Two factor auth


#1

Guess I’m part of the 90%, but I’ve always hated two factor that involves mobile somehow.

Unfortunately, that seems to be the most common way…

There’s no way I’d bother with that crap for gmail, I’d rather just close the account.


#2

Is there a better way to do two-factor that doesn’t involve mobile? There are, of course, things like Yubikeys and the like for real security pros, but most people don’t have such things…


#3

I actually work for a company called Miracl trying to solve that problem.
We’ve a cool solution that allows for 2 factor in the browser.
I post only for interest's sake, not to shill 🙂


#4

It only occurred to me today, during a conversation, that I’d be sunk if I lost my phone. If I break it, I can take the SIM out and put it in a new phone and I’m fine. But if I lose it? I can’t receive SMSes, and so I can’t log in to anything. This is not ideal. Suggestions for how I can solve this problem?

(I mean, clearly the thing @peterthehermit describes would solve it, but all the 2fa systems people I use have implemented – Google, Twitter, etc – don’t use it :))


#5

Yeah, I’ve been in exactly that situation.
My phone took a bath on holiday and I could get into nothing; I would have been screwed, but I had backup codes in my wallet.
What may work for you is Authy, as you can back up the token.
They even offer a backup solution themselves:
https://authy.com/blog/how-the-authy-two-factor-backups-work/
I know you can use Authy with Google and Twitter; it might not work for everything, but it’s fairly ubiquitous.


#6

To add to this problem: if you are using Google Authenticator on your device, you may think that it’s linked to your Google account, so if you transition to another device and log in to Google it will go with you.

The authenticator is local to your phone, and in order to transition (at least the last time I checked) you had to either:

  • adb copy the raw db from one device to another and hope it works (which it did the times I tried)
  • go through a Google process which involves both phones being in the land of the living.

I understand why there is this conundrum, but it’s not obvious in these cloud days we live in, when data moves with your account.
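The two posts above (#5 on Authy backups and backup codes, #6 on Google Authenticator living only on the phone) both come down to one fact: a TOTP authenticator is nothing more than a shared secret plus a clock, so whoever holds a copy of the secret can regenerate the codes on any device. The following is an added example written for this thread, not code from Authy, Google or any of the posters. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, checks a submitted code with a clock-drift window, and shows a set of burn-once backup codes. The secret `JBSWY3DPEHPK3PXP`, the 40-bit backup-code format and the plain SHA-256 hashing of those codes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed example secret, the kind of value a provisioning QR code carries.
# Not a real account secret.
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30


def decode_secret(secret_b32):
    """Base32-decode an authenticator secret, tolerating missing '=' padding and spaces."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=STEP_SECONDS, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32, submitted, at, window=1):
    """Server-side check. Accepts +/- `window` steps of clock drift, constant-time compare."""
    secret = decode_secret(secret_b32)
    counter = at // STEP_SECONDS
    matched = False
    for delta in range(-window, window + 1):
        # No early return: every step is checked so timing does not reveal which one matched.
        matched |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return matched


def export_secret(secret_b32):
    """What an authenticator 'backup' actually is: the shared secret itself. An otpauth://
    URI, an Authy backup or a copied authenticator database all carry this value."""
    return secret_b32


def issue_backup_codes(n=10):
    """One-time recovery codes as a site would issue them: the user keeps the plaintext,
    the server keeps only hashes. Constructed format: 40 bits each, plain SHA-256 on the
    server side (a production service would use a slow hash here)."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored_hashes, code):
    """A recovery code works exactly once; it is burned on use."""
    h = hashlib.sha256(code.strip().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False


def device_loss_demo(at=None):
    """Old phone and new phone produce the same code: the secret, not the device, is the factor."""
    at = int(time.time()) if at is None else at
    old_phone_code = totp(EXAMPLE_SECRET_B32, at)
    restored_secret = export_secret(EXAMPLE_SECRET_B32)  # what a backup or a copied DB gives you
    new_phone_code = totp(restored_secret, at)
    codes, stored = issue_backup_codes()
    first_use = redeem_backup_code(stored, codes[0])
    second_use = redeem_backup_code(stored, codes[0])
    return {
        "same_code_on_new_device": old_phone_code == new_phone_code,
        "server_accepts_new_device": verify_totp(EXAMPLE_SECRET_B32, new_phone_code, at),
        "backup_code_first_use": first_use,
        "backup_code_reuse": second_use,
    }


if __name__ == "__main__":
    print(device_loss_demo())
```

The flip side of this portability is the security property: the secret in an authenticator database or an encrypted backup is exactly as valuable as the second factor itself, so a backup that is weakly protected (or an adb dump left on a laptop) is a copy of your second factor, not just a convenience.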


#7

@sil, Thanks for the heads up. I didn’t realise Google offered two factor authentication as an option. Up to an hour ago I was one of the 90% but no more.
I was a bit reluctant at first to rely solely on my positively archaic LG Nexus 5 to unlock my account should it finally decide to die on me.
I decided to go ahead anyway as you can add an option to receive the code via text messages, which kinda links it to my mobile number instead of the specific device.

Add a few landline numbers just in case so you can receive the code through an automated voice call.
I’ve added the numbers for my home landline and my SIP phone service as well. The SIP phone should enable me to receive an automated voice call from Google pretty much anywhere, probably.


#8

What gets me about 2-factor auth is that the level of extra security you get isn’t higher than the level of pain in the ass it requires.

You’re more than doubling the pain in the ass. The only account I have 2-factor on is my bank account. Now, in order to check my balance, I have to have my phone on me, I have to wait for a phone call, I have to type in a code from my computer onto the phone. The reception at my house isn’t the greatest, so there have been times that I didn’t receive the call at all. This made paying bills an adventure right before work. More than double the pain in the ass.

And in exchange, I’m getting what is hopefully a slightly more secure bank account. In theory, it’s harder for someone else to log in as me (just as it’s harder for me to log in as me). But… the bigger worry is that with every bit of infrastructure that the bank implements to make this happen, there is more room for more possible bugs. If we assume that their setup is perfect, then it makes everything more secure. I get that. It’s unlikely (though not impossible) that a criminal would have access to both my phone and my computer. It’s unlikely that they would find a bug in both my phone and my computer, to exploit this with. But that’s assuming that the setup is perfect, and one consistent thing in computer security (and computer programming, and really any sort of engineering) is that nothing is ever perfect. So, the exact implementation of 2 factor is now suspect, and it could be an additional vector to get into my account that wasn’t there before.

So I actually intentionally avoid 2 factor auth. Make a more secure single factor and I’m all for it, but this just seems like a bad idea to try to account for and patch over previous bad ideas.


#9

I quite like the compromise the Santander online banking website takes. First page you supply your username. If you’ve logged on using this browser before, then on the next page you see the picture and phrase you chose at account creation (to verify you’ve not been hijacked, but before you’ve provided anything too sensitive) and have to provide your password and registration number.

If you haven’t used that browser before, then there is an additional step after supplying your username where you have to provide more information - one of your “security questions” I think, before you can move on.

This is good for me - my place of birth was Gehshycozklqy and my secondary school name was Matnshdkqyjzwqwn whereas I imagine the average person tells the truth.

It’s at least a little better than a straight username/password then “nth letter from your secret word” but not too much more hassle.


#10

For my personal stuff I use KeePass

To unlock the password database I use

  1. a complex memorised password
  2. a key file that is stored separately from my computer

I think that acts as 2 factor auth?

KeePass is open source and runs through Wine, and has lots of nice plugins too.
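As an added example (written for this thread, not KeePass’s own code), here is how a memorised password and a separately stored key file combine into a single unlock key, modelled loosely on KeePass’s composite-key approach of hashing each input and then hashing the concatenation. The hashing layout, the PBKDF2 stretching in place of KeePass’s AES-KDF/Argon2, the 32-byte random key-file format and the HMAC "header verifier" are all assumptions for illustration. What it shows is that the vault opens only when both inputs are present and correct, so a lost key file is as fatal as a forgotten password.

```python
import hashlib
import hmac
import secrets


def make_key_file():
    """A key file is just a second, high-entropy secret. Assumed format: 32 random bytes."""
    return secrets.token_bytes(32)


def composite_key(password, key_file_bytes):
    """Combine both factors: hash each one, concatenate, hash again. Modelled on the
    KeePass composite-key idea; an assumption here, not KeePass's own implementation."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(pw_hash + kf_hash).digest()


def stretch(key, salt, rounds=100_000):
    """Slow KDF so guessing the password is expensive. PBKDF2-HMAC-SHA256 stands in for
    the database's real KDF; again an assumption for illustration."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, rounds)


class ToyVault:
    """Stand-in for a password-database header: keeps a salt and an HMAC verifier derived
    from the stretched composite key, never the key or either factor itself."""

    HEADER = b"toy-vault-header-v1"  # constructed label the verifier is computed over

    def __init__(self, password, key_file_bytes):
        self.salt = secrets.token_bytes(16)
        self.verifier = self._verifier_for(password, key_file_bytes)

    def _verifier_for(self, password, key_file_bytes):
        key = stretch(composite_key(password, key_file_bytes), self.salt)
        return hmac.new(key, self.HEADER, hashlib.sha256).digest()

    def unlock(self, password, key_file_bytes):
        """True only when both the password and the key file reproduce the stored verifier."""
        candidate = self._verifier_for(password, key_file_bytes)
        return hmac.compare_digest(self.verifier, candidate)


def demo():
    """Every partial or wrong combination fails; only the full pair opens the vault."""
    key_file = make_key_file()
    password = "correct horse battery staple"  # constructed example passphrase
    vault = ToyVault(password, key_file)
    return {
        "both_factors": vault.unlock(password, key_file),
        "password_only": vault.unlock(password, b""),
        "key_file_only": vault.unlock("", key_file),
        "wrong_key_file": vault.unlock(password, make_key_file()),
        "wrong_password": vault.unlock("wrong password", key_file),
    }


if __name__ == "__main__":
    print(demo())
```

Note the operational consequence: because the key file contributes entropy the password never had, it protects the database against offline guessing even if the passphrase is weak, but only while the file is kept off the machine that holds the database, and it must be backed up somewhere the password is not.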


#11

My employer began requiring 2 factor authentication a few months ago, and a mobile or landline number is required. Unfortunately I live in an area with no cell service, and getting landline validation codes just sucks. I set up a Google Voice account, registered the # for validation and directed it to forward all my texts to Gmail. Works pretty smoothly from my desk or wherever I might be, and all that is required is to have a tab open for Gmail.

Not that I think 2FA increases security even a little.

How can I have broadband at home but no cell coverage? No idea, that’s just how Vermont is.

