Two Factor Authentication

Gilgongo
Lemon Slice
Posts: 415
Joined: November 5th, 2016, 6:51 pm
Has thanked: 154 times
Been thanked: 127 times

Re: Two Factor Authentication

#279819

Postby Gilgongo » January 25th, 2020, 7:46 am

Arborbridge wrote:When you "regenerate" I think I needed to get another activation code or something. I


Indeed, but if you need to log in to the account to get the activation code, and you've lost your phone so cannot log in, then without an offline backup code (or alternative option given by the account provider like SMS or email) then you could be in trouble.

Arborbridge
The full Lemon
Posts: 10378
Joined: November 4th, 2016, 9:33 am
Has thanked: 3605 times
Been thanked: 5234 times

Re: Two Factor Authentication

#279824

Postby Arborbridge » January 25th, 2020, 8:39 am

Gilgongo wrote:
Arborbridge wrote:When you "regenerate" I think I needed to get another activation code or something. I


Indeed, but if you need to log in to the account to get the activation code, and you've lost your phone so cannot log in, then without an offline backup code (or alternative option given by the account provider like SMS or email) then you could be in trouble.


With my Bell account one can print out back up codes for that purpose. Presumably, there has to be an alternative method with all accounts otherwise the system wouldn't function successfully. This might be the weak spot because it entails phoning the company and manually going through security which, as someone commented, is often relatively rudimentary. It's this latter factor which makes SMS theft so easy, apparently.

Arb.

Gilgongo
Lemon Slice
Posts: 415
Joined: November 5th, 2016, 6:51 pm
Has thanked: 154 times
Been thanked: 127 times

Re: Two Factor Authentication

#279895

Postby Gilgongo » January 25th, 2020, 2:11 pm

Arborbridge wrote:With my Bell account one can print out back up codes for that purpose.


Exactly. I currently have about 15 2FA accounts set up (some I have to have as part of my work), and I don't think I can rely on having one-time backup codes for all of them, hence my use of Authenticator Plus. But I should also take print outs and store them somewhere safe too.

Arborbridge
The full Lemon
Posts: 10378
Joined: November 4th, 2016, 9:33 am
Has thanked: 3605 times
Been thanked: 5234 times

Re: Two Factor Authentication

#279896

Postby Arborbridge » January 25th, 2020, 2:13 pm

Gilgongo wrote:
Arborbridge wrote:With my Bell account one can print out back up codes for that purpose.


Exactly. I currently have about 15 2FA accounts set up (some I have to have as part of my work), and I don't think I can rely on having one-time backup codes for all of them, hence my use of Authenticator Plus. But I should also take print outs and store them somewhere safe too.


That many accounts does sound like a headache - my sympathies!

UncleEbenezer
The full Lemon
Posts: 10694
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1460 times
Been thanked: 2965 times

Re: Two Factor Authentication

#279953

Postby UncleEbenezer » January 25th, 2020, 6:56 pm

fca2019 wrote:Do you know if this makes your account any more secure?


Yes.

I was put off by it as with investment platform you have to download the investment platform app first on your phone and log onto this on your phone to enable two factor authentication.


No. That's a separate issue.

However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.


There are good reasons to be wary of entrusting anything of value to your mobile phone. Public wifi isn't one of them: it makes no difference one way or the other to your security.

Is Google authentication any better? Or are you just safer sticking to desktop PC without two factor authentication?


Can't speak for Google: I expect it's OpenID, but the crux of using it to identify yourself is how you identify yourself to google in the first place. Desktop PC is fine, but do use it with 2FA if your bank has a half-decent solution.

Lootman wrote:I am fine with 2FA but it should either involve sending a code to my email address

That's secure if it's encrypted. If not, it's less than secure, though the extent of that depends on many things and it may be more or less secure than a text message to your phone.

or else it should be of the "memorable question" variety.


While that's the worst of all worlds.

Lootman
The full Lemon
Posts: 18685
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Two Factor Authentication

#280012

Postby Lootman » January 26th, 2020, 7:08 am

UncleEbenezer wrote:
Lootman wrote:I am fine with 2FA but it should either involve sending a code to my email address

That's secure if it's encrypted. If not, it's less than secure, though the extent of that depends on many things and it may be more or less secure than a text message to your phone.

or else it should be of the "memorable question" variety.

While that's the worst of all worlds.

You seem to assume that security is the only issue here. But it's also about usability.

So any method that involves my mobile phone may not work at all if I can't get a signal or am out of the country. But we know something to my laptop via the internet will work because that is how I am accessing their site in the first place.

The optimal solution is one that is secure but also practical. All one and none of the other misses the point.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#280022

Postby colin » January 26th, 2020, 9:30 am

Lootman wrote:
UncleEbenezer wrote:
Lootman wrote:I am fine with 2FA but it should either involve sending a code to my email address

That's secure if it's encrypted. If not, it's less than secure, though the extent of that depends on many things and it may be more or less secure than a text message to your phone.

or else it should be of the "memorable question" variety.

