The Stack Overflow Podcast

It's 2FA's world, we're just living in it

Episode Summary

On today's episode we talk about Microsoft's big push towards a world without passwords. We also discuss what it's been like to live and work in a world increasingly dominated by two-factor authentication (2FA), and sometimes three-factor authentication. Last but not least we talk a little bit more about our favorite game, Dwarf Fortress, and the joys of procedurally generated worlds.

Episode Notes

Check out more about Microsoft's efforts to ditch passwords here.

When 2FA just won't do, 3FA to the rescue. Just pray we aren't headed towards five factors.


Episode Transcription

Ben Popper I'm pretty sure the password and the biometric like were enough, right? Like what—somebody cuts off my finger, like they deserve to see my Google Docs, you know? [Cassidy & Ryan laugh] They've earned it.

Ryan Donovan They did the work.

BP Did the work, yeah.

[intro music]

BP Visit linode.com/StackOverflow and see why Linode has been voted the top infrastructure as a service provider by both G2 and TrustRadius. Linode makes cloud computing fast, simple and affordable. Visit linode.com/StackOverflow, and you'll get $100 in credit. All right, head on over there. Let them know the podcast sent you and support the show. 

BP Hello, welcome to the Stack Overflow podcast everybody! I am Ben Popper, Director of content here at Stack Overflow and I'm joined as I will be, forevermore, by my great crew of co-hosts—we have to come up with a good system. I don't think me saying "Hello, I'm this person." And then name checking all of you is right. I think we're supposed to do like a like record that at the beginning. And it's like "These are your hosts!" And like a little bit of fun music and whatever. And then we just come in cold open. 

Cassidy Williams So you can do something like "It's Ben! Cassidy! Ceora! And Ryan!" [Ceora laughs]

BP Yeah, yeah. Super cheesy like Brady Bunch era music. That fits your vibe.

RD Yeah, let's do the pre-recorded. 

BP Okay, so now you already know a podcast you're listening to because there's a really clever and fun intro. And we were just here chit chatting about video games. So Ryan loves this game Dwarf Fortress, and he got the chance to interview the guy. He's been working on this text based adventure game for 20 years. So it's pretty fun to talk to him about what it's like to code something for 20 years and you like forget even what's your own—there's three Tarns? There's Tarn from the past, Tarn from the present, and future. And then today again, Dwarf Fortress is at the top of Hacker News. I had never heard of this. Cassidy, Ceora, have you ever heard of this much beloved game?

CW Oh yeah.

Ceora Ford I haven't. I will say though, I know nothing about gaming except for like the very basic like Mario Brothers. But other than that, like, I know nothing. 

RD Yeah, this one is not quite user friendly. It's all text based.

CW It's procedurally generated, right?

RD Yeah. Everything is procedurally generated. Like the world you play in, the history, the myths, everything is procedurally generated.

BP For your little instance? Or can you play with multiple people like inside of one?

RD I mean, you can do that if you want to send save files to people. Real old school like that. Cassidy, have you tried it out?

CW I haven't. But I've read so much about it, because I love the idea of making a procedurally generated game. But there's like a disconnect there with my traditional web back end, front end, that end of my brain with this kind of game development, because it's so interesting. And so math based. I love the idea of it.

CF Can you explain what procedurally generated means?

CW Yeah. And so every single map or I guess it's text based—

RD It's maps, it's just displayed with text. 

CW Yeah. So every single map that you see in a procedurally generated game is different. And it's the kind of thing where, okay, there's a somewhat short tunnel here. If you take a few steps, could it continue being a short tunnel? Or could it get much larger? Or will it twist around a curve, and there's like a random chance of any of those things. And so because there's a random chance of all of these different options, you end up getting a custom level every single time.

RD Yeah, basically, instead of there being you know, a set level file, everything is generated by procedures within the code.

CW It's very cool. I love the concept. And there's quite a few modern games that use that as well.

CF Is it complicated to code though? It kind of sounds like it.

RD I think so. I mean, he does have a math PhD. [Ryan laughs]

CF Ah! That's enough—that's enough for me.

BP He has his PhD in geometry?

CW I do think that anybody can do it. It's just a different mindset of the style of coding. Because really, it's based on where you are like in the map or based on what type of thing you have, you have a certain set of options and you randomly pick one of those options. And then you continue with every single step, randomly picking from those options and there can be repeats, there can be twists and turns. But like I worked with a guy for example, who he's a designer who knows some JavaScript, and he would procedurally generate buildings in this one little game he was making. And so he would say okay, if the building is 10 units tall, that means it can have this many sets of windows. What should the window style be? Okay because I chose this window style that means the door can be one of these styles. He procedurally generated a block on a little street in his game with all of these random buildings based on those kinds of parameters.

