LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.


Should I be on Patreon?

I’m not a millennial and I don’t have any tattoos or piercings, so I would appear to be wildly ineligible for Patreon.

Yet I’m still curious about using that crowdfunding site to give people a chance to underwrite my work if they feel so inspired. I can’t tell if that is me being entrepreneurial or vain, so I’m writing this post to try to untangle my thoughts.

I first encountered Patreon when founder Jack Conte gave an exuberant presentation on the site’s backstory at 2013’s XOXO conference. (His talk rambles a bit–which is fine if you enjoy dancing robots–but overall merits 24 minutes of your time.) I decided that letting fans pledge as little as a dollar or two a month to indie creatives was a smart response to declining ad rates and the overall horribleness of the content industry. And then I thought little more about that concept until I started seeing more people and sites I know pop up on Patreon.

You can sum up the Patreon proposition as “Kickstarter over time.” Instead of asking for support for a particular project, creators invite fans to kick in a defined sum each month to support their ongoing efforts–and can also offer extra rewards for contributions above a certain level.

For example, my friend Glenn Fleishman‘s typographic-centric pitch includes exclusive or early access to his articles, science-minded podcaster Rose Eveleth offers a patrons-only newsletter, and the Arlington news site touts a private Facebook group for more-generous contributors.

After conversations with a few Patreon fans at XOXO this September, I e-mailed Glenn to ask how that was working for him.

His two bits of advice: Find something you can provide to Patreon contributors that they couldn’t get elsewhere, and show what their support lets you do that you couldn’t accomplish otherwise.

I think I have a good answer for that first item: my time. As most people who have e-mailed me can attest, getting my attention when I’m constantly changing channels between stories and clients is… problematic. If I could offer something like a private Slack group or some other closed forum, I’d like to think that would appeal to people who miss the Web chats I did at the Post. (I miss them too.)

The second thing, though, is harder to answer. I think I do a decent job of selling enough stories from each out-of-town event to cover my travel costs… although conferences like the Online News Association’s annual gathering routinely defy my attempts to monetize them. Would that be enough of a what-you-helped-me-do story?

My other concerns: I wouldn’t have enough time to tend a Patreon page (note that I’m typing this near 10 p.m. on a Saturday); nobody would support it; worst of all, nobody would support it, and outsiders would then point and laugh.

At the same time, I like the idea of generating another stream of income, even if it only underwrites one trip a year. Getting acquainted with the inside of a crowdfunding platform seems like an overdue to-do item for me. And the last few months have made me increasingly uneasy about relying on my Facebook page for occupational banter with readers.

Having spent this much time musing about crowdfunding, I might as well crowdsource part of this decision. Please take the poll below, and if you have suggestions for what you’d want me to do at Patreon or another crowdfunding platform, please share them in the comments.


Credit where it’s due: Thanksgiving tech support has gotten easier

I spend a lot of time venting about tech being a pain in the neck, but I will take a break from that to confirm that my annual Thanksgiving-weekend routine of providing technical support has gotten a lot easier over the last 10 years.

The single biggest upgrade has been the emergence of the iPad as something usable as the only computer in the house. It took a few years for Apple to make that happen–remember when you had to connect an iPad to a computer for its setup and backups?–but Web-first users can now enjoy a tablet with near zero risk of malware and that updates its apps automatically.

As a result, when I gave my mom’s iPad a checkup Wednesday afternoon, the worst I had to do was install the iOS 12.1 update.

That left me free to spend my tech-support time rearranging that tablet’s apps to keep the ones she uses most often on the first home screen.

Things have gotten easier on “real” computers too. Apple and Microsoft ship their desktop operating systems with sane security defaults and deliver security patches and other bug fixes automatically. The Mac and Windows app stores offer the same seamless updates for installed programs as iOS and Android’s. And while Google Chrome and Mozilla Firefox aren’t in those software shops, they update themselves just as easily.

But the openness of those operating systems makes it easier for people to get into trouble. For example, a few weeks ago, I had to talk a relative through resetting Chrome’s settings to get rid of an extension that was redirecting searches.

Other computing tasks remain a mess. On a desktop, laptop or tablet, clearing out storage to make room for an operating-system upgrade is as tedious as ever, and it doesn’t help when companies like Apple continue to sell laptops with 128-gigabyte SSDs. Password management continues to be a chore unless (duh) you install a password manager.

Social media looks worst of all. Facebook alone has become its own gravity well of maintenance–notifications to disable to curb its attention-hogging behavior, privacy settings to tend, and propaganda-spewing pages to avoid. There’s a reason I devoted this year’s version of my USA Today Thanksgiving tech-support column to Facebook, and I don’t see that topic going out of style anytime soon.

