EmailDiscussions.com

EmailDiscussions.com (http://www.emaildiscussions.com/index.php)
-   FastMail Forum (http://www.emaildiscussions.com/forumdisplay.php?f=27)
-   -   SMS as 2FA yet? (http://www.emaildiscussions.com/showthread.php?t=72384)

edu 3 Jan 2017 02:19 AM

SMS as 2FA yet?
 
Question: Is it active yet or has it disappeared? In case someone loses the smartphone and is not using pendrives or other devices with 2FA.
Thanks.

jhollington 3 Jan 2017 03:40 AM

It disappeared as part of FastMail's rollout of the new 2FA system last summer, and I'd guess that it's probably not coming back.... A post here by brong from the FastMail team suggests that it's pretty much known to be "awful for security" as well as reliability/deliverability.

rnkn 3 Jan 2017 09:36 AM

Trust in SMS is a quick path to having your identity stolen 🕵

edu 3 Jan 2017 03:19 PM

Thank you both for your answers. Yes, I know it's not safe, but it's safer than nothing. So, if you are without a smartphone (or don't want to use a smartphone anymore) and can't use another device, then SMS as 2FA is better than no 2FA. But I see that it's not in FM anymore.

rnkn 3 Jan 2017 06:04 PM

There are a few command line tools for generating time-based one-time passwords. There's no real magic to it, the codes are just generated from running a SHA1 algorithm on a secret string. A QR code is just a silly/inefficient way of communicating that secret string to an app, it's little different to copy/paste.

Have a google around and see what you're comfortable with using.

Terry 3 Jan 2017 06:48 PM

Quote:

Originally Posted by rnkn (Post 598653)
Trust in SMS is a quick path to having your identity stolen 🕵

Why would you say that? Banks here in Australia use SMS to send a log-in account password and so does the Government; surely if it was unsafe they would use some other method?

I would say the reason f/m don't want to use sms is the cost and reliability of phone companies.

edu 3 Jan 2017 08:38 PM

Quote:

Originally Posted by rnkn (Post 598662)
There are a few command line tools for generating time-based one-time passwords. There's no real magic to it, the codes are just generated from running a SHA1 algorithm on a secret string. A QR code is just a silly/inefficient way of communicating that secret string to an app, it's little different to copy/paste.

Have a google around and see what you're comfortable with using.

Thank you. I thought FM was not supporting time-based one-time passwords anymore, or do you mean another way to do it? Can you tell me more?

edu 3 Jan 2017 08:39 PM

Quote:

Originally Posted by Terry (Post 598664)
Why would you say that? Banks here in Australia use SMS to send a log-in account password and so does the Government; surely if it was unsafe they would use some other method?

I would say the reason f/m don't want to use sms is the cost and reliability of phone companies.

I read about it too, it's easier to intercept SMS on smartphones than to attack an OTP app; I posted about it some time ago: http://emaildiscussions.com/showthread.php?t=71964

jhollington 3 Jan 2017 10:55 PM

Quote:

Originally Posted by edu (Post 598665)
Thank you. I thought FM was not supporting time-based one-time passwords anymore, or do you mean another way to do it? Can you tell me more?

FastMail still supports time-based one-time passwords as part of its new two-factor authentication system, but unlike the old "alternative logins" feature, these don't replace your FastMail password, but rather supplement it (hence the "two-factor" aspect).

The new 2FA system also supports only TOTP now for one-time passwords — either via a TOTP app like Google Authenticator or a Yubikey OTP device; the old static OTP lists that you could print are no more. Alternatively, you can also use the even more secure U2F method, assuming you have a U2F device and are using a browser (Google Chrome) that supports U2F.

To be fair, though, I also sort of lied about SMS not being available — FastMail does provide SMS authentication as a backup situation in the event that you don't have access to your TOTP device or U2F key, but it's clearly intended to be more of a backup/recovery method than a primary authentication method, but technically speaking, it does work in about the same way; I think FastMail just makes it a "backup" method to steer people toward the more effective TOTP/U2F system.

You can get an SMS code when logging in by clicking the "Send a code to your backup phone number" link at the bottom of the second-factor screen (this of course assumes you've added your phone number in the "Account Recovery" section of your FastMail "Password & Security" preferences).

jhollington 3 Jan 2017 11:02 PM

Quote:

Originally Posted by Terry (Post 598664)
Why would you say that? Banks here in Australia use SMS to send a log-in account password and so does the Government; surely if it was unsafe they would use some other method?

Well, it's not about it being "unsafe" so much as "not as safe" as other methods. I think the problem is that for a lot of public organizations like banks and Government agencies, SMS is the "least common denominator." It's not about security in that sense so much as convenience, and as others have pointed out, it's also better than not using a second factor at all.

The reality is that you're not going to get the vast majority of average users (probably 90% of the bank/Government user base) to fiddle with TOTP apps or buy U2F keys, so you're left with having to lower your security standards to the very lowest solution that pretty much every one of your clients has access to, and of course that's SMS, since almost everyone has a mobile phone these days.

Again, better than not having a second factor at all, and a big part of any security model is buy-in and usability from the user base. Security that nobody is going to use is no better than no security at all.

edu 3 Jan 2017 11:48 PM

Thank you very much, doubt resolved :)

Quote:

Originally Posted by jhollington (Post 598668)
FastMail still supports time-based one-time passwords as part of its new two-factor authentication system, but unlike the old "alternative logins" feature, these don't replace your FastMail password, but rather supplement it (hence the "two-factor" aspect).

The new 2FA system also supports only TOTP now for one-time passwords — either via a TOTP app like Google Authenticator or a Yubikey OTP device; the old static OTP lists that you could print are no more. Alternatively, you can also use the even more secure U2F method, assuming you have a U2F device and are using a browser (Google Chrome) that supports U2F.

To be fair, though, I also sort of lied about SMS not being available — FastMail does provide SMS authentication as a backup situation in the event that you don't have access to your TOTP device or U2F key, but it's clearly intended to be more of a backup/recovery method than a primary authentication method, but technically speaking, it does work in about the same way; I think FastMail just makes it a "backup" method to steer people toward the more effective TOTP/U2F system.

You can get an SMS code when logging in by clicking the "Send a code to your backup phone number" link at the bottom of the second-factor screen (this of course assumes you've added your phone number in the "Account Recovery" section of your FastMail "Password & Security" preferences).



Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.