
Thread: 2FA workaround suggestions, sms to email or similar?

  1. #1
    Ghost of Hexus Present sammyc's Avatar
    Join Date
    Nov 2007
    Posts
    3,294
    Thanks
    761
    Thanked
    483 times in 385 posts

    2FA workaround suggestions, sms to email or similar?

    With ebay, amazon &c poised for 2FA now among others that's a bridge too far for me in terms of faffing about picking up codes & otp's every 5 mins, so am looking around for a simple time & effort-saving alternative to texts.. maybe an sms to email option. I was looking at twilio forward sms to email because I already use Authy but that offers a US domestic number only & I couldn't even work out the pricing & details for porting a number in so I kind of gave up. Shame because the idea of a number supplied by the application would be an advantage in itself. Any similar or indeed completely different type of suggestions gratefully received.
    Aliorum vitia turbaverunt me

  2. #2
    sig
    Registered+
    Join Date
    Feb 2016
    Posts
    29
    Thanks
    0
    Thanked
    1 time in 1 post

    Re: 2FA workaround suggestions, sms to email or similar?

    I think the only proper and secure 2FA now is hardware key, like https://www.yubico.com/

  3. Received thanks from:

    sammyc (29-05-2022)

  4. #3
    Senior Member
    Join Date
    Aug 2016
    Posts
    3,134
    Thanks
    794
    Thanked
    763 times in 556 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    I don't trust 2FA via SMS at all. It is (I'm told) too easy to break (via social engineering and SIM hijack, etc). Yubico etc is probably the best option for 2FA except, first, it ain't cheap (especially if you add in a second for backup) and you aren't getting a lot of people fork that £100 or so out. More than a few simply can't, especially in times like we have right now.

    Second, too many places don't support it, or at least don't fully support it anyway.

    Nothing done online is fully secure. For example, Twitter just getting a $150m fine (peanuts) for abusing customer's 2FA data. Anyone want to bet they're the only ones doing that? I sure don't. There's a reason I have a second 'junk' phone that's ONLY used, and indeed, only turned on, when I need it for such uses, and why I refuse to give phone number out unless it's to a service I really, really want. Social media companies? Hell, no. I just don't trust them. Not an inch.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memorium, "Onwards and Upwards".

  5. #4
    Ghost of Hexus Present sammyc's Avatar
    Join Date
    Nov 2007
    Posts
    3,294
    Thanks
    761
    Thanked
    483 times in 385 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by sig View Post
    I think the only proper and secure 2FA now is hardware key, like https://www.yubico.com/
    Interesting thanks; possibly not for me.. maybe.. but certainly worth further reading.

    Quote Originally Posted by Saracen999 View Post
    There's a reason I have a second 'junk' phone that's ONLY used, and indeed, only turned on, when I need it for such uses, and why I refuse to give phone number out unless it's to a service I really, really want.
    Same, but I really dislike having to receive texts for 2FA at all, and only have really lumped it when it's relatively few. That's why I wanted to get away from SMS altogether if possible as I prefer using the Authy app (if I absolutely must) than a text OTP.
    Last edited by sammyc; 29-05-2022 at 05:09 PM.
    Aliorum vitia turbaverunt me

  6. #5
    Senior[ish] Member Singh400's Avatar
    Join Date
    Jun 2008
    Posts
    2,935
    Thanks
    136
    Thanked
    310 times in 247 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Where possible enable app-based 2fa. Most password managers support storing the shared secret, so you'll be able to see the codes being generated in real time. I use Bitwarden (family accounts) and Authy (personal accounts) to store my 2fa secrets. They both have mobile and desktop apps.

  7. #6
    Ghost of Hexus Present sammyc's Avatar
    Join Date
    Nov 2007
    Posts
    3,294
    Thanks
    761
    Thanked
    483 times in 385 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Yes, this is what I would prefer, unfortunately something like Authy has few of the things I need, I use it for PayPal, I could add Amazon I think, that's pretty much it.
    Aliorum vitia turbaverunt me

  8. #7
    Senior Member
    Join Date
    Jun 2008
    Posts
    1,486
    Thanks
    2
    Thanked
    142 times in 118 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    I can see why they chose SMS, convenience for shoppers, almost entirely universal, doesn't require a smart phone, likely to work if you hold your arm up in the air from the roof of your house in poor signal areas.

    It's just a shame they decided that the spoofing wasn't really a problem, but in fairness, you do need both the card number, address details and mobile phone number. So, for the majority of people, that would be an unlikely problem.

