
2FA (two factor authentication) done right?

Tuesday, 5 September, 2017 - 21:19

Hi Supernova and readers! I realized it was time to get social again after a great summer on the Goodland island. Back in the city again now though... Yuck.

Yeah, 2FA using SMS, as we talked a little about in previous articles, is a big no-no these days, considering all the latest thefts made possible by social engineering and stupid phone companies. 2FA should only be used in a service/application/method not tied to any phone number/other identifiable means.

Actually I believe "phone" calls and SMS will be a thing of the past soon. IP calls and different IM solutions with VV will take over. The SIM card will only be used as an identifier for the phone company.

    That is another topic though.

Edit: Oh, that is funny. You disabled comments on the article, Supernova, so my reply ended up being its own post.


2FA (two factor authentication) done right?

This is a follow-up on my previous post on people using social engineering to hijack someone's cell phone number to get their 2FA SMS messages. Original post is here.

I could have named this post: "Most sites do 2FA wrong"; "2FA via SMS isn't true 2FA"; "A better 2FA".

Anyway, yes, I started out doing 2FA via SMS messages because that is what most websites prompt you to do: register your phone number to get a code via SMS to use as 2FA. I thought it was a great idea, until I read how easy it is for anyone to call your cell phone provider and "steal" your phone number and associate it with another physical phone. So they don't even need the phone that "you have", they just need your phone number. Not good! (I'm not even going to get into intercepting your SMS messages on the network.)

But there is hope. Using an authenticator application on your phone, someone would truly need to steal your physical device for any chance at intercepting your 2FA method. Even if they do steal your phone number, they don't have the app on your phone. This seems much more secure.

Even before switching to an authenticator app I was getting annoyed by SMS 2FA. Most annoying would be sitting at a login screen for a minute or two just waiting for an SMS message to arrive. And sometimes the SMS wouldn't even arrive and I'd have to click "I didn't get the SMS" and try again. Such a waste of time. Authenticator apps are much quicker; the number is generated instantly.

If you have looked into these apps you have probably read about Google Authenticator and Microsoft Authenticator. I've used the Google one and it was fine, but I have since gone Google-free on my Android. There is another option that I have found is excellent, called Duo Authenticator. It does present a warning about Google services not being installed, but it works just fine. (If I remember correctly I used the Yalp Store app to download Duo from the Google Play Store without a Google account.) There are also some open source authenticator apps on F-Droid but I haven't tried those.

The only thing that concerns me now is what happens if I upgrade my phone or lose it and need to replace it? If anyone knows please comment; I'll have to read up on that. Do I need to log into each website using my old 2FA app, then update the 2FA settings to my new phone? How do you use 2FA?

digital-life, 19 July, 2017
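The post above says an authenticator app generates the number instantly on the device, which is why hijacking the phone number does not help an attacker. The example below, added here by the editor and not code from either poster or from any of the apps they mention, shows the mechanism those apps use: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), where the code is an HMAC over a counter derived from the clock, keyed by a secret that is shared once at enrolment (the base32 string inside the QR code) and never transmitted again. The server-side `verify_totp` check and the one-step drift window are the editor's own illustration of a typical verifier; the test secret is the one published in the RFCs, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = Unix time // step. Needs only the secret and a clock,
    so the code can be computed offline on the phone; nothing is sent to the device."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the secret as it appears in an otpauth://totp/... enrolment URI.
    Apps usually omit '=' padding, so it is restored here before decoding."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def verify_totp(secret: bytes, submitted: str, for_time=None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (editor's illustration): accept the current step and `window`
    steps either side to tolerate clock drift; compare in constant time. A production
    verifier should also remember the last accepted counter and refuse to accept it twice."""
    if for_time is None:
        for_time = int(time.time())
    base = for_time // step
    ok = False
    for counter in range(base - window, base + window + 1):
        expected = hotp(secret, counter, digits)
        # No early return: every candidate is compared so timing does not leak which matched.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Constructed demo using the RFC 4226 / RFC 6238 test secret "12345678901234567890"
# (published in the RFCs; not anyone's real enrolment key).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo():
    secret = secret_from_base32(RFC_SECRET_B32)
    now = 59                                     # RFC 6238 test time (Unix seconds)
    code = totp(secret, for_time=now)
    return {
        "code_at_t59": code,                     # what the phone app would display
        "accepted_now": verify_totp(secret, code, for_time=now),
        "accepted_next_step": verify_totp(secret, code, for_time=now + 30),
        "accepted_two_steps_later": verify_totp(secret, code, for_time=now + 60),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from the code: the only long-lived material is `secret`. It lives in the app on the handset and in the site's database, so the SIM, the carrier and the SMS channel play no part. The same fact answers the migration worry in the post: moving to a new phone means getting that secret onto it, either by re-enrolling (new QR code) per site or via an app's own export/backup, and a site that still accepts SMS as a fallback keeps the number-hijack path open regardless of the app.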
