Do you use Google or Facebook Logins when prompted for a new website?

Nice to see Optus will commence two-factor authorisation, such as a PIN sent to a smartphone. Hard to understand why they hadn’t done it earlier.

2 Likes

It wasn’t done earlier as it wasn’t mandated. The Australian Communications and Media Authority has now mandated all mobile carriers to use two factor verification, the main driver being to prevent fraudulent mobile porting.

2 Likes

The only problem being that it permits SMS - a communications method that is ancient and insecure - as one of those authentication factors.

Here is a link to the ACMA announcement, and one to the relevant Determination. Unfortunately the official version does not provide a decent English language interpreter, so one of my previous links is to a sales-critter’s website.

Poking a little further, it is not at all clear what the Determination means by “account information authenticator”. This term is defined as:

account information authenticator means a process used to establish that the requesting person is the customer, or is the customer’s authorised representative, for the telecommunications service based on the requesting person’s knowledge of a piece of the customer’s account security information.

That is one of the two required factors, the other being:

personal information authenticator means a process used to establish that the requesting person is the customer, or is the customer’s authorised representative, for the telecommunications service based on their knowledge of a piece of the customer’s personal information that is not account security information.

And of course telecoms carriers are expected to interpret this. It is always fun to try to make sense of regulation.

3 Likes

Not the only problem. Another problem is a mobile service that is data only (e.g. not being used in a phone) and hence doesn’t have the interface to receive an SMS (and also doesn’t have the interface or capability to run an authenticator app).

It remains to be seen what is done about that. I think they will accept email as an alternative which, also, for all intents and purposes is insecure.

While SMS is insecure, it is still better than not using a second factor at all.

This is sensible. I do the same. No, no, no FB; I use YuToob but don’t have an account nor any subs. Yes, I am honest with banks and important useful sites (Choice), but mostly if I cannot quickly sign in with an alias ID then I will lie. However, using an Android phone it appears that I can do little without the knowledge of ggl.

1 Like

I should have mentioned that some password managers allow login details including passwords to be exported into a readable file (such as ASCII text files). While this isn’t generally recommended, one can export the file and use an extremely strong encryption program (128+ bit) to save a copy locally (or as part of a standard routine backup) in the event the password manager crashes.

Alternatively, if one has a safe or secure storage location, an unencrypted version could be kept (electronic or paper print).

Any kept copies of password manager export data files have risks which one must consider before using this as a form of backup.

Don’t print it while you are in the office. Many business-grade printers now store everything they print on internal hard drives. This is a problem for a lot of businesses that would like to dispose of the printers while keeping their proprietary information to themselves, but also for individuals who use the office printer for personal purposes.

I listen to an IT Security podcast whose host routinely prints out QR codes when enabling two factor authentication on his phone app. Next time he changes phones, he unlocks his cabinet and pulls out the printed codes and rescans them on the new phone - in some cases saving quite a lot of work in reactivating all those existing accounts.

There is a big difference in security risk between online and the physical world. Online attacks can come from any other Internet user, but to get to your printed passwords one needs to physically break into your home and access the storage where those passwords are kept. When weighing up relative risks, unless you work for ASIO or in some other extremely secret squirrel area the physical attacker is more likely to steal your computer and TV than a stack of paper.

If you do work in some secret squirrel job, what are you doing posting in this forum and giving away potentially valuable information about yourself (including the way you write)?

4 Likes

No.

1 Like

No, I avoid using FB or Google logins.

I use:

  1. 6 free email addresses from Firefox. These are for sites that are a bit risky
  2. A few other slightly less disposable email addresses for subscriptions etc.
  3. My 2 main email addresses for anything important for sites that I would generally trust

I also use a password manager and unique passwords for each site.
This has only been a problem once, when I had left both my laptop and phone at home and needed to access some websites from a friend’s phone… the password manager wanted to verify the new device using either email or other 2FA and I didn’t have access to either of these. So I think it’s worth knowing the password for the email address used for the password manager!

3 Likes

The words “10 foot bargepole” spring to mind.

That comment may be a bit terse.

I think what you mean is:

“password manager” - good

“online password manager” - not so good - don’t touch with a 10 foot bargepole

I would like to add

Accessing anything from someone else’s device carries with it some risk. You must trust the friend and you must trust that the friend’s device has not been compromised by a third party.

1 Like

True enough. In this case, it was actually my mother’s phone and I set up the security on it for her, so I was confident with that. Even so, I would be careful to delete anything, not save any passwords, etc. since she’s still not great at security.

3 Likes

I never use FB to log in, but use a Google (or Yahoo mail) email address which I have set up for privacy and spam. I recommend, if you are using Firefox, an extension called Facebook Container. It alerts you when logging into sites and blocks FB tracking your web movements etc.

1 Like