
Two Factor Authentication

Investment discussion for beginners. Why you should invest your money, get help getting started
fca2019
2 Lemon pips
Posts: 220
Joined: July 18th, 2019, 8:37 am
Has thanked: 166 times
Been thanked: 65 times

Two Factor Authentication

#279337

Postby fca2019 » January 23rd, 2020, 9:46 am

Do you know if this makes your account any more secure? I was put off by it as with investment platform you have to download the investment platform app first on your phone and log onto this on your phone to enable two factor authentication.

However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.

Is Google authentication any better? Or are you just safer sticking to desktop PC without two factor authentication?

I seem to remember an old thread about this, but cannot find it. Thanks
Last edited by fca2019 on January 23rd, 2020, 9:57 am, edited 1 time in total.

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6563 times

Re: Two Factor Authentication

#279341

Postby Lootman » January 23rd, 2020, 9:50 am

Like you I am not willing to perform any financial activity on any kind of phone.

I am fine with 2FA but it should either involve sending a code to my email address or else it should be of the "memorable question" variety.

Any institution that insists that I download an "app" will lose my business. Ditto any that assumes I have a smart phone. So far that has not happened.

swill453
Lemon Half
Posts: 7962
Joined: November 4th, 2016, 6:11 pm
Has thanked: 984 times
Been thanked: 3643 times

Re: Two Factor Authentication

#279342

Postby swill453 » January 23rd, 2020, 9:52 am

fca2019 wrote:However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.

There's a lot to this, but one thing I would trust is the communication link between a provider's app and the provider itself, whether over the mobile phone network, public or private wifi or a wet piece of string. Snooping the network will get you nowhere. Mainly because the provider has control of both ends, and can use the strongest authentication and encryption they like.

Scott.

Howard
Lemon Quarter
Posts: 2178
Joined: November 4th, 2016, 8:26 pm
Has thanked: 885 times
Been thanked: 1017 times

Re: Two Factor Authentication

#279352

Postby Howard » January 23rd, 2020, 10:06 am

swill453 wrote:
fca2019 wrote:However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.

There's a lot to this, but one thing I would trust is the communication link between a provider's app and the provider itself, whether over the mobile phone network, public or private wifi or a wet piece of string. Snooping the network will get you nowhere. Mainly because the provider has control of both ends, and can use the strongest authentication and encryption they like.

Scott.


I'm sure you are right about this particular issue. But the Jeff Bezos example surely indicates that a phone user might themselves inadvertently allow a weakness. I'm not technically qualified, but generally someone like me who uses a desktop for boring stuff like investing and banking may be less likely to naively download a text message from WhatsApp (if that's even possible on a desktop :? ).

I've marvelled at the (useless!) things I can do on my smartphone, but wouldn't dream of trying them on my desktop. The combination of the two machines for security doesn't seem terribly sensible to me. Although I must admit that they share and sync a Google account.

regards

Howard

swill453
Lemon Half
Posts: 7962
Joined: November 4th, 2016, 6:11 pm
Has thanked: 984 times
Been thanked: 3643 times

Re: Two Factor Authentication

#279354

Postby swill453 » January 23rd, 2020, 10:10 am

Howard wrote:I'm sure you are right about this particular issue. But the Jeff Bezos example surely indicates that a phone user might themselves inadvertently allow a weakness. I'm not technically qualified, but generally someone like me who uses a desktop for boring stuff like investing and banking may be less likely to naively download a text message from WhatsApp (if that's even possible on a desktop :? ).

But what you might do is click on a phishing link in an email and get sent to a web site that looks very much like the banking or share dealing one you're used to. (casting no aspersions to you personally).

If you use an app on a smart phone, this isn't an issue.

Scott.

gryffron
Lemon Quarter
Posts: 3606
Joined: November 4th, 2016, 10:00 am
Has thanked: 550 times
Been thanked: 1586 times

Re: Two Factor Authentication

#279367

Postby gryffron » January 23rd, 2020, 10:44 am

First off, 2FA doesn't necessarily mean a smartphone/app. It just means, a second layer of security. Adding a personal question, thumbprint, access to email, access to a phone number, etc.

Is 2FA better than 1FA? - yes, without any question.

So let's assume you are really asking a more general question about smartphone apps then:

Nothing is perfect of course. But as a general rule, modern smartphones have better security than PCs. With thumbprint or facial recognition now being common features. And vendors having much tighter control of the o/s. So I would suggest IN GENERAL smartphone apps are more secure than websites. As Scott says, App writers can implement very strong security within the App. Better than the general purpose security of web browsers. So zero chance of anyone intercepting the data via wifi/phone data being able to use it. And Apps are harder to mimic.