  9. #8
    Goron goron Kumagoro's Avatar
    Join Date
    Mar 2004
    Posts
    3,118
    Thanks
    37
    Thanked
    156 times in 129 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    At work we were forced into MFA for outlook 365 email accounts. I found using Microsoft authenticator to be the most convenient compared to just SMS or a call.

    The number one reason I would use it though is in case I lost my phone or it went wrong. If you have an authentication app on a second phone you don't need the phone number. It is a proper ball ache if something goes wrong and you only had one device to authenticate with.

    My colleague wasn't getting sms or calls and something needed to be reset account wise. It wasn't a fast process...

  10. #9
    Senior[ish] Member Singh400's Avatar
    Join Date
    Jun 2008
    Posts
    2,935
    Thanks
    136
    Thanked
    310 times in 247 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by sammyc View Post
    Yes, this is what I would prefer, unfortunately something like Authy has few of the things I need, I use it for PayPal, I could add Amazon I think, that's pretty much it.
    It's not clear what it is you need. But Authy/Bitwarden will do what you want and more. I'm not sure what hurdles you are encountering?

  11. #10
    Ghost of Hexus Present sammyc's Avatar
    Join Date
    Nov 2007
    Posts
    3,294
    Thanks
    761
    Thanked
    483 times in 385 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by Singh400 View Post
    It's not clear what it is you need. But Authy/Bitwarden will do what you want and more. I'm not sure what hurdles you are encountering?
    Sorry, I don't mean 'things I need' as in features it has or hasn't got, just as in sites I'd want it to work with, eg eBay -
    https://www.howtogeek.com/718530/how...ation-on-ebay/
    'It’s not unknown for services to use app-based logins within their own app, but it’s unusual that there’s no option to use an authenticator app like Authy (our preferred authenticator app), Google Authenticator, or Microsoft Authenticator.' Still the case (I assume).
    A reddit poster used a VOIP number for eBay SMS, this is something else I was already looking at, whilst aiming to end up with the fewest different systems.
    Aliorum vitia turbaverunt me

  12. #11
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,523
    Thanks
    736
    Thanked
    1,461 times in 1,231 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by BobF64 View Post
    ... , likely to work if you hold your arm up in the air from the roof of your house in poor signal areas.
    Works anywhere in my poor signal household, thanks to VoLTE (WiFi Calling) on modern phones also supporting SMS.

  13. #12
    Senior Member
    Join Date
    Aug 2016
    Posts
    3,134
    Thanks
    794
    Thanked
    763 times in 556 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by DanceswithUnix View Post
    Works anywhere in my poor signal household, thanks to VoLTE (WiFi Calling) on modern phones also supporting SMS.
    One of the things that worries me about mandatory moving to 2FA is that that might be fine for us lot, but try explaining that to people like my mum-in-law. She'd just about got used to using the remote on her TV recorder. A VHS recorder, I might add. By which, I mean playing back a tape, as scheduling a new recording still escaped her.

    Explaining "2FA" is a challenge, never mind VoLTE and SMS. Or even just SMS.

    Morse code? Maybe.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memorium, "Onwards and Upwards".

  14. #13
    sig
    Registered+
    Join Date
    Feb 2016
    Posts
    29
    Thanks
    0
    Thanked
    1 time in 1 post

    Re: 2FA workaround suggestions, sms to email or similar?

    Install her a password manager: only two passwords (manager and mail to reset the passwords just in case something goes wrong with the database) to remember, and much more secure because they are foolproof against phishing. If login and password are not autofilled, you are not on your bank / social media etc. website; leave immediately. Not 2FA, but easy and secure enough for a private person.

  15. #14
    Ghost of Hexus Present sammyc's Avatar
    Join Date
    Nov 2007
    Posts
    3,294
    Thanks
    761
    Thanked
    483 times in 385 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by Saracen999 View Post
    One of the things that worries me about mandatory moving to 2FA is that that might be fine for us lot, but try explaining that to people like my mum-in-law. She'd just about got used to using the remote on her TV recorder. A VHS recorder, I might add. By which, I mean playing back a tape, as scheduling a new recording still escaped her.

    Explaining "2FA" is a challenge, never mind VoLTE and SMS. Or even just SMS.

    Morse code? Maybe.
    Ditto, to a large extent. Or is that dit-dah-ditto. Much as I would like to be one of us lot I'm probably closer to the can't do / won't do side of things in reality. And TOTP, well that's something with Depeche Mode on it on a Thursday night.

