Would you choose text or email for two-factor authentication?
When dealing with companies that are behind the times by not offering app or key based 2FA, would you choose to receive your authentication codes via text or email?
The two articles linked below indicate that email is slightly more secure than text. Do you agree? I would most likely be using a gmail account that is already set up to use Google's app based method of 2FA.
https://lifehacker.com/which-form-of-tw ... 1784769336
http://blog.tcitechs.com/blog/two-facto ... ion-safest
Re: Would you choose text or email for two-factor authentication?
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.
In general, I prefer not to be required to use two different devices.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
I have been selecting text as I have an Apple Watch. It makes it really easy to type in the code without having to switch pages or tabs on the phone or computer.
- oldcomputerguy
- Moderator
- Posts: 17932
- Joined: Sun Nov 22, 2015 5:50 am
- Location: Tennessee
Re: Would you choose text or email for two-factor authentication?
Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
Re: Would you choose text or email for two-factor authentication?
Text for my 2 factors.
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
- Artful Dodger
- Posts: 1952
- Joined: Thu Oct 20, 2016 12:56 pm
Re: Would you choose text or email for two-factor authentication?
Well, now I know that messages must contain at least 5 characters.
TEXT
Re: Would you choose text or email for two-factor authentication?
I have 2FA texts sent to a dedicated Google Voice number that is tied to a dedicated Gmail address and I read it on my computer. Also, I log in to the dedicated Gmail account with Google Authenticator on my phone.
Re: Would you choose text or email for two-factor authentication?
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
If the only choices for 2FA are email and text, suggestion would be to login from a device that has antivirus software on it and is not the phone where you will receive a 2FA text.
Re: Would you choose text or email for two-factor authentication?
jalbert wrote: ↑Mon Jun 11, 2018 12:00 pm
> Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
I use text. I don't want the codes arriving on the same machine I am using for logging in (my desktop).
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Re: Would you choose text or email for two-factor authentication?
oldcomputerguy wrote: ↑Mon Jun 11, 2018 11:23 am
> Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
What are the benefits of having a Gmail account used exclusively for financial data? How is that more secure than using your primary Gmail account assuming it is protected by 2FA via Google Authenticator?
Re: Would you choose text or email for two-factor authentication?
Used to be email, now it's text because when it's usually asking for two factor is when I'm traveling and using a tablet or somebody else's computer. Also if you need it because your computer is in the shop, you may not have great access to email. I still use desktop Outlook although I know how to get most of my multiple emails online also.
Re: Would you choose text or email for two-factor authentication?
I tend to use text
Re: Would you choose text or email for two-factor authentication?
For Gmail, Google Authenticator. Too bad other companies are not using a similar app. So otherwise by text.
Re: Would you choose text or email for two-factor authentication?
Text. I agree with the people who don’t want the code on the same device they are logging in with. I also consider access to my email to be less secure than access to my phone.
Bank of America and Schwab let me choose from 2 phones: mine and DW. I like that feature.
Re: Would you choose text or email for two-factor authentication?
Which is exactly what you should not do.
The second factor is a safeguard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Re: Would you choose text or email for two-factor authentication?
> That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
Yes, because people have been having their cell phones compromised by "social hackers" who convince cell phone store personnel that they are you and that you (they) have lost your phone and need a new SIM. Then they put the SIM in their phone and change the password. Now they own your cell phone account and receive 2FA, etc. It has happened. Port outs have also happened this way. Because of this I know T-Mobile, for example, requires their customers to submit a special "port out" code. This is a unique code of 8 or more digits used only for porting.
- oldcomputerguy
- Moderator
- Posts: 17932
- Joined: Sun Nov 22, 2015 5:50 am
- Location: Tennessee
Re: Would you choose text or email for two-factor authentication?
mptfan wrote: ↑Mon Jun 11, 2018 1:39 pm
> oldcomputerguy wrote: ↑Mon Jun 11, 2018 11:23 am
> > Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
> What are the benefits of having a Gmail account used exclusively for financial data? How is that more secure than using your primary Gmail account assuming it is protected by 2FA via Google Authenticator?
