smontanaro
11-02-2017, 06:46 AM
I use two-factor authentication (2FA) everywhere I can. In response to entering a username and password (something you know), you are queried for something you have as well. There are many ways to do this:
Most systems send an SMS to you with a four-to-six digit code. This has recently been deemed problematic, as a black hat can social engineer his way into getting your cell provider to reassign your number to his phone. Even if you aren't compromised, it seems risky to get a 2FA SMS on your phone from PayPal when you're attempting to access your PP account on your phone!
RSA key fobs (as above, but it generates a code unique to your account information).
Special apps, like Google's Authenticator or Okta Verify. Yahoo's common mobile apps seem to now have a built-in module which serves the same purpose.
Where I can, I'm moving away from SMS verification to the others, which certainly appear to be safer. Today though, I read in the NY Times (https://www.nytimes.com/2017/10/25/technology/personaltech/google-keys-advanced-protection-program.html) about a new physical key system from Google which uses FIDO, a standard protocol for such things. This is apparently meant for people who are at heightened risk of digital intrusion. How is this any better than other physical keys or special authentication apps?
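The distinction the question is asking about, as an added illustration that is not part of the post: a TOTP code, which is what an authenticator app or code-generating fob produces, is six digits that carry no information about where they were typed, so a lookalike page that relays the code within its time window is accepted by the real site; a FIDO-style key instead signs the site's challenge bound to the origin the browser reports, so the same relay fails. The bank.example and lookalike names, the keys, and the HMAC standing in for the key's real asymmetric signature are all constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# Added demo, not the poster's code. Both authenticators are simulated in software with
# constructed keys; an HMAC stands in for the asymmetric signature a real FIDO key makes.

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, the scheme behind authenticator apps and code-generating fobs."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def site_checks_totp(secret: bytes, typed_code: str, unix_time: int) -> bool:
    """The real site sees only six digits; it cannot tell on which page they were typed."""
    return hmac.compare_digest(totp(secret, unix_time), typed_code)

def totp_accepted_after_relay(secret: bytes, unix_time: int) -> bool:
    """A lookalike page asks for the code and forwards it within the same 30 s window."""
    code_typed_on_lookalike = totp(secret, unix_time)
    return site_checks_totp(secret, code_typed_on_lookalike, unix_time)

class FidoLikeKey:
    """Per-site credential that signs the site's challenge together with the origin
    the browser reports, so an assertion made on one origin is useless on another."""
    def __init__(self) -> None:
        self._seed = os.urandom(32)
    def _credential(self, rp_id: str) -> bytes:
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()
    def register(self, rp_id: str) -> bytes:
        return self._credential(rp_id)  # stands in for the public key the site stores
    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser supplies the origin; no amount of social engineering makes it lie.
        msg = browser_origin.encode() + b"|" + challenge
        return hmac.new(self._credential(browser_origin), msg, hashlib.sha256).digest()

def site_checks_assertion(credential: bytes, rp_id: str, challenge: bytes, assertion: bytes) -> bool:
    msg = rp_id.encode() + b"|" + challenge
    return hmac.compare_digest(hmac.new(credential, msg, hashlib.sha256).digest(), assertion)

def fido_accepted_on_origin(key: FidoLikeKey, browser_origin: str, challenge: bytes) -> bool:
    """Same relay against the key: registered with bank.example, used on browser_origin."""
    credential = key.register("bank.example")
    assertion = key.sign(browser_origin, challenge)
    return site_checks_assertion(credential, "bank.example", challenge, assertion)
```

The TOTP function reproduces the RFC 4226/6238 test vector (secret `12345678901234567890`, time 59 gives `287082`), so the relay result is not an artefact of a toy code generator.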