There is a good reason why so many banks are keen for you to use their Apps. Yes, they are safER than PCs and the www.

Gryff

Arborbridge
The full Lemon
Posts: 10369
Joined: November 4th, 2016, 9:33 am
Has thanked: 3601 times
Been thanked: 5227 times

Re: Two Factor Authentication

#279373

Postby Arborbridge » January 23rd, 2020, 11:08 am

What one should avoid, is a passcode being sent to your phone by SMS. There are enough mentions of SIM card ID theft to make me wary of that.

I use Google authenticator for my 2FA and I'm convinced that having it is better than only having a password, i.e. 1FA.

I notice that A J Bell will let you print out a page of codes to use in an emergency - so you could do that instead of using Authenticator. Provided you delete the download from your PC, of course!

I have never felt tempted to use a mobile for banking or similar. Logging in on a PC but with the 2nd FA on a mobile seems as good as a normal person might do.


Arb.

jonesa1
Lemon Slice
Posts: 263
Joined: May 27th, 2019, 9:47 am
Has thanked: 103 times
Been thanked: 142 times

Re: Two Factor Authentication

#279412

Postby jonesa1 » January 23rd, 2020, 1:22 pm

Arborbridge wrote:What one should avoid, is a passcode being sent to your phone by SMS. There are enough mentions of SIM card ID theft to make me wary of that.



There is a risk that your mobile phone network provider will send someone else a replacement SIM (use of really poor security questions is a stupid weakness common to most organisations, never use real personal info for security questions, even if that means you need to write down the answers), that potentially gives you a real issue for any account which doesn't have 2FA, especially if that includes email ids controlling bank accounts etc and the provider uses SMS verification. However SMS verification is a lot less of a risk when used as part of 2FA, even if someone steals your SIM, they would need access to the other authentication method (such as a password).

JohnB
Lemon Quarter
Posts: 2497
Joined: January 15th, 2017, 9:20 am
Has thanked: 677 times
Been thanked: 997 times

Re: Two Factor Authentication

#279441

Postby JohnB » January 23rd, 2020, 2:46 pm

I try very hard to avoid putting company apps on my phone, and certainly wouldn't do for financial ones. Apps seem worse written than websites (though Three manages to be equally dreadful on both), and I have less confidence in Android and the mobile system than I do in my Linux box. It also balkanises my interactions with the world, I want to use a web browser as my common interface.

At least with the SMS to mobile, I am expecting it, and will notice if never arrives. A thief with a cloned sim won't know what details I used to authenticate on my PC, at least because I don't sync my mobile browser password storage with my PC, and don't access financial sites on my mobile.

I've yet to have a horror story about 2FA not working because my mobile's not got reception, but I'm sure it will come.

johnhemming
Lemon Quarter
Posts: 3858
Joined: November 8th, 2016, 7:13 pm
Has thanked: 9 times
Been thanked: 609 times

Re: Two Factor Authentication

#279453

Postby johnhemming » January 23rd, 2020, 4:20 pm

Android is inherently a more secure operating system than Windows because it maintains a separation between applications.

Steveam
Lemon Slice
Posts: 974
Joined: March 18th, 2017, 10:22 pm
Has thanked: 1745 times
Been thanked: 534 times

Re: Two Factor Authentication

#279565

Postby Steveam » January 24th, 2020, 7:04 am

This thread is relevant: viewtopic.php?f=39&t=21003

Best wishes,

Steve

Gilgongo
Lemon Slice
Posts: 415
Joined: November 5th, 2016, 6:51 pm
Has thanked: 154 times
Been thanked: 127 times

Re: Two Factor Authentication

#279758

Postby Gilgongo » January 24th, 2020, 4:56 pm

Arborbridge wrote:I use Google authenticator for my 2FA and I'm convinced that having it is better than only having a password, i.e. 1FA.


I'd second that, but with the caveat that Google Authenticator is a little risky if one is not diligent in saving offline key codes in case you lose access to your phone.

I use the Authenticator Plus app, which has the ability to back up your keys on Google Drive or Dropbox. In the event that you lose access to your phone, you can install the app on a new phone and retrieve the keys (using a recovery password) and your 2FA codes are restored (an added bonus is that it syncs across devices too).

If you lose your phone with Google Authenticator, you have to re-generate each account on your new phone. And if you haven't saved offline key codes to log back into the relevant accounts to do this, it might present a rather disastrous Catch-22 problem.

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Two Factor Authentication

#279760

Postby Lanark » January 24th, 2020, 5:03 pm

The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.

