{"id":11959,"date":"2018-04-09T02:30:25","date_gmt":"2018-04-09T10:30:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/09\/news-5728\/"},"modified":"2018-04-09T02:30:25","modified_gmt":"2018-04-09T10:30:25","slug":"news-5728","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/09\/news-5728\/","title":{"rendered":"A bad day with mobile 2FA"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2013\/10\/2factorauthentication_primary-100066767-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Mon, 09 Apr 2018 03:00:00 -0700<\/strong><\/p>\n<p>As a longtime proponent of two-factor authentication (2FA) in a mobile world, I was pained to get hit with two problems using 2FA on Thursday (April 4). But maybe the ability to publicize those two mobile-oriented problems with 2FA will do some good, if sites just pay attention.<\/p>\n<p>The day started with my trying to link to an interesting mobile security story in my social feed (yes, that would shortly prove ironic). The story link wouldn\u2019t work for me, with my browser telling me the site had redirected me too many times. It suggested that I clear out my cookies. That made little sense to me given the immediate problem, but I was overdue for a cookie cleanout anyway, so I gave it a shot.<\/p>\n<p>It didn\u2019t help, of course. I came up with a workaround (I linked to the story\u2019s comments, which worked just fine). Next, I visited various social sites. One of my favorites \u2014 a small and little-known site \u2014 asked for my login and password. I complied, and it then escalated to 2FA. It didn\u2019t give me any options about the second factor (which is mobile 2FA problem number one) and insisted on texting me a confirmation number.<\/p>\n<p>I waited but nothing arrived. So I asked it to do it again and again. Nothing. 
That\u2019s when I realized that the site was likely trying to text my landline. And that is mobile 2FA problem number two: If you\u2019re asking for my phone number so that you can text me sometime down the road, tell me that, and I\u2019ll give you my cellphone number. Otherwise, you\u2019ll get the number I most often answer, my landline, and it will do you no good when it\u2019s really needed.<\/p>\n<p>And this is where problem number one bumps up against problem number two: If texting doesn\u2019t work, users need another option, at the very least a support number to call.<\/p>\n<p>But wait, there\u2019s more. I next tried to post to Google Plus. Thoughts of my recent 2FA problem flitted through my head, but I thought to myself, fear not, Google uses an excellent 2FA that doesn\u2019t rely on texting confirmation numbers. It knows that process is far too susceptible to man-in-the-middle attacks. No, for Google, I have a trusty USB fob. And when I tried logging in, it insisted on the fob. But it was just not my 2FA day; when the fob was inserted, nothing happened.<\/p>\n<p>And that\u2019s when I learned that I was giving Google too much credit for being security-conscious. When Google couldn\u2019t see the fob, it just defaulted to a texted confirmation number. (It turned out that a laptop reboot made the invisible USB device visible again.)<\/p>\n<p>Companies need to have a human-managed backup to security so that legitimate users aren\u2019t locked out with no way back in. If you can\u2019t justify a call center, then at least have an email address pop up \u2014 and make sure that inbox is watched aggressively.<\/p>\n<p>Also, text messaging is simply too insecure to continue having a role in 2FA. Note to handset manufacturers: How about shipping phones with fobs that can perform physical authentication? USB is not ideal, but if that\u2019s your route, include an adapter if necessary. 
Phone manufacturers have the means \u2014 all on their own \u2014 to start enabling users to properly authenticate themselves.<\/p>\n<p>2FA is a great idea, but companies need to think through these issues better. For starters, if you want a mobile phone number, just say so.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3268134\/mobile-wireless\/a-bad-day-with-mobile-2fa.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10554,714],"class_list":["post-11959","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-mobile","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11959"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11959\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11959"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}