by gruez 780 days ago
>IT "Security" is reaching new heights of being bullshit. You can't win, and asking people to buy multiple devices and keep them continuously in sync is a bit much

You likely don't need to buy multiple devices. I log in from random countries/VPNs all the time and never have issues, but I do have 2fa enabled. If your account only has a password and there was a suspicious sign in attempt, it's reasonable for them to ask for additional verification somehow because you could be a victim of a credential stuffing attack. It's hard for companies to win here. Either people complain about their accounts getting randomly locked because they were on vacation in Romania and tried signing in on a new device, or the companies get grilled by the media for "failing to proactively protect their users' data" or whatever.


I would agree with you if there actually was anything different in a suspicious way about those logins. There weren't. Same devices, same ISP, same browsers, not even an OS update in between. Just one day, a few days ago, out of the blue, Facebook decided to pop up a confirmation request, offering no alternative to confirming from "another device", and that's with them knowing (or at least having that information available) that there are no live sessions of that account (the whole browser in private mode thing).

Maybe the companies can't win, but they also have themselves to blame. They shouldn't have convinced people to entrust their only copies of data with them. Your vacation photos should not depend on someone's cloud platform. Half of your entire offline life shouldn't depend on Google not randomly locking you out of GMail. But here we are, and I'll keep calling those "security updates" bullshit because they don't care about long tail, and they don't care about hazards they create for most of their users.

My experience with Meta is it is just a PII fishing expedition masquerading as a security check.

I abandoned my facebook account when they asked for my driver's license scan; a few weeks later suddenly they didn't need it after all. My BIL recently wanted me to check out something he had set up on facebook and I found I could "login" by clicking one of the "what are people doing" spam emails they send. I've never used it on this PC before and have no idea what the password even is anymore. Super secure.

What would happen if you sent them a realistic, but fake generated scan?
How many laws would that break?
It breaks a law when you are legally required to authenticate. But when a random dude on the internet asks you, you're not required to do anything.
> and that's with them knowing (or at least having that information available) that there are no live sessions of that account (the whole browser in private mode thing).

Unless you explicitly logged out, they are likely to see the opposite picture, i.e. numerous "valid" sessions (as opposed to active) that haven't been used for varying lengths of time because you logged in, but from their perspective, you never logged out. You just cleared your cookies, which means the session is still "valid", even if it's inaccessible to you because the session cookies have been cleared from your device.

I don't know if they take any of this into account but as you've pointed out, assuming that the rightful owner of the account must have access to a different session is a huge assumption to make.
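To make the "valid but not active" distinction concrete, here is an added example (not from the thread and not Facebook's code) of a toy server-side session table: closing a private window only discards the client's cookie, while the server's record survives until an explicit logout. The user and device names and the fake clock are constructed for the example.

```python
import secrets


class SessionStore:
    """Server-side session table (constructed example). A record lives until the
    server revokes it; the client discarding its cookie never touches this table."""

    def __init__(self):
        self.now = 0.0       # fake clock, seconds, so the example is deterministic
        self.sessions = {}   # session_id -> {"user", "device", "last_used"}

    def login(self, user, device):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "device": device, "last_used": self.now}
        return sid  # this value is what the server sets as the session cookie

    def use(self, sid):
        """A request carrying a known cookie refreshes last_used."""
        rec = self.sessions.get(sid)
        if rec is None:
            return False
        rec["last_used"] = self.now
        return True

    def logout(self, sid):
        """Explicit logout is the only operation here that removes a record."""
        return self.sessions.pop(sid, None) is not None

    def valid_sessions(self, user):
        """Sessions the server still honours, used recently or not."""
        return [s for s in self.sessions.values() if s["user"] == user]

    def active_sessions(self, user, idle_limit):
        """Subset of valid sessions seen within idle_limit seconds."""
        return [s for s in self.valid_sessions(user)
                if self.now - s["last_used"] <= idle_limit]


def private_window_scenario(explicit_logout=False, idle_limit=3600):
    """Log in from a private window, close it (cookie discarded client-side),
    return a week later. Returns (valid, active) counts as the server sees them."""
    store = SessionStore()
    jar = {"session": store.login("alice", "laptop/firefox")}
    store.use(jar["session"])
    if explicit_logout:
        store.logout(jar["session"])  # tells the server; the record disappears
    jar.clear()                       # closing the private window only does this
    store.now += 7 * 24 * 3600
    return len(store.valid_sessions("alice")), len(store.active_sessions("alice", idle_limit))
```

Without an explicit logout the server still holds one valid, idle session a week later, which is why a "confirm from another device" prompt can be aimed at a session the user no longer has.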

That's the reason to set up 2fa, because otherwise monopolies can legally kick you. Well, they can kick you anyway, because they are monopolies.
2FA makes it easier, not harder, to lose access to your account though.