RD I mean, a game like No Man's Sky has sort of done that procedurally generating an entire universe of planets and animals and plants.

CW Minecraft too, and Stardew Valley.

CF Oh! I did not know that. 

BP Cassidy good news, he's at work on a graphical version. So there will be something for your front end brain to enjoy in the future.

RD Wishlisted on Steam.

Yeah, I'll check that out. Wow.

BP So Ceora, you brought us a few links this morning? Why don't you queue up one of your favorites, and we'll see if we can apply our gab skills to it. Our chit chat arts.

CF Sure! I'm really interested in talking about Microsoft. They are implementing a new passwordless system, where basically, the way you'll get into your account is through like authentication apps and things like that. I don't have a huge background in like infosec or cybersecurity, or anything like that. I found out about this on Twitter initially. And I was kind of like, what? Like no passwords, how are we going to like handle this? But I did a little more research. And it's a super interesting topic. So I definitely want to dive into that a little bit today with everyone here. 

CW Yeah, we did talk to Stytch.

BP We had a podcast episode recently about this. And it actually proved to be super popular, I think, yeah, this is like a topic that's really on the air. So Stytch, those folks came from—where do they come from, Stripe?

CW Plaid, they used to work at Plaid. 

BP Yeah, they used to work at Plaid. And they are trying to build essentially some developer tooling so that if you're building an app or a service, you can easily through their API SDK, get this kind of simple passwordless authentication set up for your users, and they use email magic links a lot. But in general, okay, this makes so much sense to me, one of the most frustrating experiences I have recently, with all the 2FA that we have now that we're all remote, is, I'll try to log into something, Okta will open, it'll ask for my password, I'll give it my fingerprint. And then it'll send me a 2FA code. It's like, I'm pretty sure the password and the biometric, like were enough, right? Somebody cuts off my finger, like they deserve to see my Google Docs, you know? [Ceora & Cassidy & Ryan laugh] They've earned it.

RD They did the work.

BP Yeah. They did the work.

CF The article that I was reading was mentioning how the way Microsoft is going to do it is that they're going to have you use an authentication app, like Authy or something like that. And then they'll also I think, email you, like something like a link or something like that. And one of the concerns that was brought up in the article that I sent, was that if you somehow lose access to both of those things, how could you—or one of those things, especially if you have like two factor authentication on, how are you going to get into your account? And I actually ran into something like this before, when I worked with Digital Ocean. I had gotten a new phone, and was like locked out of my—I don't know if I was using Authy or not, but one of those like authentication apps. I was like locked out of my account. And I couldn't remember my like, key or whatever, like my special key to get back in. And like it was a whole hassle with like the IT department to like, figure out how to get myself back on track. And the only reason why I was able to figure that out was because we had like a whole IT department whose job it is to fix problems like this. So I was thinking, if I just want to log into Skype, right, which is under Microsoft now. And I got a new phone, whole new, like authentication app, whatever. How would I like be able to get over issues like that, potentially? I don't know. I'm sure they'll figure out a possible solution. But that was one of the things that the article did bring up. But I don't want to be a hater, right? Like, I don't want to just hate this because it's new. I actually, I've heard a lot of people say that they hate having to come up with new passwords, or like, now everybody wants you to have like passwords, they don't have real words in them. And you have to have plus signs and like underscores and all kinds of special characters in them and stuff like that, too. So it's getting like harder and harder to remember, especially because you have to have a unique password for everything. So maybe this is like a better solution to that, that whole problem that a lot of users are having now.

CW Is this coming to Windows as well or is it just Microsoft Services? 

CF I'm not 100% sure.

CW Okay.

RD Yeah, one of the things that people point out in the comments is that you're basically offloading your authentication to your email or your phone. So you have one single thing that you still need a password for. So if somebody cracks that, they get the jackpot, they get everything. But I mean, also, if there's any breach anywhere, and you are using a password that anybody has ever used, your passwords could be compromised.

BP I mean, like your phone, which you keep on you at all times, and I sleep with under my pillow, and which requires biometric identification to open, is clearly a much smaller and safer attack vector than a password you put in and forget and which will inevitably be revealed in the latest data breach, right? Like those things are just out there.

RD I mean, I know a lot of people who are super careless with their phones, like you're gonna get that—

BP Do they have a password on it at least? Like you might lose your phone that doesn't mean somebody's gonna get in.