Of course I didn’t see how social media could be an accelerant for bigotry

It took a few years after I first reviewed Windows XP for me to realize the enormous omission from my initial assessment of that operating system: It didn’t even include the word “security.” It feels like I’ve devoted much of my work since to making up for that shortfall.

I’ve had the same unpleasant realization over the past few years about social media. Just as my first look at XP showed no imagination about how an OS designed to run on trusted networks would fare on the open Internet, my early writing about social networks evidenced inadequate foresight about how they might help bigots to bond.

Consider, for instance, the Twitter explainer I wrote for the Post in 2008. I loved writing that almost exclusively as a series of 140-character-compliant paragraphs, and I think as prose it holds up well. But although Twitter was still figuring out the basic mechanics of @ mentions then, the piece reveals no consideration of how Twitter’s architecture might let bigoted trolls recruit like-minded people to scale up a Twitter mention’s compelled attention into a denial-of-service attack.

The evidence was there: A year before, writer Kathy Sierra had endured a hail of death threats for the crime of having two X chromosomes while expressing value judgments about technology. But my attention was elsewhere.

I can file away my naïveté about Windows security on not doing enough background research, but I can’t untangle my lack of imagination about social networks from having used them exclusively as a straight white man with an Italian (read: Catholic) last name. On every social network I’ve used–from Usenet newsgroups to Slashdot to the Post’s comments to Twitter and Facebook–I’ve had the unrequested benefit of not being routinely attacked for my gender, sexuality, race or religion.

But I never quite realized that until writing about Gamergate. I spent the day before that Yahoo Tech post ran locking down every important account and steeling myself for a toxic response online. Then nothing bad happened and nobody tried to destroy my critique by impeaching my identity. I can now confirm that white privilege is a hell of a drug.

Since then, we’ve had another unforeseen development: a president who has bragged about sexual assault, regularly evokes such anti-Semitic memes as “globalists”–a laundered code word for international Jewish financiers–and said neo-Nazis in Charlottesville last August included “very fine people.” Trump’s dog-whistling seems to have encouraged some bigots to crawl out from under their rocks and look for company.

Some have also been inspired to look for ways to kill people they see as “the other.” This bigotry boom has a growing body count–in C-ville last year, where I paid my respects at the memorial to Heather Heyer earlier this month, and today at a synagogue in Pittsburgh’s Squirrel Hill neighborhood. Last week’s pipe-bombing attempts could have added to that toll.

I’m sorry that I was asleep to so much of this before. I think I’m awake now, but I want you to tell me if you see otherwise.

A different default browser with a different default search

Several weeks ago, I switched my laptop to a setting I’d last maintained in the previous decade: Mozilla Firefox as the default browser.

Firefox took the place of Microsoft’s Edge, which I’d decided to give a shot as part of my reintroduction to Windows before seeing Edge crash too often. In another year, I would have made Google’s Chrome the default instead–but a combination of privacy and security trends led me to return to an old favorite.

Firefox had been my default browser in Windows since February of 2004, when it was an obvious pick over the horrific Internet Explorer 6. But a few years after the 2008 introduction of Chrome, Firefox had stopped keeping up, and I began relying on Chrome in Windows.

I kept Safari as the default on my Macs for its better fit with the operating system–although its memory-hogging habits had me close to also dumping it for Chrome until a recent round of improvements.

Last year, however, Mozilla shipped a faster, more memory-efficient version of Firefox. That browser has since finally caught up with Chrome in supporting “U2F” two-step verification, where you plug in a cryptographically signed USB flash drive to confirm a login. And as I realized when writing a browser-comparison columns for USA Today, Firefox comes close to Safari at protecting your privacy across the Web–especially if you install its Facebook Container extension, which blocks Facebook’s tracking at other sites.

This doesn’t mean I’ve dropped Chrome outright. I almost always keep both browsers open, with much of my Chrome tabs devoted to such Google services as Gmail and Google Docs. (Confession: I only learned while writing this that Google Docs’ offline mode now works in Firefox.) Chrome continues to do some things better than Firefox–for instance, while it doesn’t offer a simplified page-display option like Firefox’s Reader View, it’s been more aggressive at disciplining intrusive ads.

When I set Firefox as the default in Windows, I also switched its default search from Google to the privacy-optimized DuckDuckGo. That’s something I’d done in my iPad’s copy of Safari years ago, then recommended to readers last July in a Yahoo post; it seemed a good time to expand that experiment to a browser I use more often.

Since DuckDuckGo doesn’t match such Google features as the option to limit a search to pages published within a range of dates, I’m still flipping over to Chrome reasonably often for more specialized searches. But even there, I’ve reduced my visibility to Google by setting a sync password to encrypt my browsing history.

