• Phones and MFA

    #2662274

    HARDWARE, by Susan Bradley: How do you plan for getting rid of your old phone? Eventually, you will get a new phone. Perhaps you dropped your iPhone 9 i
    [See the full post at: Phones and MFA]

    Susan Bradley Patch Lady/Prudent patcher

    • #2662308

      Never used nor needed MFA app.

      Logging into my bank account using iPhone and FaceID.
      Still get SMS/Notification with digital code from some services (including Apple).

    • #2662345

      The most robust kind of authentication is a device such as Yubico’s YubiKey. It combines hardware tokens with biometric checks — you must touch the key’s fingerprint reader to authenticate.

      Sadly, I’ve yet to see this kind of authentication be supported by financial institutions; admittedly, it’s expensive.

      Most YubiKeys don’t include a fingerprint reader, and those that do are two to three times as expensive (for the convenience of not typing a PIN).

      Bank of America has supported YubiKey authentication for three years.

      • #2662423

        Susan Bradley Patch Lady/Prudent patcher

        • #2664849

          “Only for high value transfers, not day to day logging in.”

          In Denmark, if you log in via a browser, this is now compulsory, and has been for years. A keyfob giving a OTP or a FIDO dongle is used, issued by a state operator. For the brave/foolish/impatient there is also a smartphone app, but it contains a number of the usual security compromises for the sake of convenience, apart from being buggy.

          I’m not sure that I would trust Face Recognition for that level of use, but I suppose it is better than nothing.

    • #2662337

      I have noticed that the credit union and my credit card app that I use will send a code by text or call your cell phone and not use MFA apps.

      • #2662592

        This practice needs to stop. SMS is not secure, and this has been known for many years.

        -- rc primak

    • #2662348

      Please define MFA somewhere – it took me a while to figure out MFA was Multi-Function Authentication. (This is just a gentle request from someone who has forgotten to define an acronym a time or two in my career.)

      • #2662398

        MFA is “Multi-factor Authentication”. It is usually something you know (ex. username and password), 1st factor, with something you physically possess (like sending a code to your mobile phone with SMS), the 2nd factor.

        The idea is that if you lose or have stolen the 2nd factor you would report it and that factor would be disabled and likely change your password in the process. If someone steals or guesses your password but doesn’t have the 2nd factor, that password would be useless to them.

        My earliest use of a 2nd factor was an RSA token which generated a new one-time password (OTP) every minute for my company’s VPN for remote access.


    • #2662399

      Great article but one comment about MFA. For those users who use DASHLANE as a password minder, they are discontinuing their embedded authenticator app very soon. Folks using it need to migrate immediately.

      • #2662594

        Dashlane and many others are transitioning to Passkeys. So no one needs to migrate away from Dashlane because of this change. Passkeys are more secure than previous types of authenticator apps. Get used to Passkeys, because they are going to replace passwords in the not too distant future.

        -- rc primak

    • #2662499

      MFA (“Multi-Factor Authentication”) is also sometimes called 2FA (“Two-Factor Authentication”) or 2SV (“Two-Step Verification”). My webpage has a fuller explanation of the principle behind it, as well as some of the pros and cons of the various methods.

    • #2662507

      I use a YubiKey when logging on to Vanguard since 2018. I have two keys registered with them. So when I provide username & password, I am then instructed to insert the YubiKey and tap the button on the key. Great! Except if I decline or don’t have a key handy, Vanguard reverts to the good old SMS message. I understand why this is done, but it still isn’t the iron clad security one might wish. BTW two keys are registered so that if one becomes non-functional (fill in your choice of problem) you know where the second one is and can use that to quickly gain access to de-register the non-functioning one.

      I agree with Susan that it is very frustrating each financial institution seems to have their preferred MFA solution (not SMS messaging that is) and some won’t work with others. This is the major reason I have been reluctant to use MFA apps/devices that banks favor. SMS messaging isn’t the best MFA security but it beats not having any MFA security.

      Another issue with the YubiKey can arise in that not all browsers work with them. I now use Brave and had to turn on a USB capability (or something like that – I forget, it was a few years ago). Vanguard recommends Google Chrome or Microsoft Edge.

    • #2662562

      But increasingly, an authentication app such as Microsoft Authenticator, Google Authenticator, or Authy is required. And it would be nice if you could choose your own — however, you may be forced to use several, based on the requirements of the company with which you’re dealing.

      When you end up using more than one MFA app, there is a minor annoyance. You’ll need to remember which app to use for which service. Even the services are coy; when they ask you to authenticate, they don’t remind you which app to use. That’s good for security, but tough on your memory.

