Two Factor Authentication and One Time Passwords

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Two Factor Authentication and One Time Passwords

Post by CaliJim » Fri Sep 08, 2017 10:06 pm

In light of the Equifax debacle - it is a good idea to make sure you are using the strongest methods available to secure online and telephone access to your bank, investing accounts and email.

This generally means two factor authentication (token+password, sms pin+password, fingerprint+password, etc), or one-time-only passwords. Articles on this here: https://www.symantec.com/connect/blogs/ ... entication, and here: https://en.wikipedia.org/wiki/One-time_password

From my own experience I know:

Charles Schwab offers two factor authentication (Symantec's VIP system) (based on RSA SecurID?), and voice recognition for telephone.
To enroll, call their customer service.
http://www.schwab.com/public/schwab/nn/ ... popup.html

Wells Fargo offers two factor authentication using either SMS pin codes or RSA SecurID tokens.
https://www.wellsfargo.com/privacy-secu ... ed-access/

Gmail offers two factor authentication using SMS pin codes, and a 10 entry one-time pad for recovery purposes.
https://www.google.com/landing/2step/

Apple has two factor (sms pin codes) and their own fairly sophisticated recovery methodology.

These are the ones I'm familiar with.

Don't be like some people I know and not use the security features that are available to you, and then get surprised when you become the victim of identity theft. It takes a bit of effort to set up two factor authentication... but it is well worth the time.
-calijim- | | For more info, click this

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Fri Sep 08, 2017 10:09 pm

See also:

https://www.turnon2fa.com/

It offers:

"Step-by-step instructions on enabling the free security feature that prevents hackers from accessing your accounts, even if they know your password."

(Seems like a good site, but I cannot vouch for the legitimacy.... I just stumbled on it.)
-calijim- | | For more info, click this

LadyGeek
Site Admin
Posts: 41138
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Two Factor Authentication and One Time Passwords

Post by LadyGeek » Fri Sep 08, 2017 10:21 pm

This thread is now in the Personal Consumer Issues forum (computer security).

Social Security also requires two-factor authentication. See: More Information About MFA
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Fri Sep 08, 2017 10:31 pm

Fidelity has it. Discussion thread here: viewtopic.php?p=3525156#p3525156
-calijim- | | For more info, click this

student
Posts: 1343
Joined: Fri Apr 03, 2015 6:58 am

Re: Two Factor Authentication and One Time Passwords

Post by student » Fri Sep 08, 2017 10:38 pm

Here is another site with many examples.

https://twofactorauth.org/

jalbert
Posts: 2221
Joined: Fri Apr 10, 2015 12:29 am

Re: Two Factor Authentication and One Time Passwords

Post by jalbert » Fri Sep 08, 2017 11:41 pm

Don't forget to secure Vanguard phone access either with a voice print or enhanced phone security password. You may not use phone access, but someone else may still try to do so.
Risk is not a guarantor of return.

FedGuy
Posts: 1178
Joined: Sun Jul 25, 2010 3:36 pm

Re: Two Factor Authentication and One Time Passwords

Post by FedGuy » Sat Sep 09, 2017 7:14 am

student wrote:
Fri Sep 08, 2017 10:38 pm
Here is another site with many examples.

https://twofactorauth.org/
That site is very helpful but not 100% accurate. Ally, for example, does not offer 2-factor authentication. They kind of do this half-baked thing where they might challenge you on occasion, but they won't require you to enter a code whenever you log in no matter how much you ask.

student
Posts: 1343
Joined: Fri Apr 03, 2015 6:58 am

Re: Two Factor Authentication and One Time Passwords

Post by student » Sat Sep 09, 2017 7:17 am

FedGuy wrote:
Sat Sep 09, 2017 7:14 am
student wrote:
Fri Sep 08, 2017 10:38 pm
Here is another site with many examples.

https://twofactorauth.org/
That site is very helpful but not 100% accurate. Ally, for example, does not offer 2-factor authentication. They kind of do this half-baked thing where they might challenge you on occasion, but they won't require you to enter a code whenever you log in no matter how much you ask.
Thanks for the info.

mouses
Posts: 2340
Joined: Sat Oct 24, 2015 12:24 am

Re: Two Factor Authentication and One Time Passwords

Post by mouses » Sat Sep 09, 2017 7:53 am

I have two factor (as I understand it) set up for the sites that offer it. I always select send the code by email vs. phone when that option is available, since I don't like the phone ringing at night. Is there a security problem with using email this way? I always wonder...

student
Posts: 1343
Joined: Fri Apr 03, 2015 6:58 am

Re: Two Factor Authentication and One Time Passwords

Post by student » Sat Sep 09, 2017 7:57 am

mouses wrote:
Sat Sep 09, 2017 7:53 am
I have two factor (as I understand it) set up for the sites that offer it. I always select send the code by email vs. phone when that option is available, since I don't like the phone ringing at night. Is there a security problem with using email this way? I always wonder...
I guess the question is which is more secure: Email account or your phone. I do not know, I find the phone more convenient. (But of course, if the phone is lost, ...)

