As far as I know MGM may be the only one...but all I know is Draft Kings and Caesars.
Thanks
Trying to re-phrase my question. I dislike having to type in a 6 digit code before being able to sign into the sportsbook. In Virginia, for over a year, maybe 2 years, this was not necessary. Then all of a sudden, Caesars and DraftKings required a text message with a 6 digit code to log into account. MGM has not. Is this normal for most books today?
I hate everything about 2FA. In particular a-hole companies who think they have some right to force me to do it.
It does very little to protect end users really. Opens up another attack vector via porting your phone number, and the ONLY reason companies love it really is because it puts more responsibility for account hacks back on to the end user instead of them.
Thanks for the info. If it was 100% safeproof, one would think all the books would use it....That is unless it has a financial cost to their business. This old timer just HATES having to get my phone when logging in online. Unless of course, they have proof it's safer!
Honestly it’s crazy to not have 2FA on any account that has money attached to it. Your smart phone should have the ability to take the code right from the messages instead of typing it in also. It’s just the world we live in where this is needed.
My old eyes see a computer screen and my old fingers type on a computer keyboard...MUCH easier than on my iPhone.
If you grew up with a smartphone of course the world looks different in a million ways.
Honestly it’s crazy to not have 2FA on any account that has money attached to it. Your smart phone should have the ability to take the code right from the messages instead of typing it in also. It’s just the world we live in where this is needed.
Why would you need to add an extra layer of vulnerability if you use an un-brute-forceable password and are careful enough to keep it safe?
Especially adding a system that will result in you being told it's now all your fault and not the provider's problem if you end up hacked?
No matter if it's your fault or not, when 2FA is involved that is what you will be told 100% of the time without the CS person even caring to think about it further.
Put down the koolaid. You've been fooled.
Definitely haven’t been fooled, you just aren’t being realistic about this. It’s not an if but when your account is going to be compromised either on the site itself or if your phone logs on to public wifi for a split second, etc. Anyone in the security world will tell you this. You’re better safe than sorry, 2FA protects you in these circumstances unless you managed to also get your phone compromised as well and then in that case you’re going to have a lot of other problems. If your account is compromised you’re always going to have to go further than CS regardless.
The "anyone in security" you speak of are just parroting the same stuff they have been told like you are.
You can come up with some rare examples where it might save a careless user, but in the real world "anyone in security" who is senior enough to be actually advising corporations, and not just parroting the "common knowledge", will tell you the primary motivation for implementing it is to shift responsibility from the service provider to the end user.
And you won't get past CS with your claim it's their fault and not yours, ever!
And you won't even have a snowflake's chance in hell of success in court either.
It was a fine idea turned into a scam.
If you use strong passwords and don't log into your money accounts over public wifi, and use your brain, and not be lazy, 2FA does ZERO for your benefit. Full stop.
Go ahead and try to come up with a scenario where it can help you that does not involve you being careless...
Wait. Is this for real? MFA is 100% better for security as long as it’s not SMS.
Have you got any logic to back up that statement? Or are you actually just parroting what you've heard without any critical thought?
The thread is about companies who FORCE you to use it.
You can make your own choice about if it helps you, and be as slack as you like and feel more protected.
But don't confuse that with why companies force it upon you without a choice. It's to protect them only and nothing to do with making you more secure.
As asked above, can you come up with any scenario where 2FA actually protects you more than good password habits that does not involve you being slack?
I don't think you can. So yes if you think you are incapable of making and protecting a good password, I guess it can help you. But if you are like that you probably will be compromised one day for sure and if it happens at a site where you use 2FA, you will be outa luck trying to get them to take any responsibility. So yeah it's for real. And I hope people here at least take it on board and think about it when any company tries to force 2FA on you. Use another company instead.
One crazy feature noticed. For me: Caesars: they only require the 6 digit code once a day if logging back in up to 6 hours or thereabouts. DraftKings: You have to do a new 6 digit code EVERY TIME, even if less than 5 minutes after logging out. Nutty!
Optional, are you skeptical about 2FA via SMS or about all 2FA types including apps like Google authenticator?
Google authenticator is no more secure than SMS codes.
Hacker simply needs to get your google/gmail account password and transfer the auth app to a new phone, or add a backup number to your account and use that. Authenticator is as useless as SMS against a determined attacker.
Honestly it’s crazy to not have 2FA on any account that has money attached to it.
That's not honest. That's wrong.
Originally posted by Wilfred
Definitely haven’t been fooled
Do tell... you sure sound like you have been.
Originally posted by stevex
MFA is 100% better for security as long as it’s not SMS.
100% better than what?? Using "password" as your password on every account? Well yeah might be 100% better than that but it's probably more than 50% worse for your security than simply using a strong password and keeping it safe.
Originally posted by Optional
Go ahead and try to come up with a scenario where it can help you that does not involve you being careless...
Well lads?
Come up with anything yet?
Or feel free to post any logical argument you can come up with to show I am wrong. I am open to learning. (goes for any reader who thinks I am wrong. Send this thread link to the biggest and best security expert you know to debate this if you like.)
Google authenticator is no more secure than SMS codes.
Hacker simply needs to get your google/gmail account password and transfer the auth app to a new phone, or add a backup number to your account and use that. Authenticator is as useless as SMS against a determined attacker.
