Don't trust Two-Factor Authentication on 500px.com
Basically, I did a factory reset on my phone and forgot to back up my Google Authenticator codes. Because of this, I lost access to 17 web services where I use this app to generate codes.
All of the web services provided backup codes when I enabled the 2FA, except one: 500px.com (or maybe they did but I couldn't find them / forgot to get the codes).
When I try to log in I'm asked for a Google Authenticator code, which I don't have. No SMS token, no backup code.
Because of this, I emailed 500px support asking them for a solution, and their response was:
---------------
Hey there,
Thanks for getting in touch. I have gone ahead and reset the authenticator for you as requested.
Best wishes,
<S. B.>
Customer Excellence
500px
---------------
(I removed the employee name because I don't know if it's a good or bad idea to post names here.)
Customer Excellence, really?
Basically, if you get your email compromised, the offender can just email 500px support and get the 2FA disabled without ANY check.
This reminds me of the story of @N on Twitter (https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.253of5gmx).
So why do companies do this? 2FA is useless if they disable it on a per-request basis without any check. The 2FA is supposed to help when your email is compromised.
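To make the point concrete, here is an added example (not code from 500px or from this post) of what a recovery path that does not collapse 2FA back to "whoever controls the mailbox" looks like: single-use backup codes generated at enrolment and stored only as salted PBKDF2 hashes, and a reset policy that honours a request only when the requester redeems a valid backup code or has passed a separate out-of-band identity check. The `Account` class, the `request_2fa_reset` policy and the evidence flags are assumptions for the sake of the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Alphabet without visually ambiguous characters (no 0/o, 1/l/i).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10
BACKUP_CODE_COUNT = 10
PBKDF2_ITERATIONS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    """Slow hash so a leaked user table does not yield usable backup codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    """Hypothetical account record; only hashes of unused backup codes are kept."""
    email: str
    totp_enabled: bool = False
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    backup_hashes: List[bytes] = field(default_factory=list)


def generate_backup_codes(account: Account, n: int = BACKUP_CODE_COUNT) -> List[str]:
    """Enable 2FA and return fresh backup codes. Plaintext is shown once, never stored."""
    codes = [
        "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
        for _ in range(n)
    ]
    account.backup_hashes = [_hash_code(c, account.salt) for c in codes]
    account.totp_enabled = True
    return codes


def redeem_backup_code(account: Account, candidate: str) -> bool:
    """Constant-time match against stored hashes; a matching code is consumed (single use)."""
    h = _hash_code(candidate.strip().lower(), account.salt)
    for i, stored in enumerate(account.backup_hashes):
        if hmac.compare_digest(h, stored):
            del account.backup_hashes[i]
            return True
    return False


def request_2fa_reset(
    account: Account,
    backup_code: Optional[str] = None,
    verified_identity: bool = False,
) -> str:
    """Support-desk policy: an email from the account's own address is never evidence.

    verified_identity models a separate proof (e.g. signed letter plus ID copy),
    checked elsewhere; it is an assumed input here.
    """
    if not account.totp_enabled:
        return "not_enabled"
    if backup_code is not None and redeem_backup_code(account, backup_code):
        account.totp_enabled = False
        return "reset_via_backup_code"
    if verified_identity:
        account.totp_enabled = False
        return "reset_via_identity_check"
    return "denied"


if __name__ == "__main__":
    acc = Account(email="user@example.com")  # constructed sample account
    codes = generate_backup_codes(acc)
    print("show these once:", codes)
    print(request_2fa_reset(acc))                        # denied: mail alone is nothing
    print(request_2fa_reset(acc, backup_code=codes[0]))  # reset_via_backup_code
```

The only way a mailbox takeover leads to a reset here is if the attacker also holds an unused backup code or can pass the out-of-band identity check; the email itself contributes no evidence.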
So basically, use a social login on 500px or don't rely on the 2FA, because it doesn't work. I'm happy that now I can log in, but breaking my security this way is not funny, and no company should do this; that's why I post it here, for awareness.
PS. I had a similar problem with OVH, but at least they have a process that requires personal information: a signed letter with a copy of your ID card.