Nate79
Posts: 1360
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: Two Factor Authentication and One Time Passwords

Post by Nate79 » Sat Sep 09, 2017 9:05 am

Phone accounts can be hacked and numbers taken. 2 factor is far from bullet proof.

JBTX
Posts: 1531
Joined: Wed Jul 26, 2017 12:46 pm

Re: Two Factor Authentication and One Time Passwords

Post by JBTX » Sat Sep 09, 2017 10:59 am

CaliJim wrote:
Fri Sep 08, 2017 10:31 pm
Fidelity has it. Discussion thread here: viewtopic.php?p=3525156#p3525156
My issue with fidelity is I don't think their two factor works with Quicken, which I use. However Vanguard does it without any problem.

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Sat Sep 09, 2017 11:29 am

Nate79 wrote:
Sat Sep 09, 2017 9:05 am
Phone accounts can be hacked and numbers taken. 2 factor is far from bullet proof.
Are you thinking 'man-in-the-middle', a la IMSI-catcher/Stingray? Or something else?
-calijim- | | For more info, click this

btenny
Posts: 4164
Joined: Sun Oct 07, 2007 6:47 pm

Re: Two Factor Authentication and One Time Passwords

Post by btenny » Sat Sep 09, 2017 11:34 am

I had an RSA token back when for work. I was always leaving it in the office. So when I needed to do a transaction or set up a secure link remotely I did not have the token. And then there was the difficulty of setting up a link. It did not work very easily. It was generally a PIA. So I am wondering how you guys handle having a security RSA token for your investment accounts? I know it makes it more secure but will it make things too difficult? Also there is the risk of getting the token stolen. How do you store the token and keep it safe when not in use? Just thinking...

Good Luck.

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Sat Sep 09, 2017 11:35 am

student wrote:
Sat Sep 09, 2017 7:57 am
mouses wrote:
Sat Sep 09, 2017 7:53 am
I have two factor (as I understand it) set up for the sites that offer it. I always select send the code by email vs. phone when that option is available, since I don't like the phone ringing at night. Is there a security problem with using email this way? I always wonder...
I guess the question is which is more secure: Email account or your phone. I do not know, I find the phone more convenient. (But of course, if the phone is lost, ...)
if you have two factor authentication enabled on your email.... then pin code by email would not be so bad.

however, if you have password only on your email, and your email password is hacked, you might not know it. Then if the hacker also has your personal identifying info, you are in deep doo-doo.

cell-phone hacking requires special hardware, i think.

I usually select pin-code by sms

but nothing is 100% secure
-calijim- | | For more info, click this

mptfan
Posts: 4176
Joined: Mon Mar 05, 2007 9:58 am

Re: Two Factor Authentication and One Time Passwords

Post by mptfan » Sat Sep 09, 2017 11:36 am

Nate79 wrote:
Sat Sep 09, 2017 9:05 am
Phone accounts can be hacked and numbers taken. 2 factor is far from bullet proof.
It's much more secure when you use email (assuming your email is secured by 2 factor authentication), or better yet an app like Google Authenticator or Symantec VIP.
I eat risk for breakfast. :)

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Sat Sep 09, 2017 11:38 am

btenny wrote:
Sat Sep 09, 2017 11:34 am
I had an RSA token back when for work. I was always leaving it in the office. So when I needed to do a transaction or set up a secure link remotely I did not have the token. And then there was the difficulty of setting up a link. It did not work very easily. It was generally a PIA. So I am wondering how you guys handle having a security RSA token for your investment accounts? I know it makes it more secure but will it make things too difficult? Also there is the risk of getting the token stolen. How do you store the token and keep it safe when not in use? Just thinking...

Good Luck.
They have software tokens as well now. you can have a symantec vip SW token on your cell phone.

and I *believe* that multiple tokens can now be linked to the same account, one for home, one for the office.

i keep my token in my desk drawer at home. however, my password is in my head. they need both.
-calijim- | | For more info, click this

mptfan
Posts: 4176
Joined: Mon Mar 05, 2007 9:58 am

Re: Two Factor Authentication and One Time Passwords

Post by mptfan » Sat Sep 09, 2017 11:49 am

CaliJim wrote:
Sat Sep 09, 2017 11:38 am
...however, my password is in my head. they need both.
The issue is when someone pretends to be you and claims that "you" forgot your password...if you think about it, they don't need to know your password.
I eat risk for breakfast. :)

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Sat Sep 09, 2017 12:05 pm

mptfan wrote:
Sat Sep 09, 2017 11:49 am
CaliJim wrote:
Sat Sep 09, 2017 11:38 am
...however, my password is in my head. they need both.
The issue is when someone pretends to be you and claims that "you" forgot your password...if you think about it, they don't need to know your password.
yes... a stolen token raises the issue of "how secure is the password reset process". I really like that some shops, i.e. schwab and vanguard, have a voice print recognition system for telephone authentication. it makes social engineering of customer support harder.

