Two-Factor Authentication: Back to the simpler options

In the last exciting installment of my two-factor authentication (2FA) odyssey, I got to the point of having to reset my Authy account because I messed up keeping records of the token backup password and the PINs used to protect the apps on my three devices.

By the way, if you’re thinking this sounds complex, it is. I like to think I’m not stupid, but this has been tortuous for me and I was already beginning to think (a) I may never get it working (b) even if I can, the majority of non-IT specialists never would.

Anyway, after my account was reset I duly reinstalled the apps on my phone, iPad and PC, set (and recorded) all the passwords and PINs, and took a deep breath. Back I went to setting up 2FA on my Gmail account. This again proved incredibly frustrating, with the Android app being confused by the old entry not being deleted; then I ended up with two tokens for Gmail! And it takes 48 hours to delete them!! In a fit of indignation I decided I’d had enough and disabled 2FA on Gmail again.

After cooling off and steeling myself to try again, I went to the Android app and found that (a) the Gmail tokens I thought I’d deleted were still there (b) the protection PIN on the app seemed to have been turned off. What. Is. Going. On??

Enough is enough. Regardless of its technical merits, and all the advantages compared to “simple” SMS-based 2FA, this was just never going to work for me. Reluctantly, I initiated deletion of my Authy account.

I admit defeat.

I’ll still look into 2FA, and the risks of using SMS, and needing a backup method in case your phone is lost or stolen, and all the rest of it. But the “superior” way with an authenticator app is just way too complicated. If I want to spread the word to non-IT specialists about how to improve their online security, people have to be able to understand it and manage it themselves. If they can’t, they won’t bother.

The odyssey continues.

Two-Factor Authentication: My false start with an authenticator app

One thing I could never be accused of is rushing into things. My last blog about two-factor authentication (2FA) was in March. Here we are in July and…I’m no further forward. That’s not because I’ve not done anything, 2FA-wise (although what I have done has been at a snail’s pace – a particularly slow, lazy snail on holiday, that is). It’s because, having installed Authy on my devices, when I finally got round to setting up 2FA on one of my email accounts, I discovered I’d made a schoolboy cyber security error and ended up having to start again.

Let me explain.

With Authy installed on my Android smartphone, an iPad and a PC, I launched into setting up 2FA on a Gmail account, following Google’s instructions in conjunction with Authy’s Gmail 2FA guide. After being temporarily flummoxed by the lack of text message from Google, it eventually worked and the 2FA token was stored on my phone. After that, Authy on the phone urged me to enable backups (of 2FA tokens to Authy’s servers), which I did. This then synched the newly-protected Gmail account and the backup password to my iPad and then to Authy for PC.

Next, I set the local PINs on the iPad and phone, plus the Master Password on the PC. These control local access to the apps as an extra layer of security.

So finally I had one account protected with 2FA (Gmail) and the apps configured securely (I hoped). I assumed that because I had Authy in three places and the codes are backed up to the cloud, I didn’t need Google’s suggested “alternative second step”, such as downloading printable one-time passcodes.

Finally finally, I had to try it. So I signed out of my Gmail and went to sign back in. This was on my PC, so when prompted I simply went to Authy Desktop, entered the Master Password to enter the app then clicked the relevant Gmail account. Authy gave me the TOTP (Time-Based One-Time Password) which I duly entered and gained access to my Gmail account. Hooray!

Forgetting to remember

So what was the problem? Well, the setup and testing I described above were done in a fairly short space of time, and I’d memorised the local PINs (for the Android and iOS apps), the Master Password (for the desktop app) and the backups password (for, well, backups). Being a (supposedly) smart chap, I knew I had to keep a record of these and that said record had to be secure. Not only that, I happened to be running a proper password manager thingy, so that was clearly the place to store those useful bits of info. Which I did.

Or so I thought.

Because by the time I next needed to 2FA my way into that Gmail account, I’d forgotten the PIN, etc. And it was then that I discovered that, somehow, I’d failed to store the info in my shiny password manager.

Gaaaaaahhhhhhhhhhhhh!!!!!

Strangely, but to my relief, I found that when I wanted to log into my Gmail account on a new device it gave me the simple option of using an SMS for the second factor. I was a bit surprised because I hadn’t configured this (although Gmail knows my mobile number). What’s more, thinking about it, if it was that easy to bypass the authenticator app method, presumably someone who stole my phone could have just done the same thing!? Unless I missed something, that kind of blows a hole in the TOTP security…No, I’m sure I must be mistaken; I’ll see if the helpful folks at Authy have come across this before.

Anyhoo, I was back into my Gmail account so now I needed to decide what to do about Authy. The Authy FAQ on PINs, etc. told me that if I lost the app PIN / password I could recover by uninstalling and reinstalling. So I tried that on the iPad, but after reinstalling and re-entering my phone number, Authy told me that because I’d got multi-device turned off I couldn’t add any new devices!! And since my Android and Windows installs of Authy were also inaccessible, I was in a bit of a pickle.

Fortunately, the Notification of Doom told me what I have to do:

[Screenshot: Authy multi-device notification]

Sooooo…I’m off to reset my Authy account and try again.

*sigh*

Watch this space…

Two-Factor Authentication: SMS or an authenticator app?

I admit it: I’m dithering.

After agreeing that passwords are no longer enough, I continued my mission to explore strange new cyber security worlds and to boldly go where…oops, sorry. Anyway, I carried on looking into 2FA. The default, simplest and most easily understood (at least by me, and, I suspect, by many others) method of applying a second factor is to use SMS, a.k.a. text messages. I’ve experienced this, and it works. Trouble is, it’s far from foolproof: messages can be intercepted, my phone can be stolen and used to read them, or there’s a fiendish fraud trick called SIM swapping that can give the cyber-thief the information they need.

To overcome all these weaknesses, there’s an alternative called Time-Based One-Time Password (a.k.a. TOTP, which in my day always stood for Top of the Pops, but there you go). This method requires an app such as Google Authenticator or Authy, which is generally reckoned to be superior. In addition to overcoming the issues with SMS, Authy has other advantages.
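To make “Time-Based One-Time Password” concrete, here is what an authenticator app actually computes when it shows you a six-digit code, as an added example (this is my illustration, not Authy’s or Google’s code, and not part of the original post). It implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library only, using the RFC 6238 reference secret so the output can be checked against the RFC’s published test vectors; the `verify_totp` and `provisioning_uri` helpers, the clock-drift window and the replay check are my assumptions about how a server-side check is typically written, and the account name and issuer are constructed sample values.

```python
"""RFC 4226 / RFC 6238 one-time passwords, generation and server-side checking.

Added example, not Authy's or Google's code. It uses the RFC 6238 Appendix B
test secret ("12345678901234567890") so results match the RFC's test vectors;
real enrolments use a fresh random secret (see new_secret()).
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional
from urllib.parse import quote

# RFC 6238 test secret (ASCII bytes). Demonstration only.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    The phone app and the server both derive the code from the same shared
    secret, which is why losing the app (or its backup) loses the second factor."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check (assumed typical design, not a specific vendor's).
    Returns the time-step counter that matched, so the caller can store it and
    refuse a replay of the same code, or None if nothing matched.
    `window` tolerates +/- that many steps of clock drift between phone and
    server; the comparison is constant-time."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # this step's code was already consumed: reject replay
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random secret (160 bits, the RFC 4226 recommended minimum)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that enrolment QR codes carry (the key-URI format
    used by Google Authenticator and compatible apps). The secret sits in it
    as plain base32: whoever scans or photographs the QR code has the factor."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the SHA-1 code is 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(totp(RFC_TEST_SECRET, 59))  # the usual 6-digit form: 287082
    # Constructed sample enrolment (account and issuer are made up)
    print(provisioning_uri(new_secret(), "user@example.com", "Gmail"))
```

Two points the code makes that matter for the post’s dilemma: the code is nothing but a function of the secret and the clock, so a backup of the secret (which is what Authy’s cloud backup is) is the whole recovery story; and because the server keys its check on the time-step counter, a code that has already been accepted can be refused even while it is still inside the drift window.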

So, having decided to try out the “Authy” 2FA app, I duly installed it on both my Android phone and my iPad. Here’s how the journey proceeded:

On opening Authy on my phone I was asked to enter my “cellphone” number (that’s mobile number to us Brits), consisting of the international code (i.e. 44 for the UK) and then the normal mobile number, which doesn’t need the leading zero and which Authy displays in typical American format. So if my number is 07123 123456, Authy shows it as 44 712-312-3456; slightly confusing but not a big deal.

I then entered an email address (although not sure what that’s used for yet…) and then had to choose between a voice call and SMS for initial verification of the mobile number. (Yes, it slightly goes against the grain to use an SMS verification code in this context – where the point of the app is not to use SMS for two-factor authentication – but as they point out I haven’t yet entered any confidential info in the app so the security risk is extremely low.) After receiving the verification code, Authy was ready to add 2FA accounts.

But first I wanted to install it in other places, because one of the advantages of Authy over, say, Google Authenticator, is supposed to be that it’s much less troublesome if my phone is lost or stolen, or if I port my number to a new phone. I read this Authy page and got slightly perturbed at a potential delay of several days. Nevertheless I decided to press on, so I installed it on the iPad, entered my mobile number and, as before, entered the verification code that was sent to my mobile (by SMS).

Finally, I installed it on a Win 10 desktop PC. This too required an authentication process.

Being the cautious type, before actually setting up any 2FA I wanted to clarify various Authy options, PINs, protection passwords and the like. But although I set out to read the Help info on those topics, I ended up reading an FAQ about the “phone change process”.

And I was alarmed.

It was all starting to sound rather involved and potentially complicated. Now I’m torn; I know that SMS-only 2FA is insecure, insofar as it can be bypassed by various nefarious means, but do I really want to go this more complex route??

I’m going to do some more reading before taking the plunge. I understand all the arguments for not using SMS, but my brain just hasn’t yet got to grips with all the scenarios. It whispers to me: “What’s the point of increasing the security of your online accounts if you can end up being locked out of them for days – or even permanently?”

Have you used an authenticator app? What do you think about my hesitation? Shall I just quit dithering and dive in?

Two-Factor Authentication: Is it worth the hassle?

Passwords are no longer enough. That’s what we keep hearing. Bad people are constantly battering at the door of my digital life looking for a way in, and I need more layers of defence, even if I avoid these classic password boo-boos.

Enter two-factor authentication (abbreviated 2FA, a.k.a. 2-step verification if you’re Google, and hashtagged as #2FA on that Twitter thingy). (“Universal 2nd Factor” or U2F is a related technology requiring special bits of hardware. We’ll not go there just yet.)

Like you, I have lots of online accounts, some of which don’t currently use 2FA (I’m not telling you which ones as you might hunt me down in order to cyber-attack me). My first introduction to 2FA was with the UK HMRC web site. They didn’t force me to set it up, as I recall, but I was happy to do so. Now, whenever I need to log in they text me a code which I have to enter in addition to my user name and password.

At this point you (like me) may have some questions, such as:

What problem does 2FA fix?

Sticking with the HMRC example, if someone steals or cracks my HMRC credentials, they still can’t log in as me because they don’t have my phone and can’t receive the 2FA code.

But what if they steal your phone as well?

Not very likely, is it? It could happen, I guess, so let’s assume I’ve been assaulted, they’ve tortured me for my HMRC login and then nicked me phone. I was about to say they’d need to crack my phone security as well, but then I remembered that text messages show a notification on the lock screen – so they might still be able to read the code. Dang it.

Not only that, I did hear of a scammer who managed to scam the mobile phone company as well as the target company so that they were able to receive 2FA codes. No torture or physical theft required. The phone company were negligent and it was a very complex scam, but it worked. (I’d like to include a link to the story but I can’t find it online and, hey, I’m not Wikipedia.)

So the answer is – 2FA could be defeated. Boo.

Aha! And what if you just lose your phone?

That would also be a pain in the proverbial. But HMRC, like all reputable 2FA systems, provides for backup authentication methods. It may be a landline number, another mobile number or even a set of one-time codes you can download and keep for just such a calamitous occasion. (No good keeping them on your phone, naturally.)

So, when configuring 2FA I do need to consider the Plan B option as well.

Do you have to enter a code every time you log in?

With HMRC, yes – that’s how I’ve set it. I don’t use it that often, and the data is highly confidential. But for other accounts, I do live in the slightly troubled territory of Remember me on this computer. We all do it – who wants to log in to everything, every time, on every device? Browsers (or the systems themselves) offer to remember us, or keep us signed in. It’s that balance of security and convenience.

With most systems it’s possible to only require a 2FA code when signing in to a new device. There’s a logic to that because if my account credentials are stolen, chances are that the criminal will try to use them on a computer other than mine. And 2FA will thwart them. (Always assuming they haven’t stolen my phone.) But, as before, there’s a slim chance that the hacking happens directly on my own computer (say with a keylogger loaded by a Trojan). In that case, if I’ve selected “keep me signed in on this computer”, and the digital baddie has control of my PC, I’m doomed. 2FA will not save me. The baddie will access all my secrets and ruin my life.

Boo.

Is 2FA worth the bother then?

Yes, yes, a thousand times yes. Cyber security is all about risk management, just like physical security. The fact that my front door lock isn’t impenetrable doesn’t stop me using it, because it significantly reduces the chances of a burglary. It makes life harder for would-be thieves. If I add a second factor (like an alarm, security lights or a savage guard dog), it mitigates the risk further. A determined criminal could still bypass it all – but the chances are they won’t bother.

Is 2FA using text messages perfect? Nope. Can it be beaten? Yep. (And not just by stealing my phone, by the way; text messages are unencrypted and can theoretically be intercepted during transmission.) Will it help if I’m already signed in, stay signed in and the criminal has access to my device? Nope.

But…

Will 2FA with text messages usually stop a thief accessing my account on another device? Indeed. And theft of my credentials without loss of my phone, I would submit, your honour, is by far the most likely scenario. Why? Because most credential thefts or cracks don’t involve anyone accessing my computer (or my phone) directly. They’re stolen when a company web site is breached or when I’m dumb enough to be social-engineered or phished.

OK. So you recommend using 2FA?

Definitely.

Although…it’s worth being aware that companies mess up sometimes. Not naming any names, but Facebook have angered people with what they now say is a bug causing users to receive spam texts after setting up 2FA. That particular failing hasn’t caused a security problem – just extreme annoyance. Facebook’s 2FA is relatively new (at the time of writing) so it may be prudent to avoid being among the early adopters when a service first offers 2FA.

Which accounts did you say you don’t have 2FA configured for?

Nice try.

Android Irritations: How I stopped Google Play Services demanding that I update my phone number

I have a confession to make: Despite being an IT type of many years’ standing I’ve only recently acquired a smartphone. I know! For various reasons, until 2017 I stuck to a distinctly non-smart but very compact Nokia 2332. Finally prompted by the withdrawal of my pay-as-you-go tariff by TalkTalk and not wanting to be shunted to Vodafone, I entered the wonderful world of Android.

(For the phone geeks out there, my weapon of choice was a Huawei P8 Lite 2017. Yes, I do like it, no, this isn’t a review.)

Anyhoo, I soon discovered that every time the phone restarted, I would get a cheery notification from Google Play Services a bit like this:

[Screenshot: Google Play Services notification]

(Actually mine said, “It looks like you changed your phone number…”.)

When this first appeared I dutifully followed the prompts, logged into my Google account and discovered – as I’d thought – that my phone number was already there, and was already correct. Mild irritation.

Next time I switched on my phone, same thing. And the next time. And the next time. And…you get the idea.

Being an IT pro, I called on all my accumulated experience and detailed technical knowledge by searching Google. I found other people similarly irritated but no fix.

I thought it might be because my phone number was wrong in the system settings (it showed the number given me by my new provider before I ported my old one), so duly contacted the provider and asked for a network refresh (or some such term). This did the trick as far as the system phone number was concerned but didn’t stop Mr Google greeting me each morning.

Boo.

App Data

Finally, after putting up with it for several months, I conquered it, courtesy of MultiMatt (whose problem was almost identical to mine) and Ed Nisley (whose proposed fix did the trick). The fix was: Clear the app data for “Google Play Services”, as described in Ed’s post.

After clearing the data I restarted the phone and it told me I now had no backup account (i.e. my apps, photos, etc. were no longer being backed up to Google). So I just picked an account and all was happy again. I’ve not seen the unwelcome notification since.

You’re welcome.