Security questions (2FA, Lastpass authenticator, etc.)

Lsbcal

Questions for the security informed here:
1) If I use my iPhone with an app from the app store and then login with facial recognition on my secure wifi at home, is that basically two factor authentication (something you physically have and something you know)?

Example: I use the Vanguard app with facial recognition on the iPhone. Is that 2FA or equivalent?

2) Would security be even better if I turn off wifi (home) calling and use cellular while doing this?

3) Is #1 or #2 superior or equivalent to using the Lastpass authenticator? I have no experience with the Lastpass authenticator but I do use Lastpass all the time.

It seems that using the iPhone to check my financial sites is really easy but I want to be quite secure too.
 
I have not used an iPhone in years, and I am not claiming expertise but I believe:
1) No. I would not consider this an example of two-factor authentication. I suppose it could be considered a form of two-factor the first time an App was loaded, where you had to enter normal login credentials (e.g. username + password) and then use the phone's biometric capability to authenticate to bootstrap the process. But thereafter from my perspective it is only device authentication backed by biometrics.

I have also wondered how apps are written that utilize this approach: a) how the bank trusts that its phone app has not been later compromised, and b) what the phone app communicates back to the bank to indicate that the person has been authenticated, as it would seem unwise for the app to have cached any prior credentials or to just send a binary yes/no indication that the person has been authenticated.

2) Probably not. If your home wifi is running very old security protocols then this could be an issue. Or if you really do not trust your home internet service provider. But otherwise I don't think there is much extra security to be gained.

3) I have not used a separate software based authenticator but have considered it for sites that accept it in place of SMS. It would arguably increase security over approach #1, except if you are using the phone to both login to the bank (App) and run the Lastpass authenticator it would seem to be practically the same. If you were using a phone for the authenticator and tablet (something with biometrics) for the App then arguably more secure as a person would need both devices.
 
Questions for the security informed here:
1) If I use my iPhone with an app from the app store and then login with facial recognition on my secure wifi at home, is that basically two factor authentication (something you physically have and something you know)?

Example: I use the Vanguard app with facial recognition on the iPhone. Is that 2FA or equivalent?

2) Would security be even better if I turn off wifi (home) calling and use cellular while doing this?

3) Is #1 or #2 superior or equivalent to using the Lastpass authenticator? I have no experience with the Lastpass authenticator but I do use Lastpass all the time.

It seems that using the iPhone to check my financial sites is really easy but I want to be quite secure too.

No. FaceID or TouchID is just verifying the password you have at Vanguard.

2FA would be to get a code texted to you AFTER you enter your login and password.

It's the second-factor.

I use a Google Voice number for 2FA, not regular texts or SMS. Hackers have fooled telephone companies into giving them control over cell phone numbers, so that if they have your password, now they get texts to their phones with the 2FA code, not you.

Unfortunately, most financial institutions use regular texts for 2FA. Some won't even accept a Google Voice number, which is more secure than SMS.

One of the few exceptions is eTrade, which requires that you append an always-changing numerical code to your regular password. The number generator app is called VIP from Symantec.

You also need to secure your main email accounts with 2FA, since often, financial institutions tie your login to an email account.

Also some institutions will offer to email you the temporary code rather than send a text.
 
Much better than a text message for 2FA is to use an authenticator app on your phone. There are quite a few of them, they are free, and are very secure.

I've used the Symantec VIP app for years with a number of financial and other accounts, and it has never failed me. It even works on my Apple Watch. There is a six digit number shown by the app that changes every 30 seconds. You enter that on the site after entering your password.

The combination of Face ID, password, and authenticator app is about as secure as you can get.
 
Two Factor Authentication is traditionally 2 of the following 3 items:

1. Something you know (password, PIN, security question)
2. Something you have (token, phone, code generator)
3. Something you are (face, fingerprint, retina, voice)

Using 2 of the same things like 2 passwords or a password and a security question is not actually two factor authentication...but it is better than just one.

The idea of using an SMS text message is that it is supposed to go to your phone (something you have) to complement the password (something you know) you entered on your laptop. It gets messy when you use your phone app to enter the password.

When your phone saves your password, then it uses facial recognition to confirm who you are, and then it sends the password to your bank for you...so it is only 1 factor authentication to the bank.

