Would you choose text or email for two-factor authentication?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
goonie
Posts: 750
Joined: Fri May 31, 2013 7:33 pm

Would you choose text or email for two-factor authentication?

Post by goonie »

When dealing with companies that are behind the times by not offering app or key based 2FA, would you choose to receive your authentication codes via text or email?

The two articles linked below indicate that email is slightly more secure than text. Do you agree? I would most likely be using a gmail account that is already set up to use Google's app based method of 2FA.

https://lifehacker.com/which-form-of-tw ... 1784769336

http://blog.tcitechs.com/blog/two-facto ... ion-safest
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Liberty1100
Posts: 260
Joined: Fri Nov 21, 2014 11:36 am
Contact:

Re: Would you choose text or email for two-factor authentication?

Post by Liberty1100 »

I have been selecting text as I have an Apple Watch. It makes it really easy to type in the code without having to switch pages or tabs on the phone or computer.
User avatar
oldcomputerguy
Moderator
Posts: 17932
Joined: Sun Nov 22, 2015 5:50 am
Location: Tennessee

Re: Would you choose text or email for two-factor authentication?

Post by oldcomputerguy »

Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
User avatar
Toons
Posts: 14467
Joined: Fri Nov 21, 2008 9:20 am
Location: Hills of Tennessee

Re: Would you choose text or email for two-factor authentication?

Post by Toons »

Text for my 2 factors.
✋
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
User avatar
Artful Dodger
Posts: 1952
Joined: Thu Oct 20, 2016 12:56 pm

Re: Would you choose text or email for two-factor authentication?

Post by Artful Dodger »

Well, now I know that messages must contain at least 5 characters. :o

TEXT
Cheyenne
Posts: 548
Joined: Sun Jun 14, 2015 6:46 am

Re: Would you choose text or email for two-factor authentication?

Post by Cheyenne »

I have 2FA texts sent to a dedicated Google Voice number that is tied to a dedicated Gmail address and I read it on my computer. Also, I log in to the dedicated Gmail account with Google Authenticator on my phone.
Topic Author
goonie
Posts: 750
Joined: Fri May 31, 2013 7:33 pm

Re: Would you choose text or email for two-factor authentication?

Post by goonie »

Cheyenne wrote: Mon Jun 11, 2018 11:29 am I have 2FA texts sent to a dedicated Google Voice number that is tied to a dedicated Gmail address and I read it on my computer.
That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Would you choose text or email for two-factor authentication?

Post by Northern Flicker »

JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.

If the only choices for 2FA are email and text, suggestion would be to login from a device that has antivirus software on it and is not the phone where you will receive a 2FA text.
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

jalbert wrote: Mon Jun 11, 2018 12:00 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
This isn't just my wallet. It's an organizer, a memory and an old friend.
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Would you choose text or email for two-factor authentication?

Post by jebmke »

I use text. I don't want the codes arriving on the same machine I am using for logging in (my desktop).
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: Would you choose text or email for two-factor authentication?

Post by mptfan »

oldcomputerguy wrote: Mon Jun 11, 2018 11:23 am Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
What are the benefits of having a Gmail account used exclusively for financial data? How is that more secure than using your primary Gmail account assuming it is protected by 2FA via Google Authenticator?
Jablean
Posts: 872
Joined: Sat Jun 02, 2018 2:38 pm

Re: Would you choose text or email for two-factor authentication?

Post by Jablean »

Used to be email, now it's text because when it's usually asking for two factor is when I'm traveling and using a tablet or somebody else's computer. Also if you need it because your computer is in the shop, you may not have great access to email. I still use desktop Outlook although I know how to get most of my multiple emails online also.
User avatar
dm200
Posts: 23214
Joined: Mon Feb 26, 2007 1:21 pm
Location: Washington DC area

Re: Would you choose text or email for two-factor authentication?

Post by dm200 »

I tend to use text
keinodoggy
Posts: 77
Joined: Tue Jan 23, 2018 12:16 pm

Re: Would you choose text or email for two-factor authentication?

Post by keinodoggy »

For Gmail, Google Authenticator. Too bad other companies are not using a similar app. So otherwise by text.
User avatar
dm200
Posts: 23214
Joined: Mon Feb 26, 2007 1:21 pm
Location: Washington DC area

Re: Would you choose text or email for two-factor authentication?

