Comments

tra3 9d
That’s awesome. I was expecting a lament on how an amazing startup idea was stolen and monetized by someone else. Glad I’m wrong and the world is a little bit better.
hanoz 9d
Cool, well done. Hope the idea gets picked up by a few more developers here.

If you don't mind, I'm just pasting the URL into a comment to make it a link:

https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781...

frakkingcylons 9d
Yes! That’s such a nice feeling.

One of my GitHub projects was used in a demo at Google Cloud Next a while ago. The presenter was considerate enough to attribute the project to me by name during the demo and even sent me an issue just letting me know about it. That was so nice! Absolutely people should do this.

Aethylia 9d
Congratulations! Really good to hear, and definitely a nudge to me to let people know when their blog was useful.
spiffytech 9d
Years back, every web browser's built-in password manager locked up the page when submitting a login form, waiting for the user to answer "do you want to save this password?" before proceeding.

I thought that was silly: how do I know if I want to save the password before I've seen whether it's correct? Which I can't see until the form is submitted.

At the time I was using Opera, so I wrote in to their customer support suggesting that the prompt appear after the new page loaded. I never heard back, but a couple months later their next major release implemented exactly that behavior. A few months after, every other browser had followed suit.

I can't have been the only one bothered by the existing behavior, but given how long browsers had worked that way before I wrote in, I like to tell myself that the timing wasn't a coincidence, and that my little suggestion rippled out into a change that made a small thing better for the whole world :)

spuz 9d
OWASP actually includes this suggestion in their guidance for implementing MFA:

https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...

> When a user enters their password, but fails to authenticate using a second factor...:

> ...

> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.

> The notification should include the time, browser and geographic location of the login attempt.

> This should be displayed next time they login, and optionally emailed to them as well

NKosmatos 9d
Bravo!!! Such a simple (and more secure) change to the way 2FA works. This should be the standard and also mandatory in many similar cases. Good for you and for sharing this improvement, that’s the mentality all of us should have. Reminds me of how Volvo shared the 3-point safety belt patent with everyone else so as to make all cars safer, instead of keeping it to themselves in order to profit [ https://www.forbes.com/sites/douglasbell/2019/08/13/60-years... ].
Ayesh 9d
The Iceland NIC does this (https://www.isnic.is/en/site/login).

Customer support burden when they lose the 2FA key is solved by adding a hefty fee (around €100) to recover it. No WebAuthn support yet though.

Lendal 9d
As 2FA adoption spreads, the possibility increases that someone could be using 2FA but not know the rule about not reusing a password. This feature improves the spread of that gospel. It seizes the opportunity to impress an abstract concept to the technically-challenged in a way that is no longer abstract. I like it.
jonas-w 9d
I don't know about wrong 2FA codes, but Bitwarden notifies you if you have an "unfinished" 2FA login. If you type username and password correctly and then don't type in your TOTP token, it will notify you.
ezekg 9d
Related: I think it's surprising how many services leak whether or not a password is correct. E.g. bad password => error, good password => 2FA prompt.

You should verify a user's second factor before password.
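
Added example, not from the linked article or from any commenter here: a login check that applies the OWASP guidance quoted above (record a password-correct, second-factor-wrong attempt with its time, browser and location and show it to the owner at their next login) while answering every failed attempt identically, so the response never reveals whether the password alone was right. The salt, the account and the TOTP key are constructed demo values; the key is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice

def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the usual authenticator-app default."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class User:
    pw_hash: bytes
    totp_secret: bytes
    # Password-correct-but-code-wrong events, shown to the owner at next login.
    suspicious: list = field(default_factory=list)

def login(user: User, password: str, code: str, *, browser: str, location: str,
          now: Optional[float] = None) -> tuple:
    """Check both factors, then give one generic answer: a wrong password and a
    wrong code look the same, so failure never confirms the password alone. If
    only the code was wrong, the attempt is recorded for the owner's next login."""
    if now is None:
        now = time.time()
    pw_ok = hmac.compare_digest(hash_password(password), user.pw_hash)
    code_ok = hmac.compare_digest(totp(user.totp_secret, now), code)
    if pw_ok and code_ok:
        notices, user.suspicious = user.suspicious, []  # deliver once, then clear
        return True, notices
    if pw_ok:
        user.suspicious.append({"time": int(now), "browser": browser, "location": location})
    return False, []  # identical answer whichever factor failed

if __name__ == "__main__":
    # Constructed demo account; the TOTP key is the RFC 6238 test-vector secret.
    alice = User(hash_password("correct horse"), b"12345678901234567890")
    print(login(alice, "correct horse", "000000", browser="Firefox", location="Lyon", now=59))
    print(login(alice, "correct horse", "287082", browser="Firefox", location="Lyon", now=59))
```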

zoomablemind 9d
It's a nice courtesy from the product authors/implementors. Not only is it polite, it also acknowledges your contribution to the idea, though I'm not sure to what extent it does so formally.

All in all it is a great feeling to see your idea getting a concrete life. In a way, reporting an issue and a possible improvement to any product you care about is an essence of collaboration. Open source further helps to contribute by augmenting such effort with a skill to implement it.

wannabebarista 9d
I had a similar experience and it certainly made my day! I wrote some code to parse nested JSON and fill a hole in a tutorial. Here's my relevant post: https://bcmullins.github.io/parsing-json-python/.

Here's the plug for the project using my code: https://github.com/sinnfeinn/microweather.

mooreds 9d
Such a great idea! I filed a feature request on our GH issues list to implement this: https://github.com/FusionAuth/fusionauth-issues/issues/1888
Taylor_OD 9d
I haven't done this in many years, but for a while I was making creative content that was published online. Once in a while someone would contact me saying they liked what I did. I started doing the same. If I read an article I liked a lot, I would contact the person and tell them I liked it and why. About half the time they responded with thanks.

I didn't do this with NYT writers or anything. Just people who clearly don't get paid/paid much to make this content, but I found it useful/interesting/helpful. I think that stuff goes a long way and it really doesn't take that long to do.

I've got a tech podcast now and about once every month or two someone contacts me to say they liked it or something nice. It's a huge reason why I keep doing it. I know that sounds silly but the internet can be such a black hole. A little feedback goes a long way.

mncharity 9d
AFAIR, a 1980s MIT AI Lab "how to do research" memo suggested, as one way to build things: describe what you'd like to build, and maybe someone else will be inspired to do it, long before you'd have gotten around to it.
bilekas 9d
We implemented something that avoids the original article's 2FA notification.

After your password is approved, before 2FA, you get an email. So even if someone is somehow using the right 2FA, you are aware.

Our thinking was the most likely outcome was someone would hit 2FA, not have the code, and so close the request without even entering a bad code.

Apart from that though, it is always nice to get recognition for the stuff you put out there. I know I should do it more myself too.

Kalanos 9d
Normies: What the heck, he stole your idea :angry:
nishnik 9d
Five years back, YouTube didn't have the feature to queue your videos on the fly. You could have created a playlist, but then it is the same sequence of songs every time. So I hacked a Chrome extension to add/remove songs to a dynamic queue saved in your LocalStorage[1]. Later, YouTube added the queue feature. Sometimes I go on long hikes and think that it wasn't merely a coincidence. :)

[1]: https://github.com/nishnik/Play_Next

egberts1 9d
I once wrote something obscure.

About communication piggybacked over TCP/IP without changing any one bit of packet data.

https://egbert.net/blog/articles/pulse-width-covert-channel....

Some 20 years later, a guy posted on GitHub.

https://vimist.github.io/2019/01/30/Steganographic-Packets.h...

And made my day.

coenhyde 9d
When Apple released the very first iPod, I wrote to Steve Jobs to tell him that I would buy it if it was a phone too, as I don't want to carry two devices. I doubt I was the only one who had this thought, but I like to think I influenced the development of the iPhone. I never received a response from Steve.
wallfacer 9d
If any Spotify devs are here, please let me explore and add songs, artists and albums to my library without “hearting” it.

I often just want to follow up later by “adding to my library,” and it feels weird to “LOVE” it before ever hearing it. I really feel pain when I hear something terrible that I’ve already “liked” and consider the impacts to my algorithm.

Please distinguish between “like” and “save.”

A simple “plus sign” or really any other symbol that signifies “adding to a collection” without “liking” connotations (stars are out too).

theappanalyst 9d
I enjoyed when a French hacker used information from my blog to set off all the alarms of Bird scooters in Lyon, France for an evening.

I had written about (what I considered as) a vulnerability that allowed remote triggering of Bird Scooter alarms (Bird disagreed of course) on my blog [1]. I then saw this GitHub repo linked in the comments for setting off alarms of Bird scooters [2] and reached out to the author.

The author let me know that they had used the info in my blog to script a tool for setting off Bird Scooters en masse. They then targeted the script at all the scooters in Lyon and subsequently fell asleep. When they woke up they noticed the endpoint was disabled... Bird had taken the action to disable the API endpoint in response, of course.

Probably would've been easier to fix before someone scripted it out but it made for a fun story.

[1] https://theappanalyst.com/bird.html [2] https://github.com/pcouy/bird-whisperer

jaxn 9d
I emailed Tim O’Reilly in ~2001 and suggested they release PDF versions of their “Pocket Guide” reference books. I wanted to be able to have all of my pocket guides on my Sharp Zaurus (Linux handheld with keyboard, color screen, and Wi-Fi).

He went for it and offered me PDF copies of every Pocket Guide as a thank you.

weaksauce 9d
Great stuff rexfuzzle! That is indeed something that should be part of the standard security of apps nowadays. It costs surprisingly little to clone a phone number and get those 2FA requests on a new phone, so any heads up would be great to know.
v64 9d
> Tell people about things you do that they played a part in - it might just make their day.

Thank you for putting this out there!

I once reverse engineered the protocol for a popular mobile game so I could write my own client for it and posted my library online for others to do the same without any expectation it'd ever get seen. Months later, I received an email from someone reverse engineering the protocol as well for different purposes. They got stuck on a particularly difficult issue I also encountered (and documented), and googling it led them to my library, saving them hours of future work.

It definitely made my day and I'm still very proud of that project because of that.

Edit: There's a second part too! I just remembered that I've posted this story on HN before, and the last time I did a dev for the game emailed me saying he looked over the code and was impressed that I was able to figure out so much despite their deliberate efforts to keep the protocol locked down. Another great day!

call-me-al 9d
I filled in a market research survey for Hetzner they sent me by email. There were many questions on how they could do better, etc. I suggested to use the fact that they are German to convey high quality and attention to detail. Months later, I received a promotional email from them in which they were using almost word for word what I had suggested. I guess this one is on me, Hetzner.
HorizonXP 9d
This is precisely what I love about the Internet and humanity.

Recently, I got into RC cars. I was watching a YouTube video discussing the long-term issues that can arise with the particular model I own. In the video, the presenter mentions that “maybe you could 3D print something” to help address a deficiency in the vehicle design.

I just purchased a 3D printer, and thought, “Maybe I can design it myself.”

Lo and behold, someone already did, and cited the same YouTube video as their inspiration: https://www.thingiverse.com/thing:4982263

How amazing and cool is that??!

anshumankmr 9d
No kidding -> I am a beta tester for WhatsApp on Android (I don't really do anything much nowadays), but some years ago I wrote a feature request for it that there should be a way for a small business to communicate with its users (my parents own a small business). A couple of years later, Facebook rolled out a WhatsApp for Business API. So you maybe have me to thank for this.

(I don't really believe that my message really caused this to happen; it's for sure a weird coincidence to me.)