      You can choose. You don’t need to remember. You only need one:

      Microsoft Authenticator, Google Authenticator and Authy are compatible and interchangeable for Time-based One-Time Passwords (TOTP). TOTP is an open standard defined in RFC 6238, which allows these apps to generate short-lived authentication tokens used for two-factor authentication (2FA). Because of this standard, you can use any of these apps to scan the same QR code or enter the same setup key when enabling 2FA for an account.

      This means that if a service suggests using Google Authenticator, you can also use Authy, Microsoft Authenticator, or any other app that implements the TOTP standard to set up 2FA. Each app will generate the same one-time passwords based on the shared secret key and the current time.

      Did you know? TOTP is an open standard, so any time an app says to use Google Authenticator, you can scan the QR code with Authy, Duo, Microsoft Authenticator, or any app like those that implements the standard.

      https://www.twilio.com/en-us/blog/authy-api-and-google-authenticator

      But Microsoft Authenticator has more features than Google Authenticator:

      Microsoft Authenticator vs Google Authenticator: A Quick Comparison

    • #2662570

      I’d like to see a similar discussion about wiping personal information from Smart TVs prior to disposal.

    • #2662571

      I definitely do not understand people who change their email address from time to time. You want a “lifetime” email address, something that will remain the same as long as you live — and also briefly after that.

      Disagree for personal phone numbers. Business numbers are a different matter. I change my personal phone number every time I buy a new phone. I think it is good “infosec.” It takes a little effort; you must keep the old phone up and running for a month while you change numbers on your various online accounts.

      It’s the same idea as declaring email bankruptcy. Delete the old account, create a new one, and only give your new address to those with whom you want to correspond. With the advent of email aliases, email bankruptcy may not be necessary for much longer.

      Now if someone would just invent phone number aliases …

      • #2662596

        Cell phone number portability is the norm for non-business users. Like my primary email addresses, my cell phone number is registered so many places that changing it would be a major hassle. All those places would have to be contacted. I would have to prove who I am. There would be delays in restoring access. Nope, not going to give up my number. Once the porting process is complete, the old phone’s SIM or eSIM can’t be used with the number anymore.

        -- rc primak

      • #2662754

        Now if someone would just invent phone number aliases

        Apps already exist to do that!

        25 Best Second Phone Number Apps

    • #2662628

      The other way to avoid dealing with MFA apps is by using a “token,” a battery-operated device that syncs with a server looking for a matching code. These are low-power devices, so the battery lasts several years. It’s unlikely you’ll be caught short, with no way to authenticate.

      What kind of device are we talking about here?

      Are there any to recommend?

      I use an old flip phone and I want to avoid buying even a cheap android smartphone if I can avoid it.

      • #2662631

        Two-Factor Authentication Methods – Tokens & Passcodes | Duo Security

        Scroll down and you can see the hard token. But you have to check what the web site/vendor supports.

        Some banks have their own branded hard tokens.

        Susan Bradley Patch Lady/Prudent patcher

        • #2662784

          It seems I have fobs and tokens for everything these days. I may need to get a larger keychain.

          -- rc primak

      • #2663157

        I only use flip phones too. A couple of years ago, for two-factor authentication with OKTA, I was set up with Google Authenticator and a QR code on my PC. On the other hand, for another network, a smartphone (web-connected) was required because of some Cisco requirement. I prefer flip phones because my only use case is telephone service. For computing, I want a mouse and a keyboard – primarily, for file management and editing. I once had a tablet, a Jornada by HP, and I have two Spectres – all had/have touchscreens. I thought I would learn to use the pen on the Spectres, but I never find the time to learn how to make it useful. I hope 4G remains available in my area.

    • #2662778

      Two-Factor Authentication Methods – Tokens & Passcodes | Duo Security

      Scroll down and you can see the hard token. But you have to check what the web site/vendor supports.

      Some banks have their own branded hard tokens.

      Thanks. I’d need something for the Microsoft Authenticator. It’s the only one my company accepts.

      And I also notice the MS Authenticator only goes on smartphones and not laptops or desktops.

      I’d need something that bypasses me having to buy a new phone.

    • #2663071

      Anytime a web account requires a cell phone for MFA/2FA, I do my best to switch to a more secure method. Cell phones and their cell numbers are least secure.

      Do authentication from safer form factors, a desktop or a laptop.

      Use safer MFA methods:
      – A password protected authenticator where you can backup the authenticator keyfile
      – Multiple hardware security keys such as a USB YubiKey or a timer-based token.
      – EMail to get those 6 digit codes, also protected by the two MFA methods above
      – A virtual phone number protected by the safer methods above

      For critical accounts such as EMail, have multiple MFA methods available.

      While I do own a smart phone, high security accounts cannot be accessed from it. Also, when traveling by air, biometric authentication is disabled on the smart phone and laptop.

