Two Factor Authentication ---Living Abroad

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Two Factor Authentication ---Living Abroad

Post by anonsdca » Sun Nov 24, 2019 4:48 pm

Hi - Been planning my move abroad for many years and I am getting close (year or so away) so really starting to think about some details.

My biggest fear throughout my planning has been FACTA, finances and the like. I am going to be living on investment income rather than a pension or SS (in the beginning). SS a few years after.

Right now, Two-Factor Authorization really has me worried. Most financial institutions do it, but they typically do it when they don't recognize a computer or network. I know some offer email, but others may not.

I just opened an Interactive Brokers account, mainly for safety if one of my other brokers finds me living outside the USA and closes my account due to FACTA (which I have heard has happened), but they require Two-Factor Authorization for EVERY Login, and EVERY trade (buy/sell). Yikes. Even in the US this seems like overkill and I don't know how to deal with this overseas.

It is no problem here in the US because I can do it on my local cell number. How does that work abroad? Anyone deal with this? I sure would like to stop worrying over this piece, but I have researched a ton, and I can't find anything speaking to this topic.

arf30
Posts: 624
Joined: Sat Dec 28, 2013 11:55 am

Re: Two Factor Authentication ---Living Abroad

Post by arf30 » Sun Nov 24, 2019 5:18 pm

Can you use a US Google Voice number? I use this for sites that require SMS 2FA. Otherwise go with a provider that uses token or authenticator 2FA instead, it's more secure and doesn't require them to send you a code.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Sun Nov 24, 2019 5:31 pm

arf30 wrote:
Sun Nov 24, 2019 5:18 pm
Can you use a US Google Voice number? I use this for sites that require SMS 2FA. Otherwise go with a provider that uses token or authenticator 2FA instead, it's more secure and doesn't require them to send you a code.
I am not sure on Google Voice, I will check into it. I am not sure I have a choice to move really. My investments are where they are, and I am not sure I can move them that would avoid 2FA. Thanks, I will look into Google Voice.

GAAP
Posts: 1014
Joined: Fri Apr 08, 2016 12:41 pm

Re: Two Factor Authentication ---Living Abroad

Post by GAAP » Tue Nov 26, 2019 2:14 pm

anonsdca wrote:
Sun Nov 24, 2019 4:48 pm
Right now, Two-Factor Authorization really has me worried. Most financial institutions do it, but they typically do it when they don't recognize a computer or network. I know some offer email, but others may not.

I just opened an Interactive Brokers account, mainly for safety if one of my other brokers finds me living outside the USA and closes my account due to FACTA (which I have heard has happened), but they require Two-Factor Authorization for EVERY Login, and EVERY trade (buy/sell). Yikes. Even in the US this seems like overkill and I don't know how to deal with this overseas.

It is no problem here in the US because I can do it on my local cell number. How does that work abroad? Anyone deal with this? I sure would like to stop worrying over this piece, but I have researched a ton, and I can't find anything speaking to this topic.
I wouldn't use an account without two-factor.

I never let my financial institutions recognize a hardware device -- theft immediately removes a layer of security.

I never browse to a financial institution except by using a new incognito/private browsing session with a browser that has no other current sessions running.

SMS is not even close to being as secure as you seem to think it is. Yubikey or similar devices are far more secure. Authy or the Google Authenticator are also reasonable options.
“Adapt what is useful, reject what is useless, and add what is specifically your own.” ― Bruce Lee

mptfan
Posts: 5729
Joined: Mon Mar 05, 2007 9:58 am

Re: Two Factor Authentication ---Living Abroad

Post by mptfan » Tue Nov 26, 2019 2:22 pm

You seem to assume that the only way to use 2 factor authentication is with SMS texts. This is not correct. There are a number of ways, including physical tokens or soft tokens (an app). IBG uses an app as one option...

IBKR Mobile Authentication
IBKR Mobile Authentication provides two-factor authentication for your IBKR account via our IBKR Mobile app downloaded to your Android or iOS mobile device. IBKR Mobile Authentication requires a PIN code or fingerprint to operate. You use your IBKR Mobile Authentication alone or as an alternative to your existing physical security device.

https://www.interactivebrokers.com/en/i ... 2334&p=log

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 3:09 pm

When abroad for sites that require SMS-based 2FA just use a Google Voice number. I haven’t had any issues with this at a number of financial institutions but I have heard some people have.

The good thing is you can set it up and try it out now, for free, so you can easily evaluate how well it works.

All the other 2FA methods I can think of are location-independent. For example Authenticator app, hardware key, hardware OTP token, email, etc. That said there may be some other weird schemes out there, so best to do research now.

dboeger1
Posts: 102
Joined: Fri Jan 13, 2017 7:32 pm

Re: Two Factor Authentication ---Living Abroad

Post by dboeger1 » Tue Nov 26, 2019 3:27 pm

I haven't had to deal with this abroad, but I would like to chime in that you need to be extremely careful and aware of how different implementations of 2FA work when it comes to account recovery, especially when using 3rd-party apps.

As an example, I use a service which relies on Google Authenticator, and I assumed that access was tied to my Google Account. After all, that's how Google integrates with a lot of things, such as granting access to your Calendar or Docs via OAuth tokens.

NOT SO, as I learned the hard way.

Google Authenticator is tied TO YOUR SPECIFIC DEVICE. This is true even if your plan is with Google Fi and you have a Google phone. I had a Pixel phone on Fi and used the Authenticator app to log into this other service. One day, I decided to trade in my old phone for a newer model, again from Google on Fi. After receiving the new phone and sending back the old one, I tried logging into the service, only to find that I could not access it through Authenticator anymore, because it was a different device.

So here I was, stuck, with a 3rd-party app supposedly trusting Google as an entity to authenticate me, and I had a phone designed by Google to run specifically on Google's own service, and I went through the standard Google trade-in process, and somehow, I suddenly lost access to my Authenticator accounts because Google couldn't authenticate me, which is absolutely bizarre to me. I'm not a security expert, but I am a software engineer, and that sounds like a straight up design flaw to me.

Anyway, I was luckily able to find where I had written down my recovery codes (somehow, my wife managed not to throw them away after several years and a change in apartments), log into the account, and switch the 2FA to email. And no, GOOGLE DOES NOT EXPLICITLY WARN YOU TO GO THROUGH THIS PROCESS WHEN TRADING IN DEVICES. I mean, maybe somewhere in some fine print or during setup in the Authenticator app, they might tell you to do this, but there are no helpful reminders when you actually need to do it. I could understand if I was using a Samsung phone on Verizon and this happened, but to go entirely through Google and not be able to access an account that presumably trusts Google to authenticate me was insane.

Moral of the story: know EXACTLY how you're going to recover your accounts should you change devices or lose a password or whatever, write it all down, and take care of those materials like your life depends on it. Make sure they never accidentally end up in the trash.

P.S.: And in case anybody chimes in to say I should have disabled Authenticator in my Google Account, I did. I tried everything. The other service still needed THE EXACT SAME PHONE AND APP to work. It's really not intuitive at all. This is why I feel like the security benefits of 2FA that relies so heavily on devices are over-stated. It assumes that our devices are more reliable than our accounts, and that's just not true in a world where we upgrade devices every couple of years because we want the latest stuff.

KyleAAA
Posts: 7758
Joined: Wed Jul 01, 2009 5:35 pm

Re: Two Factor Authentication ---Living Abroad

Post by KyleAAA » Tue Nov 26, 2019 3:34 pm

Most true 2FA doesn't rely on SMS. Even Vanguard supports hardware 2FA, and probably software as well. Not having a cell number won't be an issue.

Pacific
Posts: 1331
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: Two Factor Authentication ---Living Abroad

Post by Pacific » Tue Nov 26, 2019 4:17 pm

ARoseByAnyOtherName wrote:
Tue Nov 26, 2019 3:09 pm
When abroad for sites that require SMS-based 2FA just use a Google Voice number. I haven’t had any issues with this at a number of financial institutions but I have heard some people have.

The good thing is you can set it up and try it out now, for free, so you can easily evaluate how well it works.

All the other 2FA methods I can think of are location-independent. For example Authenticator app, hardware key, hardware OTP token, email, etc. That said there may be some other weird schemes out there, so best to do research now.
So, I have a Google Pixel phone through Google Fi which is fine when I am in the U.S. or Europe. However, my U.S. cell does not work in the country in which I work, so I suspend the service whenever I am in the other country. I have to switch to a local sim card and provider.

I do not understand how Google Voice will be of use. Please explain.

mptfan
Posts: 5729
Joined: Mon Mar 05, 2007 9:58 am

Re: Two Factor Authentication ---Living Abroad

Post by mptfan » Tue Nov 26, 2019 4:20 pm

Pacific wrote:
Tue Nov 26, 2019 4:17 pm
I do not understand how Google Voice will be of use. Please explain.
Google Voice and Google Fi are different things. I do not have Google Fi, but I do have Google voice.

Cyanide123
Posts: 195
Joined: Sun May 05, 2019 9:14 am

Re: Two Factor Authentication ---Living Abroad

Post by Cyanide123 » Tue Nov 26, 2019 4:24 pm

T-Mobile has free roaming, free in and out texts internationally as well as internet even when outside of the US for free.

You can send and receive free texts internationally. So texts with codes for authorization will be easily received.

Pacific
Posts: 1331
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: Two Factor Authentication ---Living Abroad

Post by Pacific » Tue Nov 26, 2019 4:35 pm

mptfan wrote:
Tue Nov 26, 2019 4:20 pm
Pacific wrote:
Tue Nov 26, 2019 4:17 pm
I do not understand how Google Voice will be of use. Please explain.
Google Voice and Google Fi are different things. I do not have Google Fi, but I do have Google voice.
But, I still do not understand how google voice works. How can it send a text to my foreign number?

aj76er
Posts: 711
Joined: Tue Dec 01, 2015 11:34 pm
Location: Portland, OR

Re: Two Factor Authentication ---Living Abroad

Post by aj76er » Tue Nov 26, 2019 4:38 pm

If you set up your accounts to use a software key for logging in then the 2FA may not be an issue. In this case, you have a local program (like Symantec VIP) on your phone generating random codes; and the brokerage has the other side of the key. No need to send SMS, email, etc...
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle

mptfan
Posts: 5729
Joined: Mon Mar 05, 2007 9:58 am

Re: Two Factor Authentication ---Living Abroad

Post by mptfan » Tue Nov 26, 2019 4:39 pm

Pacific wrote:
Tue Nov 26, 2019 4:35 pm
But, I still do not understand how google voice works. How can it send a text to my foreign number?
You do not send a text to your foreign number, you send a text to your google voice number, then you go to voice.google.com from any computer and you can see the text. Also, if you use Gmail and Hangouts (Hangouts is embedded within Gmail on the bottom left of the screen on your computer or as a separate app you can download to your phone) you can set up Hangouts as your default for receiving texts sent to your Google voice number, and you can see the text using Hangouts (hangouts.google.com or the Hangouts app on any device) or when logged in to Gmail the text will pop up anytime you are in Hangouts or Gmail.

You don't need a foreign number or Google Fi or any other number for that matter, you only need a Google voice number. If you have Google Fi then I think your Google voice number can be the same or is the same as your Google Fi number (I think, I'm not 100% sure) or you can simply set up Hangouts as your default for receiving texts using your Google Fi number without needing a separate Google Voice number and you can use Hangouts as your default for all SMS texts that will come to your phone and your computer and any device in which you are logged in using your Google account.

bryanm
Posts: 226
Joined: Mon Aug 13, 2018 3:48 pm

Re: Two Factor Authentication ---Living Abroad

Post by bryanm » Tue Nov 26, 2019 4:53 pm

dboeger1 wrote:
Tue Nov 26, 2019 3:27 pm
So here I was, stuck, with a 3rd-party app supposedly trusting Google as an entity to authenticate me, and I had a phone designed by Google to run specifically on Google's own service, and I went through the standard Google trade-in process, and somehow, I suddenly lost access to my Authenticator accounts because Google couldn't authenticate me, which is absolutely bizarre to me. I'm not a security expert, but I am a software engineer, and that sounds like a straight up design flaw to me.

...

P.S.: And in case anybody chimes in to say I should have disabled Authenticator in my Google Account, I did. I tried everything. The other service still needed THE EXACT SAME PHONE AND APP to work. It's really not intuitive at all. This is why I feel like the security benefits of 2FA that relies so heavily on devices are over-stated. It assumes that our devices are more reliable than our accounts, and that's just not true in a world where we upgrade devices every couple of years because we want the latest stuff.

The 3rd party app did not trust Google to authenticate you. It trusted a TOTP (Time-based One Time Password)-compliant app with a locally-stored shared secret to authenticate you. For those interested, authenticator apps work by exchanging a shared secret with a 2FA service provider. The provider and app both know how to generate codes using that shared secret and the current time. When the 2FA provider wants to authenticate you, you put in your code from your app, and the 2FA provider computes what it thinks the code should be. If they match, you're in. The shared secret is not synchronized in most authenticator apps, as the whole point of the application is to verify the "something you have" prong of 2FA. Synchronizing shared secrets would significantly weaken 2FA, as presumably the account to which it is synchronized is accessible via username/password (we can't assume 2FA in this world, as that would be circular). Relatedly, 2FA and OAuth are not designed for the same purposes. While OAuth lets one party vouch for you to another, true 2FA requires physical/biological possession as opposed to knowledge.

I recommend you save your backup codes to a secure location, like a password manager.

dboeger1
Posts: 102
Joined: Fri Jan 13, 2017 7:32 pm

Re: Two Factor Authentication ---Living Abroad

Post by dboeger1 » Tue Nov 26, 2019 5:05 pm

mptfan wrote:
Tue Nov 26, 2019 4:39 pm
Pacific wrote:
Tue Nov 26, 2019 4:35 pm
But, I still do not understand how google voice works. How can it send a text to my foreign number?
You do not send a text to your foreign number, you send a text to your google voice number, then you go to voice.google.com from any computer and you can see the text. Also, if you use Gmail and Hangouts (Hangouts is embedded within Gmail on the bottom left of the screen on your computer or as a separate app you can download to your phone) you can set up Hangouts as your default for receiving texts sent to your Google voice number, and you can see the text using Hangouts (hangouts.google.com or the Hangouts app on any device) or when logged in to Gmail the text will pop up anytime you are in Hangouts or Gmail.

You don't need a foreign number or Google Fi or any other number for that matter, you only need a Google voice number. If you have Google Fi then I think your Google voice number can be the same or is the same as your Google Fi number (I think, I'm not 100% sure) or you can use Hangouts as your default for receiving texts using your Google Fi number without needing a separate Google Voice number and you can use Hangouts as your default for all SMS texts that will come to your phone and your computer and any device in which you are logged in using your Google account.
I would like to add that this is a bit complicated by the history of how these different services were developed and merged, so things may work differently depending on how and when you sign up for all of this.

I had Google Voice before it was integrated with Hangouts, but after Google bought it from whatever the company was called before it was acquired, can't remember off the top of my head. Then, at some point, they allowed you to integrate Google Voice with Hangouts, but it was optional. I opted to do that. And eventually, when Google Fi came out (it was originally called Project Fi before they opened it up to BYOD), I signed up for that, which required me to merge my Google Voice number with Fi.

I have no idea if there are any differences in behavior based on whether you had Voice or Fi first, or whether either or both are integrated with Hangouts. I suspect Google has done a good job of converging everyone to the same basic service level, but I have no idea if the way you sign up for these things or the various subsets of functionality that were available at different times are all still available.

Basically, Google Voice is like a virtual phone number with voicemail, text, etc., but its original main selling point was that it had advanced call-handling features, such as different voicemail for different numbers, forwarding of different numbers to different phones, transcription of voicemails to text, etc. And again, this was all sort of a virtual setup ON TOP OF whatever existing phone number(s) you had. So, for example, you might have a small business with 3 employees, and you want different customers to be automatically routed to the mobile numbers of their corresponding account manager whenever they call the virtual business number. Or maybe you want to be able to pick up calls to the virtual business number from both your home phone and your office phone. Or even simpler, you might just want to answer a call from Gmail without needing a phone at all. Google Voice did those things.

Eventually, Fi came along, and it's more or less just a cell service that incorporates all the Google Voice features (at least I hope it does; I believe there was a time early on that certain Voice features were missing when you switched to Fi, and I have no idea if that's still the case, again because of their complicated histories). So if you have Fi, and it's integrated with Hangouts, that means you more or less have Voice already.

The benefit of that is that your Fi number essentially acts as a US phone number, regardless of what you have it set up to do. You can have it forward SMS to your Hangouts, you can answer calls in Hangouts from your PC or tablet or anywhere where it's available, and you can set it up to connect with foreign phones. Regardless, it just looks like a standard US phone number to whoever is contacting it... in this case, services that use it for 2FA. They have no idea that you might be forwarding that SMS to a phone in Bali, or picking up calls on a tablet in London.

02nz
Posts: 3064
Joined: Wed Feb 21, 2018 3:17 pm

Re: Two Factor Authentication ---Living Abroad

Post by 02nz » Tue Nov 26, 2019 5:29 pm

If you keep a U.S. cell line on a relative's account with a carrier that supports wi-fi calling, you'll receive texts just fine. I did this with T-Mobile. T-Mobile and Sprint both offer free international roaming - the data is slow (unless you pay extra) but the texts are free.

The reason to do this as an add'l line on a friend/relative's account is not just to save on cost but also because if you have just one line that is abroad most of the time, the carrier may shut you down (deeming that you're not using the service for its intended purpose).

T-Mobile also has an app called T-Mobile Digits, which you can install on any other iOS/Android phone/tablet and receive all the texts going to your T-Mobile U.S. number. It's been a while since I've used it though. I'm also not sure if it works with prepaid - if it does it might work well for the purpose you describe.

Google Voice has been suggested but not all institutions support sending 2FA texts to a GV number.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 5:34 pm

Folks the OP asked a simple question that has a simple answer, but I don’t see a simple answer in any of the replies. I suspect the walls of text are only serving to confuse, not enlighten.

OP's question was:
Pacific wrote:
Tue Nov 26, 2019 4:35 pm
But, I still do not understand how google voice works. How can it send a text to my foreign number?
The simple answer is that it doesn’t send a text to your foreign number.

When someone sends a text to your Google Voice number the SMS is delivered to Google's servers - NOT your phone. Then, Google sends a notification to the Google Voice app you have installed on your phone. You can also log in to google.com to get the SMS via a web browser if you want.

It never gets delivered to your foreign phone number.

Hope this helps.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 5:38 pm

02nz wrote:
Tue Nov 26, 2019 5:29 pm
If you keep a U.S. cell line on a relative's account with a carrier that supports wi-fi calling, you'll receive texts just fine. I did this with T-Mobile. T-Mobile and Sprint both offer free international roaming - the data is slow (unless you pay extra) but the texts are free.
I don’t recommend this at all, I think it’s bad advice. If said relative switches carriers, changes their plan, or doesn’t have the $$ to pay their bills then you are up a creek.

Google Voice is free. You can verify whether or not it works for you now, before you travel. And I believe there are other companies out there with similar offerings for minimal cost if you need other options. No need to add a dependency on things you don’t control directly.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Tue Nov 26, 2019 5:40 pm

ARoseByAnyOtherName wrote:
Tue Nov 26, 2019 5:34 pm
Folks the OP asked a simple question that has a simple answer, but I don’t see a simple answer in any of the replies. I suspect the walls of text are only serving to confuse, not enlighten.

OP's question was:
Pacific wrote:
Tue Nov 26, 2019 4:35 pm
But, I still do not understand how google voice works. How can it send a text to my foreign number?
The simple answer is that it doesn’t send a text to your foreign number.

When someone sends a text to your Google Voice number the SMS is delivered to Google's servers - NOT your phone. Then, Google sends a notification to the Google Voice app you have installed on your phone. You can also log in to google.com to get the SMS via a web browser if you want.

It never gets delivered to your foreign phone number.

Hope this helps.

Well, I am the OP and I didn't actually ask that question :D But that is OK, I do appreciate all the back and forth --and other people asking questions--because it is giving me some great information and research to do. Thank you all that have answered so far. I will agree, this doesn't seem simple.

dboeger1
Posts: 102
Joined: Fri Jan 13, 2017 7:32 pm

Re: Two Factor Authentication ---Living Abroad

Post by dboeger1 » Tue Nov 26, 2019 5:40 pm

bryanm wrote:
Tue Nov 26, 2019 4:53 pm
dboeger1 wrote:
Tue Nov 26, 2019 3:27 pm
So here I was, stuck, with a 3rd-party app supposedly trusting Google as an entity to authenticate me, and I had a phone designed by Google to run specifically on Google's own service, and I went through the standard Google trade-in process, and somehow, I suddenly lost access to my Authenticator accounts because Google couldn't authenticate me, which is absolutely bizarre to me. I'm not a security expert, but I am a software engineer, and that sounds like a straight up design flaw to me.

...

P.S.: And in case anybody chimes in to say I should have disabled Authenticator in my Google Account, I did. I tried everything. The other service still needed THE EXACT SAME PHONE AND APP to work. It's really not intuitive at all. This is why I feel like the security benefits of 2FA that relies so heavily on devices are over-stated. It assumes that our devices are more reliable than our accounts, and that's just not true in a world where we upgrade devices every couple of years because we want the latest stuff.

The 3rd party app did not trust Google to authenticate you. It trusted a TOTP (Time-based One Time Password)-compliant app with a locally-stored shared secret to authenticate you. For those interested, authenticator apps work by exchanging a shared secret with a 2FA service provider. The provider and app both know how to generate codes using that shared secret and the current time. When the 2FA provider wants to authenticate you, you put in your code from your app, and the 2FA provider computes what it thinks the code should be. If they match, you're in. The shared secret is not synchronized in most authenticator apps, as the whole point of the application is to verify the "something you have" prong of 2FA. Synchronizing shared secrets would significantly weaken 2FA, as presumably the account to which it is synchronized is accessible via username/password (we can't assume 2FA in this world, as that would be circular). Relatedly, 2FA and OAuth are not designed for the same purposes. While OAuth lets one party vouch for you to another, true 2FA requires physical/biological possession as opposed to knowledge.

I recommend you save your backup codes to a secure location, like a password manager.
I understand the different purposes of OAuth and 2FA. However, I feel like the technical implementation doesn't necessarily make them completely separate when taking into account practical reality. When a 3rd-party app or service makes use of an external authenticator like Google Authenticator, there is an implicit trust being given, and so there is inherently some degree of authorization being done in addition to authentication. And because the device being authenticated is being used as the single authority on whether or not I am who I say I am, in the event where the device is compromised, there's this ironic situation where the 3rd-party actually explicitly CHOOSES to accept authentication by the compromised device while explicitly IGNORING the authorization of the party which was trusted to provide the authentication method in the first place.

To make it easier to talk about, I'll just mention a couple of services, Steam and Uplay. They're basically competing digital distribution platforms for video games. Steam uses its own authentication app, which I don't actually know exactly how it's implemented, but I think it's more of an authorization system, similar to OAuth, where you can still manage to log into your account if you answer secret questions instead of giving the code, add another mobile number (I think it only allows 1, but for the thought exercise, imagine you could list multiple), and then use the codes from either one. Meanwhile, Uplay uses Google Authenticator. This means that Ubisoft at some point decided to TRUST Google's implementation of 2FA. But it works as I said in my previous post, where if I lose or trade in that phone, my access is 100% gone unless I have those recovery codes. Sure, you could argue the recovery codes are analogous to Steam letting me answer my secret questions, but I would disagree, because to me, those are inherently different mechanisms. Secret answers are much more like a password, while the codes are generated when setting up 2FA, and really only exist as a compromise because humans mess up and lose things, NOT because the architects wanted you to be able to get in without your phone. The intent is different.

Again, to be clear, I recognize these 2 are technically very similar when all is said and done. But to me, I consider the secret answers much more like a password, something I'm liable to remember as a person, not some crazy random string. So in the case of Steam, I essentially have an alternative 2nd factor. The phone is my normal 2nd factor, but at any time, I can log in with my secret answers, and change the phone I have set up for the account all I want. With Uplay, there really isn't an alternative factor EXCEPT for the recovery codes, which again, are not something I can remember if I'm out at a bar in some foreign country and trying to access my accounts on the fly. That means if I change phones or it gets stolen, I'm more or less screwed, with the exception of the recovery codes that are there as an emergency fallback option (I think the recovery codes are even single-use, and you're basically supposed to reset the whole system when that happens, so they're far less permanent than a secret answer). So that results in this situation where Uplay, having trusted Google to responsibly handle their 2FA implementation, will trust my stolen device INSTEAD OF my Google account, but Steam, which implemented their own 2FA solution without using a 3rd-party's (ignoring any potential hardware assist or anything like that; of course everything's interdependent to some degree) will still let me authenticate myself as a person using reasonable means in the event I trade in my device. This was actually my real-life use case. When I upgraded phones, regaining access to my Steam account was a breeze. Uplay, not so much. It took me a whole day of trying everything and searching before finally finding my old recovery codes which I had written down years ago.

My point is, yes, the technical implementation of 2FA has gotten really good at authenticating a device, but insofar as a device is not tied to the human that owns the account, then it's actually not necessarily an optimal method of authenticating a human directly. Just like any security mechanism over the years, it's only good as long as it doesn't get compromised, whether intentionally or by accident. I know you didn't say or even imply this, but I think it's worth mentioning as it is relevant to OP's topic: that's why 2FA isn't the be-all-end-all of security solutions, and it's why there have been many notable compromises, like the relatively trivial one where all you need is someone's phone number, and then you call into a bank or somewhere else where they have an account and try to "recover" the account. I realize TOTP is better than just a phone number, but even that may only require physical possession of the device.

In a case like OP's where they absolutely need to be able to access and manage these accounts to live on while abroad, the technically most secure solution may not actually be the most secure in financial terms; they may end up accidentally locking themselves out of an account. Assuming they are careful with sharing their data and devices with others, that may in fact be the single most likely threat. This is literally what happened when I almost lost my Uplay account after trading in my old phone for a new one, a perfectly normal and legitimate thing to do. That's why I think it's crucial that someone like OP really understand the nitty-gritty of how their accounts work, because they might learn the hard way that a particular setting or provider is not a good fit for their living situation, regardless of how secure they claim to be.

dboeger1
Posts: 102
Joined: Fri Jan 13, 2017 7:32 pm

Re: Two Factor Authentication ---Living Abroad

Post by dboeger1 » Tue Nov 26, 2019 6:16 pm

Sorry for the double post. I just remembered a point I wanted to make. Even in corporate settings where things like hard 2FA tokens are becoming more common, there is often still a central authority that can act as a recovery system. Shortly after I started working at my current employer, I was issued a hard token for 2FA. Sadly, it ended up in the wash like 2 days later, and I felt like a fool having to request a replacement so soon after starting my new job. They were able to issue a new one in a matter of seconds, because they had the central authority to just do that.

Going back to my comparison of Steam and Uplay, to me, it FEELS like my Steam account is the central authority. I can log into it using secret answers and fix whatever is going wrong with my 2FA. With Uplay, I went into it assuming (perhaps naively) that my Google account was the central authority. IT IS NOT. Again, you could argue my Uplay account is, because I could technically get in with recovery codes, but again, when those recovery codes are randomly generated strings that came from Google Authenticator on my old phone and are one-time use, it FEELS like Google Authenticator on the old phone is the central authority. Basically, whoever has access to the phone or the codes is in control. Actually, that's not entirely true, because the Uplay account is still secured by the 1st factor, which is my password. So whoever has access to the phone and codes is able to deny access to whoever has the password.

Again, I get that's why the codes exist and you keep them in a safe place. They just don't feel like an authentication of me as a person though, especially when they're so easy to lose (I can certainly lose access to a password manager the same as I could lose a piece of paper). That's why I personally switched from Google Authenticator to email code verification on my Uplay account, and why I would probably avoid Google Authenticator like the plague if I needed it to access critical bank accounts and such while abroad. It may technically be very secure, but be careful what you wish for. And if someone like OP does use Google Authenticator, KEEP YOUR RECOVERY CODES CLOSE. I know they tell you that when you set it up, but I really cannot stress enough how important that is, having needed them myself. At most, I think Authenticator is exceptional for some non-critical service, but I would really be afraid to lock myself out of something like a bank account or my video game accounts which I've spent tons of money on over the years. That may be why I've not heard of any banks using something like that.

Workable Goblin
Posts: 100
Joined: Fri Mar 01, 2019 8:37 pm
Location: Honolulu, HI

Re: Two Factor Authentication ---Living Abroad

Post by Workable Goblin » Tue Nov 26, 2019 6:17 pm

dboeger1 wrote:
Tue Nov 26, 2019 5:40 pm
I understand the different purposes of OAuth and 2FA. However, I feel like the technical implementation doesn't necessarily make them completely separate when taking into account practical reality. When a 3rd-party app or service makes use of an external authenticator like Google Authenticator, there is an implicit trust being given, and so there is inherently some degree of authorization being done in addition to authentication. And because the device being authenticated is being used as the single authority on whether or not I am who I say I am, in the event where the device is compromised, there's this ironic situation where the 3rd-party actually explicitly CHOOSES to accept authentication by the compromised device while explicitly IGNORING the authorization of the party which was trusted to provide the authentication method in the first place.
No, not really. TOTP authentication is (in most cases) an open standard that anyone can (in principle) implement, just like an ordinary password (in the sense that ordinary passwords are strings of characters that anyone can figure out a method to record). Just because you chose to use Google Authenticator instead of one of the many other authentication apps out there (look at this review if you don't believe me) doesn't mean that they're implicitly trusting Google, any more than you using 1Password instead of LastPass means that they're trusting the former over the latter.

Now, if you're talking about a service that doesn't use standard TOTP passwords but relies on some proprietary method (an example: my former employer, which uses Duo's proprietary push system), then they're trusting that external authenticator. But in the usual case, not really.
dboeger1 wrote:
Tue Nov 26, 2019 5:40 pm
Meanwhile, Uplay uses Google Authenticator. This means that Ubisoft at some point decided to TRUST Google's implementation of 2FA. But it works as I said in my previous post, where if I lose or trade in that phone, my access is 100% gone unless I have those recovery codes. Sure, you could argue the recovery codes are analogous to Steam letting me answer my secret questions, but I would disagree, because to me, those are inherently different mechanisms. Secret answers are much more like a password, while the codes are generated when setting up 2FA, and really only exist as a compromise because humans mess up and lose things, NOT because the architects wanted you to be able to get in without your phone. The intent is different.
No, actually they don't trust Google's implementation of 2FA. What they trust is a standard for TOTP password generation, of which there are many implementations--besides Google, 1Password, LastPass, Authy, Duo, Microsoft, and Symantec all have TOTP generators that will work just fine with the shared secret provided by UPlay or anyone else who offers "Google Authenticator" 2FA. The only reason they mention Google is that most people know what Google is but have no idea what Authy or Duo is. But that doesn't mean you can't use them just as well (and some of them do support synchronization of the shared secret between devices).

Of course, the actually sensible thing to do is to temporarily turn off 2FA before you get rid of a phone, then set it up again with the new phone. It's slightly inconvenient, but not much more so than all of the usual rigamarole you have to go through with a new device.

Workable Goblin
Posts: 100
Joined: Fri Mar 01, 2019 8:37 pm
Location: Honolulu, HI

Re: Two Factor Authentication ---Living Abroad

Post by Workable Goblin » Tue Nov 26, 2019 6:27 pm

dboeger1 wrote:
Tue Nov 26, 2019 6:16 pm
At most, I think Authenticator is exceptional for some non-critical service, but I would really be afraid to lock myself out of something like a bank account or my video game accounts which I've spent tons of money on over the years. That may be why I've not heard of any banks using something like that.
Banks in other countries frequently support 2FA via software token (which is what we're talking about). For that matter, I know Schwab does, even though they're not listed on the site I linked above--but, unfortunately, they rely on Symantec's VIP app for authentication instead of using the usual standard method (in this case, they do trust Symantec).

ivk5
Posts: 998
Joined: Thu Sep 22, 2016 9:05 am

Re: Two Factor Authentication ---Living Abroad

Post by ivk5 » Tue Nov 26, 2019 6:46 pm

I am a non-US resident US person (citizen) with US accounts.

For various US accounts I 2FA via SMS to google voice, google Authenticator, hard token (yubikey), etc - all without issue.

dboeger1
Posts: 102
Joined: Fri Jan 13, 2017 7:32 pm

Re: Two Factor Authentication ---Living Abroad

Post by dboeger1 » Tue Nov 26, 2019 6:59 pm

Workable Goblin wrote:
Tue Nov 26, 2019 6:17 pm
dboeger1 wrote:
Tue Nov 26, 2019 5:40 pm
I understand the different purposes of OAuth and 2FA. However, I feel like the technical implementation doesn't necessarily make them completely separate when taking into account practical reality. When a 3rd-party app or service makes use of an external authenticator like Google Authenticator, there is an implicit trust being given, and so there is inherently some degree of authorization being done in addition to authentication. And because the device being authenticated is being used as the single authority on whether or not I am who I say I am, in the event where the device is compromised, there's this ironic situation where the 3rd-party actually explicitly CHOOSES to accept authentication by the compromised device while explicitly IGNORING the authorization of the party which was trusted to provide the authentication method in the first place.
No, not really. TOTP authentication is (in most cases) an open standard that anyone can (in principle) implement, just like an ordinary password (in the sense that ordinary passwords are strings of characters that anyone can figure out a method to record). Just because you chose to use Google Authenticator instead of one of the many other authentication apps out there (look at this review if you don't believe me) doesn't mean that they're implicitly trusting Google, any more than you using 1Password instead of LastPass means that they're trusting the former over the latter.

Now, if you're talking about a service that doesn't use standard TOTP passwords but relies on some proprietary method (an example: my former employer, which uses Duo's proprietary push system), then they're trusting that external authenticator. But in the usual case, not really.
dboeger1 wrote:
Tue Nov 26, 2019 5:40 pm
Meanwhile, Uplay uses Google Authenticator. This means that Ubisoft at some point decided to TRUST Google's implementation of 2FA. But it works as I said in my previous post, where if I lose or trade in that phone, my access is 100% gone unless I have those recovery codes. Sure, you could argue the recovery codes are analogous to Steam letting me answer my secret questions, but I would disagree, because to me, those are inherently different mechanisms. Secret answers are much more like a password, while the codes are generated when setting up 2FA, and really only exist as a compromise because humans mess up and lose things, NOT because the architects wanted you to be able to get in without your phone. The intent is different.
No, actually they don't trust Google's implementation of 2FA. What they trust is a standard for TOTP password generation, of which there are many implementations--besides Google, 1Password, LastPass, Authy, Duo, Microsoft, and Symantec all have TOTP generators that will work just fine with the shared secret provided by UPlay or anyone else who offers "Google Authenticator" 2FA. The only reason they mention Google is that most people know what Google is but have no idea what Authy or Duo is. But that doesn't mean you can't use them just as well (and some of them do support synchronization of the shared secret between devices).

Of course, the actually sensible thing to do is to temporarily turn off 2FA before you get rid of a phone, then set it up again with the new phone. It's slightly inconvenient, but not much more so than all of the usual rigamarole you have to go through with a new device.
So you're saying the TOTP generation is a standard function of the account secret? See, I did not know that (which is silly of me, being a software engineer). So in theory, I could have used a TOTP implementation other than Google Authenticator, even though GA is the one Uplay suggested? Very interesting, I was not aware of that.

Even so, that only supports my point even further, which is that OP needs to know how their accounts work, and should probably make sure it's easy enough to recover accounts in an emergency. Had I known when I set the account up, I definitely would have used an alternative to GA which DOES have some central authority, such as an account I can log into, in order to get the code in the event I lose or replace my device. I realize that just shifts the risk from the Uplay account to the authentication account, rather than actually authenticating a specific device, but I'm still convinced that's a better fit to me as a person than a device.

I wholly disagree that updating 2FA is a slight inconvenience on getting a new device. I think it's absolutely a deal-breaker. 1) I change devices too often, and 2) the amount of work is O(number of accounts), not constant. You have to go into each of the accounts themselves to disable 2FA. It's not something you can do directly from the phone (unless there's a whole other standard for pushing that setting change from something like GA to all the supporting accounts, which would blow my mind). You then have to securely store the recovery codes, which again, is not necessarily something people are going to want to do late at night checking into a hotel in some foreign country when their card gets declined and they just need to log into their bank to figure out why.

Maybe I just don't get it. Maybe I'm behind the times. Maybe I'm not a typical person. But I feel like tying authentication so intimately to what are practically throwaway devices nowadays which are easily pickpocketed isn't inherently any more secure than some of the other methods, such as sending a code to an email address. At some point, the potential difficulty of recovery outweighs the additional "security", which is nothing more than wannabe biometrics. I feel like TOTP is kind of a weird compromise while we wait for mainstream biometric authenticators to increase in quality and adoption. Until then, I'd rather stick to simpler methods.

Workable Goblin
Posts: 100
Joined: Fri Mar 01, 2019 8:37 pm
Location: Honolulu, HI

Re: Two Factor Authentication ---Living Abroad

Post by Workable Goblin » Tue Nov 26, 2019 7:31 pm

dboeger1 wrote:
Tue Nov 26, 2019 6:59 pm
So you're saying the TOTP generation is a standard function of the account secret? See, I did not know that (which is silly of me, being a software engineer). So in theory, I could have used a TOTP implementation other than Google Authenticator, even though GA is the one Uplay suggested? Very interesting, I was not aware of that.
Yes, you can go read about it here, including a reference implementation (in Java). Everybody suggests Google Authenticator because it's easy to find and from a relatively trusted name, not because it's the only choice.
dboeger1 wrote:
Tue Nov 26, 2019 6:59 pm
I wholly disagree that updating 2FA is a slight inconvenience on getting a new device. I think it's absolutely a deal-breaker. 1) I change devices too often, and 2) the amount of work is O(number of accounts), not constant. You have to go into each of the accounts themselves to disable 2FA. It's not something you can do directly from the phone (unless there's a whole other standard for pushing that setting change from something like GA to all the supporting accounts, which would blow my mind).
You actually can do it directly from the phone in a lot of cases. Most sites will let you access a text version of the shared secret (as opposed to the usual QR code), which you can then copy into the authenticator app in place of scanning the shared secret. You still have to manually go into each site, however my experience has been that this is not actually particularly time-consuming--you can simply go through the authenticator app you have on your old phone, update each site to use the new phone, and then delete the app from the old phone. Or write them down in a notes app or something so that you can easily check each one whenever necessary (this doesn't really affect security because just knowing that someone uses 2FA for a given site doesn't give you the 2FA code).

But my experience is that with 20-30 accounts it really doesn't take that long to deactivate and reactivate each one. Maybe an hour or two, comparable with the time you'll have to spend to redownload all your apps, sign into all of them, fiddle with settings to get everything the way you like it, and so on and so forth. And it's not like it's something you'll have to do every day, every week, every month, or even every year, so the impact is reduced even further.
dboeger1 wrote:
Tue Nov 26, 2019 6:59 pm
You then have to securely store the recovery codes, which again, is not necessarily something people are going to want to do late at night checking into a hotel in some foreign country when their card gets declined and they just need to log into their bank to figure out why.
So don't do that? Why are you waiting until you are "checking into a hotel" "late at night" to make sure that everything still works? Why didn't you do that when you got the phone in the first place?
dboeger1 wrote:
Tue Nov 26, 2019 6:59 pm
Maybe I just don't get it. Maybe I'm behind the times. Maybe I'm not a typical person. But I feel like tying authentication so intimately to what are practically throwaway devices nowadays which are easily pickpocketed isn't inherently any more secure than some of the other methods, such as sending a code to an email address.
It is in fact significantly more secure than the email message, because there's only one point of contact for man-in-the-middle attacks, i.e. no one can intercept the code as it's generated to impersonate you (hardware tokens are even more secure, but a lot of sites don't support them yet). Assuming you put halfway decent security on your phone, i.e. a decent password and biometrics, then stealing the phone is useless to anyone trying to impersonate you--and anyway, most people are actually pretty decent about securing their phone, just the way most people are pretty good at securing their wallets. And phones are hardly "throwaway"--the mean lifespan of a phone (that is, the time between getting purchased and being replaced) is nearly three years for consumer devices (as opposed to institutional ones), and it's been slowly increasing over time. Having to spend a few hours updating your authenticator once every few years is not the end of the world.
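
The point made in the reply above, that a "Google Authenticator" code is a standard function of the shared secret and the clock, shown as an added example (not part of the thread or any poster's code): a small RFC 6238 TOTP generator and server-side verifier in Python. The account label and provisioning URI are constructed; the secret is the published RFC 6238 SHA-1 test key, and all function names are illustrative.

```python
"""TOTP (RFC 6238): the code depends only on the shared secret and the
clock, not on which authenticator app holds the secret."""
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 SHA-1 test key ("12345678901234567890"),
# base32-encoded, in the provisioning-URI form a setup QR code carries.
SAMPLE_URI = ("otpauth://totp/ExampleSite:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite")


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """TOTP is HOTP with the counter set to the number of elapsed steps."""
    return hotp(key, int(unix_time) // step, digits, algo)


def decode_secret(text: str) -> bytes:
    """Decode the 'text version' of the secret as sites display it:
    base32, often lower-case, grouped with spaces, and unpadded."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore base32 padding
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Extract TOTP parameters from an otpauth:// provisioning URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("provisioning URI has no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": decode_secret(query["secret"][0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "step": int(query.get("period", ["30"])[0]),
        "algo": query.get("algorithm", ["SHA1"])[0].lower(),
    }


def verify(key: bytes, submitted: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Server side: accept a code from `window` steps either side of now,
    to tolerate clock drift. Comparison is constant-time."""
    counter = int(unix_time) // step
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(key, counter + drift, digits, algo)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def demo(now: int = 1234567890):
    """Two independent enrolments of the same secret: one from the QR-code
    URI (old phone), one typed in from the text form (new phone)."""
    old_phone = parse_otpauth(SAMPLE_URI)
    new_phone_key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    code_old = totp(old_phone["key"], now, old_phone["step"],
                    old_phone["digits"], old_phone["algo"])
    code_new = totp(new_phone_key, now)
    return code_old, code_new, verify(old_phone["key"], code_new, now)


if __name__ == "__main__":
    print(demo())
```

Because every enrolment of the same secret yields the same code, anyone holding a copy of the secret (or the setup QR code) can generate valid codes, so a stored copy needs the same protection as a password.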

dboeger1
Posts: 102
Joined: Fri Jan 13, 2017 7:32 pm

Re: Two Factor Authentication ---Living Abroad

Post by dboeger1 » Tue Nov 26, 2019 8:59 pm

Very interesting points. I guess if somebody was better about managing their authentication methods, they'd probably mitigate the risk of human error and see more of the security benefits.

I feel like this is one of those cases where security and risk mitigation are somewhat related but also distinct from each other. Again, I'm not a security expert, nor am I someone who does risk analysis for a living, but perhaps what I consider "secure" is more along the lines of "probably safe". I do know that security experts often think in terms of threat surfaces, which are the vulnerable points in a system, and threat vectors, which are the potential attacks they might want to stop. And so if they can reduce the threat surface and plug the threat vectors, then the system is "more secure". But there are many things that can go wrong in life besides someone gaining access to my account. For example, I may forget my password, not be able to transfer money when I need it, and end up asking some stranger in a bar for a ride home in a bad part of town. And for the sake of argument, let's say he beats me up and steals my wallet full of cash. Whole lot of good 2FA did me there.

In a sense, the threat vectors of life include far more than just compromising an account, and so much of modern living is tied up in the proper ongoing function and access to our accounts. Returning to my example of Uplay, I had a bunch of video games tied to that account which I spent a lot of money on. I almost lost access to all of those games because I forgot to disable 2FA before trading in my old phone (and I hadn't logged into that account in a long time, so it wasn't fresh in my mind to update it either). The potential harm of someone stealing my games is actually not something that bothers me that much, because my life doesn't depend on them in any way. On the other hand, I'd be pretty angry if I could not recover my account and play my games because I traded in a phone. You can see how life is not just a binary threat vector, but there are different levels of harm as well as probabilities in play, which would be more akin to severity levels in software security.

I wasn't suggesting that people should set their accounts up while checking into a hotel, but rather, that it's not a rare occurrence to get a card shut down or something because of a foreign transaction, and being able to log into your bank account to see what's going on vs. hoping to get someone helpful on the customer service line from the lobby can be kind of a big deal for someone traveling abroad. Likewise, let's say you're traveling on a cruise ship. I think it's fair to say your risk of dropping your phone into the ocean and not being able to authenticate without major hassle while on your severely limited WiFi plan is inherently much higher than usual.

I mean, this is really just a tradeoff between convenience and security at the end of the day. On one end, it'd be quite convenient if you could just access everything without authentication, but severely insecure. On the other, why not have 20-factor authentication? Because on some level, we have to be able to reasonably and quickly access the things that are important to our everyday lives, and just adding more and more factors can actually be counter-productive (I could hold your 20th factor hostage for ransom, and you wouldn't be able to access your accounts with the other 19).

I just don't really like the tradeoff of TOTP when compared to email codes. Sure, it's "significantly" more secure because there are no other points in the email chain where the code can get compromised. But I feel like that's just splitting hairs in terms of probability. An attacker would need to both gain my password AND be able to intercept the email, and while email has historically been relatively insecure, that's getting harder and harder to do as a significant portion of all email providers now encrypt email traffic between each other. I doubt in the grand scheme of things, the additional risk is much more than the risk of someone managing to both get my password and my phone. To me, that's a lot of binary "Yes, we blocked that" that represents a small bit of my risk profile. On the other hand, losing my phone while traveling and forgetting or accidentally deleting my recovery codes seems extraordinarily easy to do.

I'm sure it's different for different people, and my points may resonate with some more than others. Again, all I can say is that I ran into this once before without fully understanding the repercussions of my 2FA setup going into it, and almost lost a valuable account because of it. I've also never had an account stolen and try to use good password practices. I also have to help my wife, grandparents, and other family members with this stuff on a regular basis, and they're not nearly as tech-savvy as I am. That's really why I hesitate when it comes to 2FA. It may be more secure, but my mother-in-law has also been locked out of her MacBook for years because she didn't understand how Apple accounts worked. I think it's worth OP considering some of these things while traveling abroad. At the very least, they should develop a better understanding of them than I clearly have, haha.

tfb
Posts: 8194
Joined: Mon Feb 19, 2007 5:46 pm

Re: Two Factor Authentication ---Living Abroad

Post by tfb » Tue Nov 26, 2019 9:20 pm

dboeger1 wrote:
Tue Nov 26, 2019 6:59 pm
I wholly disagree that updating 2FA is a slight inconvenience on getting a new device. I think it's absolutely a deal-breaker.
If you'd like to transfer 2FA codes easily to another device, consider using Authy.
Harry Sit, taking a break from the forums.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 9:20 pm

anonsdca wrote:
Tue Nov 26, 2019 5:40 pm
Well, I am the OP and I didn't actually ask that question :D
I’m going to summon the most Boglehead response I possibly can: “well you should have asked that question!!!”

:-)
anonsdca wrote:
Tue Nov 26, 2019 5:40 pm
I will agree, this doesn't seem simple.
I actually don’t agree. I don’t think it’s that complicated. Your question was about how to deal with 2FA while living abroad; I think Google Voice is a very simple solution to your problem. Have you tried it yet?

Please don’t let the bros arguing about TOTP and OAuth and litigating this history of Hangouts vs Google Fi vs other junk that no one cares about scare you. The solution to your question is not that hard.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 9:23 pm

ivk5 wrote:
Tue Nov 26, 2019 6:46 pm
I am a non-US resident US person (citizen) with US accounts.

For various US accounts I 2FA via SMS to google voice, google Authenticator, hard token (yubikey), etc - all without issue.
OP, here is someone with real-world answers to the question you are concerned about.

Drown out all the noise in this thread and focus on the solutions to your specific problem.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Tue Nov 26, 2019 9:44 pm

ARoseByAnyOtherName wrote:
Tue Nov 26, 2019 9:23 pm
ivk5 wrote:
Tue Nov 26, 2019 6:46 pm
I am a non-US resident US person (citizen) with US accounts.

For various US accounts I 2FA via SMS to google voice, google Authenticator, hard token (yubikey), etc - all without issue.
OP, here is someone with real-world answers to the question you are concerned about.

Drown out all the noise in this thread and focus on the solutions to your specific problem.
Yes, I caught this one. I am already researching. I don't know anything about those three things but I keyed in on that being something I could take and run with.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Tue Nov 26, 2019 9:45 pm

ARoseByAnyOtherName wrote:
Tue Nov 26, 2019 9:20 pm
anonsdca wrote:
Tue Nov 26, 2019 5:40 pm
Well, I am the OP and I didn't actually ask that question :D
I’m going to summon the most Boglehead response I possibly can: “well you should have asked that question!!!”

:-)
anonsdca wrote:
Tue Nov 26, 2019 5:40 pm
I will agree, this doesn't seem simple.
I actually don’t agree. I don’t think it’s that complicated. Your question was about how to deal with 2FA while living abroad; I think Google Voice is a very simple solution to your problem. Have you tried it yet?

Please don’t let the bros arguing about TOTP and OAuth and litigating this history of Hangouts vs Google Fi vs other junk that no one cares about scare you. The solution to your question is not that hard.
Have not tried Google voice but will try it. Yes, the bros are certainly getting into the weeds, which is all interesting, but confusing a bit.

HawkeyePierce
Posts: 863
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Two Factor Authentication ---Living Abroad

Post by HawkeyePierce » Tue Nov 26, 2019 9:46 pm

T-Mobile is not an option for someone moving permanently as they do *not* support long-term roaming. After some period of time your account would likely be terminated.

theplayer11
Posts: 982
Joined: Tue Jul 22, 2014 8:55 pm

Re: Two Factor Authentication ---Living Abroad

Post by theplayer11 » Tue Nov 26, 2019 9:53 pm

I have 2FA on for my Schwab accounts and get a text when I try to log on from computer...yet I can log on from my iphone with just username and password. Is this normal? If so..then couldn't OP just use the app when abroad?

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Tue Nov 26, 2019 9:56 pm

theplayer11 wrote:
Tue Nov 26, 2019 9:53 pm
I have 2FA on for my Schwab accounts and get a text when I try to log on from computer...yet I can log on from my iphone with just username and password. Is this normal? If so..then couldn't OP just use the app when abroad?
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 10:27 pm

anonsdca wrote:
Tue Nov 26, 2019 9:56 pm
theplayer11 wrote:
Tue Nov 26, 2019 9:53 pm
I have 2FA on for my Schwab accounts and get a text when I try to log on from computer...yet I can log on from my iphone with just username and password. Is this normal? If so..then couldn't OP just use the app when abroad?
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.
With Google Voice you can log in via the web and get the SMS 2FA code. An iPhone app isn’t necessary.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 10:30 pm

anonsdca wrote:
Tue Nov 26, 2019 9:45 pm
Have not tried Google voice but will try it. Yes, the bros are certainly getting into the weeds, which is all interesting, but confusing a bit.
Forgive them as they are young Padawan who do not know the way of The User. In time they will learn that The User does not and should not care about the means, but only the result. Forgive them for they have sinned.

scottyja
Posts: 238
Joined: Tue Oct 07, 2008 1:08 pm

Re: Two Factor Authentication ---Living Abroad

Post by scottyja » Tue Nov 26, 2019 10:40 pm

anonsdca wrote:
Tue Nov 26, 2019 9:56 pm
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.
I live overseas and use the Google Voice method. It's generally successful. Some corporations will not send authorization codes to VOIP numbers. I have a Microsoft account that was locked and MS would not send a code to my Google Voice number. Fortunately they would send it to my local overseas number.

I will caution you on two things: 1) get Google Voice set up BEFORE you go overseas. You will have a very difficult time doing this outside the U.S. 2) purchase a VPN service (such as NordVPN or ExpressVPN) and use it on your computer. When connected to a U.S. VPN server, it will appear that you're located in the U.S.

ARoseByAnyOtherName
Posts: 485
Joined: Wed Apr 26, 2017 12:03 am

Re: Two Factor Authentication ---Living Abroad

Post by ARoseByAnyOtherName » Tue Nov 26, 2019 10:47 pm

scottyja wrote:
Tue Nov 26, 2019 10:40 pm
anonsdca wrote:
Tue Nov 26, 2019 9:56 pm
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.
I live overseas and use the Google Voice method. It's generally successful. Some corporations will not send authorization codes to VOIP numbers. I have a Microsoft account that was locked and MS would not send a code to my Google Voice number. Fortunately they would send it to my local overseas number.

I will caution you on two things: 1) get Google Voice set up BEFORE you go overseas. You will have a very difficult time doing this outside the U.S. 2) purchase a VPN service (such as NordVPN or ExpressVPN) and use it on your computer. When connected to a U.S. VPN server, it will appear that you're located in the U.S.
More sage advice from someone who is trying to help OP answer the original question.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Tue Nov 26, 2019 10:59 pm

scottyja wrote:
Tue Nov 26, 2019 10:40 pm
anonsdca wrote:
Tue Nov 26, 2019 9:56 pm
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.
I live overseas and use the Google Voice method. It's generally successful. Some corporations will not send authorization codes to VOIP numbers. I have a Microsoft account that was locked and MS would not send a code to my Google Voice number. Fortunately they would send it to my local overseas number.

I will caution you on two things: 1) get Google Voice set up BEFORE you go overseas. You will have a very difficult time doing this outside the U.S. 2) purchase a VPN service (such as NordVPN or ExpressVPN) and use it on your computer. When connected to a U.S. VPN server, it will appear that you're located in the U.S.
I just bought the Nord VPN 3 year plan for a great price so I have the VPN going. Just checked out Google Voice and I am less than pleased with the $20/Month, but I guess if that is what is needed, then I will have to do it. Yes, I plan to have everything online and tested before I leave.

scottyja
Posts: 238
Joined: Tue Oct 07, 2008 1:08 pm

Re: Two Factor Authentication ---Living Abroad

Post by scottyja » Tue Nov 26, 2019 11:03 pm

anonsdca wrote:
Tue Nov 26, 2019 10:59 pm
scottyja wrote:
Tue Nov 26, 2019 10:40 pm
anonsdca wrote:
Tue Nov 26, 2019 9:56 pm
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.
I live overseas and use the Google Voice method. It's generally successful. Some corporations will not send authorization codes to VOIP numbers. I have a Microsoft account that was locked and MS would not send a code to my Google Voice number. Fortunately they would send it to my local overseas number.

I will caution you on two things: 1) get Google Voice set up BEFORE you go overseas. You will have a very difficult time doing this outside the U.S. 2) purchase a VPN service (such as NordVPN or ExpressVPN) and use it on your computer. When connected to a U.S. VPN server, it will appear that you're located in the U.S.
I just bought the Nord VPN 3 year plan for a great price so I have the VPN going. Just checked out Google Voice and I am less than pleased with the $20/Month, but I guess if that is what is needed, then I will have to do it. Yes, I plan to have everything online and tested before I leave.
Google Voice should be a one-time fee of $20 to port your existing cell number over, which you'll want to do a week or two before leaving. It should not be a monthly fee. If you're only using it for 2FA, Google will assign you a Voice number for free.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Tue Nov 26, 2019 11:06 pm

scottyja wrote:
Tue Nov 26, 2019 11:03 pm
anonsdca wrote:
Tue Nov 26, 2019 10:59 pm
scottyja wrote:
Tue Nov 26, 2019 10:40 pm
anonsdca wrote:
Tue Nov 26, 2019 9:56 pm
Well, I plan to live there, forever. So, I would like to be able to sit in front of my laptop ---as I do today in the USA--- and handle all my financial affairs. I don't really do much via apps on my iPhone.
I live overseas and use the Google Voice method. It's generally successful. Some corporations will not send authorization codes to VOIP numbers. I have a Microsoft account that was locked and MS would not send a code to my Google Voice number. Fortunately they would send it to my local overseas number.

I will caution you on two things: 1) get Google Voice set up BEFORE you go overseas. You will have a very difficult time doing this outside the U.S. 2) purchase a VPN service (such as NordVPN or ExpressVPN) and use it on your computer. When connected to a U.S. VPN server, it will appear that you're located in the U.S.
I just bought the Nord VPN 3 year plan for a great price so I have the VPN going. Just checked out Google Voice and I am less than pleased with the $20/Month, but I guess if that is what is needed, then I will have to do it. Yes, I plan to have everything online and tested before I leave.
Google Voice should be a one-time fee of $20 to port your existing cell number over, which you'll want to do a week or two before leaving. It should not be a monthly fee. If you're only using it for 2FA, Google will assign you a Voice number for free.
Ah, thank you for that! Yes, I won't be using it for anything else. Great to know.

StealthRabbit
Posts: 497
Joined: Sat Jun 13, 2009 1:25 am

Re: Two Factor Authentication ---Living Abroad

Post by StealthRabbit » Tue Nov 26, 2019 11:57 pm

Living abroad and doing Two Factor Authorization, is really simple compared to my 3 locations in USA. No cell coverage, no dsl, no cable, no broadband, no satellite dishes allowed..no fiber....none coming.
Most of the world where I travel (Asia, Oceania, western Europe) has far better connectivity than much of rural USA.

2 factor Auth was a 'factor' that forced me to leave Vanguard (only passive accts remain there).

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Wed Nov 27, 2019 12:24 am

StealthRabbit wrote:
Tue Nov 26, 2019 11:57 pm
Living abroad and doing Two Factor Authorization, is really simple compared to my 3 locations in USA. No cell coverage, no dsl, no cable, no broadband, no satellite dishes allowed..no fiber....none coming.
Most of the world where I travel (Asia, Oceania, western Europe) has far better connectivity than much of rural USA.

2 factor Auth was a 'factor' that forced me to leave Vanguard (only passive accts remain there).
My concern is not with connectivity, but the fact that some financial sites are very aggressive with folks that actually live outside the USA. So aggressive in fact that they sometimes close accounts with little and short warning. I don't have any interest in using a relative's or someone's address when I leave so I am just trying to prepare to set things up in a way that my financial accounts will be safe and I can use them as I do here.

scottyja
Posts: 238
Joined: Tue Oct 07, 2008 1:08 pm

Re: Two Factor Authentication ---Living Abroad

Post by scottyja » Wed Nov 27, 2019 1:08 am

anonsdca wrote:
Wed Nov 27, 2019 12:24 am
My concern is not with connectivity, but the fact that some financial sites are very aggressive with folks that actually live outside the USA. So aggressive in fact that they sometimes close accounts with little and short warning. I don't have any interest in using a relative's or someone's address when I leave so I am just trying to prepare to set things up in a way that my financial accounts will be safe and I can use them as I do here.
Off-topic, but do you have a strategy for a physical mailing address? There are companies that will receive your mail in the US and email you scanned photos of what you receive. You choose what they forward to you overseas. I haven't used one of these services, but again, banks and financial institutions are catching on. A colleague of mine used one such service for over a year, and within the space of a month two different banks notified him that they considered his address a PO Box or a freight forwarder and would close his account unless he provided a physical address in the US. He ended up using a relative's address, which is what I do. It can be a pain, especially if your local mail system is unreliable or dishonest.

Topic Author
anonsdca
Posts: 307
Joined: Mon Jun 01, 2015 11:47 pm

Re: Two Factor Authentication ---Living Abroad

Post by anonsdca » Wed Nov 27, 2019 1:15 am

scottyja wrote:
Wed Nov 27, 2019 1:08 am
anonsdca wrote:
Wed Nov 27, 2019 12:24 am
My concern is not with connectivity, but the fact that some financial sites are very aggressive with folks that actually live outside the USA. So aggressive in fact that they sometimes close accounts with little and short warning. I don't have any interest in using a relative's or someone's address when I leave so I am just trying to prepare to set things up in a way that my financial accounts will be safe and I can use them as I do here.
Off-topic, but do you have a strategy for a physical mailing address? There are companies that will receive your mail in the US and email you scanned photos of what you receive. You choose what they forward to you overseas. I haven't used one of these services, but again, banks and financial institutions are catching on. A colleague of mine used one such service for over a year, and within the space of a month two different banks notified him that they considered his address a PO Box or a freight forwarder and would close his account unless he provided a physical address in the US. He ended up using a relative's address, which is what I do. It can be a pain, especially if your local mail system is unreliable or dishonest.
Scott, I have a spreadsheet now of the mail forwarding services that I am evaluating (services & fees) and I began researching those a while back. There are several that look like they would work, but just like you, I have been reading/hearing lately that the financial institutions are catching on to those as well. Even those with a "physical address" are now somehow being detected and shut down. It is worrisome to say the least. Moving abroad is a bit scary with FACTA which is the cause of all of this, especially if you just want to pull up stakes and move. As I mentioned, I am really not interested in using some relative's address or something like that. I am going to experiment with a mail service in approx. 6 months. I want to see that in action while I am still in the USA also.

CFM300
Posts: 1645
Joined: Sat Oct 27, 2007 5:13 am

Re: Two Factor Authentication ---Living Abroad

Post by CFM300 » Wed Nov 27, 2019 1:27 am

dboeger1 wrote:
Tue Nov 26, 2019 6:59 pm
I wholly disagree that updating 2FA is a slight inconvenience on getting a new device. I think it's absolutely a deal-breaker.
I share some of your concerns about the hassle factor if your phone is lost or stolen, so I've taken two steps.

1. I saved copies of the QR codes for each of the accounts I loaded into Google Authenticator. These are stored in a VeraCrypt vault.

2. Whenever I added an account to GA on my primary phone, I added the same account to GA on an old phone.

If I lose my primary phone, I can use my old phone to get into all of my accounts, and when I buy a new phone, I can use the saved QR codes to reload accounts into GA on my new phone.

kramer
Posts: 1732
Joined: Wed Feb 21, 2007 2:28 am
Location: Philippines

Re: Two Factor Authentication ---Living Abroad

Post by kramer » Wed Nov 27, 2019 1:42 am

I have used a Skype phone number for this for years. However, I would say it only works for about 1 out of 3 financial institutions, the rest detect that it's a VOIP number and the text never shows up. So in those other cases, I have it call me at my Skype number and the robot calls me and verbally gives me the access code.

Then, starting a few months ago, one of my financial institutions started failing with calling, also (the call just never came). So I mentioned this to them and I had to go through a process whereby they put some kind of indicator on my account that lets me use email for 2FA. I had to send them a copy of my passport (electronically) and maybe some other things, I can't remember.

I also have Google Fi now, which gives me a permanent US number. But I don't have a short term plan to switch my financial institutions to that phone number because when I am in my country of residence (Philippines), I pause the Google Fi service since I have a permanent local sim card there already. So when it is paused (maybe half the year), I wouldn't be able to receive texts or calls at that number.