Wrong. Google only recently added the web backup feature to Authenticator and it was a huge mistake. That being said you don’t have to use it. Google Authenticator is a stand alone app and does not require an internet connection or connecting it to a Google account. https://cointelegraph.com/news/the-d...-authenticator
I was sim swapped by a Verizon manager two years ago, https://www.justice.gov/usao-nj/pr/b...im-swap-scheme . The FBI eventually reached out to me as I was a victim, but the Verizon Manager was paid $1000/swap by hackers and swapped approximately 75 sims. He is supposed to plead guilty next month but I doubt he’ll get any serious punishment. I’ll report back when I find out. The real criminal in my mind was Verizon for letting it go on for six months and 75 accounts. I always knew SMS 2FA was a weak point but I never thought it would happen to me. After that I went on a mission to avoid SMS 2FA and it is virtually impossible. Almost all email accounts require a phone number for account recovery, that is the weak link. So yes being forced to use 2FA is part of the problem.
The best scenario I can think of where 2FA would benefit the user without the user being careless is when the site you were using was careless. My old passwords are all over the dark web thanks to data breaches which were not my fault. An email address of mine on https://haveibeenpwned.com has at least 13 data breaches. Most of these sites never contacted me or let me know my information was exposed. Most sites with any security recognize a new device or IP address and would ask for some type of 2FA, by email or text. If they didn’t ask and since the hacker had my login credentials they would be in.
Wrong. Google only recently added the web backup feature to Authenticator and it was a huge mistake. That being said you don’t have to use it. Google Authenticator is a stand alone app and does not require an internet connection or connecting it to a Google account. https://cointelegraph.com/news/the-d...-authenticator
Wrong? But they do have that feature??? Confusing statement. And I never mentioned web backup btw. I was talking about the ability to add a backup phone number and then choose "use alternative auth method" to get in. But yes that web backup feature does sound like yet another attack angle that can be used.
And who cares if it works offline or online. How does that relate to this conversation?
How about addressing anything I actually said, like if they break into your Google account they can take over your authenticator.
Someone here must know a genuine security expert who can comment on this.
I was sim swapped by a Verizon manager two years ago, https://www.justice.gov/usao-nj/pr/b...im-swap-scheme . The FBI eventually reached out to me as I was a victim, but the Verizon Manager was paid $1000/swap by hackers and swapped approximately 75 sims. He is supposed to plead guilty next month but I doubt he’ll get any serious punishment. I’ll report back when I find out. The real criminal in my mind was Verizon for letting it go on for six months and 75 accounts. I always knew SMS 2FA was a weak point but I never thought it would happen to me. After that I went on a mission to avoid SMS 2FA and it is virtually impossible. Almost all email accounts require a phone number for account recovery, that is the weak link. So yes being forced to use 2FA is part of the problem.
The best scenario I can think of where 2FA would benefit the user without the user being careless is when the site you were using was careless. My old passwords are all over the dark web thanks to data breaches which were not my fault. An email address of mine on https://haveibeenpwned.com has at least 13 data breaches. Most of these sites never contacted me or let me know my information was exposed. Most sites with any security recognize a new device or IP address and would ask for some type of 2FA, by email or text. If they didn’t ask and since the hacker had my login credentials they would be in.
Good point. That is one case.
But they are likely to also be the type of company who would force you to use 2FA as they know they have holes. Are they trying to save you from harm or them by forcing it on you though? And if they have rotten security, do you really want to use a system that could very likely be used as an excuse to say they can't be to blame as you were using that fancy super-secure 2FA stuff... so obviously you did not keep your phone safe and locked blah blah. That is the sort of crap I hear from some companies in complaint cases.
Wrong? But they do have that feature??? Confusing statement. And I never mentioned web backup btw. I was talking about the ability to add a backup phone number and then choose "use alternative auth method" to get in. But yes that web backup feature does sound like yet another attack angle that can be used.
And who cares if it works offline or online. How does that relate to this conversation?
How about addressing anything I actually said, like if they break into your Google account they can take over your authenticator.
Someone here must know a genuine security expert who can comment on this.
Wrong in that if Google Authenticator is used effectively, no connection to a phone number, google account or web backup, it is more secure than SMS 2FA. By not connecting it to the internet it becomes a hardware token and cannot be accessed via Remote Desktop or AnyDesk etc. That being said, if you lose the phone or computer your 2FA is gone unless you made backup codes. If someone gained access to my google account they could not access my Google Authenticator, it is in no way associated with my google account. The only way to gain access is using my actual physical device or restoring it to another device using a backup QR code.
But they are likely to also be the type of company who would force you to use 2FA as they know they have holes. Are they trying to save you from harm or them by forcing it on you though? And if they have rotten security, do you really want to use a system that could very likely be used as an excuse to say they can't be to blame as you were using that fancy super-secure 2FA stuff... so obviously you did not keep your phone safe and locked blah blah. That is the sort of crap I hear from some companies in complaint cases.
Don’t get me wrong, I agree with you, 2FA is not secure and forcing someone to use it is a scapegoat, especially SMS 2FA or email 2FA. Even with the best 2FA in the world you’re still at the mercy of customer service reps, zero day hacks etc. There are a million ways around 2FA, it wouldn’t surprise me if we eventually see Authenticators, YubiKeys, even cryptocurrency algorithms themselves cracked with the progress of quantum computers then we’re all screwed.