Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Security questions (2FA, Lastpass authenticator, etc.)
Old 08-25-2021, 05:09 PM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,650
Security questions (2FA, Lastpass authenticator, etc.)

Questions for the security informed here:
1) If I use my iPhone with an app from the app store and then login with facial recognition on my secure wifi at home, is that basically two factor authentication (something you physically have and something you know)?

Example: I use the Vanguard app with facial recognition on the iPhone. Is that 2FA or equivalent?

2) Would security be even better if I turn off wifi (home) calling and use cellular while doing this?

3) Is #1 or #2 superior or equivalent to using the Lastpass authenticator? I have no experience with the Lastpass authenticator but I do use Lastpass all the time.

It seems that using the iPhone to check my financial sites is really easy but I want to be quite secure too.
Lsbcal is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 08-31-2021, 12:05 AM   #2
Recycles dryer sheets
 
Join Date: Sep 2016
Posts: 332
I have not used an iPhone in years, and I am not claiming expertise but I believe:
1) No. I would not consider this an example of two-factor authentication. I suppose it could be considered a form of two-factor the first time an App was loaded, where you had to enter normal login credentials (e.g. username + password) and then use the phone's bio-metric capability to authenticate to bootstrap the proces. But thereafter from my perspective it is only device authentication backed by bio-metrics.

I have also wondered how apps are written that utilized this approach. a) How the bank trusts that its phone app has not been later compromised, b) what does the phone app communicate back to the bank to indicated that the person has been authenticated, as it would seem unwise for the app to have cached any prior credentials or to just send a binary yes/no indication that the person has been authenticated.

2) Probably not. If your home wifi is running very old security protocols then this could be an issue. Or if you really do not trust your home internet service provider. But otherwise I don't think there is much extra security to be gained.

3) I have not used a separate software based authenticator but have considered it for sites that accept it in place of SMS. It would arguably increase security over approach #1, except if you are using the phone to both login to the bank (App) and run the Lastpass authenticator it would seem to be practically the same. If you were using a phone for the authenticator and tablet (something with bio-metrics) for the App then arguably more secure as a person would need both devices.
triangle is offline   Reply With Quote
Old 08-31-2021, 01:15 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2008
Posts: 7,202
Quote:
Originally Posted by Lsbcal View Post
Questions for the security informed here:
1) If I use my iPhone with an app from the app store and then login with facial recognition on my secure wifi at home, is that basically two factor authentication (something you physically have and something you know)?

Example: I use the Vanguard app with facial recognition on the iPhone. Is that 2FA or equivalent?

2) Would security be even better if I turn off wifi (home) calling and use cellular while doing this?

3) Is #1 or #2 superior or equivalent to using the Lastpass authenticator? I have no experience with the Lastpass authenticator but I do use Lastpass all the time.

It seems that using the iPhone to check my financial sites is really easy but I want to be quite secure too.
No. FaceID or TouchID is just verifying the password you have at Vanguard.

2FA would be to get a code texted to you AFTER you enter your login and password.

It's the second-factor.

I use a Google Voice number for 2FA, not regular texts or SMS. Hackers have fooled telephone companies into giving them control over cell phone numbers, so that if they have your password, now they get texts to their phones with the 2FA code, not you.

Unfortunately, most financial institutions use regular texts for 2FA. Some won't even accept a Google Voice number, which is more secure than SMS>

One of the few exceptions is eTrade, which requires that you append an always-changing numerical code to your regular password. The number generator app is called VIP from Symantec.

You also need to secure your main email accounts with 2FA, since often, financial institutions tie your login to an email account.

Also some institutions will offer to email you the temporary code rather than send a text.
explanade is online now   Reply With Quote
Old 08-31-2021, 03:55 AM   #4
Moderator
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 23,920
Much better than a text message for 2FA is to use an authenticator app on your phone. There are quite a few of them, they are free, and are very secure.

I've used the Symantec VIP app for years with a number of financial and other accounts, and it has never failed me. It even works on my Apple Watch. There is a six digit number shown by the app that changes every 30 seconds. You enter that on the site after entering your password.

The combination of Face ID, password, and authenticator app is about as secure as you can get.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 08-31-2021, 05:03 AM   #5
Recycles dryer sheets
 
Join Date: Jan 2011
Location: Hilton Head Island
Posts: 301
Two Factor Authentication is traditionally 2 of the following 3 items:

1. Something you know (password, PIN, security question)
2. Something you have (token, phone, code generator)
3. Something you are (face, fingerprint, retina, voice)

Using 2 of the same things like 2 passwords or a password and a security question is not actually two factor authentication...but it is better than just one.

The idea of using a SMS text message is that it is supposed to go to your phone (something you have) to compliment the password (something you know) you entered on your laptop. It gets messy when you use your phone app to enter the password.

When your phone saves your password, then it is uses facial recognition to confirm who you are, and then it sends the password to your bank for you...so it is only 1 factor authentication to the bank.

LastPass and other password generators are just creating and saving complex passwords. Some of them may change your password at every logon...but it is still one factor authentication.

The text message or phone call after you entered your password is a pretty decent form of two factor authentication for the general consumer because it is easy to use for most people. Can it be compromised? Sure, if someone can duplicate or spoof your phone.