Really we need 3FA with any 2 out of 3 to get in, but very few places seem to offer that yet.

uspaul666
2 Lemon pips
Posts: 232
Joined: November 4th, 2016, 6:35 am
Has thanked: 195 times
Been thanked: 111 times

Re: Two Factor Authentication

#279764

Postby uspaul666 » January 24th, 2020, 5:34 pm

Just a couple of notes. Google authenticator doesn’t need any internet connection, it’s just a clock with a weird readout. Secondly, there’s nothing to stop you initialising two or three authenticator apps simultaneously on two or three phones to guard against losing one of the phones. They all then show the same sequence of numbers in lock step.

Arborbridge
The full Lemon
Posts: 10369
Joined: November 4th, 2016, 9:33 am
Has thanked: 3601 times
Been thanked: 5227 times

Re: Two Factor Authentication

#279771

Postby Arborbridge » January 24th, 2020, 6:24 pm

Gilgongo wrote:
Arborbridge wrote:I use Google authenticator for my 2FA and I'm convinced that having it is better than only having a password, i.e. 1FA.


I'd second that, but with the caveat that Google Authenticator is a little risky if one is not diligent in saving offline key codes in case you lose access to your phone.

I use the Authenticator Plus app, which has the ability to back up your keys on Google Drive or Dropbox. In the event that you lose access to your phone, you can install the app on a new phone and retrieve the keys (using a recovery password) and your 2FA codes are restored (an added bonus is that it syncs across devices too).

If you lose your phone with Google Authenticator, you have to re-generate each account on your new phone. And if you haven't saved offline key codes to log back into the relevant accounts to do this, it might present a rather disastrous Catch-22 problem.


I'm not sure I understand the problem. I just changed my phone and had no trouble installing on the new phone. Whether that's different to losing a phone I'm not sure.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#279772

Postby colin » January 24th, 2020, 6:28 pm

Lanark wrote:The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.

Really we need 3FA with any 2 out of 3 to get in, but very few places seem to offer that yet.

I would be much happier with 2 factor id if the second form of id consisted of a code sent in an email. Won't protect if someone knows your email password but then you could keep a separate email address just for the second id.

Gilgongo
Lemon Slice
Posts: 415
Joined: November 5th, 2016, 6:51 pm
Has thanked: 154 times
Been thanked: 127 times

Re: Two Factor Authentication

#279777

Postby Gilgongo » January 24th, 2020, 6:57 pm

Arborbridge wrote:I'm not sure I understand the problem. I just changed my phone and had no trouble installing on the new phone. Whether that's different to losing a phone I'm not sure.


If you installed the app on the new phone and all your 2FA accounts all showed up without you having to do anything, then perhaps Google have changed the way it works since I was using it a few years ago. It certainly wasn't the case that they backed up your codes before. You had to re-generate all your accounts for the new phone.
Last edited by Gilgongo on January 24th, 2020, 7:08 pm, edited 1 time in total.

Gilgongo
Lemon Slice
Posts: 415
Joined: November 5th, 2016, 6:51 pm
Has thanked: 154 times
Been thanked: 127 times

Re: Two Factor Authentication

#279779

Postby Gilgongo » January 24th, 2020, 7:00 pm

Lanark wrote:The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.


That's right, although you're referring to "over the air" 2FA re. disconnection or re-routing, not offline (like Google Authenticator or one time codes).

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6563 times

Re: Two Factor Authentication

#279795

Postby Lootman » January 24th, 2020, 9:03 pm

Lanark wrote:The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.

Really we need 3FA with any 2 out of 3 to get in, but very few places seem to offer that yet.

I like the way Google does this when signing into your account with them.

If it doesn't like you it gives you about six options. Some are via a phone, some via email and some asking for special information.

Just give us OPTIONS!

Arborbridge
The full Lemon
Posts: 10369
Joined: November 4th, 2016, 9:33 am
Has thanked: 3601 times
Been thanked: 5227 times

Re: Two Factor Authentication

#279801

Postby Arborbridge » January 24th, 2020, 10:37 pm

Gilgongo wrote:
Arborbridge wrote:I'm not sure I understand the problem. I just changed my phone and had no trouble installing on the new phone. Whether that's different to losing a phone I'm not sure.


If you installed the app on the new phone and all your 2FA accounts all showed up without you having to do anything, then perhaps Google have changed the way it works since I was using it a few years ago. It certainly wasn't the case that they backed up your codes before. You had to re-generate all your accounts for the new phone.


When you "regenerate" I think I needed to get another activation code or something. It was straightforward, but then I don't have loads of accounts using Google authenticator so it's no chore.

