to it.
Normies: what the heck he stole your idea :angry:
As 2FA adoption spreads, the possibility increases that someone could be using 2FA but not know the rule about not reusing a password. This feature improves the spread of that gospel. It seizes the opportunity to impress an abstract concept to the technically-challenged in a way that is no longer abstract. I like it.
We implemented something that avoids the original article's 2FA notification.

After your password is approved, before 2FA, you get an email. So even if someone is somehow using the right 2FA you are aware.

Our thinking was the most likely outcome was someone would hit 2FA, not have the code and so close the request without even entering a bad code.

Apart from that though, it is always nice to get recognition for the stuff you put out there. I know I should do it more myself too.

If you are going to send login notifications anyways this makes sense. Since the user will either want to know about the login or the failed 2FA. However if the user doesn't enable login notifications I think it makes sense to give a short timeout to wait and see if the authentication is successful. If the auth is successful you can skip the alert.
But email can be delayed for hours or days.
That's pretty rare in our scenario; also, it would still apply to the original post?
Honestly I'm shocked reading this. I _NEVER_ considered that scenario. Now I will be doing this in all my apps. Thank you!
The main feature that 2FA needs is non-existence.
Congratulations! Really good to hear, and definitely a nudge to me to let people know when their blog was useful.
I don't know about wrong 2fa codes but bitwarden notifies you if you have an "unfinished" 2fa login. If you type username and password correctly and then don't type in your totp token it will notify you.
A few months ago I had a ghastly time trying to take a bike along with me for a multi-stage train journey across the UK. Trainline is good about abstracting away the (pointless) differences between the train operating companies -- it's just a single interface and you never have to know which company operates which section of the route. But this abstraction breaks the minute you want to bring a bike on board -- you need to contact each company separately, and each one has its own bespoke and annoying way of doing it. Some by phone, some by email, some through their website (that you need an account for), some by social media(!). So I emailed Trainline's customer support saying how lovely it would be if bike reservations were as seamless as people reservations, and to pass along the idea to their dev team.

Lo and behold, while booking a journey the other day I noticed a new option for bike reservations on the route planner interface, that I'd never seen before. I haven't had opportunity to use it yet, but I hope it works well, and I'd like to think that it was my email that tipped the scales into it getting implemented (Lord knows I can't have been the first to ask for it).

> Tell people about things you do that they played a part it- it might just make their day.

Agree so much! I’ve met numerous people, often co-workers, who say “oh I know you I used your blog post”. Wish they’d have shot me a quick email! It’s always a nice surprise when someone reaches out to say thanks.

I agree but there is an even more serious security feature almost all 2FA misses:

Telling the user what action they are authorizing by reading back the numbers.

That “bank rep” on the phone? They are probably trying to log into your account, or withdraw cash, not verify that you are the right person to send the refund back to.

It would save a lot of problems.

Also you should be getting an alert on all your devices whenever transactions over X amount per Y time occur, and you should have an opportunity to reverse them for 24 hours (even for debit cards). Also you should be able to make windows during which time it would be longer than 24 hours, such as a Jewish holiday or when out of range. This wouldn’t apply to recurring transactions.

Gmail has had those features for some years.
Not AFAIK- they email you when a new device logs in, or a new location, but I've never seen one for a wrong 2FA code
I would consider that as a bug, not as a feature. If the login panel behaves differently on a correct password than on a wrong password, that's an information leak that must be fixed.

Authentication must be evaluated and rejected only when all factors are already provided, and the rejection error should not disclose which of the factors failed.

So, with a proper login panel, my 2FA being asked does not mean that someone has my password.

Edit: this is, for example, the recommendation from PCI to separate "Multi-Step Authentication" from true "Multi-Factor Authentication": https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...

I'm under the impression you misread the original blog post, which by the way does not really do a very good job in terms of explaining how this should be implemented.

IMHO, the idea is not to display the info about the wrong 2FA code on the login page but to use a separate channel to inform the account owner about this recent, failed login attempt. So, no info on the login page of the website (the adversary would still not know that they have a good password but a wrong 2FA) but e.g. an email, a text message, a push notification, etc. with this info. I would certainly like to know that someone, somewhere is trying to log in to my account and that this adversary is in possession of my actual password.
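The flow described in this comment, as an added example that is not part of the post or the linked article: both factors are checked together in one step, every failure returns the same answer to the submitter, and only the account owner is told, out of band, when the password was right but the second factor was not. The user store, email address, salt and fixed demo code are constructed placeholders; the second-factor check is a stand-in for a real TOTP or WebAuthn verifier.

```python
import hashlib
import hmac
from typing import Callable, Dict, List

# Constructed demo user store (not from the page). PBKDF2 keeps the demo stdlib-only;
# a production system would use argon2 or scrypt with per-user random salts.
_SALT = b"demo-salt-16byte"


def _hash_pw(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


USERS: Dict[str, dict] = {
    "alice": {"salt": _SALT, "pw_hash": _hash_pw("correct horse", _SALT),
              "email": "alice@example.invalid"},
}
_DUMMY_HASH = b"\x00" * 32

# Out-of-band messages land here in the demo; a real system sends email/SMS/push.
NOTIFICATIONS: List[str] = []


def notify_owner(username: str, message: str) -> None:
    NOTIFICATIONS.append(f"to={USERS[username]['email']} msg={message}")


def demo_second_factor(username: str, code: str) -> bool:
    """Stand-in second-factor check against a constructed fixed code; a real
    deployment plugs a TOTP or WebAuthn verifier in here."""
    return hmac.compare_digest(code, "123456")


def login(username: str, password: str, code: str,
          second_factor_ok: Callable[[str, str], bool] = demo_second_factor) -> bool:
    """Evaluate both factors in a single step and return one pass/fail answer.
    The submitter never learns which factor failed; the account owner is told
    out of band when the password was right but the second factor was not."""
    user = USERS.get(username)
    # Do the same hashing work for unknown users so response time stays uniform.
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    pw_ok = hmac.compare_digest(_hash_pw(password, salt), expected) and user is not None
    otp_ok = second_factor_ok(username, code)  # always evaluated, never short-circuited
    if pw_ok and not otp_ok:
        notify_owner(username, "correct password but wrong second factor submitted")
    return pw_ok and otp_ok  # identical False for every failure mode
```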

If I've understood the linked post, the login panel doesn't have to behave or look different if someone gets the username and password right. You could still show everyone the 2FA input.

It's suggesting that if the username and password are right but 2FA isn't the system should let the account owner know.

I have read the linked post too quickly before sending my initial comment. Indeed, a back-channel notification to the legitimate account owner is probably a good idea.

On the other hand, disclosing to the attacker that they got the password right is not acceptable.

Correct. The blog suggests letting them know out-of-band, like via email, not in the login flow.
Unless you're an especially high-value target, I'd rather you gave quicker feedback about whether or not I have remembered my password correctly than you make it impossible to determine whether or not a password is correct without also having to input the 2FA token.
My employer does it for products requiring PCI certification. Our PCI auditor recommends it even though it's not a formal requirement of PCI v3.
That sounds like a terrible trade-off that makes people more likely to write down passwords on post-it notes or in a clear-text file to cut-n-paste. Especially if you lock accounts after 10 tries or so (or PCI's ridiculously low number of tries).
You make a good point, but does anyone do that? I’ve been using a PW manager so long, I don’t really enter incorrect passwords.
I think the majority of places I use 2FA, the 2FA prompt is on a screen after the password login. This is because the use of 2FA is an account option, so not all accounts will have it active.