[Info-vax] Two-Factor Authentication
John E. Malmberg
wb8tyw at qsl.net_work
Thu Oct 24 08:58:25 EDT 2019
On 10/23/2019 7:31 AM, VAXman- at SendSpamHere.ORG wrote:
>> web app: password + client certificate *or* password + text message with
>> pin (either via email to text gateway or a text messaging provider
>> offering a web service API)
>
> Many web sites are doing this and I discussed this method with a party interested
> in implementing 2FA yesterday. My bank is now doing this OTP pin authentication
> which I, personally, find extremely annoying. The email route can often be very
> long in which case the OTP pin is expired and I don't have a phone that receives
> SMS. The whole phone thing seems problematic, especially if it's a mobile phone
> and the user is outside of cell service.
Some of the systems offer an option to have a voice phone call to report
the pin, so SMS is not required.

And one system I use also sends a link in e-mail to click on for it to
remember the device so that it does not ask for a pin again. But it
seems to forget about that device every few months.

Google has an annoying feature where it is doing an IP address lookup to
look up the location for validation and then sends a notification to the
device that it blocks access if it does not recognize the IP. In just a
drive around my county, my reported IP address wanders around the
continental U.S. as I move from cell to cell, so I end up blocked until
I notice that message.

And recently when I had a tablet battery fail and replaced it, I
discovered on a trip that my new device was locked out of gmail access
until I entered a code sent to the dead device, or returned to the home
IP address.

Some sites now have an anti-phishing feature. They require me to pick a
picture to be displayed when I log in and then tell me that I should
only proceed with the login if I see that picture (and an extra click
for me to agree that it is the right picture). Not sure that would be
effective though.

USB / sdcard dongles also have problems. Either not safe or not allowed
to put them in some devices.
Regards,
-John
wb8tyw at qsl.net_work