Two-Factor Authentication: Methods and Myths

Having implemented 2FA for secure data systems I can say that it can be a pain for users but does add protection, particularly with systems where the second factor is provided with a short period of validity. For instance, a third-party system I integrated with my company's system issues an OTP (one-time password) over an app which has a minute or two of validity before it expires and a new one is generated. This means that even if something is intercepted over supposedly secure channels, the window for someone to use it with the other factors (username and standard password) is small.

To state that 2FA is flawed is probably not the best way of phrasing it. Perhaps saying it isn't perfect, that it isn't foolproof or 100% secure. "Flawed" when discussing software or technology suggests that there is a fundamental imperfection with the whole concept, or a poor implementation that causes the technology to fail. If 2FA is to be labelled as "flawed" what does that make single factor authentication?

2FA that uses RSA tokens or even the likes of the Battle.net authenticator to log into World of Warcraft really needs you to have access to the physical token to gain access, making it, in my opinion, one of the most secure types. Also the systems that use biometric methods for the second factor are inherently more secure (other than the laughable face recognition systems that can be circumvented with a picture of the person's face).

There is often nowadays a tug of war between convenience and security. If you increase the security to a level where it is close to impenetrable then it will also be edging towards unusability. Often compromises to the security are made if it's something that users have to interact with frequently, obviously factoring in the critical nature of the data they are going to be accessing.
 
If 2FA is not annoying I am sure there will be 3FA coming soon.
2FA is a joke. It says that my super secret password is not safe to put in on computers, so somebody else has to send me another password which does not conform to any password best practice policies and rules to keep it safe.
Basically it's like secret questions without knowing the answers and relying on the secret answer coming to me from a magic provider of secrets.
Pathetic...
 
> If 2FA is not annoying I am sure there will be 3FA coming soon.
> 2FA is a joke. It says that my super secret password is not safe to put in on computers, so somebody else has to send me another password which does not conform to any password best practice policies and rules to keep it safe.
> Basically it's like secret questions without knowing the answers and relying on the secret answer coming to me from a magic provider of secrets.
> Pathetic...

^^^ This is that guy at the gym who thinks the combination lock on your locker should be replaced with a Brinks safe inside an armored security truck inside a bank vault inside a military compound (possibly on the moon) to protect your keys.
 
> If 2FA is not annoying I am sure there will be 3FA coming soon.
> 2FA is a joke. It says that my super secret password is not safe to put in on computers, so somebody else has to send me another password which does not conform to any password best practice policies and rules to keep it safe.
> Basically it's like secret questions without knowing the answers and relying on the secret answer coming to me from a magic provider of secrets.
> Pathetic...

It sounds like you have NO idea what 2FA is. The "stupid" and "not best practice" code you get on a SEPARATE device is in ADDITION to your super secret best practice password that you already use; and not just in addition, but also from a different source/device.
It's like triangulating your exact position using multiple towers, except this is using multiple devices - for your identity.
Do you know how hard it is for a hacker to mimic this? Obviously you don't.
 
The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.

Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99, but you can set PIN or fingerprint protection too, which adds extra security.
 
> The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.
>
> Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99, but you can set PIN or fingerprint protection too, which adds extra security.

THAT is actually really good to know - I am planning on changing phones soon, and it never even occurred to me.
 
> The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.
>
> Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99, but you can set PIN or fingerprint protection too, which adds extra security.
>
> THAT is actually really good to know - I am planning on changing phones soon, and it never even occurred to me.

Use Authy by Twilio instead. It's free, updated, has backups, and a fine UI. It's literally the case that there's no point in paying for a 2FA app like the one above.

Side note, NIST recommended deprecating SMS 2FA. Wish Yahoo would drop it and allow people to use 2FA OTP generation like Google, Microsoft, Dashlane, etc.
 
> Use Authy by Twilio instead. It's free, updated, has backups, and a fine UI. It's literally the case that there's no point in paying for a 2FA app like the one above.
>
> Side note, NIST recommended deprecating SMS 2FA a bit ago. Wish Yahoo would drop it and allow people to use 2FA OTP generation like Google, Microsoft, Dashlane, etc.

It depends on what you want. I for one am not comfortable giving my keys to a third party that could get hacked or, more likely, stop supporting it.
As my Google account has money from surveys that I have to spend on apps or music or lose it, my point is that Google's app will leave you high and dry if you lose or break your phone, so use something else that will back up your keys.
 
> Use Authy by Twilio instead. It's free, updated, has backups, and a fine UI. It's literally the case that there's no point in paying for a 2FA app like the one above.
>
> Side note, NIST recommended deprecating SMS 2FA a bit ago. Wish Yahoo would drop it and allow people to use 2FA OTP generation like Google, Microsoft, Dashlane, etc.

I was talking about just Google Authenticator. I rarely pay for apps, and only if one offers a significantly improved experience over any free version (and is an app I use often - and not many services need 2FA and lack their own built-in solution).
 
> It depends on what you want. I for one am not comfortable giving my keys to a third party that could get hacked or, more likely, stop supporting it.
> As my Google account has money from surveys that I have to spend on apps or music or lose it, my point is that Google's app will leave you high and dry if you lose or break your phone, so use something else that will back up your keys.

It's your money, so I'm not one to say what you do with it. I get that you gotta spend it or lose it though ;)

However, Google is a third party as well, and since the data is stored online there's always the possibility of it being broken into. Twilio is also a large corporation that markets to enterprise needs, so Authy wouldn't be going away anytime soon. I feel safe giving this information to either Google or Twilio, as they are both reputable here.
 
