2FA is broken


pyroxide

It's been over a week since I submitted a ticket because I can't get 2FA verification emails with my account (because DE doesn't know how to make them not look like untrusted junk mail) and I still haven't gotten a response. I had migrated my account from Gmail to Lavabit and they enabled 2FA without having me verify that I could even receive the emails by submitting a code when set up.

I wonder though; what possible reason would they have to force this on after an email address change? There would be absolutely no benefit in doing so, as control was already released from one account to the other. I did have to answer some questions before the address was changed, but the fact still remains: It's a broken feature as even Microsoft email accounts do not get them. It would cost DE nothing to have 2FA set up for Google Authenticator or similar apps...or even into the Warframe app via notification -> Approve or Deny.


7 minutes ago, Aoden said:

Personally, text authentication wouldn't be half bad.

I've had nothing but trouble with Google Authenticator on my phone, with it randomly forgetting my accounts and leaving me locked out.

These apps are a dime a dozen. LastPass Authenticator is my preferred one.

I've NEVER had a problem with these unless I had changed the ROM on my phone. Either way, there is the option to have a list of hard authentication codes to use in the event your device is not available (lost, stolen, etc). When I set up my google account, I was given a list of ten to use when in this circumstance.

2 minutes ago, DogManDan said:

I just installed WF on a new PC and had no problems with the 2FA coming through my email. Honestly that is all on you for not marking it as trusted source so it does not go to your junk mail folder!

Ever heard of SEO? It's essentially the same thing. If your web site looks awful or untrustworthy, you're ranked poorly. The same happens to emails that look like junk.

Either way, you're missing the point. When enabling 2FA on actually anything, you are forced to verify your code when setting it up before it is finalized. Upon submission of a valid code, it is enabled, thus verifying that it was set up correctly.

DE support conducted the email address change as I was unable to do this the automated way. And they force enabled this feature before verifying I received them or that my address was even valid.
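The enrollment rule the post describes (a second factor is only switched on after the user has proved they can produce a valid code) as an added example, not code from the thread or from DE; the TOTP scheme is the standard RFC 6238 one that authenticator apps use, and the `Account` class and its method names are assumed for illustration:

```python
"""Enrollment that refuses to turn 2FA on until the user proves the factor works."""
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical account record: 2FA is a two-step state, pending then active."""

    def __init__(self):
        self.pending_secret = None  # issued at enrollment start, not yet trusted
        self.totp_secret = None     # populated only once a code has been verified

    def start_enrollment(self) -> str:
        """Step 1: issue a secret. 2FA stays OFF until confirm_enrollment succeeds."""
        self.pending_secret = secrets.token_bytes(20)
        return base64.b32encode(self.pending_secret).decode()  # what a QR code would carry

    def confirm_enrollment(self, code: str, now: int) -> bool:
        """Step 2: enable only when the user submits a valid code from the new factor."""
        if self.pending_secret is None:
            return False
        # Accept the current 30 s step and one step either side for clock drift.
        for drift in (-30, 0, 30):
            if hmac.compare_digest(totp(self.pending_secret, now + drift), code):
                self.totp_secret = self.pending_secret
                self.pending_secret = None
                return True
        return False  # wrong code: nothing changes, the user is never locked out

    def second_factor_required(self) -> bool:
        """Login asks for a code only if enrollment was actually confirmed."""
        return self.totp_secret is not None
```

Because `second_factor_required` reads the confirmed secret and never the pending one, an enrollment that was started but never verified cannot lock the account, which is exactly the failure the thread complains about.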


24 minutes ago, Shalath said:

If DE had any way of influencing your spam filter then it isn't a very good spam filter.

Ah, but you are wrong. These emails appear to be spam because they are merely a bland template that has only 2 variables: the account name that it is sent to and the 5-digit code that is included in the body.

If tens of thousands of this template are sent out on a daily basis, they are already seen as negative by a server's filter. Several ecommerce websites send out hundreds of thousands of identical promotional messages every day and they never get flagged by the server or even sent to junk, because this content changes every day. They may even include your name in the body or subject.

When looking at 2FA emails, so much of the content of the message is the same material as is always sent.


I examined the content of one of these emails that I had received on my old account. These are HTML-formatted messages and we can see that only 2 out of 133 words are different, making this message 98.5% identical to everyone else's. Even if we were to ignore spaces and strip HTML tags, 13 out of 250 characters are the same, which equals 5.2% of the body.

This can be circumvented by leaving out so much of the extra content of the message, thus reducing the amount of content that is identical. They could even throw in a random quote in the message.

Even if DE did none of these things that I mentioned above, the biggest problem lies in the fact that e-mail verification is the only method of 2FA.

My server is filtering these out before I have the chance of seeing them. They do not even go to a junk folder as that would be a client filter and I would not be complaining about that as it would be an easy fix that I could do.


3 minutes ago, pyroxide said:

Even if DE did none of these things that I mentioned above, the biggest problem lies in the fact that e-mail verification is the only method of 2FA.

My server is filtering these out before I have the chance of seeing them. They do not even go to a junk folder as that would be a client filter and I would not be complaining about that as it would be an easy fix that I could do.

Using the same factor for password reset and 2nd authentication is not the best of ideas, I can agree with that, but blaming DE for horrible spam filtering implementation, you're kidding, right?

Treat the "2FA" as if it's not there, and set up a filter which wasn't designed by a 1st year CS student.


7 minutes ago, trndr said:

Using the same factor for password reset and 2nd authentication is not the best of ideas, I can agree with that, but blaming DE for horrible spam filtering implementation, you're kidding, right?

Treat the "2FA" as if it's not there, and set up a filter which wasn't designed by a 1st year CS student.

I guess you didn't read the part where a "1st year CS student" at DE forced 2FA on for my account when I asked for my email address to be changed.

Yes, I can blame DE for a 2FA system that is shoddy (at best) as even popular email services (Microsoft and all of its email services) are unable to get these. While I do not care for Microsoft, to ignore their position in the industry as a super power is quite stupid. To argue that my server's filter is poor is also to argue that every major search engine out there, Google included, uses a poor method of determining which websites should be listed first. RIP search engines as websites with every word in the dictionary should take precedence over anything relevant.

Have you ever searched for something very peculiar and arrived with a website with a poorly translated domain containing a list of search results that are irrelevant to anything that you might be searching for and all contain links to malware? If you want to use an email provider that acts like Altavista, go have fun checking your inbox.

Email filters are the same as they weigh content by its perceived merit. Changing the way something perceives your content is as simple as changing the content you deliver.


5 minutes ago, pyroxide said:

Email filters are the same as they weigh content by its perceived merit. Changing the way something perceives your content is as simple as changing the content you deliver.

How the filter is implemented, or rather with "new" filters, how it's trained, is key.

Short mails sent repeatedly with low variation should not get flagged in a filter, as this was how spam worked in the 90s and by year 2000 filters had caught up, forcing spammers to create spam with highly variable spelling on every word, which in addition had the effect of filtering out the not so gullible.

There are still many bad filters, as good filters require training data, but if you choose to go from a good filter and no privacy to a bad filter with high privacy, blaming the message helps no one.

I ignored the forced enabling of 2FA on purpose, as I have no intention to enable it to see if it can be disabled.

I'm not claiming DE calling it 2FA is ok.

I'm not claiming DE forcing extra hassle for false security is ok.

What I am claiming is no decent filter should stop the mails by their structure.


Rocks and glasshouses.


1 month later...

I submitted a ticket on December 11th that I do not receive 2FA emails (and no, they are not in the junk folder either). The reason was that the iPhone app for weeks had claimed to send verification emails, which I never received (of course it didn't work without the supposed codes). When I clicked on the 2FA link on my account page, it also claimed that it sent a verification email, which I also never received.

DE responded today with the information that my 2FA has now been activated manually, since it wasn't activated (a bit strange since the "unactivated" 2FA had been quite active, just didn't send the verification emails it claimed).

The end result is that I am now COMPLETELY UNABLE TO PLAY at all, since after normal login I get a popup asking for a security code that was supposedly sent, but which of course ALSO NEVER ARRIVES. I have boosters going and friends waiting online, and I am now forced out of Warframe altogether for an undetermined period of time.

I have responded to "ticket solved", but I am afraid that it again will take 20+ days for support to respond and fix this and during this time I will simply be locked out, for no other reason than that the system doesn't work. 

2FA is basically a good thing, but this is completely HORRIBLE. I am sitting here wishing I never activated it (or tried to activate it, because it is clearly not working).

[EDIT >>>] **** 1 hour later ****

Problem fixed!

Once again DE shines, and now I feel a bit awkward about being so negative and irritated (above). Support contacted me immediately after my reply, and after going back-and-forth checking a few things the problem was fixed. Having a fairly substantial experience of all kinds of help desks and support, I would say this is WAY above excellent. I am also very happy, being able to play again. And my 2FA is on (as it should be).

Edited by Graavarg