2FA workaround suggestions, sms to email or similar?

[sammyc]

With ebay, amazon &c poised for 2FA now among others that's a bridge too far for me in terms of faffing about picking up codes & otp's every 5 mins, so am looking around for a simple time & effort-saving alternative to texts.. maybe an sms to email option. I was looking at twilio forward sms to email because I already us Authy but that offers a US domestic number only & I couldn't even work out the pricing & details for porting a number in so I kind of gave up. Shame because the idea of a number supplied by the application would be an advantage in itself. Any similar or indeed completely different type of suggestions gratefully received.

[sig]

I think the only proper and secure 2FA now is hadrdware key, like https://www.yubico.com/

[Saracen999]

I don't trust 2FA via SMS at all. It is (I'm told) too easy to break (via social engineering and SIM hijack, etc). Yubico etc is probably the best option for 2FA except, first, it ain't cheap (especially if you add in a second for backup) and you aren't getting a lot of people fork that £100 or so out. More than a few simply can't, especially in times like we have right now.

Second, too many places don't support it, or at least don't fullysupport it anyway.

Nothing done online is fully secure. For example, Twitter just getting a $150m fine (peanuts) for abusing customer's 2FA data. Anyone want to bet they're the only ones doing that? I sure don't. There's a reason I have a second 'junk' phone that's ONLY used, and indeed, only turned on, when I need it for such uses, and why I refuse to give phon number out unless it's to a service I really, really want. Social media companies? Hell, no. I just don't trust them. Not an inch.

[sammyc]

I think the only proper and secure 2FA now is hadrdware key, like https://www.yubico.com/

Interesting thanks; possibly not for me.. maybe.. but certainly worth further reading.

There's a reason I have a second 'junk' phone that's ONLY used, and indeed, only turned on, when I need it for such uses, and why I refuse to give phon number out unless it's to a service I really, really want.

Same, but I really dislike having to receive texts for 2FA at all, and only have really lumped it when it's relatively few. That's why I wanted to get away from SMS altogether if possible as I prefer using the Authy app (if I absolutely must) than a text OTP.

[Singh400]

Where possible enable app-based 2fa. Most password manage support storing the shared secret, so you'll be able to see the codes being generated in real time. I use Bitwarden (family accounts) and Authy (personal accounts) to store my 2fa secrets. They both have mobile and desktop apps.

[sammyc]

Yes, this is what I would prefer, unfortunately something like Authy has few of the things I need, I use it for PayPal, I could add Amazon I think, that's pretty much it.

[BobF64]

I can see why they chose SMS, convenience for shoppers, almost entirely universal, doesnt require a smart phone, likely to work if you hold your arm up in the air from the roof of your house in poor signal areas.

It's just a shame they decided that the spoofing wasnt really a problem, but in fairness, you do need both the card number, address details and mobile phone number. So, for the majority of people, that would be an unlikely problem.

[Kumagoro]

At work we were forced into MFA for outlook 365 email accounts. I found using Microsoft authenticator to be the most convenient compared to just SMS or a call.

The number one reason I would use it though is in case I lost my phone or it went wrong. If you have an authentication app on a second phone you don't need the phone number. It is a proper ball ache if something goes wrong and you only had one device to authenticate with.

My colleague wasn't getting sms or calls and something needed to be reset account wise. It wasn't a fast process...

[Singh400]

Yes, this is what I would prefer, unfortunately something like Authy has few of the things I need, I use it for PayPal, I could add Amazon I think, that's pretty much it.

It's not clear what it is you need. But Authy/Bitwarden will do what you want and more. I'm not sure what hurdles you are encountering?

[sammyc]

It's not clear what it is you need. But Authy/Bitwarden will do what you want and more. I'm not sure what hurdles you are encountering?

Sorry, I don't mean 'things I need' as in features it has or hasn't got, just as in sites I'd want it to work with, eg eBay -
https://www.howtogeek.com/718530/how...ation-on-ebay/
'It’s not unknown for services to use app-based logins within their own app, but it’s unusual that there’s no option to use an authenticator app like Authy (our preferred authenticator app), Google Authenticator, or Microsoft Authenticator.' Still the case (I assume).
A reddit poster used a VOIP number for eBay SMS, this is something else I was already looking at, whilst aiming to end up with the fewest different systems.

[DanceswithUnix]

... , likely to work if you hold your arm up in the air from the roof of your house in poor signal areas.

Works anywhere in my poor signal household, thanks to VoLTE (WiFi Calling) on modern phones also supporting SMS.

[Saracen999]

Works anywhere in my poor signal household, thanks to VoLTE (WiFi Calling) on modern phones also supporting SMS.

One of the things that worries me about mandatory moving to 2FA is that that might be fine for us lot, but try explaining that to people like my mum-in-law. She'd just about got used to using the remote on her TV recorder. A VHS recorder, I might add. By which, i mean playing back a tape, as scheduling a new recording still escaped her.

Explaining "2FA" is a challenge, never mind VoLTE and SMS. Or even just SMS.

Morse code? Maybe.