      When a web account requires a phone number, the last 4 digits are added to the notes section of our password manager, so we know what to do if the number is lost or stolen.

      All accounts should be in a password manager, whose password vault is backed up to multiple locations, and includes the MFA methods used in the notes section for each entry.

      So, no single point of failure.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2663201

      Great article Susan. Thanks.

    • #2663371

      Ever since Brian Livingston’s article on password managers, I have devoted a great deal of time, trying to figure out how these things work. I have been using KeePass and its auto-type feature for years. It works quite well for most logins, most of the time, but there are frequent occasions that require its tweaking or simply the need to copy and paste or drag and drop the login credentials. Being the lazy guy I am, I started to experiment. This led me down the 2FA path, for which I had been using text messages exclusively. This led me back to KeePass. There are a couple 2FA plugins that work quite nicely here. The one I settled on is called KeeOtp2. This plugin has the ability to either read the QR code created on a website for 2FA, or to copy the posted secret string for pasting it into the KeePass entry. Either way, once created, you can monitor or copy and paste the varying six-number numeric onto the requesting website to complete the login process. This particular plugin also has the ability to create the QR code from the secret string, thus making it a breeze to add the 2FA credential to a different device, like a phone. I have monitored my PC’s and my phone’s displays as they go through a few cycles, and they are right in synch.

      This leads me to ask the question, what difference does it make what brand of authenticator app one uses? If a website says it needs Authy for 2FA, and KeePass and Authy are both showing the same number, it shouldn’t matter.

      I’m still finding that especially for my critical accounts, text or email messages are the only means offered for 2FA. I’ve got one account that allows the app, but the two-factor screen also gives the option of using text or email. Seems to defeat the purpose of the app.

      So, I’ve settled back in with KeePass, using the KeePassHttp-Connector plugin (browser extension), available from the Chrome Webstore. This works much better than auto-type. Combined with the KeeOtp2 plugin for 2FA, even complicated logins are a breeze. There is a similar plugin from the Microsoft store called EdgeKeePass, which works the same, but not as well for tricky websites, such as those requiring three fields for logins.

      Casey H.

    • #2663566

      This leads me to ask the question, what difference does it make what brand of authenticator app one uses? If a website says it needs Authy for 2FA, and KeePass and Authy are both showing the same number, it shouldn’t matter.

      For websites that follow the otpauth standard, you are correct. Google Authenticator, Microsoft Authenticator, Facebook Authenticator, LastPass Authenticator, Authy, WinAuth, KeePass, Bitwarden, et al., are all functionally identical and will produce the exact same results. If a website offers any of these choices, you can be certain any of the alternatives will work just as well.

      Beware that not all websites follow the standard, though. For instance, sites like eTrade.com and, IIRC, the US Social Security Administration will insist you use a proprietary authenticator instead of standard TOTP authenticators.

      There’s a nice little webpage that lets you play with TOTP QR codes. (It also allows you to load a QR image and will decode the parameters for you.) As you enter parameters, the QR image changes in real time, and the line right above the image shows the “otpauth” text string that is encoded in the image.

      When a given website generates a QR code for you to scan into your authenticator app, this text string is all the app sees. There is nothing in there that is specific to any brand of authenticator, so it should be apparent that the brand of authenticator is immaterial.

      I’ve got one account that allows the app, but the two-factor screen also gives the option of using text or email. Seems to defeat the purpose of the app.

      You’ve hit the nail on the head, Casey. Sounds like you’ve already figured this out, but for the benefit of others reading this thread, pay attention to Casey’s point here. Security is only as good as the weakest link. If a website lets you bypass your TOTP authenticator app and ask the server to send you a code via SMS instead, then a hacker could do the same. The superior security provided by an authenticator app is all for naught if the bad guys can go around it and revert to SMS.

      After enabling an authenticator app on a website, I prefer to go to my account settings on that website and disable any SMS/voice option.

      I do like to have a backup authentication method in addition to the authenticator, though, so maybe that’s email (and no SMS/voice option), or a hardware token, or maybe an account “recovery code” that can be written down and saved. It depends on what 2FA options a given website offers. There are desirable reasons for allowing multiple authentication methods, but if you do, be sure you recognize your actual security is only as good as the method most vulnerable to compromise.

    • #2664373

      How do you plan for getting rid of your old phone?

      I use my wife’s old iPhone as a camera. She had a small iPhone, and the camera is excellent quality.

      As for logging into my bank account when I have a flip phone, not only could I not do that, I couldn’t even talk to them on the phone, because I was unable to read the authentication text message back to them while talking to them! (I would have had to hang up the call in order to read the text message.) They finally enabled PIN access on my account, so all I need to do now is enter the PIN when I call them or when I log in.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server