When using financial sites, I recommend getting alerts (text and/or email) when transactions occur. This should let you know if something happens that you did not initiate. That will give you the opportunity to work with your financial institution and lock things down, and possibly reverse the transaction. Credit card transactions, for example, may take a couple days to clear.
levindb is online now   Reply With Quote
Old 08-31-2021, 05:36 AM   #6
Recycles dryer sheets
 
Join Date: Jun 2021
Posts: 65
Others covered this well, but I'd also add that if you have the choice between text authentication or using an authenticator, ALWAYS choose the authenticator. Text authentication is not nearly as secure (just google sim swapping to see what I mean). I really wish companies would stop thinking of our phone numbers as some secure magic thing; they're not.
Kerfuffle is offline   Reply With Quote
Old 08-31-2021, 05:42 AM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2008
Posts: 7,202
Do people have a list of institutions which use authenticator apps instead of texts?

Seems like a small minority.
explanade is online now   Reply With Quote
Old 08-31-2021, 05:49 AM   #8
Moderator
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 23,920
Quote:
Originally Posted by explanade View Post
Do people have a list of institutions which use authenticator apps instead of texts?

Seems like a small minority.
I use mine at Fidelity, Schwab, USAA, Amazon, one hobby site, and a couple of government sites.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 08-31-2021, 06:44 AM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 12,614
I use 2FA with an authenticator app when possible.

In other words, I collect the QCR codes. Some places include Amazon, Facebook, Newegg, Kickstarter, Dropbox.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 08-31-2021, 08:33 AM   #10
Thinks s/he gets paid by the post
Sojourner's Avatar
 
Join Date: Jan 2012
Posts: 2,484
Quote:
Originally Posted by explanade View Post
Do people have a list of institutions which use authenticator apps instead of texts?

Seems like a small minority.
Here you go: https://2fa.directory/#banking

Support for 2FA is pretty widespread, but support for authenticator apps and physical keyfobs (like Yubikey) is very spotty. Vanguard still doesn't support authenticator apps (like Authy), which is bewildering to me. And Ally doesn't support any kind of authenticator, hardware or software!
Sojourner is offline   Reply With Quote
Old 08-31-2021, 09:19 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
ExFlyBoy5's Avatar
 
Join Date: May 2013
Location: ATL --> Flyover Country
Posts: 6,649
My preferred 2FA is a physical key, such as the Yubikey. Unfortunately, there aren't a whole lot of commercial enterprises using them for customers which I think is a shame.

We were using a version of this in my Air Force days (common access card or ID that had a chip) that interfaced with almost every single application/program you had to use...and I have been out of that game for almost 7 years! Why it hasn't been more widely adopted, I don't know.

At least more organizations are allowing you to use authenticator apps, this is a step in the right direction.
__________________
FIRE'd in 2014 @ 40 Years Old
Professional Retiree
ExFlyBoy5 is offline   Reply With Quote
Old 08-31-2021, 12:24 PM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 5,772
This is a bit off to the side because itís specific to the iPod Touch, which I love.

The LastPass app (what you get on the App Store) has been failing to launch on the Touch. After quite a bit of investigation I decided the problem is related to Yubi. The app assumes it can load a specific Yubi-required library that isnít present on the Touch (NFCcore). Why isnít it present? Because the Touch doesnít have an NFC chip.

Iíve raised this with LastPass (Logmein) and while they acknowledge it, they havenít fixed it.

This ONLY applies to the Touch, LastPass on iPhone works fine.
__________________

steelyman is offline   Reply With Quote
Old 08-31-2021, 12:47 PM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,650
Thanks for all your replies. When I looked up 2FA for Vanguard I saw:
Quote:
The index fund company Vanguard supports two-factor authentication (2fa) with SMS. SMS is known to be the worst form of 2fa, because it is vulnerable to so-called SIM-swapping attacks. In this type of attack, the malicious party impersonates you and tells your telephone company you've lost your SIM card.
We use a pretty strong password with our mobile service provider. If news comes in of a breach I immediately change the password. The only SMS we will receive is if another computer other then my up to date PC is used. Seems the best way to handle this. I do not rely on SMS for normal account access but rather my computer and mesh network security and best practices.

I think I am using all VG's security features. I believe there are other VG protections that don't make transferring account money at all likely.

Any other suggestions for Vanguard?
Lsbcal is offline   Reply With Quote
Old 08-31-2021, 01:44 PM   #14
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 5,237
Quote:
Originally Posted by Lsbcal View Post

Any other suggestions for Vanguard?
I do have it turned on so that they text me when I do a transaction or some change is made. Also, I nearly always log in daily to Vanguard. I specifically look to see if any transactions have been made or are pending. I also look at messages on Vanguard. I figure that this at least gives me a chance of stopping something before it gets completed.
Katsmeow is offline   Reply With Quote
Old 08-31-2021, 01:45 PM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2008
Posts: 7,202
Quote:
Originally Posted by Sojourner View Post
Here you go: https://2fa.directory/#banking

Support for 2FA is pretty widespread, but support for authenticator apps and physical keyfobs (like Yubikey) is very spotty. Vanguard still doesn't support authenticator apps (like Authy), which is bewildering to me. And Ally doesn't support any kind of authenticator, hardware or software!
Hmm, only a couple of my accounts are supported but they're pretty small accounts.
explanade is online now   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How do you protect ? (devices, 2FA, etc.) wanaberetiree Technology, Media & e-Gadgets 41 05-10-2021 11:49 AM
Lastpass and Dashlane ?s Katsmeow Other topics 10 07-05-2017 02:28 PM
LastPass Users Vulnerable to Devastating Phishing Attack ClockWatcher Other topics 60 01-29-2016 01:33 PM
LastPass hacked MichaelB Other topics 25 06-19-2015 12:54 PM

» Quick Links

 
All times are GMT -6. The time now is 02:50 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2023, vBulletin Solutions, Inc.