Source: https://www.newgrounds.com/art/view/roverdose/baking-bad

From a deal on racknerdtracker.com (so RackNerd as the name suggests).
But their panel is a bit limited. If you want a custom OS that isn’t provided, you have to open a ticket with them to get an ISO mounted. You can also boot into recovery environment, but that is outdated minimal installation of Debian 9 without working APT. I was still able to use it to install Arch Linux from bootstrap image though. I just had to decompress it on my PC, create a temporary partition for it and scp it over.

And I am again mentioning Arch. It comes naturally.

I didn’t notice, and I don’t tend to talk to people, so no idea.
The person next to me didn’t use 2FA, that’s all I know.

?

I like the ideas here, so much so that I feel bad for giving you a disappointing answer: exam.

No own electronic devices in the exam room. That included everything, phones, watches, calculators and they also specifically mentioned “hearing aid” while giving out all instructions verbally.
Perhaps if there was someone it applied to they wouldn’t but…
And I had to log into our system to take it, which uses TOTP 2FA. An odd situation. Since the only other thing from clothes being allowed was a pen and paper with password (if needed), here we are.

But one real world example I heard from someone is no unapproved devices being brought into the server room.

Sorry, nothing interesting going on in here.

https://racknerdtracker.com/ keeps all the deals that don’t expire.

Not at all. And that’s without whois privacy.
.com .net .org .us .me are $24.95/year
.meme is $24.99/year
.io is whopping $69.00/year

I wasn’t allowed to bring in my phone, which has the authenticator app. And I had to log in on a provided device. And I use 2FA.

The guy didn’t even seem surprised when I asked him for current time to look up the current code, so probably this indeed was within the expectations.
“You can have the password printed out” - part of the instructions

Oh, how could I forget that. My bank uses them. But it also needs my (physical) debit card and its PIN.
Bit cumbersome to use.

Brute-forcing would take some bit of time. If the 6 digit code, 3 combinations of which are likely valid at a time becomes your only factor, you’ve already lost. Long randomly generated combinations are unrealistic to brute-force. For now at least.

And here’s a screenshot from when I brute-forced the 2FA to my Lemmy account because I trusted the wrong app (Cisco Duo and its backups without version control wiping everything after turning on older device):
6 digits isn’t much.

Also I hate how it’s implemented everywhere. We figured out that telling someone whether the password or username is incorrect is a bad thing, so now we do “username or password incorrect”. But what about 2FA? Username is easy to get if targeting a specific person.
If you can get to 2FA, you know the password was correct. That’s the case basically everywhere. Then it’s just 6 digits to guess. And typically you also only get notified about logins when successful. Too late at that point.
My wish would be to take both password and 2FA code at once, and just return “password or 2FA invalid” if one or both of them are wrong.

Whether yes or no I can’t answer, which is what people seem to be discussing. Also “hormone blockers” probably doesn’t sound that scary (at least it seems that’s what they do anyway).

Anyway, this is just sex part. Do you feel like telling your parents “I will not be having sex”? Someone you should consult it with is a medical professional, but parents just if you feel like it makes sense. I don’t know how open you are with them.

I don’t follow what you’re trying to say here. (The last 2 sentences contradict in my mind)

Anyway, phone vs this tomfoolery, it might not be more/less secure, just different.
What’s on paper is all there will be, as it doesn’t include the secret for generating additional codes.
Phone has that, but also has a screen lock. Whether that is easy to bypass will depend on environment, but after the first unlock, it is at least realistic.
Plus you have people like my father who go by “no lock, nothing to hide”.

For immediate exploit, paper looses.
For later persistent exploitation, phone looses.

Also, no one’s going to have endless scrolls of codes like this. 2 pages for less than 4 hours. Round that up to 2 hours per page, that would be 12 pages per day, 360 pages per month, 4,380 pages per year.
I had to do this, because it was a requirement (they even recommended to print out the password). Actually, they didn’t mention 2FA, just to print out the password (and no use of personal devices). This is the best I could do given the environment.

Same for banks in Slovakia, but you typically have monthly packages that will include unlimited withdrawals. Say, €7/month.

But it’s all over the place.

about as secure as using someone’s SSN for the 2fa

I’ll give you one better. For a certain thing, the university I attend decided to use birth numbers as a password. And that was the only factor.
Mind you, in Slovakia, the birth number consists of birth date + random 4 digits.
Much safety.

Anyway, SSN doesn’t expire in less than 4 hours.

But they’d also need the password.

Alternative would be disabling 2FA altogether.

cupholder.exe

Sorry, but the argument above was for a regular user, who doesn’t know what Rufus is, who doesn’t know the concept of OS, who simply knows thinks the files are saved “on the computer” (while they somehow ended up on OneDrive).

No.
Password I remember is the 1st factor, a valid code from this list (which depends on time) is the second factor.

It’s same as using the phone, except that here they were precomputed and on paper for some time span. None of these are valid now (well, maybe there is one, it’s a bunch of number combinations after all), and you don’t have the private key to generate more.
Say, you can tell that at 10:02:30 UTC the valid code was 262887, but you don’t know what it is now.

That’s the advantage of TOTP, they expire. If it were plain HOTP, I’d only need 1 code at a time anyway.

https://en.wikipedia.org/wiki/Time-based_one-time_password

February 31st, 24:59 is going to be wild.

The start.
Pretty obvious.