• Dealing with MFA

    #2451131

    ON SECURITY By Susan Bradley In my excitement about the three-day weekend for Memorial Day, I left my phone at the office. In years past, I would mere
    [See the full post at: Dealing with MFA]

    Susan Bradley Patch Lady/Prudent patcher

    6 users thanked author for this post.
    • #2451161

      It remains the case, in the UK at least, that many financial institutions will only use text messages as their second factor. That presents a problem if you lack mobile signal in the home. I have found some of them extremely unhelpful in solving that problem, and even sometimes insisting (erroneously) that the financial regulator insists they use text messaging despite its relative insecurity.

      Chris
      Win 10 Pro x64 Group A

      1 user thanked author for this post.
    • #2451195

      When adding an MFA account to my Google authenticator app, I take a screenshot of the QR code and save that and the backup codes to a VeraCrypt encrypted drive. Is there a better way to back up Google MFA? Although I have multiple phones (including my spouse’s) with all my MFA accounts, I believe there is a trick to use my computer to get an MFA ( https://crgsoft.com/how-to-use-google-authenticator-on-a-windows-pc/ ) if I forget my phone, but should I switch to WinAuth? I used to use Yubikeys but I could not get it to work easily and automatically with my phones.

    • #2451248

      On the subject of MFA, I currently use KeePass as my password manager.  It’s free, open-source, and works on my Windows desktop, Mac laptop, Android phone, previous iPhone, etc.  I use a cloud storage account to keep the encrypted file synced between devices (and the cloud storage itself is protected with MFA).  One of the handy features is that KeePass handles authentication codes and generates them on-demand.  But more than that, it can generate the QR code needed to share with a standalone app if necessary.  Having a strong password for the password manager gives me some level of confidence in this method–and seems more secure than a standalone authenticator app on my phone.  And it’s easier than using two separate apps for login and authentication.

      My question is whether this all-in-one approach is a good idea.  I have a couple of Yubikeys but haven’t gotten very far with deploying them.  Maybe my expectations were off, but they seemed overly complicated to set up and use.

    • #2451222

      I faced this problem and have now changed my software. I switched to Authy authentication app. It accepts Google codes to make switching easy. Biggest bang is it runs on multiple devices simultaneously! So I have Authy on my Apple watch as well as Windows desktop and phone or tablet as you choose.

      Totally free and secure from a major security firm. Codes can be backed up as you choose but you still get the latest code from every device. Totally removes my fear and annoyance of having my phone in hand every time I needed a code.

      Best tool ever!

    • #2451337

      In regards to temporarily toggling MFA off, setting up a new PC/laptop/phone/etc., then toggling it back on.  I’ve been curious about doing this, but haven’t yet tried.

      In my case, it’s setting up Microsoft 365 accounts on new laptops. If I toggle Microsoft’s MFA off, install the various Microsoft 365 whiz-bangs, then toggle MFA on, will Microsoft invalidate the original MFA settings, and require the user to set up MFA again? Or, will it be as if nothing happened, and the user will continue with the same old MFA process they’re currently using?

      I’m hoping it’s the latter.

    • #2451446

      My question is whether this all-in-one approach is a good idea

      It’s only a good idea if you can easily reproduce your setup after a disaster.
      It’s really about what you are comfortable using.

      cheers, Paul

    • #2451547

      Online banking itself seems to be a scam. If I die or am incapacitated then I am supposed to know a tech-savvy person who I can trust with all finances. This is a horrible joke played on people of retirement age. Lots of people have had their finances drained by relatives and this just makes it a lot easier. Tell me, do you know someone you trust with all your passwords and financial info?

    • #2451600

      Tell me, do you know someone you trust with all your passwords and financial info?

      Yes, I do.
      No one can access your bank account after you die.. without court approval.

      • #2451606

        You do not necessarily need court approval in the United States. It depends on the circumstances and the conditions the owner of the account had made with the bank. You may need documentation such as a death certificate and will, but court approval is not always required.

    • #2451619

      death certificate and will

      Both usually require court approval.