CF I know for me one thing I think about all the time—this is why I feel like my phone is my life now—is because like I use Apple Pay a ton. So like all my like credit cards are tied to my phone. And I'm always like, if I lose my phone or someone who pretends to be my friend, but isn't, is like "I know your password now. I'm going to steal your phone and like get into all your stuff." Like they have access to everything, right? Like my whole life is on my phone. And that's something I think about a lot like, because I have everything there. Someone steals my phone, and they can ruin my whole life. You know? I don't know. If they can get the password too. But I know Apple is trying to be super secure with things now because I think they realize this as well. 

BP Although I will say one hack that I sort of realized recently, you know how they send you like a short pin to your phone and it pops up? That pops up on my notifications on my—before the lockscreen. So it's like a four digit PIN. You don't even have to open a phone.

CW Yeah, exactly. You can hide that now where you can say like you got a text message, but you can't actually see what it is. But I really appreciate all of these security things. It's a good thing to have two factor authentication and all that stuff. But man, it's such a pain. [Ceora laughs] It's like the whole Okta thing. The fact that my company uses Okta and I have to log in every 15 minutes to be able to get to my email. 

CF Oh wow.

CW And that is annoying. And it's two factor auth every single time. And same with a lot of different banking apps and a lot of social apps and stuff, like I appreciate the two factor auth I love the security. But I wish it were easier. Because that is a pain.

RD Right? I mean, they make it difficult so people can't break in. And yeah, I think to Ceora's point, if you lose your information, you have all that sort of secret, you know, mother's maiden name stuff. But I've been seeing a lot of stuff on Facebook, where they're like, you know, what's your dog's name or whatever, the street you grew up on? What's your porn name? It's your mother's maiden name and the first letter of the street you grew up on or something, but just harvesting that secret information from people.

BP Yeah, for sure.

CF Yeah, I've seen stuff like that a lot on Twitter as well. And it kind of makes me go, hmm.

RD Don't give this out.

CW I had a scam phone call recently where, honestly, it was pretty good. Normally I just ignore them. But this one like they spoofed who this was coming from, they said, Hi, this is AT&T data. And they're just like, there's this charge on your account, you're going to have to cancel it if you want us to cancel it. And I was just like, okay, this is starting to seem like a scam. Figure out how to hang up. And they're just like, yeah, so all we need to do to cancel this transaction is to verify some information. So what's your birthday? And I was like, why would you need my birthday to cancel a transaction? And they're just like, well, we just need it. They just started pushing, and I was just like, no, actually this sounds sketchy. Why would you need my birthday? And then they're just like, okay, we'll cancel it, bye. And then they hung up. And I was just like, hmm.

CF You know what, though, for things like that, I always think about older people. 

CW Yeah! Exactly.

CF I help my parents a lot with their technology, and like even thinking about all this, like authentication stuff. Like, I don't think my grandmother or my grandfather would be able to, like really understand all this stuff. Or like if they got a phone call from their phone company right now. I'm sure they'd be like, yeah, I was born on such and such date. Here's my address. Here's my security number. Like I'm really sure that they would give all the information out. That's who I fear for the most with things like this.

BP They do awful things like around tax time, they'll call you and be like, you didn't pay your taxes. Like you've got to send in a mail order money form right now. Like you're the IRS and people just freak out and send the money.

CF Yeah. And like that's a legitimate fear.

RD I always wonder what our version of that's going to be in the future. Like, kids are like, oh, you're going around touching buildings with your bare hands? [Ceora & Cassidy laugh] Like, you're not wearing gloves? [Ryan laughs]

CW What Ceora was saying, preying on the people who just aren't as savvy. Just recently, I was helping a relative who called me and she was saying, Hey, I signed up for Offer Up and I'm selling this dining table. And this person says they have cash in hand. They just want to verify I'm real. And so they asked me to send them a code that they sent to my phone. And it was a two factor auth code. And I was like, don't send it! They're just like, well, I just did. I was like, okay, we need to log out of everything. We're gonna change your passwords across all these accounts. And I had to like, walk them through just on the phone through everything.

CF Difficult.

CW It's a lot but that's what so many people—this is just like one story of so many people I've talked to where these social engineers are figuring out the demographics of people that they can prey on for that kind of stuff.

BP Here's something that I don't understand how this doesn't get everybody all the time. And if I'm like opening the Pandora's box now I apologize. But whenever I get like a crappy email and there's an unsubscribe button, I click unsubscribe. So that's step one. I'm clicking a link and then it takes me to the web. And it's like, if you really want to unsubscribe click here and then I click that button. And often they'll be like put in your email. So I do that all the time. That seems like a super simple setup to just be like, whatever it is, giving me the malware or harvesting my stuff. But like, I must do that a dozen times a week from like random email to random website. I'm like, click, click, click, click.