Post by dm200 »

dm200 wrote: Mon Jun 11, 2018 2:01 pm I tend to use text
If the authentication code is a short, simple "number" - test is good. However, occasionally these codes are long and not simple - such as I90!xO0qp_ and then I want to copy and paste
ccieemeritus
Posts: 714
Joined: Thu Mar 06, 2014 9:43 pm

Re: Would you choose text or email for two-factor authentication?

Post by ccieemeritus »

Text. I agree with the people who don’t want the code on the same device they are logging in with. I also consider access to my email to be less secure than access to my phone.

Bank of America and Schwab let me choose from 2 phones: mine and DW. I like that feature.
hilink73
Posts: 588
Joined: Tue Sep 20, 2016 3:29 pm

Re: Would you choose text or email for two-factor authentication?

Post by hilink73 »

JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safe guard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Cheyenne
Posts: 548
Joined: Sun Jun 14, 2015 6:46 am

Re: Would you choose text or email for two-factor authentication?

Post by Cheyenne »

That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
Yes, because people have been having their cell phones compromised by "social hackers" who convince cell phone store personnel that they are you and that you (they) have lost your phone and need a new SIM. Then they put the SIM in their phone and change the password. Now they own your cell phone account and receive 2FA, etc. It has happened. Port outs have also happened this way. Because of this I know T-Mobile, for example, requires their customers to submit a special "port out" code. This is a unique code of 8 or more digits used only for porting.
User avatar
oldcomputerguy
Moderator
Posts: 17932
Joined: Sun Nov 22, 2015 5:50 am
Location: Tennessee

Re: Would you choose text or email for two-factor authentication?

Post by oldcomputerguy »

mptfan wrote: Mon Jun 11, 2018 1:39 pm
oldcomputerguy wrote: Mon Jun 11, 2018 11:23 am Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
What are the benefits of having a Gmail account used exclusively for financial data? How is that more secure than using your primary Gmail account assuming it is protected by 2FA via Google Authenticator?
I only have one Gmail account. My primary email account is hosted by GoDaddy, and they don't offer 2FA for that account.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
drwtsn32
Posts: 127
Joined: Wed Dec 31, 2014 11:28 am

Re: Would you choose text or email for two-factor authentication?

Post by drwtsn32 »

Neither. Texts and emails can be intercepted.

Time-based 2FA is best because nothing is transmitted to you at the time of logon. The shared secret for time-based 2FA is transmitted only once over HTTPS (ensuring privacy and authenticity) when you are doing the initial setup.
User avatar
oldcomputerguy
Moderator
Posts: 17932
Joined: Sun Nov 22, 2015 5:50 am
Location: Tennessee

Re: Would you choose text or email for two-factor authentication?

Post by oldcomputerguy »

drwtsn32 wrote: Mon Jun 11, 2018 2:39 pm Neither. Texts and emails can be intercepted.

Time-based 2FA is best because nothing is transmitted to you at the time of logon. The shared secret for time-based 2FA is transmitted only once over HTTPS (ensuring privacy and authenticity) when you are doing the initial setup.
It certainly is best in my opinion. However, not everyone offers such at this point, so we must make do with what we have.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

hilink73 wrote: Mon Jun 11, 2018 2:31 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safe guard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
This isn't just my wallet. It's an organizer, a memory and an old friend.
User avatar
dwickenh
Posts: 2304
Joined: Sun Jan 04, 2015 8:45 pm
Location: Hills of Eastern Tennessee

Re: Would you choose text or email for two-factor authentication?

Post by dwickenh »

text!!
The market is the most efficient mechanism anywhere in the world for transferring wealth from impatient people to patient people.” | — Warren Buffett
DetroitRick
Posts: 1488
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: Would you choose text or email for two-factor authentication?

Post by DetroitRick »

My preference is text over email 100%. In a practical sense, as opposed to theoretical, it's safe enough for me when combined with the other measures I take. I just don't look at email more than a few times a day, so.... I also have a port out pin with my carrier to prevent my number from being ported to another sim without my permission (which could facilitate texts getting intercepted by another device).
User avatar
StevieG72
Posts: 2214
Joined: Wed Feb 05, 2014 8:00 pm

Re: Would you choose text or email for two-factor authentication?

