Security for 2FA

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 721102

    Comments posted to this topic are about the item Security for 2FA

  • Chris Wooding

    SSCarpal Tunnel

    Points: 4351

    I think 2FA can be good when it's well implemented, but a chore when it's not done well. For example, my bank sends a PIN to my mobile when I go into the account transfers area. Before it send the PIN, is asks me to confirm the mobile no. is correct by giving me the last few digits. This is all sensible, but once I've set up the transfer, it then wants to send another PIN and asks me to confirm the mobile no. again. I can end up repeating this sequence 5 or 6 times in as many minutes if I've got a few changes to make.

  • Meet George Jetson

    SSChampion

    Points: 10901

    This was the most timely post.  Just this past weekend, my cell phone took a "forty foot free fall face plant" from the upstairs deck to the paved patio below.  On Monday, I purchased my replacement and began the long, slow, process of weeding through the apps I need and the apps I want.  And then there was DUO.

    Congrats Steve on getting back online, I too had to reach out to our IT for assistance on this, one particular, app, but like you feel it is for the greater good that I am unable to do this without a second set of eyes.

    Chris Powell

    George: You're kidding.
    Elroy: Nope.
    George: Then lie to me and say you're kidding.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 721102

    Poor 2FA is bad, especially if the real time systems are overloaded. I've gotten tied up with Azure before, where I click the "send code" a few times, but they don't come. Then they all come at once, but only the most recent one is valid. Still some work to do here.

    I do like the "confirm the last 4 digits", though if someone has cloned by sms, they have that. More, I'd rather some more independent, non 2FA related item to double check it's me.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 721102

    Ugh, Sorry Chris, I haven't destroyed a phone since Gorilla Glass came out as standard, but I have cracked a few screens. Hope it wasn't too expensive a mistake.

  • TUellner

    SSCrazy

    Points: 2612

    Funny thing about 2FA systems is the same system can be good for one person and bad for another. When we were all still working in the office (remember those days) my company rolled out 2FA using the MS Authenticate app on our phones. I had no issues with it on my Pixel on Google-Fi but a developer there had really bad coverage at work. He would have to start Outlook, run outside to try and get a signal, respond to the 2FA app and then go back inside. Now that we're all working from home I occasionally see timeouts logging in where they authentication system takes too long to notify me and the VPN will time out. Usually it's less than a second from the time I press Enter until I have a prompt on my phone but things can be a bit overloaded these days.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply