
2-Factor Authorization not working

Alternatively, you can use an app to verify your identity using 2FA/MFA authentication, like Google or Microsoft Authenticator. These are as secure as the Yubikeys.
 
Alternatively, you can use an app to verify your identity using 2FA/MFA authentication, like Google or Microsoft Authenticator. These are as secure as the Yubikeys.
This is what I'm using now. I heard it's less secure than a physical key but I can't really see how unless somebody jacks my iPhone or something.
 
This is what I'm using now. I heard it's less secure than a physical key but I can't really see how unless somebody jacks my iPhone or something.
The claim that Yubikey is more secure is because it stores your secrets like username/password on the key itself, while the authenticator apps store them on your phone and, if you synchronize or back-up them, on the servers of the company. Potentially, this would mean that malware/hackers don't have access to your secrets when the Yubikey isn't connected, while the authenticator apps are always vulnerable.

So theoretically, they're right. But a lot of companies use an authenticator app to secure their users, including governments and financials. If it's safe enough for them, it's safe enough for your VI-C and FB login ;) I've been using the Google and Microsoft Authenticator for years now, both personally and professionally.
 
I had a minor scare this morning related to 2FA/passwords. Out of the blue, Amazon sent me a text message to change my One Time Password. Since I wasn't trying to log into Amazon and hadn't ordered anything recently, the text seemed suspicious.

After some digging around online, I received the text because of an attempted hack into my account. I immediately changed my password.
 
I had a minor scare this morning related to 2FA/passwords. Out of the blue, Amazon sent me a text message to change my One Time Password. Since I wasn't trying to log into Amazon and hadn't ordered anything recently, the text seemed suspicious.

After some digging around online, I received the text because of an attempted hack into my account. I immediately changed my password.

Good thing you caught it! Wow.
 
I've been using the Google and Microsoft Authenticator for years now, both personally and professionally.
Thanks for your post, Marcus. Do you have a preference between the Google and Microsoft solutions? And where does one get your preferred choice?

-- one more for everyone: do any of these solutions interfere with VE Pro if you're using it to connect multiple computers?
 
Thanks for your post, Marcus. Do you have a preference between the Google and Microsoft solutions? And where does one get your preferred choice?
Microsoft, but that's just a personal preference guided by the professional knowledge I have of their services. I personally know people who work with Microsoft on these kinds of cloud services and know what's involved. Furthermore, this integrates perfectly with the other Microsoft services I use personally, like their browser (Edge) and Microsoft 365 subscription.

I have no doubt however that Google's services are as secure and well maintained.

-- one more for everyone: do any of these solutions interfere with VE Pro if you're using it to connect multiple computers?
There is no relation between the two, so no.
 
[edit: NVM -- I see the MSFT solution is Windows only]

I would like to secure a bunch of Apple products (Mac Pro, iMac, iPad Pro, iPhone, MacBook Pro). We have a lot of Apple products around here. And PCs as well.
 
found this interesting:


Good find.

Yes, today I just learned that a friend of mine in August was also hacked on FB in a very similar way to the way I was hacked. Unfortunately his account was permanently closed so he's started a new one. All his FB data was lost.

So I compared notes and found out that we both didn't have 2FA active at the time of the hack.
So these little things can save a lot of pain. Up until recently I found 2FA annoying. Now I consider it mandatory if you're going to engage in any social media.
 
This is what I'm using now. I heard it's less secure than a physical key but I can't really see how unless somebody jacks my iPhone or something.
Afaik it's relatively easy to clone sim-cards. I wouldn't voluntarily trust my phone with securing anything important (often don't have a choice though). For stuff that really matters and supports it I use dedicated devices. Pisses me off that my two banks don't support the same ones though and I just had to spend 20 bucks for a new authenticator because they decided to no longer support their old devices anymore. I miss the days where you just got a paper TAN list by snail-mail and read your 2FA numbers from a piece of paper. Way more secure than any App imho.

The advice I've heard for using phone based 2FA is getting a second sim-card and treating the phone number of that card like a sensitive password. But this was long ago, not sure it's still valid. YMMV, better do your own research to be safe.
 
