I'll play devil's advocate here, and say that "proper password hygiene" is utterly broken. Use a strong password more than 12 characters that includes a capital, lowercase, number, symbol, no dictionary words, cycled every 3-6 months without repeating old passwords, AND must be unique for every site you visit on the internet? Is that humanly possible? It's no wonder people go with password managers (which aren't immune from massive breaches), or like my wife, simply use garbage passwords she doesn't bother remembering and going through email password recovery for every site, every time
. These unrealistic expectations for human security are why people don't practice good opsec, and why passwords are so universally insecure/reused/guessable.
Yes, been doing it for decades. I guess your question points out another lack of education; password managers.
I agree with your assessment right up until the point you let AI insinuate that email/SMS 2FA is less secure than no 2FA. This simply isn't true. Are there significantly better/more secure ways to implement 2FA? No doubt. But is it somehow less secure than not having it? Absolutely not.So ... I hesitate to get into threads like this, but I felt pretty strongly about this one.. so here goes. While my background isn't specifically cyber-security, I run the cloud infrastructure for a large public social network, and have worked in the industry for 25+ years now. I've had my Rivian for nearly 3 years now (vin ~2400), and I've had a Rivian account since 2019.
I strongly oppose the decision Rivian is making right now... but hope they will fix it!
First ... I want to say that I applaud Rivian for trying to improve the security of our accounts within their platform. Sadly but understandably, most of the Rivian account holders are not super-tech-savvy users who are proactively taking all of the best security measures ... so sometimes you have to force things along. (Not dissimilar to parents forcing kids to brush their teeth.. its annoying, but it has to be done).
The problem is SMS/Email 2FA is bad. Why?
Without getting into all the nuances... you can simply search Google for "why 2fa sms is worse than no 2fa" and get the following AI answer:
If you look deeply, you'll find a series of articles (posted below) that discuss the major problems with SMS and Email based 2FA ... but fundamentally these methods of 2FA are broken.
What should Rivian Do?
Rivian should be introducing modern secure methods for 2FA - including (but not limited to) Passkeys, FIDO2 Hardware Keys, and legacy One Time Passcode (TOTP) keys. These solutions are battle tested, widely supported on hardware that the Rivian owners already have (iPhones and Android phones), and are frankly just industry standards. There should be many supported 2FA methods, and we-the-customers should be selecting which one is appropriate for our use case.
Why does this matter so much?
Look ... no one is going to steal your Rivian by logging into Rivian.com. However, they can (at the very least):
* Lock you out of the account, holding you hostage
* Track your vehicle location without your knowledge (by signing up a service like Electrafi without your knowledge)
* Potentially cancel or make pre-orders
What should we do?
I immediately emailed every @Rivian email address I could find begging them to implement real 2FA solutions before making this a requirement for all Rivian accounts. I encourage everyone here to do the same. Also, if you know technical people at Rivian, send them your feedback... and beg them to do the right thing here.
Articles:
- https://www.itsasap.com/blog/why-stop-using-sms-2fa
- https://sec.okta.com/articles/2020/05/sms-two-factor-authentication-worse-just-good-password
- https://anderscpa.com/why-sms-2fa-isnt-enough
- https://www.cnet.com/news/privacy/d...factor-authentication-heres-why-you-shouldnt/
- https://www.securemac.com/news/is-sms-for-2fa-insecure
Technically the SMS capability *does* make it worse since it's apparently not difficult to play man in the middle games, get a duplicate/replacement SIM, or spoof a a phone number to the effect that someone else could receive the SMS without you even knowing it was requested in the first place. SMS is a terrible way to do 2FA and has been for a long time.