Post by StevieG72 »

I wish Vangaurd would allow key based 2FA to be selected as the only option for log in. Key based log in is basically useless with Vangaurd since you can still log in without the key!

I like the security setting to allow log in only from recognized devices. I have managed to lock myself out twice by clearing cookies, but a quick phone call got me back in.

I use text for 2FA, along with log in from only recognized devices.
Fools think their own way is right, but the wise listen to others.
User avatar
lthenderson
Posts: 8525
Joined: Tue Feb 21, 2012 11:43 am
Location: Iowa

Re: Would you choose text or email for two-factor authentication?

Post by lthenderson »

I use text simply because I can't remember all those digits long enough to click between tabs on a computer and key them in. I suppose one could still check email on the phone while typing on computer so you didn't have to click between tabs but that requires opening up an app, searching for email, clicking it and expanding it large enough so I can see the numbers. With the text, it automatically pops up at the top of my phone screen and is big enough for me to easily read.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Would you choose text or email for two-factor authentication?

Post by Northern Flicker »

JoeRetire wrote: Mon Jun 11, 2018 1:17 pm
jalbert wrote: Mon Jun 11, 2018 12:00 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

jalbert wrote: Mon Jun 11, 2018 3:50 pm
JoeRetire wrote: Mon Jun 11, 2018 1:17 pm
jalbert wrote: Mon Jun 11, 2018 12:00 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Topic Author
goonie
Posts: 750
Joined: Fri May 31, 2013 7:33 pm

Re: Would you choose text or email for two-factor authentication?

Post by goonie »

Cheyenne wrote: Mon Jun 11, 2018 2:34 pm
That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
Yes, because people have been having their cell phones compromised by "social hackers" who convince cell phone store personnel that they are you and that you (they) have lost your phone and need a new SIM. Then they put the SIM in their phone and change the password. Now they own your cell phone account and receive 2FA, etc. It has happened. Port outs have also happened this way. Because of this I know T-Mobile, for example, requires their customers to submit a special "port out" code. This is a unique code of 8 or more digits used only for porting.
Good to know, thanks.

I did read that some people have had issues with their Google Voice not receiving all automated 2FA texts.
Topic Author
goonie
Posts: 750
Joined: Fri May 31, 2013 7:33 pm

Re: Would you choose text or email for two-factor authentication?

Post by goonie »

OP here. So I think I'm going with email over text. My understanding is that Gmail with Google Authenticator 2FA is more secure than SMS texts. Based on some reading, it sounds like SMS can easily be hacked a few different ways (and they don't all involve someone just social engineering your wireless carrier into giving a new SIM under your account).

I'll add that I don't really understand the reasoning that I've seen from a few in this thread that text is more secure because you get that on your phone, which is a separate device from the laptop/desktop that you're using to log in. That would seem to only be an issue if you don't have a smartphone and can't get email on your phone.

If I'm wrong with any of that, please correct me. And as far as convenience goes, email is just as convenient for me as text. I have a smartphone and use it for email (among many other things).

Thanks all for the feedback and conversation.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Would you choose text or email for two-factor authentication?

Post by Northern Flicker »

JoeRetire wrote: Mon Jun 11, 2018 4:00 pm
jalbert wrote: Mon Jun 11, 2018 3:50 pm
JoeRetire wrote: Mon Jun 11, 2018 1:17 pm
jalbert wrote: Mon Jun 11, 2018 12:00 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.
Then why are you suggesting what risks the OP should care about?
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Would you choose text or email for two-factor authentication?

Post by 2015 »

oldcomputerguy wrote: Mon Jun 11, 2018 11:23 am Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
J295
Posts: 3401
Joined: Sun Jan 01, 2012 10:40 pm

Re: Would you choose text or email for two-factor authentication?

Post by J295 »

Text.
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

jalbert wrote: Mon Jun 11, 2018 5:49 pm
JoeRetire wrote: Mon Jun 11, 2018 4:00 pm
jalbert wrote: Mon Jun 11, 2018 3:50 pm
JoeRetire wrote: Mon Jun 11, 2018 1:17 pm
jalbert wrote: Mon Jun 11, 2018 12:00 pm
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.
Then why are you suggesting what risks the OP should care about?
I never suggested anything at all about risks the OP should care about. I simply answered the question that was asked. Go back and check.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Cheyenne
Posts: 548
Joined: Sun Jun 14, 2015 6:46 am

Re: Would you choose text or email for two-factor authentication?

