
I'm wondering if it's a badly-worded way of saying "anyone in the system gets kicked out and has to re-2FA".

If they literally removed 2FA from everyone, that's insane.




crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.

But basically in this case, you didn't even need a password to log back in; it was just an email with a link to click, then FaceID/PIN, and you were logged in and prompted to re-add 2FA. The app must store the password itself somehow and use it automatically.

Anyone know how they do auth on the app?

For users in the US there is no way to change the password, because the webapp (which might have that feature) is not allowed to be used from the US.

Once I asked how to change the password and support said I can change the PIN on the phone and "don't worry, your funds are safe".


> crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.

If you're speaking from experience as a user of their service, I strongly suggest that you use a different exchange. Gemini and Coinbase both have very easy-to-understand authentication systems. If you don't understand the authentication system, that's a good red flag that you should take as a reason to move to a more trustable platform.

(Just my two cents, as someone who works on authentication system architecture design.)


Good point. Overall the user experience of crypto.com is really nice though.

I mean the app is tons better than Coinbase, and I think that's a big reason crypto.com is growing tremendously. Users like it.


Agreed. As someone who has integrated with dozens of crypto bank APIs, I can tell you Gemini's authentication and security is top notch (second only to Fireblocks).


From my experience as a user, you don't have a password. They log you in via an email link, you have a PIN, and you have 2FA.


> it was just an email to click a link,

An e-mail with a link to actually click? Does anyone else see those flashing red lights and hear that alarm klaxon? Please do me a favor and drop those assholes like a bad habit. They are going to cost you whatever assets of yours they have in their control.


The fight to teach users not to click links in emails has been lost, IME. And if forgotten passwords can be resolved via an emailed one-time secret, then email is effectively a skeleton key anyway.


Do they use something like this? I've never used crypto.com.

https://magic.link/


I use crypto.com and they removed 2FA from me earlier in the week, asking me to set it up again. It was worrying as I wasn't sure if it was a scam, there was no reasoning behind it.


Yes, they literally logged everyone out, removed 2FA, and on the new login, users had to re-add 2FA.


Wouldn't this also allow an attacker to add his own 2FA?


Doesn’t really matter if your 2FA keygen algo got completely compromised.


Of course it matters. Even if we assume someone figured out how to own the 2FA system, that knowledge doesn't magically make its way into the brain of every script kiddy capable of credential stuffing a login form. They're two totally different vectors with different surface area.
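As an added example (not the thread's code and not crypto.com's), a Python sketch of the re-enrolment flow the comments above debate: when a user is asked to re-add 2FA, the server accepts a new TOTP secret only with proof that the requester is the account holder, either a code from the still-registered secret or an unused recovery code, so that a login alone (for instance one obtained by credential stuffing) cannot enrol an attacker's authenticator. The HOTP/TOTP functions follow RFC 4226 and RFC 6238; the `Account` class, the one-step drift window, and the recovery-code handling are assumptions. If the old secret itself is assumed compromised, as one comment supposes, the recovery-code path is what remains, which is why it is kept separate.

```python
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class Account:
    """Assumed server-side record: the current TOTP secret plus hashed recovery codes."""

    def __init__(self, totp_secret: bytes, recovery_codes):
        self.totp_secret = totp_secret
        self._recovery_hashes = {_hash(c) for c in recovery_codes}

    def verify_totp(self, code: str, at: float) -> bool:
        # Accept the current 30-second step and one step either side for clock drift.
        counter = int(at // 30)
        return any(
            hmac.compare_digest(hotp(self.totp_secret, counter + d), code)
            for d in (-1, 0, 1)
        )

    def consume_recovery_code(self, code: str) -> bool:
        """Recovery codes are single use: a valid one is removed when spent."""
        h = _hash(code)
        if h in self._recovery_hashes:
            self._recovery_hashes.remove(h)
            return True
        return False

    def rotate_totp(self, new_secret: bytes, proof: str, at: float) -> bool:
        """Install `new_secret` only if `proof` is a current TOTP code or an unused
        recovery code. A caller who merely holds a logged-in session gets False,
        which is the property a forced 're-add 2FA' step should preserve."""
        if self.verify_totp(proof, at) or self.consume_recovery_code(proof):
            self.totp_secret = new_secret
            return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and two made-up recovery codes.
    acct = Account(b"12345678901234567890", ["rc-one", "rc-two"])
    now = time.time()
    print("session only, guessed code:", acct.rotate_totp(b"attacker", "000000", now))
    print("with current code:", acct.rotate_totp(b"fresh", totp(acct.totp_secret, now), now))
```

The weak variant the thread worries about is `rotate_totp` with the `if` removed: any authenticated session may overwrite the secret, so whoever logs in first after the mass reset owns the second factor.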


My thought is that it’s not really 2FA, and 2FA means temporary tokens, and there’s a method to gain entry with just login+token, e.g. via password reset.


You can just make up whatever factors.

If you want to deliver security then MFA is an interesting strategy that needs careful consideration and planning, you might end up building things like Security Keys so as to solve real threats. You might fix real problems (Google eliminated phishing) at your organisation.

But if your goal is to bamboozle fools into giving you their real money in exchange for Itchy and Scratchy money that you may or may not then "lose" then you don't need all that hard work. Take whatever nonsense you cobbled together and say it's "Two factor" because that means "good" to people who don't know any better.


This is hilarious. This company is literally at the apex of the crypto industry and this is the kind of mistake they make. Yeah, immutable smart contracts written by their fellow proponents will also save the world lol


Calling crypto.com anything near "apex of the cryptocurrency industry" is a very broad lie. Crypto.com is for people who just "wanna invest in crypto and get rich"; others who are actually involved in the space (developers, companies and others) are nowhere near crypto.com, as they have proven time and time again they are not serious about anything, even the basics like security.


I would argue that by you giving the torch to crypto.com as the company that caters to casual users that "just wanna invest and get rich", it is indeed one of the apexes of the industry. A product successfully marketing a fringe and specialized technology to the average consumer is just that.


Is it? I'm not sure of the number of total accounts, but anyone who knows anything about crypto is suspicious of crypto.com as a platform, and I don't know anyone who uses it when things like Coinbase are available. They just bought an expensive URL and spammed a bunch of ads. If that makes them the apex of the industry, I guess CALL THE GENERAL AND SAVE SOME TIME is the apex of the car insurance industry.


The two car insurance companies I see the most adverts from are State Farm and Geico - and yes, it looks like those two are the apex of their industry: https://www.valuepenguin.com/largest-auto-insurance-companie...


This is a common play in several industries. Art of Shaving markets itself well to casual people interested in traditional shaving products but they take regular products, mark them up by a lot, rebrand and then upsell. Nobody claims Art of Shaving is the apex of shaving. Best Buy does similar marketing in regard to electronics, but Best Buy certainly isn't the apex of electronics retailers. What makes you think cryptocurrency companies would be any different?


I would say Best Buy is an apex electronics retailer. Why wouldn't you?


Yes, but not the apex of the "electronics industry".


But that's not the industry he said.


Aren't they one of the largest exchanges?

EDIT: They're #3 (bigger than Coinbase). Only OKX and Binance are bigger[1].

1. https://www.coingecko.com/en/exchanges


No!

Coinbase is a large exchange...


I checked.

Crypto.com is the #3 exchange and bigger than Coinbase[1].

1. https://www.coingecko.com/en/exchanges


I don't think that's true... bigger than Binance? By what metric?


Coinbase doesn't have to be bigger than Binance to be "a large exchange" - we're not talking about "largest exchange" if you read the message.

It's definitely more established than crypto.com though.

Do you think crypto.com is larger than Binance?


Sorry, completely misread; I thought you were saying it's the biggest.


I have an ex-colleague working there as lead dev: knowing him, no, they're not at the apex lol


> This company is literally at the apex of the crypto industry

Cryptocurrency was not even supposed to have these pseudobanks called exchanges leading this space. It wasn't even supposed to be an "industry".

People were supposed to mine cryptocurrency on their own commodity hardware and use that to transact amongst themselves.


Almost like its core mission statement was only led by the voluntary virtuosity of its participants - and wasn't as novel as previously thought. Huh.


It's basically a digital gold standard, and the gold standard hasn't led to an enlightened society either.

"Insanity is doing the same thing over and over again and expecting different results."

For me there are really only two alternatives. Negative interest on cash or competition among currencies (free banking). All those people shouting that Bitcoin should become the global reserve currency don't actually understand that a global reserve currency is a terrible idea and are only in it for the money.


Isn't this equivalent to saying the entire health industry is fake and untrustworthy because of Theranos? I don't know; it looks kind of the same to me, and sounds absurd.


I'd say Coinbase is the company at the apex of the US cryptocurrency industry.

crypto.com is a two bit player in comparison.


Crypto bros versus banks that have been doing this for 100 years.


> users had to re-add 2FA

And you are not asked to do this while logging in again. It is assumed you know why you have to reauthenticate and that you have to re-add 2FA in your app settings…


Based on them saying they migrated to a new 2FA system, I think it's the latter - they disabled the current 2FA option and required everyone to register a new 2FA method.

> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.


What are the odds they migrated to a new 2FA system in a few days without introducing new, serious bugs?


Pretty sure that's what they meant. They said "tokens."



