Author Topic: 2FA two step verification & the obsession with security  (Read 9327 times)


Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: 2FA two step verification & the obsession with security
« Reply #50 on: February 14, 2022, 09:46:57 pm »
Quote
Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number).

Quote
I always argued that the phone number/SMS OTP is not a proper 2FA. The phone number does not fully belong to you. The mobile operator can connect your number to another SIM without you realizing; there were fraud cases because of this when SMS OTP started to be used by banks 10+ years ago. It is not a big issue anymore, but I still think there is a difference and I prefer not to use it if there is an alternative.

It bothers me quite a bit. 'SIM swapping' means this generally just degrades to 'what's your mother's maiden name' type security that the phone company uses to 'secure' your account with them. If even that, since the phone reps tend to be too lazy to bother verifying this. The only difference is that it requires a bit of targeted effort by the attacker, but for high enough value targets, it's totally worth it. And there's plenty of evidence of this actually happening in the real world, it's not like it's a theoretical attack.

When it's available it's also *very often* the only method offered. Which is just absurd. It's more costly and more difficult to implement the much less secure SMS-based OTP than standard TOTP, so it just makes no sense at all why at the very least services don't offer both. Especially when it's something high security, like the Canada Revenue Agency that recently started requiring '2FA' but only offer it via SMS  |O. Same with one of my credit cards. It's infuriating because not only is it less secure, it's *much* less convenient.

Likewise anyone that tries to force you to use their own authenticator app is  |O. We have standards for this for a reason. The standards mean the friction is lower for users, so they are more likely to use it / use it correctly. Looking at you Steam, I have no reason to have your mobile app installed.

As far as forcing it on users, I think it's perfectly reasonable for anything that confers an identity or has economic consequence. It should have come earlier.

For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.
« Last Edit: February 14, 2022, 09:50:00 pm by ve7xen »
73 de VE7XEN
He/Him
 
The following users thanked this post: Someone

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #51 on: February 14, 2022, 10:26:21 pm »

Quote
It bothers me quite a bit. 'SIM swapping' means this generally just degrades to 'what's your mother's maiden name' type security that the phone company uses to 'secure' your account with them. If even that, since the phone reps tend to be too lazy to bother verifying this. The only difference is that it requires a bit of targeted effort by the attacker, but for high enough value targets, it's totally worth it. And there's plenty of evidence of this actually happening in the real world, it's not like it's a theoretical attack.


Naturally this is not easy to do in practice. The cases I know of involve identity theft, which I guess is a bigger problem than stealing the phone number. But still I think theoretically it is wrong to assume hardware-based (e.g. TOTP) and SMS-based OTP are the same.


Quote
When it's available it's also *very often* the only method offered. Which is just absurd. It's more costly and more difficult to implement the much less secure SMS-based OTP than standard TOTP, so it just makes no sense at all why at the very least services don't offer both. Especially when it's something high security, like the Canada Revenue Agency that recently started requiring '2FA' but only offer it via SMS  |O. Same with one of my credit cards. It's infuriating because not only is it less secure, it's *much* less convenient.


I think the implementation complexity depends. I tend to think an SMS-based solution is simpler considering everything. Because devices change and TOTP or any security tokens are not always migrated to new devices, whereas the phone number does not change, this is a big plus for operations for SMS-based solutions.


Quote
Likewise anyone that tries to force you to use their own authenticator app is  |O. We have standards for this for a reason. The standards mean the friction is lower for users, so they are more likely to use it / use it correctly. Looking at you Steam, I have no reason to have your mobile app installed.


I think it is converging to standards, but it is hard for regulated domains, e.g. financial institutions, to adapt quickly.


Quote
For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.


Don't know the worldwide status, but there are actually countries other than Estonia providing certificates equivalent to real identity through SIM- or card-based solutions that can be used for things like accessing bank or e-government services or contract signing, so effectively replacing the wet signature.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: 2FA two step verification & the obsession with security
« Reply #52 on: February 14, 2022, 10:37:50 pm »
Quote
Naturally this is not easy to do in practice. The cases I know of involve identity theft, which I guess is a bigger problem than stealing the phone number. But still I think theoretically it is wrong to assume hardware-based (e.g. TOTP) and SMS-based OTP are the same.

It probably varies quite a bit on regional regulations, competence of the phone provider, and the like. But at least in my own non-malicious dealings with the phone company, it seems like it'd be pretty trivial if you know some basic information about the legitimate owner, they barely do anything that could be called 'identity verification' at all. And if you fail you can just call back and try again with a different rep. Eventually you're likely to be successful. There are more than enough anecdotes to demonstrate that it's not good enough.

Quote
I think the implementation complexity depends. I tend to think SMS based solution is simpler considering everything. Because the devices change and TOTP or any security tokens are not always migrated to new devices, whereas the phone number does not change, this is a big plus for operations for SMS based solutions.

There are pros and cons for support considerations and whatnot, but this isn't what I meant by implementation. If you want to do SMS-based OTP, you need to interact with a 3rd-party service to deliver those SMS messages, but all the rest is basically the same, you need to generate key material, produce OTPs and so on just like you would with TOTP. Since there's a 3rd-party integration involved though, I'm considering it more complicated. But I guess you could argue that having to produce your own UI to manage TOTP and recovery codes and the like swings the balance.

Quote
I think it is converging to standards but it is hard for regulated domains eg financial institutions to quickly adapt.

I'll give them the benefit of the doubt if they've had a 2FA implementation in place for a long time and it happens to have been based on SMS. Many of these are things that have come online recently though. CRA added their requirement last tax-year. The credit card I complained about added their SMS verification to online transactions and their web app in 2020. The TOTP RFC is more than a decade old at this point, it's not really an acceptable excuse, especially when the SMS way is incredibly weak.

Quote
Don't know the worldwide status, but there are actually countries other than Estonia providing certificates equivalent to real identity through SIM- or card-based solutions that can be used for things like accessing bank or e-government services or contract signing, so effectively replacing the wet signature.

Glad to hear it :-+!
73 de VE7XEN
He/Him
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3559
  • Country: se
  • SA0XLR
    • My very static home page
Re: 2FA two step verification & the obsession with security
« Reply #53 on: February 14, 2022, 11:48:25 pm »

Quote
For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.

With the caveat that it is a separate government-approved entity that issues the ID, I just today used one of my electronic IDs to fetch and store a Covid-19 vaccination certificate from the government agency that deals with this.

Increasingly, we can use electronic identification to access services; most government systems require it. I must use it to access my children's school systems, when I file my taxes (which for most people is about as complicated as logging in and saying, "Yes, it's correct" because the tax forms come pre-printed with all collected data here. Unless I've sold stock I can do the same most years.), when I book an appointment for vaccination, and when I log in to pay my bills. Of course online gambling uses it for age checks, and in many online shops showing ID lets them populate the shipping address etc. and also check if they can invoice you or you need to pay upfront.

Quite convenient. But of course could be even better.

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #54 on: February 15, 2022, 06:55:12 am »
Quote
There are pros and cons for support considerations and whatnot, but this isn't what I meant by implementation. If you want to do SMS-based OTP, you need to interact with a 3rd-party service to deliver those SMS messages, but all the rest is basically the same, you need to generate key material, produce OTPs and so on just like you would with TOTP. Since there's a 3rd-party integration involved though, I'm considering it more complicated. But I guess you could argue that having to produce your own UI to manage TOTP and recovery codes and the like swings the balance.

That is right, you need to use a service provider for sending SMS. This was more difficult in the past but now there are non-operator providers, Twilio etc., which makes the integration (both technical and non-technical) simpler. Sometimes the mobile operators have a different service to be used by banks for OTPs due to security, availability and performance concerns, this may make it a bit more complicated.

The key material issue is not the same for both. With SMS OTP, you can just randomly generate a code, keep it and its timestamp in the database, and then check when the user enters it. With TOTP, there is a need to share symmetric key material because TOTP is generated with an HMAC algorithm, so both generator/user and verifier/service need to know the secret. Sharing the secret can be as simple as generating/entering some numbers/codes, a QR code, or an online key exchange algorithm. When there is key material, that has to be kept securely; for example banks may want to use an HSM. The same is true for the client-side implementation: the key material has to be kept on the device (phone) securely, so the implementation is not as simple as just keeping any data (however it became simpler in recent years).

A service/bank etc. probably already has some SMS service provider integration, so it is pretty simple for them to code this. It probably takes more time to create user documentation for it. TOTP or any such implementation (FIDO etc.) is more complicated, because some things provided by the SIM card and GSM network have to be replicated. Potentially an HSM is involved. Because this is considerably more complex than SMS OTP, the security review will probably also take a longer time.

I might be a bit biased. I started working on these when the TOTP/HOTP specs were still drafts and OTP/2FA was not mainstream, and worked until TOTP/HOTP (there is also OCRA for signing) became mainstream and FIDO appeared. Now, I guess everybody knows more about these, so the implementation process might be more seamless than I think.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #55 on: February 15, 2022, 12:42:38 pm »
One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (Sod's law says they will start with 15 seconds to go).

Won't anyone think of the chiuser?
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #56 on: February 15, 2022, 01:35:16 pm »
Quote
One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (Sod's law says they will start with 15 seconds to go).

Won't anyone think of the chiuser?

Very correct, that is another reason why SMS OTP is offered either as alternative or as a fallback method even if there are other mechanisms.

About the timeout, SMS OTP also has (or must have) a timeout. You might have heard there was an Android issue, a trojan was forwarding the SMS OTPs in the background. A timeout eliminates offline man-in-the-middle attacks. The issue is, if standard SMS gateways are used to send the SMS, the time it takes for the SMS to reach the end user cannot be guaranteed, I think, or cannot be guaranteed to a low value. That is why some operators offer low-latency gateways particularly for this purpose, so a 60-second timeout can still work.
 
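The two designs contrasted in Reply #54 (TOTP needs a shared HMAC secret on both sides; SMS OTP needs only a random code and its timestamp in the server's database) and the timeout point in Reply #56 can be seen side by side in the following illustration. It is an example added by the editor, not code from anyone in this thread: the HOTP/TOTP functions follow RFC 4226 / RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), while `SmsOtpStore`, its attempt limit and the user names are constructed assumptions. The 20-byte seed is the RFC test-vector secret, so the expected codes are checkable against the RFCs.

```python
"""TOTP (shared-secret, RFC 6238) beside an SMS-style random OTP store.

Editor's illustration for the thread; not from any poster. SmsOtpStore and
its policy (60 s TTL, single use, 3 guesses) are assumptions, not a standard.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.

    Both the authenticator app and the service run this over the SAME secret,
    which is why that secret must be provisioned (QR code etc.) and stored safely.
    """
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock drift).

    Every candidate step is evaluated and compared in constant time so the
    verifier's timing does not reveal which step (if any) matched.
    """
    counter = int(at_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


class SmsOtpStore:
    """Server-side state for SMS-style OTP (constructed example).

    There is no long-term shared secret: the service draws a random code, records
    it with its issue time, hands it to the SMS gateway, and later checks what the
    user types. The TTL is what limits a forwarded or intercepted code's usefulness,
    single use stops replay, and the guess limit bounds brute force on 6 digits.
    """

    def __init__(self, ttl_seconds: int = 60, digits: int = 6, max_attempts: int = 3):
        self.ttl = ttl_seconds
        self.digits = digits
        self.max_attempts = max_attempts
        self._pending = {}  # user -> (code, issued_at, failed_attempts)

    def issue(self, user: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[user] = (code, now, 0)
        return code  # in production this value goes to the SMS gateway, nowhere else

    def verify(self, user: str, candidate: str, now: int) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if now - issued_at > self.ttl:
            del self._pending[user]  # expired: a delayed or forwarded code is useless
            return False
        if hmac.compare_digest(code, candidate):
            del self._pending[user]  # single use: the same code cannot be replayed
            return True
        attempts += 1
        if attempts >= self.max_attempts:
            del self._pending[user]  # too many guesses: user must request a fresh code
        else:
            self._pending[user] = (code, issued_at, attempts)
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector secret (constructed input)
    print("TOTP at t=59:", totp(seed, 59))  # RFC 6238 gives 94287082 for 8 digits
    store = SmsOtpStore(ttl_seconds=60)
    code = store.issue("alice", now=1000)
    print("SMS code accepted within TTL:", store.verify("alice", code, now=1030))
```

The asymmetry the thread discusses is visible in the state each side keeps: `verify_totp` needs `secret` forever (hence the HSM and secure-element concerns), whereas `SmsOtpStore` holds nothing but a short-lived random value, and the 60-second TTL is exactly the delivery-latency budget Reply #56 describes.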

Offline mac.6

  • Regular Contributor
  • *
  • Posts: 226
  • Country: fr
Re: 2FA two step verification & the obsession with security
« Reply #57 on: February 15, 2022, 01:47:21 pm »
SMS OTP is not secure *at all*
SIM theft/hijacking is a thing that is awfully simple and happens everyday:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #58 on: February 15, 2022, 01:54:47 pm »
Quote
SMS OTP is not secure *at all*
SIM theft/hijacking is a thing that is awfully simple and happens everyday:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

Wow, I didn't know it is still an issue. I remember after this happened (in Turkey, 10+ years ago) they changed the processes and there was a lock period, so you can easily figure out something is going on with your number before bad things happen. On the other hand, if identity theft is involved, this is a much bigger problem.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: 2FA two step verification & the obsession with security
« Reply #59 on: February 15, 2022, 02:15:00 pm »
Quote
For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.

The German ID card has offered an eID function for several years now. Before 2017 it was an option; after that it's activated by default.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: 2FA two step verification & the obsession with security
« Reply #60 on: February 15, 2022, 02:27:22 pm »
Quote
SMS OTP is not secure *at all*
SIM theft/hijacking is a thing that is awfully simple and happens everyday:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

It's not just SIM swapping. There are also many security issues in the SS7 protocol/networks allowing rogue parties to hijack or redirect SMS messages. Or some home banking trojan runs on your smart phone.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #61 on: February 15, 2022, 03:34:38 pm »
Quote
SMS OTP is not secure *at all*
SIM theft/hijacking is a thing that is awfully simple and happens everyday:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

Quote
It's not just SIM swapping. There are also many security issues in the SS7 protocol/networks allowing rogue parties to hijack or redirect SMS messages. Or some home banking trojan runs on your smart phone.

It's better than the alternative of not using it, if you won't or can't rely on passwords alone. The big problem with things like SMS is that they are treated as infallible, which is one reason why hijacks and similar work so often. Same with biometrics - computer says it's their fingerprint therefore it must be them without question.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #62 on: February 15, 2022, 03:42:08 pm »
Sorry, posted before I'd collected my complete thoughts :)

What's happening here, with SMS and the like, is that they are not perfect, and are therefore deemed to be abhorrent to use. The same is said of security by obscurity wherever that crops up. Sure, it's not perfect but by, for instance, moving your POP3 port to 2371 to hide it you disappear off the radar of a lot of opportunistic hacks. SMS isn't perfect, but by using it you've stiffed the opportunistic hacks where a password has been compromised. Taking it further - obtaining the duplicate SIM (or scanning every port) - is extra work that many, many bad guys aren't going to bother with.

So, SMS isn't perfect, but it strikes a balance between being wide open and having the user jump through flaming hoops. For many applications, that's fine.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: nl
Re: 2FA two step verification & the obsession with security
« Reply #63 on: February 15, 2022, 03:45:46 pm »
It's not good enough for crypto gambling/tax evasion at any rate.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 4033
  • Country: us
Re: 2FA two step verification & the obsession with security
« Reply #64 on: February 15, 2022, 04:46:07 pm »
Quote
One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (Sod's law says they will start with 15 seconds to go).

Won't anyone think of the chiuser?

In my opinion SMS is still OK to support as a method of last resort in low security scenarios. It still protects against most brute force attacks even if SMS is relatively insecure. It's not perfect but nearly universal and people understand how to use it pretty easily. I just don't think it should be the default.

Also, with 2G mostly shut down and 3G scheduled for turn down over the next few years in much of the world the list of phones that can receive SMS but don't have an authenticator app is low, and for sure far less than the reverse: mobile devices able to run a TOTP app but without a cellular connection or with a data-only connection.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: 2FA two step verification & the obsession with security
« Reply #65 on: February 15, 2022, 07:42:37 pm »
Quote
The key material issue is not the same for both. With SMS OTP, you can just randomly generate a code, keep it and its timestamp in the database, and then check when the user enters it. With TOTP, there is a need to share symmetric key material because TOTP is generated with an HMAC algorithm, so both generator/user and verifier/service need to know the secret. Sharing the secret can be as simple as generating/entering some numbers/codes, a QR code, or an online key exchange algorithm. When there is key material, that has to be kept securely; for example banks may want to use an HSM. The same is true for the client-side implementation: the key material has to be kept on the device (phone) securely, so the implementation is not as simple as just keeping any data (however it became simpler in recent years).

Yeah, I realized I'd overlooked this a while after I posted, but didn't think it was worth an edit. You're coming at this from clearly a different side of the equation than me, but in my experience, any time you have to involve a 3rd party service, the complexity balloons substantially. Things I can keep entirely in-house are easier to manage, easier to (continually) test, and easier to rely on, but that might not be the equation for everyone. I imagine that's especially true if you can 'outsource' most of the certification work and liability.

Quote
One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (Sod's law says they will start with 15 seconds to go).

I'm definitely not a fan of product-specific authenticators. For one, it's annoying. For two, it's a security-critical purpose, and I don't trust random lowest-bid app developers working in a completely different domain to do it properly. NIH is a real problem with security-critical code.

Maybe I'm just one of the kids these days, but I think the number of people who have ditched their phone number entirely is higher than the number of people that don't own a device that can run a TOTP authenticator, which is practically any general purpose computing device made in the last 20 years. This forced SMS authentication is one of the things holding us back from ditching our phone service, to be honest. I don't use it for much of anything else.

In general though, I think both can be a bit of an accessibility problem, but it is much worse with SMS. Not everyone can afford to maintain consistent access to a cell phone plan, and losing your phone number shouldn't be made such a pain in the ass, e.g. if you move. Tying authentication to a third-party for-pay service really just stinks to me, it's so user-hostile. Even the homeless these days often have access to a device that they use with WiFi etc, it's much more ubiquitous and reasonable to expect that someone own a device that is now quite cheap than pay for a monthly service. Hell, FIDO keys are simple and cheap enough to manufacture that you can practically give them away.
73 de VE7XEN
He/Him
 
The following users thanked this post: Someone

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #66 on: February 15, 2022, 09:43:03 pm »
Quote
FIDO keys are simple and cheap enough to manufacture that you can practically give them away

Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: 2FA two step verification & the obsession with security
« Reply #67 on: February 15, 2022, 09:55:50 pm »
Quote
FIDO keys are simple and cheap enough to manufacture that you can practically give them away

Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.

I was talking specifically about the accessibility issues around assuming everyone has a phone with active (and continuous, or you will lose the number the account is tied to) service. SMS 2FA is getting forced on us for 'critical' things, and it does not address the accessibility issues at all. Yes, it's not ideal to have something else to carry around, and I agree it may not make sense if you own a suitable device, I'm specifically talking about those who don't, and the possibility of support organizations providing them cheap FIDO keys as an alternative to a smartphone. It's much better than expecting them to go to a bank branch or government service centre to have any access to the services at all.

Edit: Not to mention the problems that arise if you're outside of cellular service range (particularly if that's your home location) and need to do an auth check. Sometimes if you're very lucky, a POTS fallback is offered, but it's usually to the same number, so it works (sorta) for people who only have a landline, but is useless if you're out of service. Oh and many of these services block 'VoIP' numbers, though like geolocating IPs, detecting that is horribly unreliable since MNP (my main number is an ex-VoIP number that was ported and is now attached to my cellular service - and I've run into this issue with both Steam and Uber). SMS 2FA / tying accounts to mobile service in general is just a horrible solution.
« Last Edit: February 15, 2022, 10:20:49 pm by ve7xen »
73 de VE7XEN
He/Him
 
The following users thanked this post: Someone

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: 2FA two step verification & the obsession with security
« Reply #68 on: February 15, 2022, 10:13:02 pm »
Quote
FIDO keys are simple and cheap enough to manufacture that you can practically give them away

Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.

You do realise that these literally fit onto a keyring don't you? I don't know about you but if I'm out of the house then my keyring is in my pocket complete with the authentication and authorisation tokens for my house and car (mechanical keys) which I'm already obligated to carry and keep track of. Adding another key to the ring hardly increases the burden of responsibility much. Whereas I often deliberately don't always take my phone out with me.

Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 5155
  • Country: au
    • send complaints here
Re: 2FA two step verification & the obsession with security
« Reply #69 on: February 16, 2022, 12:15:13 am »
Quote
FIDO keys are simple and cheap enough to manufacture that you can practically give them away

Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.
As the above posters mention, it's great that you would prefer something else, and it should be an option to you. Just as not having SMS should be an option to others.

Thinking here of people complaining all buildings have ramps as access, when they would prefer stairs.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #70 on: February 16, 2022, 01:36:05 am »
Quote
You do realise that these literally fit onto a keyring don't you?

Yes. Doesn't change my PoV.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #71 on: February 16, 2022, 01:38:56 am »
Quote
and it should be an option to you

Indeed. I note that Google are quite good about this, giving a choice of authenticator, SMS or selecting one of nine secret numbers.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 17427
  • Country: us
  • DavidH
Re: 2FA two step verification & the obsession with security
« Reply #72 on: February 16, 2022, 08:27:38 am »
Quote
I read a study, that 2FA makes accounts 2x safer.

Safer from what, and for who?

2FA using a phone protects against a stolen password, and adds an exploit when your phone is compromised. I cannot do anything about my phone being compromised because that is up to the phone company, but I can protect my password.

 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: 2FA two step verification & the obsession with security
« Reply #73 on: February 16, 2022, 06:10:47 pm »
Quote
2FA using a phone protects against a stolen password, and adds an exploit when your phone is compromised. I cannot do anything about my phone being compromised because that is up to the phone company, but I can protect my password.

What? No, it's called 'two (or multi)-factor authentication' for a reason. You need both to authenticate, so if you protect your password but your phone is compromised, you have the same level of security you do today. If your phone is not compromised, then you have considerably more. Just don't store your password in a text file on your phone.
73 de VE7XEN
He/Him
 