While that's the worst of all worlds.

You seem to assume that security is the only issue here. But it's also about usability.

So any method that involves my mobile phone may not work at all if I can't get a signal or am out of the country. But we know something to my laptop via the internet will work because that is how I am accessing their site in the first place.

The optimal solution is one that is secure but also practical. All one and none of the other misses the point.

I am completely with Lootman here, sometimes when abroad I have had to buy a local sim card as despite roaming my UK sim has not had reception.
Anything over 3g and 4g is encrypted apparently.

UncleEbenezer
The full Lemon
Posts: 10694
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1460 times
Been thanked: 2965 times

Re: Two Factor Authentication

#280038

Postby UncleEbenezer » January 26th, 2020, 11:13 am

Lootman wrote:The optimal solution is one that is secure but also practical. All one and none of the other misses the point.

Agree entirely. My pet hate is systems that require me to faff about with a card reader that
(a) requires a lot of work to transcribe numbers by hand in its challenge/response.
(b) serves no general purpose that would motivate its existence.

But phone vs pc is surely a red herring when travelling. If you have wifi for the laptop, then the phone can use it too. Indeed, if we don't retain EU data roaming rules, we might want to go back to the days of setting the 'phone never to use data over roaming connections - and find that's a lot less restrictive than it used to be 'cos free wifi is more widespread.

TUK020
Lemon Quarter
Posts: 2039
Joined: November 5th, 2016, 7:41 am
Has thanked: 762 times
Been thanked: 1175 times

Re: Two Factor Authentication

#280064

Postby TUK020 » January 26th, 2020, 12:44 pm

Lootman wrote:You seem to assume that security is the only issue here. But it's also about usability.

So any method that involves my mobile phone may not work at all if I can't get a signal or am out of the country. But we know something to my laptop via the internet will work because that is how I am accessing their site in the first place.

The optimal solution is one that is secure but also practical. All one and none of the other misses the point.


You are right in pointing out that this is a security versus usability trade off.

Good security is underpinned by multiple factor authentication.
The strongest systems involve 3 factors:
- something you know
- something you have
- something you are.
We are still in early days for something you are: fingerprint/iris scan systems etc. Witness the number of false reads on phone fingerprint systems (and that is not telling the really interesting stat which is the probability of a false positive).

The bank where I have my current account seems to have a good trade off for on-line banking. It requires 2FA, but gives you a choice of whether you use a card reader to create an authorisation code (card = something you have, PIN = something you know), or enter a passcode (something you know) and receive an authorisation code on your phone (something you have) to enter into your PC. Some actions (setting up a new payee) require use of the card reader.

This seems to be a good balance; the caveat is that I do not do online banking on my phone, only from my PC at home or work, so in this context the phone is only a receiver of an SMS, and I have an alternative if the phone goes astray.

If this seems like too much hassle on the security/usability spectrum, ask yourself how many times would you want your account cleared out before you change your mind.

Lootman
The full Lemon
Posts: 18685
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Two Factor Authentication

#280492

Postby Lootman » January 28th, 2020, 8:25 am

TUK020 wrote:
Lootman wrote:You seem to assume that security is the only issue here. But it's also about usability.

So any method that involves my mobile phone may not work at all if I can't get a signal or am out of the country. But we know something to my laptop via the internet will work because that is how I am accessing their site in the first place.

The optimal solution is one that is secure but also practical. All one and none of the other misses the point.

You are right in pointing out that this is a security versus usability trade off.

Good security is underpinned by multiple factor authentication.
The strongest systems involve 3 factors:

- something you know
- something you have
- something you are.

We are still in early days for something you are: fingerprint/iris scan systems etc. Witness the number of false reads on phone fingerprint systems (and that is not telling the really interesting stat which is the probability of a false positive).

The bank where I have my current account seems to have a good trade off for on-line banking. It requires 2FA, but gives you a choice of whether you use a card reader to create an authorisation code (card = something you have, PIN = something you know), or enter a passcode (something you know) and receive an authorisation code on your phone (something you have) to enter into your PC. Some actions (setting up a new payee) require use of the card reader.

This seems to be a good balance; the caveat is that I do not do online banking on my phone, only from my PC at home or work, so in this context the phone is only a receiver of an SMS, and I have an alternative if the phone goes astray.

If this seems like too much hassle on the security/usability spectrum, ask yourself how many times would you want your account cleared out before you change your mind.

OK, but what is your "alternative if the phone goes astray"? That's my problem because I may not have my phone with me, or I may not be able to get a signal, or (if overseas) there may be some connectivity issue. And of course some people don't have mobile phones, let alone smart phones.

I have no issue with a text to a phone being an option for authentication. I have a problem if it is the only method. HSBC gave me some clunky device to access my account but I refuse to use it or carry it around with me.

