and the companies that know better should be fined and sanctioned, particularly the ones that are demanding SMS-based OTP so they can also add your phone number to their social graph
Nonsense. SMS is a great recovery factor, both for people who forget their password, and for those who lose access to their other second factors (e.g. email address or a smartphone app). The thing that makes SMS uniquely good at this is that there is infrastructure around for people to replace their lost SIM cards, and that SMS is available globally (vs regional identity systems like the bank IDs in Nordic countries).
The problem is purely with how some companies are applying SMS as an auth factor. In cases where SMS is being used as a recovery factor, it should not allow immediate recovery. Instead the user should be notified via other channels (email, phone notifications) about the recovery attempt, be given the opportunity to reject it, and the recovery should only succeed if it is not denied after e.g. 3 days.
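The delayed-recovery flow the comment above proposes, as an added illustration (editor's example, not code from the commenter or any real provider): an SMS check opens a pending request instead of granting access, every other known channel gets a deny token, and the requester's completion token only works once the grace window has passed without a denial. The `RecoveryService` class, the `notify` callback and the 3-day default are assumptions for the demo.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_GRACE = timedelta(days=3)  # assumed grace window from the comment's "e.g. 3 days"


@dataclass
class RecoveryRequest:
    account: str
    complete_token: str   # returned to whoever passed the SMS check
    deny_token: str       # sent over the *other* channels (email, push)
    requested_at: datetime
    denied: bool = False
    used: bool = False


class RecoveryService:
    """SMS proves the requester holds the number; it does not reset anything by itself."""

    def __init__(self, notify, grace=DEFAULT_GRACE):
        # notify(channel, account, deny_token) is an assumed delivery hook (email/push).
        self._notify = notify
        self._grace = grace
        self._by_complete = {}
        self._by_deny = {}

    def start(self, account, sms_code_ok, now, other_channels):
        """Open a pending request after the SMS code was verified and alert other channels."""
        if not sms_code_ok:
            raise PermissionError("SMS code not verified")
        req = RecoveryRequest(
            account=account,
            complete_token=secrets.token_urlsafe(32),
            deny_token=secrets.token_urlsafe(32),
            requested_at=now,
        )
        self._by_complete[req.complete_token] = req
        self._by_deny[req.deny_token] = req
        for channel in other_channels:
            # The real owner sees this on email/push and can kill the attempt.
            self._notify(channel, account, req.deny_token)
        return req.complete_token

    def deny(self, deny_token):
        """Owner rejects the attempt from another channel; works until the token is consumed."""
        req = self._by_deny.get(deny_token)
        if req is None or req.used:
            return False
        req.denied = True
        return True

    def complete(self, complete_token, now):
        """Allowed only after the grace window elapsed with no denial; single use."""
        req = self._by_complete.get(complete_token)
        if req is None or req.denied or req.used:
            return False
        if now - req.requested_at < self._grace:
            return False  # still inside the window: come back later
        req.used = True
        return True


if __name__ == "__main__":
    sent = []
    svc = RecoveryService(lambda ch, acct, tok: sent.append((ch, acct, tok)))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = svc.start("alice", True, t0, ["email", "push"])
    print("day 1:", svc.complete(tok, t0 + timedelta(days=1)))   # False
    print("day 3:", svc.complete(tok, t0 + timedelta(days=3)))   # True
```

The point of the two separate tokens is that someone who only intercepted the SMS never sees the deny token, and someone who only reads the email can stop the reset but cannot finish it.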
Not being able to access your account for 3 days when you need to recover your password is not going to be a viable business decision for most services. I think you are SEVERELY underestimating how often the average user needs to recover their password.
My partner resets her Google password every time she logs in. It's just part of the normal flow for her. She probably does it with everything, but I'm not listed as a recovery on the other things.
Something better would be great. She's probably an extreme example, but I think we techy people tend to have a warped view of how comfortable "normal people" are with effective password management.
I.e. use smartphone prompts as the first factor (without causing password resets), while the password is just a backup when the phone is not available.
Tell me. On some little-used accounts of mine I need a new password for every login. Then there's one particular account which never lets me log in. I have to make a new password every time...
wha? Who does that? I don't think that's my problem, though I go crazy every time my password isn't recognized; I go through the process and this message comes up: "you must use a different password". And I can't even just go back to the login menu. It's too late! And I paid money for this account.
I hate having to use a smartphone for auth in general. Especially when I have an app on my phone that expects me to be able to receive an SMS on the same phone. It’s like I need my phone to recover having lost my phone.
> I hate having to use a smartphone for auth in general.
Same, especially since I don't have a smartphone.
Oftentimes I'll go a week without looking at my phone, and by then it has lost its charge, so if an app requires an OTP to do something I often need to wait a while before it's charged enough to receive a text.
I do have a Google Voice number but I've mistakenly used my real number for a few services that frequently require SMS confirmations.
I use Google Voice when at all possible, but there are a few cases where it doesn't work. The easiest way to piss me off is to make me use a USA number that isn't my Google Voice number! It doesn't help that some services won't even let me log in from a non-USA IP when I'm traveling.
No. Send me an email, let me upload my ID, anything but SMS. SMS is completely insecure. Not only can it be passively sniffed along the way, not only can malicious actors intercept it without access, not only can pretty much any employee at my telco access it, not only can pretty much any employee at my telco get tricked into intercepting it, but by default (and therefore for the vast majority of users), it'll show up while the phone is locked!
Google is also a culprit in this same way. Activate normal 2fa, but when you click forgot password, conveniently it says Should we send a code to your phone?
Google does not offer me this option, I just checked.
If I claim to have forgotten my password, the first idea it has is that I should prove I still have my Security Key
Then it suggests it could send codes to my GMail (which might actually be useful if I have another device signed into that) or to another email address it knows about (it deliberately redacts part of each address in case I am not me)
Then it resorts to suggesting I try passwords I remember using on this account. I don't know what happens if I give it a password I haven't used for a few years, 'pass' means I keep a complete git history of Google passwords but I am reluctant to mess with this
> Then it resorts to suggesting I try passwords I remember using on this account. I don't know what happens if I give it a password I haven't used for a few years
I can't say what it does currently but it used to say something along the lines of "you haven't used that password in a while. try something else."
Note that it sends a code to your phone which is logged into your Google account, via a (presumably/allegedly, but at least it's not SMS) secure channel.
(Actually, it doesn't send a code to your phone. It either sends a prompt to your phone, OR you can open a buried menu in some app to GET a - essentially TOTP - code.)
Oh no, if I cycle enough through Other Ways or I don't have my phone (while having my phone number connected with my Google Account), it offers to let me confirm my phone number, showing the number as *** & the last 4 digits.
When I confirm the phone number, it sends a 6-digit SMS code prefixed with G-, like G-123456. The input box on the page already has a read-only G- prefix, & then a box for the 6-digit code. After I confirm the code from the SMS, it gives the option to reset the password.
Most of the forgot-password ways to reset the password are a Tap-on-other-device prompt OR getting a code from the Google app.
Sample Google SMS reset code with a fictional number:
```G-007007 is your Google verification code.```
After I removed the phone number, now if I click Other Ways enough times, it simply says: give us the information about the last time logged in, creation date, some address I email frequently, & some other stuff, & says it will take a few days for them to get back to me.
Oh yeah, I also agree and believe that's the reason. Although having a key active does not mean the super secure government-level threat protection, if one activates that state-threat protection, many of the account recovery options become unavailable.
I assume the number of account recovery options diminish with increasing levels of protection.
I have a security key active but it still offers to send me an SMS code for some reason (worryingly, to a phone number I no longer have... should probably get on to changing that)
One Time Passcode seeds are a globally available ID system.
and I really don't call them a second factor, that conflates the whole issue of where they are stored, how they are synced and used. People should be able to recover access to their one-time passcode seed and there is little excuse for this.
TOTP is globally available, but does not have an established way of recovering your key if it's lost. ("Little excuse" or not, people will not back up the key or print backup codes.)
While if I lose my SIM card, I'll walk to one of my operator's shops (there's probably one within 1km), show them my ID, and they'll replace the SIM. It's the only digital identifier that I could bootstrap from if I lost access to everything in one go.
If you have multiple accounts, services, etc, then backing up your 2FA codes, or registering two devices/phones at the same time should be on your radar.
They have it, it’s called FIDO2, and it even works with existing devices such as Touch ID or Windows Hello in common browsers such as Chrome. Even Google doesn’t promote Google Authenticator now, but they keep it around for legacy reasons because it still works, until you lose your phone. That’s where FIDO2 shines: just authenticate more than one device, including purchased hardware tokens if you want something cheaper than a phone, and you’ll always have at least one device with access, somewhere.
My biggest issue with FIDO is that it is tied to a hardware device. So if I ever lose it it is a huge pain. So you need at least 2 (so only one can be your laptop with fingerprint or face recognition) and if you even get another one you need to remember every single service that you used 2fa for and enroll it in each of them.
> if you even get another one you need to remember every single service that you used 2fa for and enroll it in each of them
This is perhaps why FIDO2 works best when combined with single-sign-on systems, such as those promoted by large email providers, etc. Fewer accounts to have to manage 2FA devices for, and a greater chance that you've already signed in and authenticated your devices with all of them.
Personally, though, I use a password manager, and have some (but not all) sites tagged as 2FA in the password manager. So if and when it's time to add another key, I can just go down the list. Not as convenient as SSO-based 2FA, but sometimes you really don't want to sign in with Facebook, say. :)
Can FIDO2 be implemented for day-to-day use right now, such as email access? SMS 2FA and authenticator apps are built in to most applications, so that makes them easy to use.
And how do you do estate planning? I'd like to give my family access to all of my private keys for everything when I pass.
It’s built in to Safari, Chrome, Edge and other browsers, apps can easily integrate with system libraries for Windows Hello or Touch ID as they would anyway.
As for estate planning, set up a spare key that you can keep at a relative’s place, or add others’ accounts to your “Family” in Google/Microsoft/Apple/etc. Either they have their own keys and the company is aware of the handover or they have a copy of yours — such as you logging in on their device or keeping a FIDO2 key at their house and they can pretend to be you. A service like 1Password Family could also be of use here.
True, but last I checked, Google Authenticator and other similar apps (except maybe Authy or password managers) would refuse to upload or backup keys to iCloud Backups for odd reasons. Presumably they wanted the same sort of identity properties that something like Touch ID has, and thus would be solved by having more than one ID.
Unfortunately most people have only one phone, so that didn’t work until options came along where you could add more than one token/device instead as backup.
Oh no, the string and/or QR code should be backed up when one is setting up the 2FA.
If you have that seed phrase, any device with the correct time can calculate the TOTP code, even a simple local JavaScript app.
Obviously that phrase leaking would mean a hacker can also generate codes. So that's why those phrases should be kept extra safe, away from normal passwords.
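To make the comment above concrete, here is the computation an authenticator app performs from the backed-up seed string (editor's added example, not code from the commenter or from Google Authenticator): decode the base32 secret a setup QR code carries, run RFC 4226 HOTP over the current 30-second time step, and, on the server side, verify with a small drift window and a constant-time compare. The seed used is the RFC 6238 reference secret "12345678901234567890" in base32, a published test value rather than anyone's real key; the `otpauth://` URI and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed demo seed: base32 of the RFC 6238 reference key b"12345678901234567890".
DEMO_BASE32_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(b32: str) -> bytes:
    """Turn the seed string from a setup QR code into raw key bytes.
    Apps tolerate lowercase, spaces and missing '=' padding, so normalise first."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / step). Only the key and a clock are needed."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits, algo)


def verify_totp(key: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                algo: str = "sha1", window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift; compare in constant time."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits, algo), code):
            return True
    return False


def parse_otpauth(uri: str):
    """Parse an otpauth://totp/<label>?secret=...&digits=...&period=... URI (what the QR encodes)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    params = {
        "digits": int(q.get("digits", ["6"])[0]),
        "step": int(q.get("period", ["30"])[0]),
        "algo": q.get("algorithm", ["SHA1"])[0].lower(),
    }
    return unquote(u.path.lstrip("/")), decode_seed(q["secret"][0]), params


if __name__ == "__main__":
    # Assumed demo URI; the secret is the constructed test value above.
    uri = f"otpauth://totp/Example:alice%40example.com?secret={DEMO_BASE32_SEED}&issuer=Example"
    label, key, p = parse_otpauth(uri)
    print(label, "current code:", totp(key, **p))
```

The RFC 6238 vectors make the point of the thread checkable offline: with that key, time 59 yields 287082 and time 1111111109 yields 081804, with nothing but the seed and a clock involved. Anyone holding the seed string gets the same numbers, which is why it has to be stored more carefully than a password, and why a verifier should never accept a code for a counter it has already consumed.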
> Does anyone know why services like Google Authenticator were ditched industry wide in favor of SMS codes? It has never made any sense to me.
This is not the case in my experience. Many apps that once used Authenticator-based TOTP now use app-based push alerts (Steam Authenticator, Blizzard Authenticator, Google->GMail App, etc.), but I haven't noticed a trend toward actual SMS.
Are there major orgs that switched to SMS 2FA and disabled authenticator apps? If so, I'd be interested in learning why, also.
The shit part is I now need 50 apps on my phone to use stuff. I don't want the steam app, I have no use for it. But features of my steam account are now limited because I don't use the app.
Service providers that are very behind the curve (e.g. banks, brokerages) started providing SMS-only 2FA years after internet companies started with TOTP. That could create the perception of a shift towards SMS.
SMS isn't about protecting your account from hackers, it's about protecting the service from bots. You'll notice if you have a VOIP account that the number can't be used to set up something like a GMail account, it requires an honest to god phone number, something you presumably paid money for. If you try to sign up a hundred accounts using one number you can be assured that it will cut you off very quickly. This is true of all major services.
This is also why they won't let you set up a good 2-factor authentication system (like a Yubikey); they'll force you to first set up SMS 2-factor. It's very important to remember to delete that SMS second factor after setting up your good second factor, or social engineers will use it to steal your account.
I think it's more that companies who did not previously offer 2FA, are offering only SMS-based 2FA. Not that companies who previously offered TOTP 2FA are now only offering SMS-based 2FA.