CF I wonder how much I'm doing this, like unsafe cybersecurity wise. And I'm like, I feel like I'm a pretty tech savvy person, right? But like, I wonder if I talked to someone who actually works in cybersecurity and they just like watched my daily workflow, they would probably be screaming their head off over the things that I do that are just unsafe.

BP Well, you have the black tape over your camera today. So that's good. [Ceora laughs]

RD Yeah, I mean, getting that straight email with an unsubscribe link, by clicking it, you have verified your email, verified that you're a real person. We have a few, you know, broad based emails, and we get a lot that are just empty emails. And I'm like somebody's phishing or something, like what are you doing?

CW Oh and they're like waiting to see if you've opened it and stuff. I always try to be careful about letting any read receipts go through or tracking pixels.

RD I've turned off images, I don't display images on my emails because of that.

CW Wow.

CF See, now I'm learning things that I had no idea about.

BP You got to be paranoid. I mean, the best defense is just to be not that important, and not that wealthy. That's what I do. [Ceora laughs] Like, you know, you can have some terrible secrets or kinks, I guess. But like, you know, just keep them offline, like, do all that stuff offline. That's my approach.

CW Do crimes offline! [Ceora & Ryan & Cassidy laugh]

RD That's the lesson here.

BP Yeah, I actually have that on a t-shirt.

CF I know, for me, one thing I've been doing, I've been trying to use the whole multiple steps of like cybersecurity that are like a headache. I've been trying to use that to my advantage. So I'm sure everyone here probably during the pandemic has been online shopping a lot more. And usually I do everything through PayPal. So I've set up two factor authentication with PayPal. So every time that I make a purchase, I have to go to the Authy app, get my like code and put it in. So it makes me think twice before I make a purchase. It hasn't really worked. [Ryan laughs] It hasn't really stopped me from buying things as much but I thought it would but it didn't work so much. But I tried to use like the headache of like multiple steps to like be safe and secure and everything to like my advantage and it still didn't work. Yeah, I guess it could be useful.

CW I try to do stuff like that to be financially safe in that it'll stop me from making an impulse purchase. That is still not fully working. But I tried.

CF Yeah! At all.  I tried though, but it didn't work. It did not work.

CW Yeah, ugh.

[music]

BP So I hope everybody ordered The Key. It's out now, it's available. It's only $29. Ryan, Ceora, Cassidy, don't worry, we'll send you one. But everybody else, you should definitely check out The Key. It is the sweetest, coolest macro pad to hit the market in all of 2021, designed by none other than Cassidy Williams.

CW Whaaat.

BP In collaboration with Stack Overflow, brought to you by the fine folks at Drop. And yeah, all the proceeds from Stack Overflow, or all the proceeds that would go to Stack Overflow, go to a great charity called Digital Undivided, which works to bring underrepresented groups into the world of software development. So they're a great organization supporting bringing, yeah, all kinds of people into the world of software development, and Drop also pledged 5% of its proceeds to Digital Undivided. So if you go out and get The Key, you're supporting a great cause, you're supporting a great meme. More importantly. And yeah, it's programmable, it's customizable. There are instructions up on Drop's website. But as I learned from Cassidy, you could actually use these three keys to do anything. It's a full keyboard if you want it to be.

CW You could play Dwarf Fortress. [Ceora laughs]

RD You need way more keys. Waaay more keys.

BP No, no, it's all macros run, it's macros all the way down. Alright, everybody. Well, thank you so much for listening. As always, we love to have you tune into the show and send us your ideas and suggestions. You can always email us, it's podcast@StackOverflow.com. And yeah, if you have ideas for what we should talk about or ideas for guests, please get in touch. I'm Ben Popper, Director of Content here at Stack Overflow. You can always find me on Twitter @BenPopper, and you can rate and review the show if you like it. It really helps, leave us a rating and review.

RD I'm Ryan Donovan. I'm content marketer here at Stack Overflow. I edit the blog, the newsletter, you can find me on Twitter @RThorDonovan. And if you have a great idea for a blog, send me an email at pitches@stackoverflow.com.

CW I'm Cassidy Williams, Director of Developer Experience at Netlify. You can find me @cassidoo on most things.

CF And last but not least, Ceora, I'm a developer advocate at Apollo GraphQL. And I'm pretty much @ceeoreo on every social media platform that you can find on the planet right now.

CW Bye!

[outro music]