2 factor ID?

Rustic23

I have been playing with this for a while now and I am not sure it is as safe as I thought.

First I have two devices to protect, an iPhone & iPad. When I use my phone number as the destination for the 2 Factor Code (2fc), it goes to both devices. If I use, say, Google Authenticator, the 2fc goes to both devices as that app has to be on both. So the code is going to the device I am authenticating on and thus is no more secure than using the password only.

Now I could keep the authenticator on one device only, say my iPad, as it is the least likely to be stolen or misplaced. But then I have to carry both. Thus making it easier to lose.

So far, the solution I have found is to use LastPass Authenticator and have it use a PIN to open/fingerprint to open.

Has anyone found a better workaround?
 
Hmm, my knowledge on this is very limited but I also try to protect my data with 2fc and/or keeping some passwords secured on a Kingston Data Traveler thumb drive. As my SIL continues to reinforce to me, the easier you make it for yourself, the easier it is for the other guy. I guess LastPass is a solution that combines enough difficulty for you to provide fairly good protection. I will be interested if others have a solution.

I am not sure it would be helpful for you but monthly I use the Yubico key to verify my Gmail/Chrome account. Perhaps it could be set up for daily use but so far this has worked OK.
 
2FC on an iPhone is fine by me either as a text to the phone number or Google authenticator on the device because to access my iPhone requires my fingerprint or 8 character access code.

My bank, HSBC, uses its own authenticator built into its fingerprint protected app.

ETA
I have the notifications settings for text messages to not show on screen when iPhone is locked so a fingerprint is needed to read any SMS code that has been sent.
 
2FC on an iPhone is fine by me either as a text to the phone number or Google authenticator on the device because to access my iPhone requires my fingerprint or 8 character access code.

+1
Also, my Fidelity account and USAA Bank account both work with the Symantec VIP app on my phone, so to log in to those accounts I have to input a six-digit number that changes every 30 seconds. Pretty good security IMHO.
 
I have been playing with this for a while now and I am not sure it is as safe as I thought.

First I have two devices to protect, an iPhone & iPad. When I use my phone number as the destination for the 2 Factor Code (2fc), it goes to both devices. If I use, say, Google Authenticator, the 2fc goes to both devices as that app has to be on both. So the code is going to the device I am authenticating on and thus is no more secure than using the password only.

Now I could keep the authenticator on one device only, say my iPad, as it is the least likely to be stolen or misplaced. But then I have to carry both. Thus making it easier to lose.

So far, the solution I have found is to use LastPass Authenticator and have it use a PIN to open/fingerprint to open.

Has anyone found a better workaround?

OMG I can't even google what you said to figure out what all this means. I'm positive I don't have anything protecting me except for Windows Defender and whatever is built into the iPad.
 
I thought this is for Vanguard only?

A great many services have it available and many financial institutions insist on it because of the extra security it provides - you need to have something you know like a password or PIN and something you have like a security key or a phone* or an authentication app on a computer or smartphone or tablet.

*Living in England I don't have a US cell phone to receive texts but I do have a US Skype number so a call is made to that number and when I answer it a robotic voice tells me the code.
 
You don't want to use LastPass for your password and your second factor because that would collapse into a single factor. You should try a non-LastPass solution for time based one time keys.
 
2FC on an iPhone is fine by me either as a text to the phone number or Google authenticator on the device because to access my iPhone requires my fingerprint or 8 character access code.

My bank, HSBC, uses its own authenticator built into its fingerprint protected app.

ETA
I have the notifications settings for text messages to not show on screen when iPhone is locked so a fingerprint is needed to read any SMS code that has been sent.
HSBC is just plain awful. We didn't log in to the online banking because it's just too hard. Every time we have to do it, both my husband and I had to sit together and try a few times. Not only that some of the key they sent was not working. And it's overseas. I can only think of madness. And it's us going bonkers or whatever the term is appropriate.
 
One problem with getting a text message with your 'secret code' number as the 2nd factor is that the SMS messaging system is very insecure. If the bad guys know your phone number they can intercept your code.

Use of a random number generator such as Google's Authenticator is better. Or have the number sent to you via email if possible.
 
HSBC is just plain awful. We didn't log in to the online banking because it's just too hard. Every time we have to do it, both my husband and I had to sit together and try a few times. Not only that some of the key they sent was not working. And it's overseas. I can only think of madness. And it's us going bonkers or whatever the term is appropriate.

Really?

