The Two-Factor Verification code is supposed to be an extra step of security when accessing a website (such as your bank) but when the code comes it appears on the actual device you’re using. You just have to click it below to enter it.
So if a scammer had gained access to your computer/phone, the scammer gets the code on the screen on the device he’s hacked, and not on and only on another of your devices separately.
Is there an alternative question?
How secure is 2FA if one has not adequately protected the device or email account receiving the verification code?
I use 2FA knowing one still needs to manage all aspects of device and account security. 2FA in our home is an added layer of protection. It’s not a substitute that permits one to take fewer precautions in other areas.
The real benefit of the code sent in multi-factor authentication is that it is one time use, and good for only a short time.
So if your userid and password were hacked and put onto the dark web, as mine was a while ago, it is of no use to anyone trying to access the systems that are using MFA.
Now, being sent a code over the phone network or to email is really not secure. Far better are devices that generate the code, and do not need to be part of any network.
I presume you are talking about the TOTP (time-based one-time passwords) apps? Like Google Authenticator, or Authy?
Quite correct. We had one of our phones stolen recently, with all manner of apps useful for spending money - including, of course, our banking app. With the phone in hand, the thief would have had reasonably easy access to all our bank accounts, online shops, and lots more - plus, if challenged, could ask for a verification code to be sent … to the phone!
(In the event, I used a security feature of the phone’s antivirus program to wipe everything, thus preventing any further disaster.)
Absolutely neither of those two.
I am talking about OTP code systems that are independent of any network connection.
They secure against one risk, but how best should the OTP be secured?
Similar advice to one needing to ensure the security of your bank supplied RSA device.
Well, in my experience, the RSA device (which, for those unfamiliar, is about the size of a USB memory stick) was not stored with anything related to its use, like a laptop, nor was it stored with anything I could accidentally lose, like my car keys or wallet.
Not hard to be secure when one thinks about it.
Actually, Wikipedia seems to think that RSA devices might have some security issues. According to their page, although the RSA device (in its physical form) can be stored in the safest place in the world between uses, at some point it has to be taken out into the real world if it is to be used. They say:
A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token
For a high-value system - say, a bank’s or government’s server - I’d imagine that every little bit of extra security, no matter how inconvenient, might be good. Having to go to the wall-safe to get out one’s RSA gadget to log in might be entirely reasonable. Personally, I’ve felt them more trouble than they were worth - and riskier, for fear of being lost or mislaid - in protecting my humble little online accounts.
My point was that the code should only appear on another of your devices, not on the device you’re using.
Can you give an exact description of your experience, please? What sort of devices are you using? Where exactly is the code appearing?
Are you trying to say such as a stolen phone, or a computer where there has been screen sharing/remote access with a scammer?
I think in such cases, even with the most sophisticated authentication system, it is still vulnerable, as an individual is willing to share login credentials with another person - namely the scammer.
Most scams which succeed against 2FA aren’t because a computer/phone is unknowingly hacked, but through the sharing of login credentials with the scammer - such as communicating verification codes over the phone to a scammer.
Unauthorised access to an online account with 2FA needs at least three bits of information to succeed: a user name, password and 2FA code. If one’s login credentials have been hacked, the advice is to immediately change one’s password. Then, to be successful once a password has been changed, a password and 2FA code would need to be communicated to someone to allow access to an online account.
Hmmm. I think your question, @Gaz, may be something like this: you have two phones, call them #1 and #2. You also have an online account of some kind, which you wish to log into. So, holding your phone #1 in your hand, you attempt the login. The account responds by sending you a 2-factor code by SMS… except that they send the code to the phone you are holding (#1) instead of your other phone (#2). And that you think is somehow stupid, since sending to the device you are using adds no extra security at all.
Have I got this right?
It is the case that account name and password are no longer secure. This combination can be broken easily. If this is all that is offered, then use a different pass phrase for each service. A pass phrase is like a short sentence. Or use a password manager, or the one built into your phone (keychains etc.) or browser (passwords.google.com).
2FA delivers a higher level of security than account+password. However, there are different levels of 2FA (email, SMS, HOTP, TOTP and others).
A code sent by SMS is the lowest as a user’s phone number can be easily compromised. Theft of ID and reissuing of a SIM is typical.
A code sent by email is similar as email can also be easily compromised. Never trust email privacy unless you’re using S/MIME and nobody uses that.
But these codes only work once and for a limited period of time. So if somebody does get the code you’ve probably already used it.
The next level is authenticator apps like Google or Microsoft Authenticator (or even your bank app these days) that calculate an identical time-based code independently from a backend system.
These are more secure as the Authenticator app is protected by separate authentication before they work. e.g. face recognition or PIN.
So if this level is offered, install an Authenticator app and learn how to use it rather than SMS or email 2FA.
The next level is hardware-based, like a security key (USB-based devices) or a fob which displays the code on an LCD.
And many more after that.
So each level is designed for different levels of risk. $1,000 needs a low level: SMS or email
$100,000 maybe an Auth app
$1,000,000 maybe a hardware token or fob
And on it goes.
I would disagree that passwords are easily broken. It is the implementation that can make passwords insecure.
The long used four digit PIN for various cards would seem to be hopelessly guessable. But one has only a few goes at it. So in reality very secure.
The short string of digits, six with RSA and most OTP implementations, is also hopeless as all combinations could be calculated in milliseconds.
But very secure as one does not have the ability to try all combinations before the time expires, or access blocked.
Passwords, as we know them, and all the silliness of password managers because people cannot remember them, may well become a thing of the past. And good riddance.
Card and PIN is a two factor authentication system. The second factor being the card.
Two factor systems are characterised by something you have and something you know.
So far as I know, any password can be broken easily - provided that one goes at it long enough (that is, one has long-enough access to it, and patience enough to try). At issue is the length, structure and age of the password. A short simple password can, as you say, usually be cracked quite quickly… but probably not if it is changed every millisecond. It is the long, complicated passwords that are so hard to crack - and to be secure, they need to be stored in a password manager. And then that password manager has itself to be managed - such as by giving it a very strong password, which must then be recorded somewhere of safe-keeping, with suitable fail-safe systems. A password is not the answer: it is only one element of a security system. If people get rid of passwords, all that means is that they will have to invent another comparable element of security to make up the other arm of two-factor security - and that might be far more difficult to manage!
A ‘broken’ password is one that has been successfully guessed and has been used to access a system or decrypt data, or one that has been revealed and now public knowledge.
Now, most people have passwords that never change. Like on their PINs for cards. Or logins to various systems.
Others may have passwords that they have to change regularly, like monthly. And try to keep track of that.
Now think of a password system that can only ever be used once, and can only be used within a few minutes before it expires. Well it has been around for a long time.
OTP, TOTP, HOTP, who cares. Not me. All the same idea.
It is called multifactor authentication. Or MFA. 2FA is a subset where only two verifications are required.
I’m not sure what exactly you are advocating. MFA apparently - and apparently also more than two factors. Also that you don’t like passwords, and reject them as acceptable factors. So what kinds of factors do meet your standards? Assuming that we are all joe-citizens here, and not managing security for ultra-high value systems such as a bank or national security agency, what three or more factors (none of them being a password) do you recommend?