Post by Cheyenne »

I did read that some people have had issues with their Google Voice not receiving all automated 2FA texts.
Thanks for the heads-up. I'll keep an eye out for that one.
hilink73
Posts: 588
Joined: Tue Sep 20, 2016 3:29 pm

Re: Would you choose text or email for two-factor authentication?

Post by hilink73 »

JoeRetire wrote: Mon Jun 11, 2018 2:55 pm
hilink73 wrote: Mon Jun 11, 2018 2:31 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safe guard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
Speaking from an IT security professionals perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

hilink73 wrote: Tue Jun 12, 2018 12:39 pm
JoeRetire wrote: Mon Jun 11, 2018 2:55 pm
hilink73 wrote: Mon Jun 11, 2018 2:31 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safe guard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
Speaking from an IT security professionals perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.
Okay. I guess I'm not one of your customers, but no matter. We each choose what we worry about and what we don't.

As an IT security professional, I'm sure you understand the difference between a hacked account password and a hacked device. I may not have control over one, but I do have control over the other.

Maybe you should provide an answer to the OP?
This isn't just my wallet. It's an organizer, a memory and an old friend.
User avatar
kramer
Posts: 1953
Joined: Wed Feb 21, 2007 1:28 am
Location: World Traveler

Re: Would you choose text or email for two-factor authentication?

Post by kramer »

For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?

I spend up to several months each year abroad and normally use a local sim card in my destination country ... so I can't receive texts at my regular cellphone number. The actual phone number I have registered with financial services is my US Skype number which can receive calls whatever my location but no texts.

All my "text" communication in real life among friends is via IP Apps like WhatsApp and Facebook Messenger, we never use texts (texting seems to still be popular in the US, however)
hilink73
Posts: 588
Joined: Tue Sep 20, 2016 3:29 pm

Re: Would you choose text or email for two-factor authentication?

Post by hilink73 »

JoeRetire wrote: Tue Jun 12, 2018 1:11 pm
hilink73 wrote: Tue Jun 12, 2018 12:39 pm
JoeRetire wrote: Mon Jun 11, 2018 2:55 pm
hilink73 wrote: Mon Jun 11, 2018 2:31 pm
JoeRetire wrote: Mon Jun 11, 2018 11:15 am If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safe guard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
Speaking from an IT security professionals perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.
Okay. I guess I'm not one of your customers, but no matter. We each choose what we worry about and what we don't.

As an IT security professional, I'm sure you understand the difference between a hacked account password and a hacked device. I may not have control over one, but I do have control over the other.

Maybe you should provide an answer to the OP?
Well, you do understand that, if you have account passwords on hacked devices, these should be considered hacked as well?
Not sure of what control you are speaking because being hacked is the opposite of being in control.

To the OP:
It depends. NIST considers authentication via text messages as unsafe, but as long as the second factor is separate from the first (logon) device, this should still be acceptable.
Mind, that it is not too difficult to hack the GSM network to reroute text messages, which could be an attack vector in more high quality attacks.
VaR
Posts: 760
Joined: Sat Dec 05, 2015 10:27 pm

Re: Would you choose text or email for two-factor authentication?

Post by VaR »

I usually choose text, though I know it's not entirely secure.

I've just been trained to believe that for email, the delivery mechanism itself, SMTP (right?), is insecure. Is text messaging equally insecure?

Also, I do worry about the security of text messaging with iMessage integration.
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire »

hilink73 wrote: Tue Jun 12, 2018 1:29 pm Well, you do understand that, if you have account passwords on hacked devices, these should be considered hacked as well?
Not sure of what control you are speaking because being hacked is the opposite of being in control.
Ugh. Let's try one more time and see if we gain a common understanding...

You seemed to suggest that a hacked account password implies a hacked device. I tried to explain that these are two different things. My account password at your site may have been hacked - that doesn't mean that my device is hacked.

Having both a hacked account password as well as a hacked device is something you are imagining. The first doesn't imply the second.
This isn't just my wallet. It's an organizer, a memory and an old friend.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: Would you choose text or email for two-factor authentication?