The vast majority of the time I log onto my UK HSBC account from a PC I select "without secure key" because that is only needed for transactions to send out money to a new payee or change account settings. To view and move money between accounts only requires password access.

Mostly I access my accounts with their app which is just a fingerprint needed. Maybe you are still using the physical key to generate access codes.
 
A few weeks ago I was speaking to my brokerage company and asked if there was any additional security I could add to my account. I discovered I could get a security token to be used in conjunction with my password - you press the button and a number pops up. Just like my super security-conscious employer requires. I mentioned it to my sister-in-law and she learned her firm didn't offer anything like it.

I am not a security expert but without that little device I'm thinking (more hoping) it will be difficult to get into my account. My goal is to make it as difficult as possible...maybe the crooks will focus on easier prey...
 
.... Has anyone found a better work around?

I usually do not use my phone for any websites that I want 2fc on... so the app would be on my laptop and the authentication is done to my phone.... suspect that is what 2fc was designed for.
 
Voice recognition is being rolled out in the UK, don't know if it will make it to the USA. Last year HSBC UK introduced it and although I have only had to call them twice since setting it up, it was nice to be able to get through without a lot of key punching and security questions before speaking to someone.

On Friday DW called the UK SS folks with questions on her contributions record and to make some back payments. She already has an online account (with 2FA), and after making the call they finished off by establishing voice recognition for future use.
 
I sign up for two factor whenever it is available. Here is why: someone hacked my brother's Gmail and changed the password. The hacker then proceeded to send requests for emergency funds to all my brother's contacts. Google support was no help in rectifying the situation. My brother somehow got the police involved and Google finally did something. With two factor ID, that scenario cannot happen. A hacker accessing my Gmail would need the code sent to my phone. End of story. If I don't have a phone, there are alternate ways to obtain the code.
 
I use FIDO U2F for Google and financial accounts. I think using it for Google is important as a compromised email account affects most everything else nowadays.
 
Really?

The vast majority of the time I log onto my UK HSBC account from a PC I select "without secure key" because that is only needed for transactions to send out money to a new payee or change account settings. To view and move money between accounts only requires password access.

Mostly I access my accounts with their app which is just a fingerprint needed. Maybe you are still using the physical key to generate access codes.
That was new. It was not like that a few years back. A few years back we had to use the secure key for log in.
 
That was new. It was not like that a few years back. A few years back we had to use the secure key for log in.

Yes I remember the key well, and it is still available for those who do not wish to use the app. Technology moves on. With the app most functions can be performed using fingerprint authentication, but sensitive functions such as setting up a new payee require a randomly generated authentication code which the app then provides.
 
One problem with getting a text message with your 'secret code' number as the 2nd factor is that the SMS messaging system is very insecure. If the bad guys know your phone number they can intercept your code.
From what I understand, they need to "clone" your SIM card. That's not as easy as knowing your phone number.
Is there another way?
 
One problem with getting a text message with your 'secret code' number as the 2nd factor is that the SMS messaging system is very insecure. If the bad guys know your phone number they can intercept your code.

Use of a random number generator such as Google's Authenticator is better. Or have the number sent to you via email if possible.

I think that if the bad guys know your username and password and are able to intercept your SMS messages then you are in bad shape. (Not seen any movies where the cops or intelligence services do this, so it may be harder than just knowing your phone number.)

However, I much prefer receiving a code via email (such as used by the Treasury Dept to access bonds) or a random number generator because being out of the country can be a pain in the butt receiving SMS messages. (My ATT carrier allowed phone and text over wifi which was great while traveling.)
 
I try to use 2FA when available.
 
From what I understand, they need to "clone" your SIM card. That's not as easy as knowing your phone number.
Is there another way?

No need to clone a SIM card. There are known weaknesses in the phone system's SS7 -

https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

So if you are using two factor authentication for enhanced security, DO NOT use an SMS message as one of the factors.

Frankly, skip the phone network completely if you really need privacy (most of us don't really). You have to assume governments have full access to all voice and text communication. And if governments have access, then bad guy hackers do too.
 
Not sure what I'm going to do with it, but I have an iPhone 4s. I reset it and logged it onto my Apple account. I put two apps on it, LastPass and LastPass Authenticator. This phone has no service and after I downloaded the software, I turned off Wi-Fi. The Authenticator still works! The numbers are in sync with the app on my iPhone 6s and iPad for Google, Amazon, and LastPass. Apparently, the authenticator works without a data connection and works as a standalone authenticator. While interesting, I don't think I will carry both phones. I am OK using the fingerprint reader for security, and this works with all my major 2fd accounts.
 