    I will carry on poking about for the best/least worst option for this even if only to be going with, in the short term probably a mixture. Part of my objection to SMS is purely resistance to having a number demanded of me which is why I was looking into things that supply you with a number; most of which seem to have fatal hitches so far.
    Aliorum vitia turbaverunt me

  16. #15
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,523
    Thanks
    736
    Thanked
    1,461 times in 1,231 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    Quote Originally Posted by Saracen999 View Post
    One of the things that worries me about mandatory moving to 2FA is that that might be fine for us lot, but try explaining that to people like my mum-in-law. She'd just about got used to using the remote on her TV recorder. A VHS recorder, I might add. By which, I mean playing back a tape, as scheduling a new recording still escaped her.

    Explaining "2FA" is a challenge, never mind VoLTE and SMS. Or even just SMS.

    Morse code? Maybe.
    Thankfully VoLTE seems to have become standard and simple. My now year old Moto G30 just worked, so if I have WiFi then I can take calls and texts. Even though it is only a 4G phone, it is able to make use of some of the IP based services that 5G is based on. Nice when tech actually simplifies things and stays compatible with what we know.

  17. #16
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,470
    Thanks
    1,540
    Thanked
    1,029 times in 872 posts

    Re: 2FA workaround suggestions, sms to email or similar?

    As usual lately, I'm late to the thread! But might have something to add anyway.

    First of all, a nod to the Yubikey (other similar devices are available but these are a solid recommendation), however it might not be as expensive as it first appears. For many services that support the FIDO/WebAuthn standards, you don't need the fully fledged Yubikey, the much cheaper 'Security Key' will do. I think they recently discontinued the even cheaper non-NFC version but the NFC version has the advantage of working with your NFC-equipped phone too. Devices like this are 'proper' second factor authentication, as in you need two 'things' to authenticate. Two step authentication like TOTP authenticators are better than nothing but are still somewhat vulnerable to phishing or social engineering (someone can potentially be conned into telling a malicious actor their time-based code if the attacker is quick enough, for instance).

    There are different methods of FIDO login, and without getting into the details, the most commonly used way is where your device is used in combination with say a password - you just plug in the device and tap it when prompted, that's it. You can 'store' an unlimited number of accounts this way, because they're not actually held on the key itself. This means that the key holds no record of the accounts it's tied to using this method (so make sure to keep track of it yourself in case you ever need to unpair it!)

    There is also the resident key mode which out of the popular services only Microsoft spring to mind as using this method - in this method the key has space for 25 (in the current version at least) resident keys, and in combination with a pin used to secure the storage, can be used to authenticate without a password. A good pin is necessary for obvious reasons.

    Worth noting that TOTP-compliant authenticators like Google/Microsoft/etc apps do not require an Internet connection to work - they work based on a shared cryptographic secret and the time - so as long as your phone's time is reasonably accurate, it can be in flight mode and still work just fine.

    Also another interesting bit - yes, SMS is vulnerable to attack, very in some cases. Many high profile accounts have been breached as a result of this sort of attack, which is often a form of social engineering. Attacker goes to a phone shop pretending to be you and convinces the assistant to give them a new sim as you 'lost your phone' or something. Then either alone as a recovery method or in combination with a known password (shared password from password dumps for example - never re-use passwords), the account attack can take place. It's a terrible system. However... Banks are aware of this and it's still probably better than nothing at all, and at least in some countries, work with the mobile network operators to do a bit of digging. Banks can for example check if a SIM has recently been re-issued, or other such heuristics of the sort they already implement for automated fraud detection. It's still a terrible authentication method but it's comforting to know there's at least some attempt to strengthen it for some of the major services like banks. I doubt a video game online account has such protection though! Unfortunately, despite it being one of the worst, it's the only '2FA' method available for some services. Even using it 'only' as a backup presents a risk as it remains a weakness even if it's not regularly used by the account owner.

    One thing I will say is that you MUST plan your use of 2FA and have some sort of backup/account recovery; how will you regain access if you lose your keys/break your phone/etc. Never rely on just one 2FA method, especially where the service is not likely to have any recovery methods, or where your recovery methods are linked to other accounts that also rely on the same 2FA methods! Most services will give you recovery keys - take their advice seriously, write them down and store somewhere safe immediately. They are generally single use, so replace them when used up. And don't store them in your phone case if your phone is the original 2FA device!

    Oh and another thing, it's only really used for the likes of Google accounts, but due to the fact many modern mobile devices contain secure processing elements, they can be used as a second factor themselves. So you can login to an account on a PC for example, then just accept the prompt on your phone.

  18. Received thanks from:

    Saracen999 (15-06-2022)