I only have one Gmail account. My primary email account is hosted by GoDaddy, and they don't offer 2FA for that account.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
Re: Would you choose text or email for two-factor authentication?
Neither. Texts and emails can be intercepted.
Time-based 2FA is best because nothing is transmitted to you at the time of logon. The shared secret for time-based 2FA is transmitted only once over HTTPS (ensuring privacy and authenticity) when you are doing the initial setup.
- oldcomputerguy
- Moderator
- Posts: 17932
- Joined: Sun Nov 22, 2015 5:50 am
- Location: Tennessee
Re: Would you choose text or email for two-factor authentication?
drwtsn32 wrote: ↑Mon Jun 11, 2018 2:39 pm
> Neither. Texts and emails can be intercepted.
> Time-based 2FA is best because nothing is transmitted to you at the time of logon. The shared secret for time-based 2FA is transmitted only once over HTTPS (ensuring privacy and authenticity) when you are doing the initial setup.
It certainly is best in my opinion. However, not everyone offers such at this point, so we must make do with what we have.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
Re: Would you choose text or email for two-factor authentication?
Meh. There's a difference between a hacked site account password and a hacked personal device.
Color me not worried.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
text!!
“The market is the most efficient mechanism anywhere in the world for transferring wealth from impatient people to patient people.”
— Warren Buffett
Re: Would you choose text or email for two-factor authentication?
My preference is text over email 100%. In a practical sense, as opposed to theoretical, it's safe enough for me when combined with the other measures I take. I just don't look at email more than a few times a day, so.... I also have a port out pin with my carrier to prevent my number from being ported to another sim without my permission (which could facilitate texts getting intercepted by another device).
Re: Would you choose text or email for two-factor authentication?
I wish Vanguard would allow key based 2FA to be selected as the only option for log in. Key based log in is basically useless with Vanguard since you can still log in without the key!
I like the security setting to allow log in only from recognized devices. I have managed to lock myself out twice by clearing cookies, but a quick phone call got me back in.
I use text for 2FA, along with log in from only recognized devices.
Fools think their own way is right, but the wise listen to others.
- lthenderson
- Posts: 8525
- Joined: Tue Feb 21, 2012 11:43 am
- Location: Iowa
Re: Would you choose text or email for two-factor authentication?
I use text simply because I can't remember all those digits long enough to click between tabs on a computer and key them in. I suppose one could still check email on the phone while typing on computer so you didn't have to click between tabs but that requires opening up an app, searching for email, clicking it and expanding it large enough so I can see the numbers. With the text, it automatically pops up at the top of my phone screen and is big enough for me to easily read.
Re: Would you choose text or email for two-factor authentication?
JoeRetire wrote: ↑Mon Jun 11, 2018 1:17 pm
> jalbert wrote: ↑Mon Jun 11, 2018 12:00 pm
> > Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
> I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
Re: Would you choose text or email for two-factor authentication?
jalbert wrote: ↑Mon Jun 11, 2018 3:50 pm
> JoeRetire wrote: ↑Mon Jun 11, 2018 1:17 pm
> > jalbert wrote: ↑Mon Jun 11, 2018 12:00 pm
> > > Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
> > I'm not worried about keyloggers on my devices.
> What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
Cheyenne wrote: ↑Mon Jun 11, 2018 2:34 pm
> > That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
> Yes, because people have been having their cell phones compromised by "social hackers" who convince cell phone store personnel that they are you and that you (they) have lost your phone and need a new SIM. Then they put the SIM in their phone and change the password. Now they own your cell phone account and receive 2FA, etc. It has happened. Port outs have also happened this way. Because of this I know T-Mobile, for example, requires their customers to submit a special "port out" code. This is a unique code of 8 or more digits used only for porting.