[sig]

Install her password manager, only two passwords (manager and mail to reset the passwords just in case something goes wrong to database) to remember, and much more secure because they are full proof against phishing. If login and password are not autofill, you are not on your bank / social media etc website, leave immediately. not 2FA, but easy and enough secure for private person.

[sammyc]

One of the things that worries me about mandatory moving to 2FA is that that might be fine for us lot, but try explaining that to people like my mum-in-law. She'd just about got used to using the remote on her TV recorder. A VHS recorder, I might add. By which, i mean playing back a tape, as scheduling a new recording still escaped her.

Explaining "2FA" is a challenge, never mind VoLTE and SMS. Or even just SMS.

Morse code? Maybe.

Ditto, to a large extent. Or is that dit-dah-ditto. Much as I would like to be one of us lot I'm probably closer to the can't do / won't do side of things in reality. And TOTP, well that's something with Depeche Mode on it on a Thursday night.

I will carry on poking about for the best/least worst option for this even if only to be going with, in the short term probably a mixture. Part of my objection to SMS is purely resistance to having a number demanded of me which is why I was looking into things that supply you with a number; most of which seem to have fatal hitches so far.

[DanceswithUnix]

One of the things that worries me about mandatory moving to 2FA is that that might be fine for us lot, but try explaining that to people like my mum-in-law. She'd just about got used to using the remote on her TV recorder. A VHS recorder, I might add. By which, i mean playing back a tape, as scheduling a new recording still escaped her.

Explaining "2FA" is a challenge, never mind VoLTE and SMS. Or even just SMS.

Morse code? Maybe.

Thankfully VoLTE seems to have become standard and simple. My now year old Moto G30 just worked, so if I have WiFi then I can take calls and texts. Even though it is only a 4G phone, it is able to make use of some of the IP based services that 5G is based on. Nice when tech actually simplifies things and stays compatible with what we know.

[watercooled]

As usual lately, I'm late to the thread! But might have something to add anyway.

First of all, a nod to the Yubikey (other similar devices are available but these are a solid recommendation), however it might not be as expensive as it first appears. For many services that support the FIDO/WebAuthn standards, you don't need the fully fledged Yubikey, the much cheaper 'Security Key' will do. I think they recently discontinued the even cheaper non-NFC version but the NFC version has the advantage of working with your NFC-equipped phone too. Devices like this are 'proper' second factor authentication, as in you need two 'things' to authenticate. Two step authentication like TOTP authenticators are better than nothing but are still somewhat vulnerable to phishing or social engineering (someone can potentially be conned into telling a malicious actor their time-based code if the attacker is quick enough, for instance).

There are different methods of FIDO login, and without getting into the details, the most commonly used way is where your device is used in combination with say a password - you just plug in the device and tap it when prompted, that's it. You can 'store' an unlimited number of accounts this way, because they're not actually held on the key itself. This means that the key holds no record of the accounts it's tied to using this method (so make sure to keep track of it yourself in case you ever need to unpair it!)

There is also the resident key mode which out of the popular services only Microsoft spring to mind as using this method - in this method the key has space for 25 (in the current version at least) resident keys, and in combination with a pin used to secure the storage, can be used to authenticate without a password. A good pin is necessary for obvious reasons.

Worth noting that TOTP-compliant authenticators like Google/Microsoft/etc apps do not require an Internet connection to work - they work based on a shared cryptographic secret and the time - so as long as your phone's time is reasonably accurate, it can be in flight mode and still work just fine.

Also another interesting bit - yes, SMS is vulnerable to attack, very in some cases. Many high profile accounts have been breached as a result of this sort of attack, which is often a form of social engineering. Attacker goes to a phone shop pretending to be you and convinces the assistant to give them a new sim as you 'lost your phone' or something. Then either alone as a recovery method or in combination with a known password (shared password from password dumps for example - never re-use passwords), the account attack can take place. It's a terrible system. However... Banks are aware of this and it's still probably better than nothing at all, and at least in some countries, work with the mobile network operators to do a bit of digging. Banks can for example check if a SIM has recently been re-issued, or other such heuristics of the sort they already implement for automated fraud detection. It's still a terrible authentication method but it's comforting to know there's at least some attempt to strengthen it for some of the major services like banks. I doubt a video game online account has such protection though! Unfortunately, despite it being one of the worst, it's the only '2FA' method available for some services. Even using it 'only' as a backup presents a risk as it remains a weakness even if it's not regularly used by the account owner.

One thing I will say is that you MUST plan your use of 2FA and have some sort of backup/account recovery; how will you regain access if you lose your keys/break your phone/etc. Never rely on just one 2FA method, especially where the service is not likely to have any recovery methods, or where your recovery methods are linked to other accounts that also rely on the same 2FA methods! Most services will give you recovery keys - take their advice seriously, write them down and store somewhere safe immediately. They are generally single use, so replace them when used up. And don't store them in your phone case if your phone is the original 2FA device!

Oh and another thing, it's only really used for the likes of Google accounts, but due to the fact many modern mobile devices contain secure processing elements, they can be used as a second factor themselves. So you can login to an account on a PC for example, then just accept the prompt on your phone.