3 AM: Authentication Nightmare - a story

Woke up in a cold sweat. Dreamed I tried to check my email.


First, the password. Not my password. The password requirements. Minimum 12 characters. Maximum 128. Must contain uppercase, lowercase, number, symbol. But not THAT symbol. Or that one. No spaces. No quotes. No backslashes. Can’t be similar to previous 47 passwords.

Finally get a password. Site rejects it. “Too similar to a commonly used password.” It’s 32 random characters from /dev/urandom. How is that common?

Get past that. Now 2FA. Download their app. App needs an account. Account needs email verification. Email needs… 2FA. It’s circular. It’s always circular.

Phone buzzes. SMS code. Type it in. “Code expired.” 30 seconds. They gave me 30 seconds. Phone buzzes again. New code. Site says “Too many attempts. Try again in 24 hours.”


Start over. This time with authenticator app. Google Authenticator? Microsoft Authenticator? Authy? Duo? FreeOTP? Seventeen different apps, all incompatible. All want their own account. All want their own 2FA.

Scan QR code. Camera won’t focus. Type the secret manually. 87 characters of base32. Make one mistake. Start over. Finally works. Codes don’t match. Time drift. Phone is 12 seconds off. Codes invalid.

Fix time. Codes work. Click login. “New device detected!” Email verification required. Check email. Need to log in. Need 2FA. The code I just used? “Already used.” Wait 30 seconds. New code. Email arrives. Click link. “Link expired.” It’s been 45 seconds.
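Two of the failures above (“Phone is 12 seconds off. Codes invalid.” and “Already used.”) are the two knobs a TOTP verifier actually has: how many adjacent 30-second steps it accepts, and whether it remembers the last step it accepted. The block below is an added example, not code from the story, implementing RFC 6238 TOTP (HMAC-SHA1, 6 digits) with a configurable skew window and a replay guard; the secret is the RFC 6238 test-vector key, the timestamps are constructed, and the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30   # RFC 6238 default time step in seconds
DIGITS = 6  # what most authenticator apps display


def totp_code(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


class TotpVerifier:
    """Server-side check with a +/- skew_steps window and single-use enforcement.

    skew_steps=0 is the 'phone 12 seconds slow means you are locked out' behaviour;
    skew_steps=1 tolerates up to one step of clock drift either way.
    """

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_accepted_counter = None  # replay guard: highest step already consumed

    def verify(self, code: str, server_time: int) -> str:
        base = server_time // STEP
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            candidate = totp_code(self.secret, counter * STEP)
            if hmac.compare_digest(candidate, code):  # constant-time compare
                # RFC 6238 sec. 5.2: never accept a step at or below the last accepted one
                if self.last_accepted_counter is not None and counter <= self.last_accepted_counter:
                    return "already_used"
                self.last_accepted_counter = counter
                return "ok"
        return "invalid"


def demo():
    # RFC 6238 test secret: ASCII "12345678901234567890" in base32 (constructed scenario around it)
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    server_time = 1111111111
    phone_time = server_time - 12          # the phone in the story is 12 seconds slow
    phone_code = totp_code(secret, phone_time)

    strict = TotpVerifier(secret, skew_steps=0).verify(phone_code, server_time)
    lenient = TotpVerifier(secret, skew_steps=1)
    first = lenient.verify(phone_code, server_time)
    replay = lenient.verify(phone_code, server_time + 5)  # same code presented again
    return phone_code, strict, first, replay


if __name__ == "__main__":
    code, strict, first, replay = demo()
    print(f"phone code {code}: strict={strict} lenient={first} replay={replay}")
```

The 12-second drift straddles a step boundary here, so the zero-skew verifier rejects a perfectly good code while the one-step window accepts it; the replay guard then refuses the same code a few seconds later, which is the correct reason for an “Already used” message.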


Get past that. Security questions. “What was your first pet’s name?” I’ve never had a pet. “Where did you meet your spouse?” Not married. “Favorite teacher?” They’re all dead.

Make up answers. Write them down. Insecure? Everything’s insecure. The site stores passwords in plain text anyway. Found out last breach. 500 million passwords. Mine was “********”. Very secure.

CAPTCHA. Click all squares with traffic lights. Is the pole part of the light? Nobody knows. Click submit. “Please try again.” More traffic lights. Then crosswalks. Then bicycles. Then stairs. Fifteen rounds. Finally pass. “Session expired.”


Start completely over. This time: hardware key required. YubiKey. Solo. Titan. OnlyKey. Buy one. $70 for a USB stick that proves I’m me. Arrives in 3 days. Doesn’t work with Firefox. Use Chrome.

Chrome wants to sync. Needs Google account. Google wants phone verification. Phone needs carrier login. Carrier wants… hardware key. It’s turtles all the way down and the turtles all want different passwords.

Finally logged in. Site redesigned. Can’t find anything. Settings buried under seventeen menus. Dark patterns everywhere. “Enable notifications?” No. “Are you sure?” Yes. “You’ll miss important updates!” Don’t care. “Last chance!” FUCK OFF.

Try to read email. Need to accept new terms. 400 pages. Agree to arbitration. Waive class action rights. Allow data sharing with “partners.” 12,000 partners. Facebook. TikTok. Random company in Belarus. All to read text. Plain text. That used to work with:

telnet mail.server.com 110
USER me
PASS mypass
LIST
RETR 1
QUIT

Four commands. No JavaScript. No cookies. No tracking. No 2FA. Just email.


The nightmare continues. Need to reset password. Site emails a link. Link opens an app. App needs update. Update needs OS update. OS update needs Apple ID. Apple ID needs… 2FA.

Finally update everything. Click reset link. “Invalid token.” Get new link. “Too many reset attempts.” Account locked. Contact support. Support needs ticket. Ticket system needs account. Account needs email verification. Email needs…

Wake up screaming.

Check the time on my VT100. Still works. No authentication. No updates. No passwords. Just green text on black screen. Beautiful.


Modern “security” isn’t security. It’s liability management. It’s compliance theater. It’s making everything so unusable that when it breaks, they can blame you. “You should have enabled 2FA.” I did. “You should have used a stronger password.” It was 64 random bytes. “You should have…”

The most secure system is one nobody can use. We’re almost there.

Meanwhile, my mail server from 1987 is still running. Password is eight characters. No 2FA. Never been hacked. Because it’s not worth hacking. No JavaScript means no XSS. No database means no SQL injection. No features means no vulnerabilities.

But sure, make me verify I’m human again. The robots have already won. They can solve CAPTCHAs faster than me.

Going back to sleep. If I dream about OAuth, I’m formatting everything and becoming a farmer.


P.S. - Your password must contain the blood of a virgin, three Sanskrit symbols, and the true name of God. For security.