Drawback of TOTP (app like Google Authenticator)?

slin
Posts: 52
Joined: Fri May 16, 2014 12:07 pm

Drawback of TOTP (app like Google Authenticator)?

Post by slin » Thu Oct 19, 2017 8:18 pm

Currently, my accounts use a mix of SMS two-factor authentication and TOTP apps like Google Authenticator and Symantec VIP.

I certainly recognize the possibility of someone hijacking my mobile phone account and why TOTP apps are more secure (for more background, see this recent thread for example: viewtopic.php?f=11&t=227649)

My question is: One thing I _like_ about SMS two factor is that if some bad guy happens to get my username and password and makes an initial attempt to log in (assuming he hasn't [yet] taken over my phone account), I will get a text message with the two factor code. In other words, if I get such a message without actually trying to log in, it's a pretty obvious sign that someone is trying to access my account. I can then immediately change my password or call the bank/institution, or take some other action.

On the other hand, with TOTP two-factor set up, I would never get a notification that someone is attempting to access the account. Once the "bad guy" sees that a TOTP code is required, they can then decide to call the bank/institution and use some social engineering to bypass the TOTP requirement, with plenty of time to do so, since I will not know anyone is trying to access the account.

Has this thought occurred to anyone else? It's too bad that Authenticator (or VIP or whatever app) doesn't have a way to send notifications to the user when someone tries to access a protected account. Any ideas? Or am I just wrong to think that this is a drawback of the TOTP apps?

(BTW, I had to reset my phone back to factory defaults some time ago - I called Fidelity to "reset" my VIP access, and it just took answering one very simple-to-guess security question for them to reset the VIP access. Sure, I was calling from the phone # associated with my account, but it was still surprisingly easy to bypass the TOTP security.)

slin

leftcoaster
Posts: 242
Joined: Mon Jul 23, 2007 4:04 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by leftcoaster » Thu Oct 19, 2017 10:51 pm

Recovery is the weak point of all account security. Ideally they would send a QR code for a new TOTP generator on paper to your address on file. And no call center rep would be able to see it.

AlohaJoe
Posts: 2636
Joined: Mon Nov 26, 2007 2:00 pm
Location: Saigon, Vietnam

Re: Drawback of TOTP (app like Google Authenticator)?

Post by AlohaJoe » Thu Oct 19, 2017 11:06 pm

slin wrote:
Thu Oct 19, 2017 8:18 pm
Has this thought occurred to anyone else? It's too bad that Authenticator (or VIP or whatever app) doesn't have a way to send notifications to the user when someone tries to access a protected account. Any ideas? Or am I just wrong to think that this is a drawback of the TOTP apps?
It's not really Authenticator's job, though -- plus how would an app installed on your phone even know that someone else tried to log into your account?

The real solution to this is that the place you are logging into needs to handle it. Google and Facebook both do this. I receive an email (and maybe an SMS as well but I don't recall) instantly saying "We received a login from a computer you haven't used before. If this wasn't you contact us immediately." I'm sure many other places do the same thing but Google and Facebook are the ones I remember off the top of my head.
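The alerting AlohaJoe describes lives on the service side, not in the authenticator app. As an added example (not code from the thread or from any named provider), the sketch below shows what such a login handler needs to track: the devices an account has already used, and the case the original question worries about, where a correct password is followed by a second factor that is failed or never submitted. Event records, device identifiers and the user name are constructed for the example.

```python
# Added example, not from the thread: service-side notification logic for
# (a) a successful login from a device the account has never used and
# (b) a correct password followed by a failed or abandoned second factor,
# which is the moment an SMS code would otherwise have tipped the user off.
# All events and device ids below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class LoginEvent:
    user: str
    device_id: str      # cookie / fingerprint the service assigned to a browser
    password_ok: bool
    second_factor: str  # "ok", "failed", or "none" (prompt shown, nothing submitted)


@dataclass
class AlertEngine:
    known_devices: Dict[str, Set[str]] = field(default_factory=dict)

    def evaluate(self, ev: LoginEvent) -> List[str]:
        """Return the notifications the service should send for one event."""
        alerts: List[str] = []
        seen = self.known_devices.setdefault(ev.user, set())
        if not ev.password_ok:
            # Wrong password: counted for lockout elsewhere, not worth a message.
            return alerts
        if ev.second_factor != "ok":
            # Someone holds the password and the second factor stopped them.
            # This is the signal the TOTP app itself can never see.
            alerts.append(f"{ev.user}: correct password but second factor "
                          f"{ev.second_factor} from device {ev.device_id}; "
                          "change your password")
            return alerts
        if ev.device_id not in seen:
            alerts.append(f"{ev.user}: successful login from new device "
                          f"{ev.device_id}; if this wasn't you, contact us immediately")
            seen.add(ev.device_id)   # only remember devices that fully authenticated
        return alerts


def run(events: List[LoginEvent]) -> List[str]:
    engine = AlertEngine()
    out: List[str] = []
    for ev in events:
        out.extend(engine.evaluate(ev))
    return out


# Constructed sample: the owner enrols a laptop, then an unknown device
# presents the right password but stalls at, and later fails, the TOTP prompt.
SAMPLE_EVENTS = [
    LoginEvent("slin", "laptop-1", True, "ok"),
    LoginEvent("slin", "laptop-1", True, "ok"),
    LoginEvent("slin", "unknown-7", True, "none"),
    LoginEvent("slin", "unknown-7", True, "failed"),
    LoginEvent("slin", "unknown-7", False, "none"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

The second laptop login produces nothing, the unknown device produces two password-known alerts, and the plain wrong-password attempt is silent; which channel carries the message (e-mail, push, SMS) is the service's choice and is independent of the TOTP app.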

JBTX
Posts: 1720
Joined: Wed Jul 26, 2017 12:46 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by JBTX » Thu Oct 19, 2017 11:08 pm

slin wrote:
Thu Oct 19, 2017 8:18 pm
Currently, my accounts use a mix of SMS two-factor authentication and TOTP apps like Google Authenticator and Symantec VIP.

I certainly recognize the possibility of someone hijacking my mobile phone account and why TOTP apps are more secure (for more background, see this recent thread for example: viewtopic.php?f=11&t=227649)

My question is: One thing I _like_ about SMS two factor is that if some bad guy happens to get my username and password and makes an initial attempt to log in (assuming he hasn't [yet] taken over my phone account), I will get a text message with the two factor code. In other words, if I get such a message without actually trying to log in, it's a pretty obvious sign that someone is trying to access my account. I can then immediately change my password or call the bank/institution, or take some other action.

On the other hand, with TOTP two-factor set up, I would never get a notification that someone is attempting to access the account. Once the "bad guy" sees that a TOTP code is required, they can then decide to call the bank/institution and use some social engineering to bypass the TOTP requirement, with plenty of time to do so, since I will not know anyone is trying to access the account.

Has this thought occurred to anyone else? It's too bad that Authenticator (or VIP or whatever app) doesn't have a way to send notifications to the user when someone tries to access a protected account. Any ideas? Or am I just wrong to think that this is a drawback of the TOTP apps?

(BTW, I had to reset my phone back to factory defaults some time ago - I called Fidelity to "reset" my VIP access, and it just took answering one very simple-to-guess security question for them to reset the VIP access. Sure, I was calling from the phone # associated with my account, but it was still surprisingly easy to bypass the TOTP security.)

slin
Fidelity now has voice authentication so a stranger claiming to be you should get detected. However, even that isn’t perfect. I called in one time and the rep said the VA wasn’t working because he was having “computer problems” then asked me a security question that anybody with any level of personal knowledge would have easily guessed.

lazydavid
Posts: 1209
Joined: Wed Apr 06, 2016 1:37 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by lazydavid » Fri Oct 20, 2017 10:01 am

AlohaJoe wrote:
Thu Oct 19, 2017 11:06 pm
slin wrote:
Thu Oct 19, 2017 8:18 pm
Has this thought occurred to anyone else? It's too bad that Authenticator (or VIP or whatever app) doesn't have a way to send notifications to the user when someone tries to access a protected account. Any ideas? Or am I just wrong to think that this is a drawback of the TOTP apps?
It's not really Authenticator's job, though -- plus how would an app installed on your phone even know that someone else tried to log into your account?
It depends on the architecture. Take Microsoft's Authenticator, for example. When you take some action (login or otherwise) that requires a second factor, the Authenticator app issues a notification that identifies the transaction with a code like KQXPL and asks you to accept or deny. Click accept on your phone, and you're logged in on the PC. Entrust can do something similar, and their tech can be rolled into other people's native apps.

Even when that tech is present, you can still use the TOTP token on the device, even if the device is offline and can't receive the notification.

azurekep
Posts: 1015
Joined: Tue Jun 16, 2015 7:16 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by azurekep » Fri Oct 20, 2017 11:32 am

JBTX wrote:
Thu Oct 19, 2017 11:08 pm
Fidelity now has voice authentication so a stranger claiming to be you should get detected. However, even that isn’t perfect. I called in one time and the rep said the VA wasn’t working because he was having “computer problems” then asked me a security question that anybody with any level of personal knowledge would have easily guessed.
I seem to recall that anytime I call Fidelity, they ask for something beyond a garden-variety security question. But I admit, I haven't been thorough about keeping track of this.

I have a couple of questions:

1. Are you considering going back to an authentication system that doesn't use voice verification? Fido added VV to my account (due to a misunderstanding) and I'm considering rolling it back. I thought the fallback to VV would be username / password and then gibberish security questions and/or transactional questions, but maybe not.

2. What exactly does "computer problems" mean? Did it affect only the voice verification system and not any other system?

JBTX
Posts: 1720
Joined: Wed Jul 26, 2017 12:46 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by JBTX » Fri Oct 20, 2017 11:41 am

azurekep wrote:
Fri Oct 20, 2017 11:32 am
JBTX wrote:
Thu Oct 19, 2017 11:08 pm
Fidelity now has voice authentication so a stranger claiming to be you should get detected. However, even that isn’t perfect. I called in one time and the rep said the VA wasn’t working because he was having “computer problems” then asked me a security question that anybody with any level of personal knowledge would have easily guessed.
I seem to recall that anytime I call Fidelity, they ask for something beyond a garden-variety security question. But I admit, I haven't been thorough about keeping track of this.

I have a couple of questions:

1. Are you considering going back to an authentication system that doesn't use voice verification? Fido added VV to my account (due to a misunderstanding) and I'm considering rolling it back. I thought the fallback to VV would be username / password and then gibberish security questions and/or transactional questions, but maybe not.

I see no reason not to use VA. It is an added layer of security. If for some reason it doesn’t work they go back to their standard procedure.

I will say in the past I rarely called, but if I did I didn’t try to enter my user ID and PW in the phone because they were long and complex. The result was I’d have to answer a few security questions with the rep. That’s convenient but not very good security on their part.

Bottom line they can add security features, like authenticators or VA, which helps, but their weakest link will probably always be very clever hackers armed with a lot of personal information and very skilled at impersonating somebody who needs and should have access. I don’t see any way around that.
2. What exactly does "computer problems" mean? Did it affect only the voice verification system and not any other system?
No idea what the problem was on their end.

goose
Posts: 2
Joined: Sun Jan 18, 2015 5:16 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by goose » Fri Oct 20, 2017 11:54 am

TOTP apps like Google Authenticator actually support push notifications. It's up to the service you are logging into to take advantage of this. For example, here's how to set it up for your Google account. https://support.google.com/accounts/an ... DiOS&hl=en

Ketawa
Posts: 1888
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: Drawback of TOTP (app like Google Authenticator)?

Post by Ketawa » Fri Oct 20, 2017 11:54 am

I never considered this a potential drawback of Google Authenticator. My main concern has been what I would do if I lost my phone with Authenticator, since there isn't any native support for backup. For that reason, I keep around a worthless Nexus 5 that exists solely to run Authenticator if I need it. Authenticator is part of my nightly backup through Titanium Backup on my main phone, which is encrypted and synced to Google Drive.

CyberBob
Posts: 3166
Joined: Tue Feb 20, 2007 2:53 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by CyberBob » Fri Oct 20, 2017 1:21 pm

Ketawa wrote:
Fri Oct 20, 2017 11:54 am
...My main concern has been what I would do if I lost my phone with Authenticator, since there isn't any native support for backup.
Google backup codes

Ketawa
Posts: 1888
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: Drawback of TOTP (app like Google Authenticator)?

Post by Ketawa » Fri Oct 20, 2017 1:55 pm

CyberBob wrote:
Fri Oct 20, 2017 1:21 pm
Ketawa wrote:
Fri Oct 20, 2017 11:54 am
...My main concern has been what I would do if I lost my phone with Authenticator, since there isn't any native support for backup.
Google backup codes
That only works for Google account access. I have a number of accounts using Google Authenticator without another option for 2FA, so losing my phone, or my phone dying could result in permanent loss of access to those accounts.

ThriftyPhD
Posts: 175
Joined: Mon Jul 31, 2017 10:43 am

Re: Drawback of TOTP (app like Google Authenticator)?

Post by ThriftyPhD » Fri Oct 20, 2017 2:06 pm

Ketawa wrote:
Fri Oct 20, 2017 1:55 pm
CyberBob wrote:
Fri Oct 20, 2017 1:21 pm
Ketawa wrote:
Fri Oct 20, 2017 11:54 am
...My main concern has been what I would do if I lost my phone with Authenticator, since there isn't any native support for backup.
Google backup codes
That only works for Google account access. I have a number of accounts using Google Authenticator without another option for 2FA, so losing my phone, or my phone dying could result in permanent loss of access to those accounts.
When you sign up for 2 factor, either at google or other places, you can choose to get the underlying code rather than the QR code. This can be entered manually into the authenticator app, but it can also be stored in a secure password manager, or a second device.

Fclevz
Posts: 308
Joined: Fri Mar 30, 2007 11:28 am

Re: Drawback of TOTP (app like Google Authenticator)?

Post by Fclevz » Fri Oct 20, 2017 3:53 pm

ThriftyPhD wrote:
Fri Oct 20, 2017 2:06 pm
When you sign up for 2 factor, either at google or other places, you can choose to get the underlying code rather than the QR code. This can be entered manually into the authenticator app, but it can also be stored in a secure password manager, or a second device.
Isn't that code only good for one-time use?

ThriftyPhD
Posts: 175
Joined: Mon Jul 31, 2017 10:43 am

Re: Drawback of TOTP (app like Google Authenticator)?

Post by ThriftyPhD » Fri Oct 20, 2017 4:19 pm

Fclevz wrote:
Fri Oct 20, 2017 3:53 pm
ThriftyPhD wrote:
Fri Oct 20, 2017 2:06 pm
When you sign up for 2 factor, either at google or other places, you can choose to get the underlying code rather than the QR code. This can be entered manually into the authenticator app, but it can also be stored in a secure password manager, or a second device.
Isn't that code only good for one-time use?
No, I am talking about the code you enter into google authenticator or whatever app you're using so that it can generate your future codes. It's the same information that gets scanned in the QR codes, but just in digit form rather than QR code form.
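As an added example (not code from the thread), the block below shows what that setup key is: the base32 shared secret carried in the otpauth:// URI that the QR code encodes. Any copy of it, whether scanned from the QR code or typed from the digits, derives the same codes, which is why a copy in a password manager works as a backup and needs the same protection as the phone. The URI, the issuer "ExampleBank" and the label are constructed; the secret is the RFC 6238 test seed, so the codes match the RFC's published vectors. Standard library only.

```python
# Added example, not from the thread: the "setup key" beside a 2FA QR code is
# the base32 shared secret from the otpauth:// URI; whoever holds it can
# generate every future code (RFC 6238 TOTP over RFC 4226 HOTP).
# SAMPLE_URI, its issuer and label are constructed for this example.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI.  The secret is the RFC 6238 test seed
# "12345678901234567890" in base32, so codes match the RFC's test vectors.
SAMPLE_URI = ("otpauth://totp/ExampleBank:slin?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=ExampleBank&digits=6&period=30&algorithm=SHA1")


def decode_secret(secret_b32: str) -> bytes:
    """Accept the key the way apps display it: spaces, lower case, no padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> dict:
    """Pull the parameters out of an otpauth://totp/ URI (what the QR code encodes)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [""])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter), dynamic truncation, last `digits` digits."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // period, digits, algorithm)


def verify(secret_b32: str, candidate: str, at_time=None, period: int = 30,
           digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check tolerating `window` steps of clock skew either way."""
    t = int(time.time() if at_time is None else at_time)
    for step in range(-window, window + 1):
        expected = hotp(secret_b32, t // period + step, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def same_seed_same_codes(uri: str, at_time: int) -> bool:
    """A phone that scanned the QR code and a password manager holding the
    typed-in key derive identical codes: the key is the whole second factor."""
    p = parse_otpauth(uri)
    from_qr = totp(p["secret"], at_time, p["period"], p["digits"], p["algorithm"])
    from_typed_key = totp("gezd gnbv gy3t qojq gezd gnbv gy3t qojq", at_time)
    return from_qr == from_typed_key


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["issuer"], p["label"], "->", totp(p["secret"]))
```

The same seed with counter 1 gives 287082 whether it is reached as HOTP counter 1 or as TOTP at unix time 59, which is how the two RFCs' test vectors line up; the `verify` window is what lets a phone whose clock drifts by a few seconds still log in.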

MathWizard
Posts: 2652
Joined: Tue Jul 26, 2011 1:35 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by MathWizard » Fri Oct 20, 2017 4:36 pm

When I login, there are notices of failed login attempts. (I don't always hit the correct keys, so these have always been my fault, but I would see if someone had tried.) This is after the fact though, not real time, unless I were already logged in.

azurekep
Posts: 1015
Joined: Tue Jun 16, 2015 7:16 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by azurekep » Fri Oct 20, 2017 8:52 pm

JBTX wrote:
Fri Oct 20, 2017 11:41 am

Bottom line they can add security features, like authenticators or VA, which helps, but their weakest link will probably always be very clever hackers armed with a lot of personal information and very skilled at impersonating somebody who needs and should have access. I don’t see any way around that.
I pinned Fidelity down today and was satisfied with their answers. They answered my questions on VV, and re: the fallback, they reiterated they don't use Equifax-type data, and that jibes with what I've observed in the past. I've also never been asked information that would be easily guessable by someone with a lot of personal information on me. So no changes for now. No system is perfect, but it seems good enough, especially when backed by their guarantee (which I still have to read the fine print on, but basically, per the rep, means you don't share your logon credentials with anyone.)

JBTX
Posts: 1720
Joined: Wed Jul 26, 2017 12:46 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by JBTX » Sat Oct 21, 2017 12:30 am

azurekep wrote:
Fri Oct 20, 2017 8:52 pm
JBTX wrote:
Fri Oct 20, 2017 11:41 am

Bottom line they can add security features, like authenticators or VA, which helps, but their weakest link will probably always be very clever hackers armed with a lot of personal information and very skilled at impersonating somebody who needs and should have access. I don’t see any way around that.
I pinned Fidelity down today and was satisfied with their answers. They answered my questions on VV, and re: the fallback, they reiterated they don't use Equifax-type data, and that jibes with what I've observed in the past. I've also never been asked information that would be easily guessable by someone with a lot of personal information on me. So no changes for now. No system is perfect, but it seems good enough, especially when backed by their guarantee (which I still have to read the fine print on, but basically, per the rep, means you don't share your logon credentials with anyone.)
Who is one of your beneficiaries of your accounts? That was a question that was asked. Two different times.

TravelGeek
Posts: 1245
Joined: Sat Oct 25, 2014 3:23 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by TravelGeek » Sat Oct 21, 2017 8:53 am

JBTX wrote:
Sat Oct 21, 2017 12:30 am
Who is one of your beneficiaries of your accounts? That was a question that was asked. Two different times.
Wow. :shock:

slin
Posts: 52
Joined: Fri May 16, 2014 12:07 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by slin » Sat Oct 21, 2017 2:06 pm

TravelGeek wrote:
Sat Oct 21, 2017 8:53 am
JBTX wrote:
Sat Oct 21, 2017 12:30 am
Who is one of your beneficiaries of your accounts? That was a question that was asked. Two different times.
Wow. :shock:
When I had to reset my phone (and thus needed to resync with a new instance of Symantec VIP), Fidelity asked me my account #. I didn't know it offhand (so that should have been a "strike" if I was a bad guy). So they asked who the beneficiary of my account was, and what their birthday was. Not too surprisingly, the beneficiary of my account is my spouse. That didn't seem like too hard of a guess, and of course my spouse's birthday is probably not a huge secret either.

I was calling from the phone # associated with the account, and I had already entered my username/password on the phone. So maybe that helped, but in general the whole process somewhat lessened my confidence in TFA and TOTP apps!
Last edited by slin on Sat Oct 21, 2017 3:25 pm, edited 1 time in total.

azurekep
Posts: 1015
Joined: Tue Jun 16, 2015 7:16 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by azurekep » Sat Oct 21, 2017 2:13 pm

TravelGeek wrote:
Sat Oct 21, 2017 8:53 am
JBTX wrote:
Sat Oct 21, 2017 12:30 am
Who is one of your beneficiaries of your accounts? That was a question that was asked. Two different times.
Wow. :shock:
Wow is right. JBTX, was that a recent occurrence?

FWIW, now that I'm thinking way way back, I think I was asked that question once but it was not recently, and I don't believe that was the only question asked.

If that IS the only question asked, that is scary.

I did manage to come up with one other scenario where the fallback security question system is not bulletproof. (I won't post it here for obvious reasons.) I think it's unlikely to happen unless someone was being specifically targeted by a hacker, but I think financial companies have a lot of room for improvement.

The problem with financial companies and their security departments is that they probably don't adequately enough "think like a criminal". I think that mindset is needed for them to hermetically seal their customer's assets.

But again, their fallback is that you're made whole as long as you follow the rules.

I'm going to have another talk with Fidelity. I think if enough customers call in, their IT/security department will beef up things a bit.

slin
Posts: 52
Joined: Fri May 16, 2014 12:07 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by slin » Sat Oct 21, 2017 3:03 pm

azurekep wrote:
Sat Oct 21, 2017 2:13 pm

The problem with financial companies and their security departments is that they probably don't adequately enough "think like a criminal". I think that mindset is needed for them to hermetically seal their customer's assets.
I think the problem is that if they make it too hard to recover from a lost TOTP token (or otherwise gain access to your accounts), customers get frustrated as well. I've seen posts here on bogleheads before where some customers are irritated at a variety of financial institutions because for "security reasons" they have to wait for a paper letter or are otherwise inconvenienced. From the companies' perspective, it's kind of damned if you do, damned if you don't, and I think it is legitimately hard for them to draw the line between security and convenience.

azurekep
Posts: 1015
Joined: Tue Jun 16, 2015 7:16 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by azurekep » Sat Oct 21, 2017 3:24 pm

slin wrote:
Sat Oct 21, 2017 3:03 pm
I think the problem is that if they make it too hard to recover from a lost TOTP token (or otherwise gain access to your accounts), customers get frustrated as well. I've seen posts here on bogleheads before where some customers are irritated at a variety of financial institutions because for "security reasons" they have to wait for a paper letter or are otherwise inconvenienced. From the companies' perspective, it's kind of damned if you do, damned if you don't, and I think it is legitimately hard for them to draw the line between security and convenience.
I think (hope) Equifax was a game-changer.

There are a lot of concerned people -- some with a lot of assets -- who suddenly feel as if their security blanket has been pulled.

I've never felt my input to Fidelity counted for much because of the sort of people you mention...the ones who hate to be inconvenienced.

But I think Fidelity has a large base of individual investors with a lot of assets that would be willing, and in fact, would demand, better security at this point.

It would not be a bad idea for Fidelity investors to call up and express their concerns about the nature of fallback security questions. If they're going to use something as easily guessable as beneficiaries, at the very least, they need to have multiple questions that are NOT easily guessable. Since the fallback option is needed only rarely anyway, it really isn't that much of an inconvenience.

TravelGeek
Posts: 1245
Joined: Sat Oct 25, 2014 3:23 pm

Re: Drawback of TOTP (app like Google Authenticator)?

Post by TravelGeek » Sat Oct 21, 2017 6:37 pm

azurekep wrote:
Sat Oct 21, 2017 2:13 pm
I did manage to come up with one other scenario where the fallback security question system is not bulletproof. (I won't post it here for obvious reasons.) I think it's unlikely to happen unless someone was being specifically targeted by a hacker, but I think financial companies have a lot of room for improvement.
If this is specific to a particular company (say, Fidelity), please consider reaching out to their security department and try to get them to fix it.

If you face push-back or get ignored, consider reaching out to the likes of Bruce Schneier or Brian Krebs.

Not posting it here in public is fine ( :beer ) as long as the loophole gets fixed somehow (reputable security researchers give the companies affected advance notice to give them the opportunity to fix an issue before they publish their work). But don’t count on bad guys not thinking of or even already knowing the same flaw if you just keep it to yourself.