LastPass and other password generators are just creating and saving complex passwords. Some of them may change your password at every logon...but it is still one factor authentication.

The text message or phone call after you entered your password is a pretty decent form of two factor authentication for the general consumer because it is easy to use for most people. Can it be compromised? Sure, if someone can duplicate or spoof your phone.

When using financial sites, I recommend getting alerts (text and/or email) when transactions occur. This should let you know if something happens that you did not initiate. That will give you the opportunity to work with your financial institution and lock things down, and possibly reverse the transaction. Credit card transactions, for example, may take a couple days to clear.
 
Others covered this well, but I'd also add that if you have the choice between text authentication or using an authenticator, ALWAYS choose the authenticator. Text authentication is not nearly as secure (just google sim swapping to see what I mean). I really wish companies would stop thinking of our phone numbers as some secure magic thing; they're not.
 
Do people have a list of institutions which use authenticator apps instead of texts?

Seems like a small minority.
 
Do people have a list of institutions which use authenticator apps instead of texts?

Seems like a small minority.

I use mine at Fidelity, Schwab, USAA, Amazon, one hobby site, and a couple of government sites.
 
I use 2FA with an authenticator app when possible.

In other words, I collect the QR codes. Some places include Amazon, Facebook, Newegg, Kickstarter, Dropbox.
 
Do people have a list of institutions which use authenticator apps instead of texts?

Seems like a small minority.

Here you go: https://2fa.directory/#banking

Support for 2FA is pretty widespread, but support for authenticator apps and physical keyfobs (like Yubikey) is very spotty. Vanguard still doesn't support authenticator apps (like Authy), which is bewildering to me. And Ally doesn't support any kind of authenticator, hardware or software!
 
My preferred 2FA is a physical key, such as the Yubikey. Unfortunately, there aren't a whole lot of commercial enterprises using them for customers which I think is a shame.

We were using a version of this in my Air Force days (common access card or ID that had a chip) that interfaced with almost every single application/program you had to use...and I have been out of that game for almost 7 years! Why it hasn't been more widely adopted, I don't know.

At least more organizations are allowing you to use authenticator apps, this is a step in the right direction.
 
This is a bit off to the side because it’s specific to the iPod Touch, which I love.

The LastPass app (what you get on the App Store) has been failing to launch on the Touch. After quite a bit of investigation I decided the problem is related to Yubi. The app assumes it can load a specific Yubi-required library that isn’t present on the Touch (NFCcore). Why isn’t it present? Because the Touch doesn’t have an NFC chip.

I’ve raised this with LastPass (Logmein) and while they acknowledge it, they haven’t fixed it. :(

This ONLY applies to the Touch, LastPass on iPhone works fine.
 
Thanks for all your replies. When I looked up 2FA for Vanguard I saw:
The index fund company Vanguard supports two-factor authentication (2fa) with SMS. SMS is known to be the worst form of 2fa, because it is vulnerable to so-called SIM-swapping attacks. In this type of attack, the malicious party impersonates you and tells your telephone company you've lost your SIM card.

We use a pretty strong password with our mobile service provider. If news comes in of a breach I immediately change the password. The only SMS we will receive is if another computer other than my up to date PC is used. Seems the best way to handle this. I do not rely on SMS for normal account access but rather my computer and mesh network security and best practices.

I think I am using all VG's security features. I believe there are other VG protections that don't make transferring account money at all likely.

Any other suggestions for Vanguard?
 
Any other suggestions for Vanguard?

I do have it turned on so that they text me when I do a transaction or some change is made. Also, I nearly always log in daily to Vanguard. I specifically look to see if any transactions have been made or are pending. I also look at messages on Vanguard. I figure that this at least gives me a chance of stopping something before it gets completed.
 
Here you go: https://2fa.directory/#banking

Support for 2FA is pretty widespread, but support for authenticator apps and physical keyfobs (like Yubikey) is very spotty. Vanguard still doesn't support authenticator apps (like Authy), which is bewildering to me. And Ally doesn't support any kind of authenticator, hardware or software!

Hmm, only a couple of my accounts are supported but they're pretty small accounts.
 