All this adds up to considerably less Google in my Web life. I can’t say it’s been bad.

Twitter Moments: where context goes to die even more

Two articles recounting politicians not telling the truth caught my eye Tuesday morning. That would have made it another day ending in “y,” except that the story each candidate sold didn’t make them look that much better or worse than the reality documented in contemporary records–why stick to the unsupportable story?

So I tweeted that thought and linked to these pieces about Democratic senatorial candidates: a report by the New York Times’ Jonathan Martin on how Rep. Kyrsten Sinema’s (D.-Ariz.) tales of childhood homelessness didn’t square with her family’s utility bills from those years of grinding poverty, and a fact-check by the Washington Post’s Glenn Kessler ruling out a debate claim by Rep. Beto O’Rourke (D.-Tex.) that he did not try to flee a 1998 DWI arrest that he has otherwise owned up to as inexcusable.

Four hours later, Twitter’s app notified me that this tweet had been added to a Moment–a curated collection of tweets on a topic that can show up in the timelines of people who don’t follow you. You can’t opt out of this publicity without blocking the account that created the Moment, which seems impossible if Twitter’s editors were behind it.

Then my notifications started getting a little weird.

I got a bunch of retweets and likes from people who had stuck #MAGA hashtags in their bios (as in, the acronym for President Trump’s favorite slogan) or added a red X to their name (a protest against Twitter “shadow-banning” right-wing voices, an allegation that has yet to survive independent scrutiny). Maybe they thought they’d found a kindred spirit; if so, they could not possibly have looked at my other recent political tweets.

But I also received shout-outs from a few people with Resistance hashtags or blue-wave emojis conveying their outrage at Trump’s GOP. They might have approved of my overall output on Twitter, but they could not possibly have read the reports I shared in that tweet–maybe they thought I was talking about Trump or his Supreme Court nominee Brett Kavanaugh?

This kind of context asphyxiation can happen any time on Twitter, but a Moment’s ability to catapult a tweet far out of your normal audience and its usual context magnifies the odds enormously. I got a sense of that from watching Helen Rosner’s XOXO talk three weeks ago, but now I understand this from firsthand experience. Thanks, I guess?

Why I attended two monetization-resistant conferences

I spent the past two weeks betraying a basic rule of self-employment: Don’t go someplace without having enough work lined up to pay for the trip. Worse yet, I paid for a conference badge–twice.

I had my reasons. The XOXO festival in Portland promised a repeat of the mind-expanding, heartening talks I watched with rapt attention in 2013 and 2015, plus the side reward of getting to spend a few days in a city I like but hadn’t visited since 2015. The Online News Association conference in Austin, meanwhile, would bring its usual mix of professional development and catching up with old friends.

XOXO stageI had hopes of selling a post or two from each, but I’d still lose money from each trip (and then I wound up not selling anything at all). So what did I get for my $500 XOXO pass and $439 ONA registration, plus airfare and lodging for each?

This year’s XOXO was not the same independent-creativity pep talk as before, because most of the speakers didn’t address that theme. But there were some seriously compelling talks anyway:

  • Jonny Sun and then Demi Adejuyigbe talked with candor and hilarity about battling impostor syndrome;
  • Jennifer 8. Lee explained how she worked the emoji-governance system (yes, there is one) to get a dumpling emoji added;
  • Claire L. Evans retold some forgotten stories about female computing pioneers;
  • Helen Rosner spoke about being defined by an out-of-context tweet and having to defend her expertise, then led the audience in a recitation of this pithy, profane self-affirmation: “I am really smart, and I am really good at what I do, and you should fucking listen to me.”

Trust me, you will want to watch these whenever the organizers post the video to their YouTube page.

XOXO also had a day of meetups across Portland and endless conversations with fellow attendees. Somehow, this conference manages to attract some of the kindest, nicest people on the Internet; it’s a wonderful contrast to the acid bath that is Twitter on a bad day.

XOXO postcardThe people at ONA may not have been as uniformly pleasant–look, if we journalists had a full set of social skills, we’d all have real jobs–but that event had the advantage of being much more tightly focused on my professional reality. It’s not by accident that I’ve gone to every ONA conference since 2014.

There, too, the talks were terrific:

ONA was as great as ever for networking, I had more than my fill of delicious tacos, and I got to hear Dan Rather give a brief talk at an evening event and then shake his hand afterwards.

In retrospect, XOXO is an expense I wouldn’t repeat–although I’ve yet to go to that festival in consecutive years anyway. My takeaway from this year’s version is that instead of flying across the country to get these different perspectives, I should try harder to find them around D.C.

ONA, however, is pretty much guaranteed to be on my schedule next year–the 2019 conference will be in New Orleans. How can I not do that?