Multi-factor authentication

Status
Not open for further replies.
Heh, just typed up my master list of passwords. There's some 45 passwords that I know of. Well, that my cheatsheet knows of.
 
Originally Posted by OVERKILL
Originally Posted by AlaskaMike
2 factor auth is currently one of the best defenses against compromises. Ask anyone who's ever had their bank account cleaned out because their phone got compromised, and I bet they probably won't be complaining about the inconvenience of 2 factor auth.


This. I use 2FA on everything.
Ditto - everything that can use 2FA should; otherwise you are a hack away from losing your identity, bank account, etc.
 
Seems most security experts are saying 2FA or MFA is broken, in the sense most sites' accounts configure it to also allow recovery via SMS, and SMS hijacking is relatively easy. To rephrase: 2FA itself isn't broken, but account recovery is too weak.

As far as I've seen, Google's Advanced Protection Program is the correct way to do it. But, one should really buy and register two keys, and keep one of them in a safe place, for when you inevitably lose the other one.

As to the OP's complaint "...annoying because I'll leave my phone in the other room and have to go get it". Yes, it's 2FA, you'll have to get the "device you own" periodically. It's a core definition of 2FA. I assume you're getting a software-based "device you own", an authenticator. The other type is a hardware-based "device you own", which are more expensive and slower to deploy.
 
I haven't spent much time with it, but now realize that I've been conflating two different systems. At work we use MS Authenticator, which lives on the smartphone. Now IT made it sound like they themselves had to be involved when I changed phones, but my tech-savvy coworker says he's moved between phones and handled it himself, so I'm not sure to what extent it involves a third party. Seems like something I should be able to move by myself. But on my retirement stuff it is different in that it texts me a code which I then enter into the website, no app involved.

Two different systems. The MS one is annoying only because it's random, it seems, but it's probably doing it every 2 weeks. It's just that when it does it, I have to "approve" every location (?) and every device for that day.
 
Originally Posted by supton
I haven't spent much time with it, but now realize that I've been conflating two different systems. At work we use MS Authenticator, which lives on the smartphone. Now IT made it sound like they themselves had to be involved when I changed phones, but my tech-savvy coworker says he's moved between phones and handled it himself, so I'm not sure to what extent it involves a third party. Seems like something I should be able to move by myself. But on my retirement stuff it is different in that it texts me a code which I then enter into the website, no app involved.

Two different systems. The MS one is annoying only because it's random, it seems, but it's probably doing it every 2 weeks. It's just that when it does it, I have to "approve" every location (?) and every device for that day.


Both systems are MFA. Many account providers will allow you to use either SMS or an Authenticator app; both have their pros and cons. The Authenticator app doesn't tie you to SMS, but if you lose your phone, recovering it can be problematic if you didn't properly secure the recovery code for each of the accounts being secured in this manner, and that in itself is a potential security issue. SMS is dramatically simpler, but if somebody is [censored]-bent on getting your info and already has your password, SIM cloning/SMS hijack is possible.

Ultimately, as I stated earlier in the thread, both will protect you against the typical Russian/Chinese/Indian phishing scam, which, in my experience, is the most common means of having one's account hijacked.
 
Originally Posted by spackard


As far as I've seen, Google's Advanced Protection Program is the correct way to do it. But, one should really buy and register two keys, and keep one of them in a safe place, for when you inevitably lose the other one.

I've been debating buying a Yubikey or a Google Titan key but not all the things I use have USB-C or Bluetooth LE. And not all apps/banks are on board with non-SMS based 2FA challenges yet.

Google has incorporated the Titan M security co-processor into the Pixel 3/3a and perhaps the 4 - the same one used in their security keys. It works on a similar concept as the Secure Enclave on an iPhone 6 or higher. Qualcomm is doing something similar with their Snapdragon SoCs and I think Samsung is using it as part of their Knox suite.
 