      • #2451624

        Well, in the United States I have dealt with these situations a handful of times in the last few years and at least in my cases no court approval was needed. Death Certificates were issued by a county medical examiner and the will was witnessed and notarized. The banks were happy or at least satisfied.

        1 user thanked author for this post.
    • #2451762

      The banks were happy or at least satisfied

      Death certificates don’t authorize bank account access. An unchallenged will does.

      • #2451784

        Well Alex5723 if I walk into a bank and say I want access to a deceased person’s account, they will demand proof of death and they will accept a death certificate as that proof. If I only have a will, they will look at it, shrug, and say “so what?” prove to me the person is dead. We can go round in circles all day long but that’s what my experience has been. 🙂 Perhaps things are different where you live.

    • #2451824

      Alex, that may only apply where you are. I have done two in different countries and there was no need to involve a court at any stage.

      cheers, Paul

    • #2451882

      I recently logged into my LastPass Password Manager. It had mentioned that in the future I could go passwordless instead of logging in with a master password. A few methods were listed. The one that I am interested in is using a USB drive. I use LastPass on both my Windows 10 desktop and my (less than two years old) Acer Chromebook Spin 713. I have a USB 3.0 port that I sometimes use with a wireless mouse and to sometimes store various documents onto a 3.0 USB drive. Now I have 2 USB 3.2 Gen 1 Type-C ports. One of which I use for charging up my Chromebook. May I use the other USB 3.2 Gen 1 Type-C port to plug in a USB drive that could meet the requirement for the passwordless feature of the LastPass Password Manager? Now all the details on the USB drive login feature are, to my understanding, in the developmental stage. More info on that will be in the coming months. I would like to use this feature on both my desktop and Chromebook machine. If I am missing something, please feel free to fill me in.

    • #2451899

      It had mentioned that in the future I could go passwordless instead of logging in with a master password.

      LastPass introduces passwordless Vault access

      LastPass, maker of the password management service, introduced support for accessing a customer’s Vault using passwordless technology in June 2022…

    • #2452080

      LastPass Password Manager. It had mentioned that in the future I could go passwordless

      That isn’t really password-less, it’s replacing something you know (password) with something you have (USB).
      If you lose the USB, how do you get your passwords back? If it’s by entering your password and you haven’t used that for a year or so, will you remember it?

      A password may seem less convenient, but it’s hard to lose, can be easily backed up and I can give a copy to a trusted person in case of emergency.

      May I use the other USB

      Yes – assuming they support a hardware key / device that plugs into USB.

      cheers, Paul

      2 users thanked author for this post.
      • #2452117

        That is a valid point. I hadn’t considered that. Though I have written down my master password just in case. If I were given the opportunity to make multiple USB drives in the event that one becomes corrupt or as backups then I don’t see a harm in doing so. But even if the USB doesn’t work, would I still be able to enter my master password manually? That I think should be an option they should consider.

    • #2453840

      Online banking itself seems to be a scam. If I die or am incapacitated then I am supposed to know a tech-savvy person who I can trust with all finances. This is a horrible joke played on people of retirement age. Lots of people have had their finances drained by relatives and this just makes it a lot easier. Tell me, do you know someone you trust with all your passwords and financial info?

      The same person who holds my medical power of attorney. If you don’t have someone you trust so completely, I feel sorry for you.

      1 user thanked author for this post.
    • #2453843

      No one can access your bank account after you die.. without court approval.

      Not necessarily true, depending on how the account is set up and who else you want to have access to it. The smart move is to sit down with the bank to learn your options and with an estate attorney to properly implement the ones you want. NOTHING that could eventually involve hiring an attorney gets better if you don’t set things up correctly beforehand, e.g., before you get hit by a bus.

    • #2453846

      Thank you for addressing something that’s been on my mind since I started using an authenticator app.

      There are many ways you can set up MFA without having a smartphone. In fact, I’d recommend that you set up an MFA “Plan B” — not only to avoid those few pitfalls but also to avoid losing access.

      There is at least one LONG article on this topic, which I, for one, would love to read.
