Security: Enough with 2-factor already!

3:22 pm on May 25, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:2014
votes: 215


I'd like to share some experience, some may feel it's a rant, others something to consider, but it's nonetheless something to discuss. The title says 2-factor auth but this extends to emails and more, you'll see.

I received an email this morning from a tech company (which I will not name) telling me that I logged into my account (yup, I did 10 minutes earlier). The email told me my browser type, IP address, monitor size, device type and operating system. The email then went into a lengthy pitch strongly suggesting I needed to provide them with my mobile number for two-factor authentication to "keep my information safe".

#1 - This email sent my information out into the public where now a weak point isn't just my account itself, it's my email too, if you access one you get all this info too.

#2 - Providing more information does not keep it safe, it opens even more weaknesses. Sure, it may be harder to actually log into my account but logging into my account is NOT how a hacker will access my information. They will do something like find my mobile device if I drop it and by virtue of being linked will access accounts. OR, if this company has its servers hacked, which is a problem lately for MANY companies, the hacker now gets my phone info too.

I'm going to keep this short, there could be 10 more entries here, but the BEST security is to make it so that if one account is hacked... so what. By that I mean if you get into one of my accounts it will yield no information to get into other accounts. THAT is the best protection, in my opinion.

My real name, address and mobile number are things I do not provide if at all avoidable and that has served me well over the years. If a name is required it has a typo or I use an alias name along with a catchall email with that alias. Point is if someone contacts me they will be telling me where they came from by what they call me, by the email they use. I'll have all the info I need to re-secure my own accounts by virtue of just being contacted and there is NOTHING any hacker can do to fool me on that.

It doesn't matter which account you get into, I have no vulnerable information online. I demand paper bills instead of emails. I don't subscribe (or quickly unsubscribe) to company emails and I REALLY do not appreciate a company taking it upon themselves to send me all of my information in email as a sales pitch to give them my number too, it ensures I end relationships with that company.

My point for writing this - take your security into your own hands. Never repeat passwords, do not keep accounts you don't use open, don't use the same email with everything by learning to set up a catchall. There's more but simple things keep you safe, info that is not out there or is unique to one service is hard to use against you. As for 2-factor authentication, NO, you cannot have my phone number, period. That mobile device is key to invading your privacy too, it's why every company wants it above all else you could provide. Just say no, or at the very least set up a trash number for security reasons if you like 2-factor. Keep your private life private!

/rant off, now excuse me while I go abandon this company. They sent the email to an email provider with a history of aggregating AND USING personal information, yuck.

4:39 pm on May 25, 2019 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4508
votes: 347


strongly suggesting I needed to provide them with my mobile number for two-factor authentication

I see many such "suggestions" and have never seen it as a good suggestion other than for opening an additional channel to them. I see it as three-factor at least because the "name" and "login" are two factors already. If these people are concerned about having an extra factor for authentication, how is my mobile phone number better than a second password - or even a PIN? So many simple ways to handle that additional authentication without needing that information.

5:29 pm on May 25, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10456
votes: 1091


The REAL purpose of the phone gambit is to DEFINITIVELY nail the id of the user for advertising/politics/resale of info. :)

Play the game at your peril.

1:02 pm on May 26, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:3002
votes: 206


Real 2FA is not two things you know, it's one thing you know (password) and one thing you have.

Mobile phone number works. However, so do things like "Google Authenticator" (which is not necessarily a Google product - there are open source implementations).

The reason they are useful is that someone with a keylogger or similar can get username, password and anything else that is the same each time. They will not get something that provides a new token each time.

It breaks down somewhat if you have all those on the same device and it gets stolen or cracked.

Here in the UK we are going to be forced to use either SMS to mobile phone or a bank's proprietary mobile app for all online transactions.

2:43 pm on May 26, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 20, 2006
posts:2164
votes: 92


People who use long, random, unique passwords, use password managers.
And I see site after site that makes it difficult for password managers to function properly - like no dedicated login page, randomly changing the names of the fields required, using interstitial login popups, pw strength measures, login page on http, and more.
It's like they design for the dumbest (un-safe-est) user, and in so doing, punish those who try to behave in a secure fashion.

Those who win our business attention should employ practices that lend themselves to safe behaviors.
They need 2-factor, because so many of their Users do unsafe things, and too many webmasters are not helping.
They should ONLY force 2-factor onto those who use weak passwords, for example.
I wish their idiocy was an SEO ranking factor... Safe Login Score, if you will. Measured, among other things, by treating safe loggers to their PW managers compatibility, and properly (and only) whacking their Unsafe users with extra security measures.