The advice I've heard for using phone based 2FA is getting a second sim-card and treating the phone number of that card like a sensitive password. But this was long ago, not sure it's still valid. YMMV, better do your own research to be safe.
Hi Martin,

Are you saying that you oughtn't use two-factor authentication if the phone is the device that receives the temporary code?

Even if someone had cloned your SIM card, if you were logging on to, say, your bank and got a code from the bank, someone with an identical SIM card could see the pass code, but they would have to know that you were logging on right then, no?

I'm exploring the Yubico dongles but honestly they are pretty confusing.

thanks,

John
 
Afaik it's relatively easy to clone sim-cards. I wouldn't voluntarily trust my phone with securing anything important (often don't have a choice though). For stuff that really matters and supports it I use dedicated devices. Pisses me off that my two banks don't support the same ones though and I just had to spend 20 bucks for a new authenticator because they decided to no longer support their old devices anymore. I miss the days where you just got a paper TAN list by snail-mail and read your 2FA numbers from a piece of paper. Way more secure than any App imho.

The advice I've heard for using phone based 2FA is getting a second sim-card and treating the phone number of that card like a sensitive password. But this was long ago, not sure it's still valid. YMMV, better do your own research to be safe.
In general the only thing I access via phone is this forum and 1 email.

I did speak to my phone provider and they assured me that even with a cloned SIM it was nearly impossible for another to use my same number. The number is locked to one phone at a time. I kind of believe them because a phone is so location specific that if 1000 calls started originating from Bangladesh it would be suspicious.

I was concerned about my number because FB used my phone number as part of the login. I have no idea how FB even got my number. I think it may have been when I had chat on my phone. I have since deleted all that crap from my phone and took my number off FB.

In learning how to secure accounts I was horrified to find how many fake FB accounts were in my name. 4 or 5 Accounts all over the world.

So now I only have access to sensitive accounts on my home computer and will put a 2FA key on it so only I can have access to sensitive accounts. In the meantime I am using an Authenticator app.
 
Hi Martin,

Are you saying that you oughtn't use two-factor authentication if the phone is the device that receives the temporary code?

Even if someone had cloned your SIM card, if you were logging on to, say, your bank and got a code from the bank, someone with an identical SIM card could see the pass code, but they would have to know that you were logging on right then, no?

I'm exploring the Yubico dongles but honestly they are pretty confusing.

thanks,

John
I lack the knowledge to answer that. I tried googling for more info and came up with this:


Please note though, that all those sites have incentives to make this seem like a bigger deal than it is, since they all offer security solutions of some kind. I wasn't able to find anything unbiased on the quick.


In learning how to secure accounts I was horrified to find how many fake FB accounts were in my name. 4 or 5 Accounts all over the world.
Wow! Using your profile photos too? That's horrible!
I don't even wanna know if there are any accounts impersonating me, I just hope everyone that knows me, knows that I have never been on facebook. Also there isn't exactly an abundance of photos of me online.
 
The advice I've heard for using phone based 2FA is getting a second sim-card and treating the phone number of that card like a sensitive password. But this was long ago, not sure it's still valid. YMMV, better do your own research to be safe.

There is no relation between the SIM card and a 2FA solution on your phone. Even if you would not have a SIM card in your phone and only use Wi-Fi from your home internet provider, you will be able to receive 2FA codes on that phone. You could swap your SIM card every day and the 2FA solution would still work, as long as there is some kind of internet connection.
 
I lack the knowledge to answer that. I tried googling for more info and came up with this:


Please note though, that all those sites have incentives to make this seem like a bigger deal than it is, since they all offer security solutions of some kind. I wasn't able to find anything unbiased on the quick.



Wow! Using your profile photos too? That's horrible!
I don't even wanna know if there are any accounts impersonating me, I just hope everyone that knows me, knows that I have never been on facebook. Also there isn't exactly an abundance of photos of me online.
It was weird different profile photos but had my personal information on them.
 