I like google's system too.

nothing is 100%. the idea is to slow the bad guy down, and give the appearance of being a harder target. gives you time to detect and take evasive action. one can find weaknesses in ANY security system, even strong ones. but that is not a reason to use a VERY WEAK system like 'password only'.
-calijim- | | For more info, click this

CaliJim
Posts: 2727
Joined: Sun Feb 28, 2010 8:47 pm
Location: San Fran Bay Area

Re: Two Factor Authentication and One Time Passwords

Post by CaliJim » Sat Sep 09, 2017 12:10 pm

An aside...thinking out loud:

An enhancement to any of these security systems would be a "duress code" that can be used to indicate that the account owner is under immediate threat (ie. "they are holding a gun to my head and forcing me to log in")

My home security monitoring system has this type of thing.
-calijim- | | For more info, click this

oldcomputerguy
Posts: 2006
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Two Factor Authentication and One Time Passwords

Post by oldcomputerguy » Sat Sep 09, 2017 12:36 pm

JBTX wrote:
Sat Sep 09, 2017 10:59 am
CaliJim wrote:
Fri Sep 08, 2017 10:31 pm
Fidelity has it. Discussion thread here: viewtopic.php?p=3525156#p3525156
My issue with fidelity is I don't think their two factor works with Quicken, which I use. However Vanguard does it without any problem.
Can you not download Fidelity transactions to a QXF file and import that?
Anybody know why there's a 20-pound frozen turkey up in the light grid?

JBTX
Posts: 1531
Joined: Wed Jul 26, 2017 12:46 pm

Re: Two Factor Authentication and One Time Passwords

Post by JBTX » Sat Sep 09, 2017 1:06 pm

oldcomputerguy wrote:
Sat Sep 09, 2017 12:36 pm
JBTX wrote:
Sat Sep 09, 2017 10:59 am
CaliJim wrote:
Fri Sep 08, 2017 10:31 pm
Fidelity has it. Discussion thread here: viewtopic.php?p=3525156#p3525156
My issue with fidelity is I don't think their two factor works with Quicken, which I use. However Vanguard does it without any problem.
Can you not download Fidelity transactions to a QXF file and import that?
Given that I have about 10 different accounts between wife and me that would be fairly time consuming.

JoMoney
Posts: 4414
Joined: Tue Jul 23, 2013 5:31 am

Re: Two Factor Authentication and One Time Passwords

Post by JoMoney » Sat Sep 09, 2017 1:13 pm

Also, my suggestion is don't take Mr. Bogle's rule about "don't peek" too literally.
For multiple reasons, you really should regularly check your account and statements.
https://personal.vanguard.com/us/help/S ... ontent.jsp
Your responsibilities
At a minimum, in order for this protection to apply, you must take the following steps:
Review your accounts regularly.
Check your account frequently. Promptly and completely review all information we send you.
Report any errors or discrepancies in your account and any suspected unauthorized transactions or account changes to Vanguard immediately.
...
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham

Alchemist
Posts: 226
Joined: Sat Aug 30, 2014 6:35 am
Location: Florida

Re: Two Factor Authentication and One Time Passwords

Post by Alchemist » Tue Sep 12, 2017 7:49 am

CaliJim wrote:
Sat Sep 09, 2017 11:35 am

cell-phone hacking requires special hardware, i think.

I usually select pin-code by sms

but nothing is 100% secure
Unfortunately, all it takes is some social engineering of your cell phone company.
Wired wrote:The hackers, as he tells it, had called up Verizon, impersonated him, and convinced the company to redirect his text messages to a different SIM card, intercepting his one-time login codes
From the same article, it's also possible to spoof the network SMS is sent on to get your texts
Wired wrote:And the security community has recently been calling attention to weaknesses in SS7, the protocol that allows telecom networks to communicate with each other. Hackers can exploit SS7 to spoof a change to a user's phone number, intercepting their calls or text messages. "Any network can tell any other network 'your subscriber’s here now,' and until your phone says otherwise, every call and text is diverted to this other network," says Karsten Nohl, the chief scientist at Security Research Labs, who recently demonstrated the attack for 60 Minutes. "If there’s an attacker, they get all your text messages. it’s completely trust-based...It’s so simple it’s almost embarrassing to call it a hack."
Source: https://www.wired.com/2016/06/hey-stop- ... ntication/

The point is not that cell phone companies have bad security for SMS, rather, the point is SMS was never intended nor designed to be a secure system. Instead it was just used by many places as an easy way of getting their customers to use some form of 2 FA. Certainly it is still far better than password only security, but if you can use an app or physical token instead of SMS then you should.

simple man
Posts: 89
Joined: Sun Nov 22, 2009 10:44 am

Re: Two Factor Authentication and One Time Passwords

Post by simple man » Tue Sep 12, 2017 1:28 pm

Schwab still offers a physical token for its 2FA. I got that over the phone app since the reviews on the phone app were awful and your phone can be hacked. I've gone retro on those hackers! hah.