As for having my "account cleaned out", it has never happened in 40-odd years of no-2FA banking, much of which pre-dated smart phones and the internet.

gryffron
Lemon Quarter
Posts: 3608
Joined: November 4th, 2016, 10:00 am
Has thanked: 551 times
Been thanked: 1587 times

Re: Two Factor Authentication

#280546

Postby gryffron » January 28th, 2020, 10:54 am

Lootman wrote:HSBC gave me some clunky device to access my account but I refuse to use it or carry it around with me.

The HSBC phone app replaces the widget, and can generate the same codes for PC banking. Much easier to find your phone than that damn widget. ;)

Though since I got the App, I find it is easier to use for quick checks than the PC.

Gryff

TUK020
Lemon Quarter
Posts: 2039
Joined: November 5th, 2016, 7:41 am
Has thanked: 762 times
Been thanked: 1175 times

Re: Two Factor Authentication

#280689

Postby TUK020 » January 28th, 2020, 6:56 pm

Lootman wrote:OK, but what is your "alternative if the phone goes astray"?
TUK020 wrote: use a card reader to create an authorisation code (card = something you have, PIN = something you know),.



As for having my "account cleaned out", it has never happened in 40-odd years of no-2FA banking, much of which pre-dated smart phones and the internet.

So you are bound to be fine then

Lootman
The full Lemon
Posts: 18685
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Two Factor Authentication

#280693

Postby Lootman » January 28th, 2020, 7:01 pm

TUK020 wrote:
Lootman wrote:OK, but what is your "alternative if the phone goes astray"?
TUK020 wrote: use a card reader to create an authorisation code (card = something you have, PIN = something you know),.

As for having my "account cleaned out", it has never happened in 40-odd years of no-2FA banking, much of which pre-dated smart phones and the internet.

So you are bound to be fine then

It's still a very rare occurrence. The real issue is that banks currently cover the loss and so they want to impose the cost of that onto the customers, by making their systems much more difficult to use. Even if I had been "cleaned out" I would have been reimbursed. It's still their fault.

fca2019
2 Lemon pips
Posts: 220
Joined: July 18th, 2019, 8:37 am
Has thanked: 166 times
Been thanked: 65 times

Re: Two Factor Authentication

#286083

Postby fca2019 » February 22nd, 2020, 1:35 pm

Thanks for advice, all. Have gone with 2FA, and do agree an extra layer of security has to be a good thing.

richbun
Posts: 5
Joined: November 11th, 2016, 3:34 pm
Has thanked: 1 time

Re: Two Factor Authentication

#294461

Postby richbun » March 26th, 2020, 1:24 pm

The biggest threat with 2FA is the SIM swap, although it doesn't seem to have made such an impression on this side of the Atlantic and we are still a bit switched off to it as something to watch out for.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294667

Postby colin » March 27th, 2020, 8:16 am

richbun wrote:The biggest threat with 2FA is the SIM swap, although it doesn't seem to have made such an impression on this side of the Atlantic and we are still a bit switched off to it as something to watch out for.

Yes that's my biggest fear about 2fa, I have found it impossible to get providers of my financial services to take this risk seriously. I would much prefer it if we could just use a second email address for 2fa, but with 2fa as it stands a sim swap allows them to select 'forgot password' against the email address then use my phone number to receive a password change code.

uspaul666
2 Lemon pips
Posts: 232
Joined: November 4th, 2016, 6:35 am
Has thanked: 195 times
Been thanked: 111 times

Re: Two Factor Authentication

#294669

Postby uspaul666 » March 27th, 2020, 8:29 am

SIM swap fraud can be a problem. But 2FA like “Authy” or Google’s authenticate avoid relying on the phone number or SIM. A J Bell use authenticate for example. It’s also worth adjusting the notification settings on the phone so that SMS messages are hidden until the phone is unlocked.

88V8
Lemon Half
Posts: 5770
Joined: November 4th, 2016, 11:22 am
Has thanked: 4101 times
Been thanked: 2561 times

Re: Two Factor Authentication

#294698

Postby 88V8 » March 27th, 2020, 9:55 am

Mobile?
Anything involving money?
Haha.

I get 2FA codes on email (PC with good security) or landline.

V8

uspaul666
2 Lemon pips
Posts: 232
Joined: November 4th, 2016, 6:35 am
Has thanked: 195 times
Been thanked: 111 times

Re: Two Factor Authentication

#294789

Postby uspaul666 » March 27th, 2020, 1:06 pm

The safest way to access a financial institution is generally accepted to be via their app on a modern mobile phone, preferably via mobile data. Sorry.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294797

Postby colin » March 27th, 2020, 1:19 pm

uspaul666 wrote:The safest way to access a financial institution is generally accepted to be via their app on a modern mobile phone, preferably via mobile data. Sorry.

Sorry the issue is other people accessing your financial institutions by hijacking your phone number, pay attention.

