
(USA Today)   Text messages aren't always a great way to execute two-way authentication   (usatoday.com)

804 clicks; posted to STEM on 02 Sep 2021 at 7:27 AM (13 weeks ago)



 
2021-09-02 8:45:59 AM  
Consumers didn't ask for this shiat. Don't blame them.
 
2021-09-02 9:06:37 AM  
It really bothers me that companies expect me to have my phone with me at all times. From these authentications to restaurants that have replaced menus with QR codes, there is an expectation that I have a computer in my pocket at all times; this is not the case.

I can, and do, go days without my phone. This shocks people, I am aware. When I mentioned to some friends that I was without my phone for a while traveling in Mexico they looked at me like I had gone to the moon without a spacesuit.

We shouldn't be expected to carry a phone any more than we should be expected to have our refrigerator connected to the Internet.
 
2021-09-02 9:08:09 AM  
Time-based one-time code protocols have been standardized for ages now. I don't know why so many companies can't figure it out. I use multiple 3rd party apps on multiple operating systems to generate the codes. It works flawlessly. Text messages have been shown time and time again to be a very weak link in the security chain.
 
2021-09-02 9:28:22 AM  

CFitzsimmons: It really bothers me that companies expect me to have my phone with me at all times. From these authentications to restaurants that have replaced menus with QR codes, there is an expectation that I have a computer in my pocket at all times; this is not the case.

I can, and do, go days without my phone. This shocks people, I am aware. When I mentioned to some friends that I was without my phone for a while traveling in Mexico they looked at me like I had gone to the moon without a spacesuit.

We shouldn't be expected to carry a phone any more than we should be expected to have our refrigerator connected to the Internet.


I'm old, so while I do have my phone with me 90% of the time, I don't particularly care to use it for major things like extensive web browsing (I'm on my PC for this) or stuff that requires scrolling forever. I'd rather do the major screen time on a bigger screen.
 
2021-09-02 9:46:42 AM  

Russ1642: I don't know why so many companies can't figure it out


TOTP requires an app to be installed on the user's device.  SMS does not.  It's a cost/benefit calculation, and breaking SMS requires breaking the law.  That's good enough to cover banks' asses, or at least has been so far.
 
2021-09-02 10:06:13 AM  

Russ1642: Time-based one-time code protocols have been standardized for ages now. I don't know why so many companies can't figure it out. I use multiple 3rd party apps on multiple operating systems to generate the codes. It works flawlessly. Text messages have been shown time and time again to be a very weak link in the security chain.


Serious question...both iPhone and Android are notoriously hackable with virtually no effort, e.g., Pegasus.  Is there anything specifically protecting the seed values in phone storage that "offline" authenticator apps rely on?
 
2021-09-02 10:13:26 AM  

CFitzsimmons: It really bothers me that companies expect me to have my phone with me at all times. From these authentications to restaurants that have replaced menus with QR codes, there is an expectation that I have a computer in my pocket at all times; this is not the case.

I can, and do, go days without my phone. This shocks people, I am aware. When I mentioned to some friends that I was without my phone for a while traveling in Mexico they looked at me like I had gone to the moon without a spacesuit.

We shouldn't be expected to carry a phone any more than we should be expected to have our refrigerator connected to the Internet.


Buy a Linux phone
 
2021-09-02 11:24:56 AM  

CFitzsimmons: It really bothers me that companies expect me to have my phone with me at all times. From these authentications to restaurants that have replaced menus with QR codes, there is an expectation that I have a computer in my pocket at all times; this is not the case.

I can, and do, go days without my phone. This shocks people, I am aware. When I mentioned to some friends that I was without my phone for a while traveling in Mexico they looked at me like I had gone to the moon without a spacesuit.

We shouldn't be expected to carry a phone any more than we should be expected to have our refrigerator connected to the Internet.


Better to steal your data my dear......
 
2021-09-02 2:26:38 PM  

CFitzsimmons: It really bothers me that companies expect me to have my phone with me at all times. From these authentications to restaurants that have replaced menus with QR codes, there is an expectation that I have a computer in my pocket at all times; this is not the case.

I can, and do, go days without my phone. This shocks people, I am aware. When I mentioned to some friends that I was without my phone for a while traveling in Mexico they looked at me like I had gone to the moon without a spacesuit.

We shouldn't be expected to carry a phone any more than we should be expected to have our refrigerator connected to the Internet.


Agreed. Even if you have your phone, you might not have data coverage when you are travelling.
 
2021-09-02 7:19:56 PM  

Yankees Team Gynecologist: Russ1642: Time-based one-time code protocols have been standardized for ages now. I don't know why so many companies can't figure it out. I use multiple 3rd party apps on multiple operating systems to generate the codes. It works flawlessly. Text messages have been shown time and time again to be a very weak link in the security chain.

Serious question...both iPhone and Android are notoriously hackable with virtually no effort, e.g., Pegasus.  Is there anything specifically protecting the seed values in phone storage that "offline" authenticator apps rely on?


Every single service I've used for TOTP codes will actually give you the seed password. I store them safely so I can use them on multiple devices and don't need to 'register' again. As for the storage on the device, if they've got that sort of access to the device they can just use the app. If someone has your phone you go online and deregister the codes before they use them. The codes should be stored with whatever encryption is built into the OS. And Pegasus/Chrysaor is far less effective on Android devices, at least as reported right now.
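
The seed discussion in the comments above, as an added example that is not part of the original thread: a standard RFC 6238 TOTP generator showing that a code depends only on the seed and the clock (so any device holding the seed produces the same codes, which is why seed storage matters), plus a server-side check with a drift window and replay rejection. The seed is the RFC 6238 test key, used here as a constructed sample; the `Verifier` class and its parameters are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way services typically show it at enrollment.
SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code is a function of seed and time only."""
    key = base64.b32decode(seed_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: allow +/-1 step of drift, reject reused codes."""

    def __init__(self, seed_b32, step=30, window=1):
        self.seed, self.step, self.window = seed_b32, step, window
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            expected = totp(self.seed, counter * self.step, self.step)
            # Constant-time comparison avoids leaking matching prefixes.
            if hmac.compare_digest(expected.encode(), code.encode()):
                if counter <= self.last_counter:
                    return False  # same or older time step: replayed code
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    phone = totp(SEED_B32, 59)    # "device A"
    laptop = totp(SEED_B32, 59)   # "device B" holding a copy of the seed
    server = Verifier(SEED_B32)
    print(phone, laptop, server.verify(phone, 59), server.verify(phone, 60))
```
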
 