[-] scrubbles@poptalk.scrubbles.tech 194 points 1 week ago* (last edited 1 week ago)

You're absolutely right! It doesn't make sense to show the user the 2fa code! removes 2fa completely

[-] Uli@sopuli.xyz 137 points 1 week ago

Oh, I get it! You still want 2fa, you just don't want the code to be shown! colors the text white

[-] ThePancakeExperiment@feddit.org 34 points 1 week ago

No, no, make it ultra secure and display none it, every website will be a database of important information, you just have to put everything into a hidden table!!

[-] PattyMcB@lemmy.world 20 points 1 week ago

Font size 0

[-] Schmoo@slrpnk.net 5 points 1 week ago

*Includes it in the URL

[-] Redjard@lemmy.dbzer0.com 16 points 1 week ago

Oh you want the code not rendered into html!
Drops the code in javascript when it is received from the backend.

[-] pure_bliss@discuss.tchncs.de 11 points 1 week ago* (last edited 1 week ago)

It took me way too long to figure out what was wrong with this screenshot

[-] Ilovethebomb@sh.itjust.works 53 points 1 week ago

Yeah, same here. I was counting the boxes thinking they'd got the wrong amount of numbers.

[-] Darkmuch@lemmy.world 9 points 1 week ago

I need help. I don’t get it…

[-] teegus@sh.itjust.works 23 points 1 week ago

The "secret" code sent to your phone is spelled out in the text

[-] undefined@lemmy.hogru.ch 80 points 1 week ago

SMS/email-based 2FA should die.

Luckily, you don't even need to check SMS or input a valid number with the “verification” in the screenshot!

[-] bamboo 30 points 1 week ago

mission failed successfully

[-] nogooduser@lemmy.world 13 points 1 week ago

It’s better than nothing and some people would really struggle to do other types of 2FA.

[-] djsoren19 7 points 1 week ago

I'll be honest with you, some people really struggle with email 2fa. The amount of working Americans I have spoken with who don't understand how to have two tabs open at once is genuinely frightening.

[-] Natanael@infosec.pub 6 points 1 week ago

As a reset method it's worse than having nothing

[-] null@lemmy.nullspace.lol 4 points 1 week ago

It's wild how standard SMS is given how (relatively) trivial it is to exploit.

[-] undefined@lemmy.hogru.ch 1 points 1 week ago

Even with autofilling it on iOS, macOS you still have developers that need to fuck with form fields using JavaScript because they think they’re smarter than you.

[-] dharmacurious@slrpnk.net 2 points 1 week ago

What's the best alternative?

[-] nogooduser@lemmy.world 14 points 1 week ago

App based 2FA is better. Either the app generates a time based code that you enter into the site or the site sends a push notification to the app asking you to verify the login attempt.

Passkeys are good too as they replace the password completely and leave the 2FA part to the device.
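As an added illustration of the "app generates a time based code" flow described in this comment (not code from the thread or from any authenticator project), here is a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation with the server-side verification the site is supposed to do: the expected code is computed from a shared secret and the clock, compared in constant time, never sent to the browser, and a code that already succeeded is refused a second time. The secret, issuer and account name are constructed sample values; the first uses the RFC test-vector key so the output can be checked against the published vectors.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as used by authenticator apps.

Added example, not from the original thread. The secret below is the RFC
test-vector key; issuer and account name are made-up sample values.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed sample: the 20-byte ASCII key from the RFC 4226 / RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check of a code typed by the user.

    Returns the matched time-step counter on success, None on failure. The caller
    stores the returned counter; anything at or below `last_counter` is rejected,
    so a code that was already used (or shoulder-surfed) cannot be replayed within
    its validity window. `window` steps either side are accepted for clock drift.
    """
    current = now // step
    submitted = submitted.strip()
    matched = None
    for drift in range(-window, window + 1):
        counter = current + drift
        candidate = hotp(secret, counter, digits)
        # Evaluate every candidate (no early exit); compare_digest is constant-time,
        # so timing does not reveal which digits or which step matched.
        if hmac.compare_digest(candidate, submitted) and counter > last_counter:
            matched = counter
    return matched


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (the Key URI format authenticator apps read from a QR code).

    This is the one and only time the secret leaves the server, at enrolment;
    afterwards the site only ever receives codes and answers yes/no.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    now = int(time.time())
    print("enrol with:", provisioning_uri(SAMPLE_SECRET, "ExampleSite", "alice@example.invalid"))
    print("code the app would show right now:", totp(SAMPLE_SECRET, now))
    print("server verdict:", verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, now), now))
```

The point of `verify_totp` returning only a counter (or `None`) is that nothing in the response path ever carries the expected code, which is exactly the invariant the screenshot breaks. Run the module directly to see an enrolment URI and a live code for the sample key.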

[-] victorz@lemmy.world 4 points 1 week ago

Passkey or notification please. So sick of entering these codes on a daily basis.

[-] Opisek@piefed.blahaj.zone 4 points 1 week ago

If it's alright with your threat model, you can put the time-based OTPs into your password manager of choice, like Bitwarden. Upon filling your username and password, it places your OTP in your clipboard, so that you can simply paste it in. This does of course reduce the security of the system slightly, since you centralize your passwords and your OTPs. When opting for this method, it is therefore imperative to protect your password manager even more, like via setting up 2FA for the password manager itself or making sure your account gets locked after something like 10 minutes of inactivity. The usability aspect is improved by using a YubiKey or another similar physical key technology.

[-] RaivoKulli@sopuli.xyz 1 points 1 week ago

I just save the cookies tbh

[-] djsoren19 1 points 1 week ago

Okay, but then you have to develop an app

[-] psud@aussie.zone 1 points 1 week ago

I wonder if there are any TOTP apps for Linux phones (though I think I'll have to keep an Android or Apple device around for my workplace's 2FA which doesn't have anything for anything other than apple and Android phones, and only with full security)

[-] PlexSheep@infosec.pub 1 points 1 week ago

TOTP, FIDO2 or not worrying about logins and just using {GitHub,Google,Microsoft,selfhosted.lan} as identity provider with OIDC

[-] 8000gnat@reddthat.com 56 points 1 week ago

no factor authentication

[-] aarRJaay@lemmy.world 45 points 1 week ago

That's up there with: "You cannot use this password, it's already in use by ... "

[-] SethTaylor@lemmy.world 1 points 1 week ago

But that's so practical. Maybe I can contact them and ask them if we can swap. Haha

[-] elvith@feddit.org 32 points 1 week ago

IIRC the screenshot in the tweet is from a shitpost in Reddit's r/badUIbattles

[-] Evil_Shrubbery@thelemmy.club 22 points 1 week ago

Feels like testing feature, hopefully the screenshot isn't from production.

[-] AmbiguousProps@lemmy.today 31 points 1 week ago

We test in production, silly.

[-] Evil_Shrubbery@thelemmy.club 13 points 1 week ago

[-] ICastFist@programming.dev 2 points 1 week ago

It's not like QA would've caught these problems before it went to production anyway

[-] VonReposti@feddit.dk 10 points 1 week ago

Everyone has a test environment. Some are just lucky enough to have a separate production environment.

It's the only way to fly.

[-] pineapplelover@lemmy.dbzer0.com 20 points 1 week ago

I will be honest, it took me a good while to figure out what's wrong

[-] MystikIncarnate@lemmy.ca 1 points 1 week ago

Me too, but I woke up.... Checks watch .... 25 minutes ago, and I'm still pretty out of it.

[-] cows_are_underrated@feddit.org 18 points 1 week ago

Assuming this is real, how the fuck do you fuck up so badly?

[-] mcv@lemmy.zip 13 points 1 week ago* (last edited 1 week ago)

What!? It's more user friendly this way. No need to make the user switch to a totally different device when you can tell them right here!

/s

(I hate pointing out sarcasm, but it's better not to risk it these days.)

[-] Cevilia 3 points 1 week ago

(you don't need to apologise for using tone tags, they're a useful accessibility tool and hurt nobody)

[-] rumba@lemmy.zip 5 points 1 week ago

When I first added 2fa to a page, I had a bug and made it do that to compare the values.

production or test, it's likely debug code.

[-] Lukemaster69@lemmy.ca 2 points 1 week ago

[-] cupcakezealot@piefed.blahaj.zone 14 points 1 week ago

i'm ashamed to say that took me a while to figure out what was wrong mostly because i didn't think someone would be that dumb.

[-] exu@feditown.com 12 points 1 week ago

Just delay accepting the numbers for 10 seconds to simulate the time needed to check SMS and type them.

[-] MonkderVierte@lemmy.zip 2 points 1 week ago

[-] Treczoks@lemmy.world 1 points 1 week ago

This could be vibe coding, or just an intern "doing the web site".

Neither should have write access to production code.

this post was submitted on 10 Oct 2025
1101 points (100.0% liked)

Programmer Humor