> The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.
>
> Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99, but you can set PIN or fingerprint protection too, which adds extra security.

What do you do when one has no cell phone nor tablet? Can't provide a phone number nor a fingerprint.
 
> The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.
>
> Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99, but you can set PIN or fingerprint protection too, which adds extra security.
>
> What do you do when one has no cell phone nor tablet? Can't provide a phone number nor a fingerprint.

As the article states, you can use a physical authentication key which you plug into the USB port of your keyboard.
 
> The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.
>
> Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99, but you can set PIN or fingerprint protection too, which adds extra security.

When changing phones, install Google Authenticator on the new phone, initiate a transfer in the OLD Google app and scan the QR codes. The new phone then instantly gets the data, and it is removed from the old phone. Not a big deal really...
 
I use it for important things but realistically it's yet another excuse by these companies that aren't protecting data. It's almost never at the user level. It's institutional breaches. But they never get punished for it.

Never had my bank, Amazon or PayPal get hacked, but for virtually everything else my account info is at risk. You can check the site haveibeenpwned.com and put in your e-mail or passwords to see if they're in a breached database.

If there was real, stiff punishment for both just selling data and putting people's private data at risk, you'd see more places actually have security and more lawsuits actually going through on the particularly stupid and lazy places. I once worked at a company that literally just gave away payroll data in a phishing scheme; they didn't bother mentioning anything until many months later and maybe gave that one year of credit monitoring, which is worthless. Had a fraudulent charge get caught by my bank from an online retailer everyone recommended, which I also didn't get notice from for over half a year, after I'd already been breached. Even Newegg spent months with malicious code on their checkout, and did nothing. You can use generated passwords and even 2FA, but if these companies don't have protections it really still doesn't matter.
 
One of the problems is that different entities use different 2FA methods.

Another of the problems is that some people live or work for time periods outside of the US in locations where SMS texts and phone calls will not work. I am familiar with this one. One of my banks (for which I had to close my account since I could not access it) could physically call me overseas, but its 2FA mechanism could not dial the 011 to get the call out of the US.
 
 
I follow and recommend the "Krebs On Security" blog / site. In the not too distant past, Krebs was against using SMS for 2FA, largely because of the spread of SIM-swapping scams. Of course those may be aimed primarily at people known to be high-value targets, and tend to get more press when they occur. It's also possible that the carriers have taken steps to eliminate that.

Anyway, I've decided to pass on SMS 2FA. Maybe one of the alternatives mentioned here would be good, but there's only a couple of sites I really care about.

For those I have an un-guessable password that I can't possibly lose. Establishing any 2FA would just create a path for criminals to get around that safeguard. There's no upside to that.
 
> Anyway, I've decided to pass on SMS 2FA. Maybe one of the alternatives mentioned here would be good, but there's only a couple of sites I really care about. For those I have an un-guessable password that I can't possibly lose. Establishing any 2FA would only serve to create a path for criminals to get around that safeguard. There's no upside to that.

But if your bank forces it on you (even worse with no notice), what are you going to do? Almost all the banks are doing this now.
 
> I follow and recommend the "Krebs On Security" blog / site. In the not too distant past, Krebs was against using SMS for 2FA, largely because of the spread of SIM-swapping scams. Of course those may be aimed primarily at people known to be high-value targets, and tend to get more press when they occur. It's also possible that the carriers have taken steps to eliminate that.
>
> Anyway, I've decided to pass on SMS 2FA. Maybe one of the alternatives mentioned here would be good, but there's only a couple of sites I really care about.
>
> For those I have an un-guessable password that I can't possibly lose. Establishing any 2FA would just create a path for criminals to get around that safeguard. There's no upside to that.

An unguessable password that can't be lost is a great first step, but it ignores the biggest problem. You're not the weakest link in most cases, it's the company/site that usually gets hacked. So you aren't covered if the site/company loses your information either due to an internal hack or an unsecured database. Without 2FA, a malicious actor with a stolen database can get into your accounts without you knowing at all because some site gave them that unguessable password tied to your username.
 
> So you aren't covered if the site/company loses your information either due to an internal hack or an unsecured database.

You're right. I was thinking of 2FA mostly in regard to password recovery if I lose or forget it. 2FA does add security on logins, but if it's also vulnerable to attack it can be used to fake a password recovery. I do have 2FA with my bank, which insists on it, but which allows me to set my landline phone as the method. That's more secure than my cellphone so it's a very strong combo.
 
> When changing phones, install Google Authenticator on the new phone, initiate a transfer in the OLD Google app and scan the QR codes. The new phone then instantly gets the data, and it is removed from the old phone. Not a big deal really...

That's nice, in theory. In practice it can be clunky, as was my case where selecting all my accounts and generating the QR codes did not work properly. I scanned these codes on my new device but only some accounts were imported. So I figured out I had to generate these QR codes in groups of 5 just to be safe. Then importing them properly imported all accounts.

Maybe they fixed this or maybe it's a device specific issue but in my case it was less than seamless.
 
> That's nice, in theory. In practice it can be clunky, as was my case where selecting all my accounts and generating the QR codes did not work properly. I scanned these codes on my new device but only some accounts were imported. So I figured out I had to generate these QR codes in groups of 5 just to be safe. Then importing them properly imported all accounts.
>
> Maybe they fixed this or maybe it's a device specific issue but in my case it was less than seamless.

I guess you can only import so many accounts with only one QR code. The amount of data you can include in a single QR code is limited by its size, so, when you have numerous accounts, I think you have to process them in smaller groups, just like you did. It's a little tedious, but it works, and it's something you don't do every day.
 