Post by mptfan »

2015 wrote: Mon Jun 11, 2018 6:09 pm
oldcomputerguy wrote: Mon Jun 11, 2018 11:23 am Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
What is the benefit of a dedicated Gmail account to be used for nothing except financial data? Assuming you use your primary Gmail account with 2FA with Yubikey and Google Authenticator and recover codes as a backup, isn't that just as secure?
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Would you choose text or email for two-factor authentication?

Post by 2015 »

mptfan wrote: Tue Jun 12, 2018 5:58 pm
2015 wrote: Mon Jun 11, 2018 6:09 pm
oldcomputerguy wrote: Mon Jun 11, 2018 11:23 am Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
What is the benefit of a dedicated Gmail account to be used for nothing except financial data? Assuming you use your primary Gmail account with 2FA with Yubikey and Google Authenticator and recover codes as a backup, isn't that just as secure?
Maybe, but color me paranoid. I also never do anything remotely related to financial work on anything but a dedicated laptop, and even then only after running Wifi Guard to ensure my network is secure, and only in Bank Mode, after which I clear the history and it's as if the session never occurred.

I've been told someone who works in cloud security that even the geeks aren't as thorough as I am (all my financial information is encrypted within VeraCrypt containers), so perhaps not for everyone, but right for me.
AlohaJoe
Posts: 6609
Joined: Mon Nov 26, 2007 1:00 pm
Location: Saigon, Vietnam

Re: Would you choose text or email for two-factor authentication?

Post by AlohaJoe »

kramer wrote: Tue Jun 12, 2018 1:27 pm For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?
This is the main reason I don't like SMS 2FA and vastly prefer the "software token" approach. However a lot of banks & brokerages, especially in the US (Vanguard, Wells Fargo, Ally), only support 2FA.

I've known people who were traveling and where locked out of their banks account because they didn't have access to their 2FA.

It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once setup you can access the SMS from anywhere in the world that has an internet connection.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: Would you choose text or email for two-factor authentication?

Post by mptfan »

AlohaJoe wrote: Tue Jun 12, 2018 8:59 pm It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once setup you can access the SMS from anywhere in the world that has an internet connection.
Except you should not use Google Voice for SMS 2FA for your Google account. Think about it, let's say you forgot your Google password and you needed to get an SMS code, and it was sent to your Google Voice number...but you can't access your Google Voice number because...you don't know you password.
naha66
Posts: 198
Joined: Sun Jul 14, 2013 6:02 pm

Re: Would you choose text or email for two-factor authentication?

Post by naha66 »

kramer wrote: Tue Jun 12, 2018 1:27 pm For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?

I spend up to several months each year abroad and normally use a local sim card in my destination country ... so I can't receive texts at my regular cellphone number. The actual phone number I have registered with financial services is my US Skype number which can receive calls whatever my location but no texts.

All my "text" communication in real life among friends is via IP Apps like WhatsApp and Facebook Messenger, we never use texts (texting seems to still be popular in the US, however)
I have a T-Mobile account for a US # and it work on the Globe network here in the Philippines. I spend less than $10 a month on my t-mobile account
VaR
Posts: 760
Joined: Sat Dec 05, 2015 10:27 pm

Re: Would you choose text or email for two-factor authentication?

Post by VaR »

mptfan wrote: Tue Jun 12, 2018 10:21 pm
AlohaJoe wrote: Tue Jun 12, 2018 8:59 pm It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once setup you can access the SMS from anywhere in the world that has an internet connection.
Except you should not use Google Voice for SMS 2FA for your Google account. Think about it, let's say you forgot your Google password and you needed to get an SMS code, and it was sent to your Google Voice number...but you can't access your Google Voice number because...you don't know you password.
I'm guessing that the poster would use Google Authenticator for 2FA for their Google account, including their Google Voice account. That Google Voice account could then serve as the receiver for text message 2FA for all their other accounts.

It's a good idea, if you accept Google Voice SMS as being secure enough for 2FA.
UpperNwGuy
Posts: 9479
Joined: Sun Oct 08, 2017 7:16 pm

Re: Would you choose text or email for two-factor authentication?

Post by UpperNwGuy »

Text.
User avatar
SagaciousTraveler
Posts: 366
Joined: Thu May 03, 2018 6:05 am

Re: Would you choose text or email for two-factor authentication?

Post by SagaciousTraveler »

I use both but they both have vulnerabilities. TEXT more so with SIM Card Hijacking.

https://securityaffairs.co/wordpress/69 ... obile.html
Post Reply