You can just scan the QR code on multiple devices during setup. I have an old junker phone that I use just for this and being a universal remote that never leaves my end-table.
Indeed. I’m trying to move from Google Authenticator to Authy for that reason - but the inability to backup/export from GA is a PITA... a cruel form of vendor lock-in.
No. For two factor authentication to work the solution needs to be practical for most people. So it can’t involve multiple phones or backup schemes most people aren’t going to implement.
Otherwise you’re going to lock a lot of people out of their accounts which is not acceptable.
Ultimately this typically ends up with a reset scheme that depends on phone numbers or email addresses which means the protection, which is as strong as the weakest link, is worthless.
I strongly recommend Aegis on Android. Encrypted backups of the TOTP config, so you can easily recover it all if you lose your phone without having to reset everything, plus biometric support to unlock it.
I literally hate when services and apps force me to use SMS-based authentication.
When I travel I need to use a different SIM to access reasonably priced internet. Because I don't have a double-SIM phone, that means my other SIM is not active at the moment.
Really dangerous trend is when this SMS confirmation is requested when I don't expect it. Once I was in the Philippines and AirBnb wanted me to verify my authentication attempt. It can be not only frustrating, but dangerous - I have accommodation scheduled and without the access to my home number I could be easily left on the streets in a foreign country.
And my last complaint -> SMS can arrive pretty late when you are in a foreign country. Sometimes too late that the authentication window is closed.
I use cheap android(100$) and that country's SIM, with Verizon (think TMobile also) the phone will work BAU when connected to WiFi in other countries, you will get your normal calls and SMS just as if you are in US.
I got a number through https://jmp.chat/ to solve this. Instead of using my real phone number, I use the VOIP number which is accessible over XMPP. Unlike most VOIP nubmers it works with short code numbers. Most services will use the number a couple are dumb and refuse to send messages to it.
Occasionally my logged in Microsoft apps all suddenly re-request the 2f thing. Sometimes in the middle of the night. And when the 2f window pops up you can't tell which app has generated it.
Most of the mentioned attacks are not likely to be used against random members of the general public. And the problems of networks handing out new SIM cards for existing accounts without verifying ID seems to be mostly a US problem.
25 comments
[ 2.5 ms ] story [ 67.1 ms ] threadSecond, if that happens you are in the same situation as with the phone authentication -> so the disadvantage is the same.
It's easy to transfer from one to the other but that doesn't remove the single point of failure.
Solution is to have back up codes for each account.
But of course, keeping emergency codes is a good idea too.
It's worth also noting that Authy also has no official way to export your secrets, although there are workarounds: https://tij.me/blog/migrating-your-one-time-passwords-from-a...
Otherwise you’re going to lock a lot of people out of their accounts which is not acceptable.
Ultimately this typically ends up with a reset scheme that depends on phone numbers or email addresses which means the protection, which is as strong as the weakest link, is worthless.
If you work for an organization with their own PKI then there’s probably also an automated self service reset mechanism using a complicated process.
When I travel I need to use a different SIM to access reasonably priced internet. Because I don't have a double-SIM phone, that means my other SIM is not active at the moment.
Really dangerous trend is when this SMS confirmation is requested when I don't expect it. Once I was in the Philippines and AirBnb wanted me to verify my authentication attempt. It can be not only frustrating, but dangerous - I have accommodation scheduled and without the access to my home number I could be easily left on the streets in a foreign country.
And my last complaint -> SMS can arrive pretty late when you are in a foreign country. Sometimes too late that the authentication window is closed.
With roaming and rampant robot calls, phone numbers should basically be considered no more static than IPs.
There's a reason iMessage/WhatsApp took over from legacy SMS.
Yes, of course I can have a second phone or other solution. The point is that SMS-based auth is just worse than the alternatives.
https://docs.microsoft.com/en-us/azure/active-directory/user...
You can change your settings here: https://myaccount.microsoft.com