EmailDiscussions.com  

Old 25 Jul 2016, 05:58 PM   #1
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
Adding recovery phone

Hi,

Is anyone else (in the UK) having a problem setting this up? I am not getting the confirmation text and have tried several times.

...I ask because my mobile reception isn't great but I currently have 1 bar.

J.

Old 25 Jul 2016, 06:01 PM   #2
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
Quote:
Originally Posted by JamesHenderson View Post
Hi,

Is anyone else (in the UK) having a problem setting this up? I am not getting the confirmation text and have tried several times.

...I ask because my mobile reception isn't great but I currently have 1 bar.

J.
OK, it eventually came through - took more like 5 minutes and only after the 5th attempt.
Old 25 Jul 2016, 06:02 PM   #3
g4mby
Member
 
Join Date: Dec 2005
Posts: 88
Quote:
Originally Posted by JamesHenderson View Post
Is anyone else (in the UK) having a problem setting this up? I am not getting the confirmation text and have tried several times.
Sorry James but I've just added two phones which are on different networks. Text message received within five seconds of it being requested.

Edit: Looks like you received your text message while I was posting.
Old 25 Jul 2016, 06:03 PM   #4
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,029
AU is a long way away....
Old 25 Jul 2016, 06:05 PM   #5
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
Quote:
Originally Posted by Terry View Post
AU is a long way away....
Ha - you're not kidding - all the other texts have literally just come through in a burst.
Old 25 Jul 2016, 06:12 PM   #6
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
Quote:
Originally Posted by g4mby View Post
Sorry James but I've just added two phones which are on different networks. Text message received within five seconds of it being requested.

Edit: Looks like you received your text message while I was posting.
thanks!

(...adding more text so my reply is long enough...)
Old 25 Jul 2016, 06:18 PM   #7
misc
Essential Contributor
 
Join Date: Jul 2013
Location: Germany
Posts: 251
I've had no problems setting up the recovery phone, it took just a few seconds to get the verification code.

What seems to be unfavorable to me is that the code is written at the beginning of the text message. So on an iPhone for example you can read the code from the preview in the lock screen without having to unlock your phone. I haven't tried this yet, but if the text for resetting your account password looks the same, this would be a security risk, wouldn't it?
Old 25 Jul 2016, 06:29 PM   #8
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
Quote:
Originally Posted by misc View Post
I've had no problems setting up the recovery phone, it took just a few seconds to get the verification code.

What seems to be unfavorable to me is that the code is written at the beginning of the text message. So on an iPhone for example you can read the code from the preview in the lock screen without having to unlock your phone. I haven't tried this yet, but if the text for resetting your account password looks the same, this would be a security risk, wouldn't it?
...you can switch off the ability to read the text message itself on your iPhone security screen.
Old 27 Jul 2016, 02:52 PM   #9
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by misc View Post
I've had no problems setting up the recovery phone, it took just a few seconds to get the verification code.

What seems to be unfavorable to me is that the code is written at the beginning of the text message. So on an iPhone for example you can read the code from the preview in the lock screen without having to unlock your phone. I haven't tried this yet, but if the text for resetting your account password looks the same, this would be a security risk, wouldn't it?
I would assume that, if you had requested a recovery code via text message, that you would have your 'phone with you and so would be expecting that text message.

I wouldn't consider that a problem, unless you leave your 'phone laying around for all and sundry to pick up and look at.

In that case, you are probably more of a security risk.

If you don't trust the text message option, you could request the code be sent to an e-mail address instead.
Old 27 Jul 2016, 03:23 PM   #10
misc
Essential Contributor
 
Join Date: Jul 2013
Location: Germany
Posts: 251
Quote:
Originally Posted by FredOnline View Post
I wouldn't consider that a problem, unless you leave your 'phone laying around for all and sundry to pick up and look at.

In that case, you are probably more of a security risk.
I know that case is very unlikely – I just thought it would be very simple to avoid that ‘leak’ by putting the security code at the end of the text message. And of course that's only for iOS devices, I don't know how Android or other OSes or devices are dealing with text previews. So, everything's fine, don't bother.
Old 27 Jul 2016, 03:26 PM   #11
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,029
Quote:
Originally Posted by misc View Post
I don't know how Android or other OSes or devices are dealing with text previews.
Android is the same.
Old 27 Jul 2016, 04:00 PM   #12
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
I actually think it's pretty handy to have the code appear near the beginning of the text message and appear on the lock screen.

1) When I'm in a rush logging in to any of my 2FA services/accounts, I don't need to unlock the phone.

2) Rare case: I actually got locked out of my phone once (eventually needed to wipe and reinstall everything) -- and I couldn't access my text messages but needed urgently to log in to 1 of my 2FA accounts. That lock screen showing my first several characters of the message -- and the entire 2FA code -- helped me get in (this was a non-FM account).
Old 27 Jul 2016, 04:21 PM   #13
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
The code appears at the start for two main reasons. One is so that it's quickly visible in a phone UI that only presents the first part of the message, and so the entire message can be pasted into the form - we only take the first six characters.

It's impossible for us to predict if and where an individual display will truncate the message. On my particular flavour of Android phone, I can expand the notification on the lock screen to see the entire message, without unlocking the phone. If it really bothered me, my phone has an option to not show message text on the lock screen. Yours probably does too.

As an attacker, knowing the code doesn't get you anything though. The code itself is tied to the login session that initiated it - it won't work elsewhere. It's also only valid for a short amount of time.
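The properties described in the post above (code at the start of the message, only the first six characters read, code bound to the requesting session, short lifetime), sketched as an added example; this is not Fastmail's code and is not part of the original post. The `CodeStore` class, the five-minute lifetime, the guess limit and the SMS wording are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_LEN = 6        # the post says only the first six characters are used
TTL_SECONDS = 300   # assumed; the post only says "a short amount of time"
MAX_ATTEMPTS = 5    # assumed guess limit, not mentioned in the thread


class CodeStore:
    """Pending codes keyed by the session that requested them (in-memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(session_id, code):
        # Keep a digest bound to the session rather than the code itself.
        return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

    def issue(self, session_id):
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self._pending[session_id] = [
            self._digest(session_id, code),
            self._clock() + TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        # Code first, so a pasted whole message still starts with it.
        return f"{code} is your verification code (constructed sample text)."

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no code was issued to this session
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[session_id]
            return False  # expired, or too many wrong guesses
        entry[2] -= 1
        candidate = submitted.strip()[:CODE_LEN]  # first six characters only
        if hmac.compare_digest(digest, self._digest(session_id, candidate)):
            del self._pending[session_id]  # single use
            return True
        return False
```

A code read off a lock screen fails `verify` from any session other than the one that called `issue`, and from the issuing session once the lifetime has passed.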
Old 27 Jul 2016, 04:52 PM   #14
misc
Essential Contributor
 
Join Date: Jul 2013
Location: Germany
Posts: 251
Quote:
Originally Posted by robn View Post
As an attacker, knowing the code doesn't get you anything though. The code itself is tied to the login session that initiated it - it won't work elsewhere. It's also only valid for a short amount of time.
Thanks Rob, but I wasn't talking about 2FA but about the Account Recovery feature. With the SMS code I could quickly reset the main account password and then delete all app passwords. Or did I get the recovery process wrong?
Old 27 Jul 2016, 05:13 PM   #15
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,029
Edit......

Last edited by Terry : 27 Jul 2016 at 08:59 PM.

All times are GMT +9.