Good to know, thanks.
I did read that some people have had issues with their Google Voice not receiving all automated 2FA texts.
Re: Would you choose text or email for two-factor authentication?
OP here. So I think I'm going with email over text. My understanding is that Gmail with Google Authenticator 2FA is more secure than SMS texts. Based on some reading, it sounds like SMS can easily be hacked a few different ways (and they don't all involve someone just social engineering your wireless carrier into giving a new SIM under your account).
I'll add that I don't really understand the reasoning that I've seen from a few in this thread that text is more secure because you get that on your phone, which is a separate device from the laptop/desktop that you're using to log in. That would seem to only be an issue if you don't have a smartphone and can't get email on your phone.
If I'm wrong with any of that, please correct me. And as far as convenience goes, email is just as convenient for me as text. I have a smartphone and use it for email (among many other things).
Thanks all for the feedback and conversation.
Re: Would you choose text or email for two-factor authentication?
JoeRetire wrote: ↑Mon Jun 11, 2018 4:00 pm
> jalbert wrote: ↑Mon Jun 11, 2018 3:50 pm
> > JoeRetire wrote: ↑Mon Jun 11, 2018 1:17 pm
> > > jalbert wrote: ↑Mon Jun 11, 2018 12:00 pm
> > > > Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
> > > I'm not worried about keyloggers on my devices.
> > What risks are you trying to protect against with 2FA?
> I'm not trying to protect against any risks with 2FA. I was answering the original question.
Then why are you suggesting what risks the OP should care about?
Re: Would you choose text or email for two-factor authentication?
oldcomputerguy wrote: ↑Mon Jun 11, 2018 11:23 am
> Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
Re: Would you choose text or email for two-factor authentication?
jalbert wrote: ↑Mon Jun 11, 2018 5:49 pm
> JoeRetire wrote: ↑Mon Jun 11, 2018 4:00 pm
> > jalbert wrote: ↑Mon Jun 11, 2018 3:50 pm
> > > JoeRetire wrote: ↑Mon Jun 11, 2018 1:17 pm
> > > > jalbert wrote: ↑Mon Jun 11, 2018 12:00 pm
> > > > > Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
> > > > I'm not worried about keyloggers on my devices.
> > > What risks are you trying to protect against with 2FA?
> > I'm not trying to protect against any risks with 2FA. I was answering the original question.
> Then why are you suggesting what risks the OP should care about?
I never suggested anything at all about risks the OP should care about. I simply answered the question that was asked. Go back and check.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
> I did read that some people have had issues with their Google Voice not receiving all automated 2FA texts.
Thanks for the heads-up. I'll keep an eye out for that one.
Re: Would you choose text or email for two-factor authentication?
JoeRetire wrote: ↑Mon Jun 11, 2018 2:55 pm
> Meh. There's a difference between a hacked site account password and a hacked personal device.
> Color me not worried.
Speaking from an IT security professional's perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.
Re: Would you choose text or email for two-factor authentication?
hilink73 wrote: ↑Tue Jun 12, 2018 12:39 pm
> JoeRetire wrote: ↑Mon Jun 11, 2018 2:55 pm
> > Meh. There's a difference between a hacked site account password and a hacked personal device.
> > Color me not worried.
> Speaking from an IT security professional's perspective: you're wrong.
> That's exactly an attack scenario we're seeing against our customers.
Okay. I guess I'm not one of your customers, but no matter. We each choose what we worry about and what we don't.
As an IT security professional, I'm sure you understand the difference between a hacked account password and a hacked device. I may not have control over one, but I do have control over the other.
Maybe you should provide an answer to the OP?
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?
I spend up to several months each year abroad and normally use a local sim card in my destination country ... so I can't receive texts at my regular cellphone number. The actual phone number I have registered with financial services is my US Skype number which can receive calls whatever my location but no texts.
All my "text" communication in real life among friends is via IP Apps like WhatsApp and Facebook Messenger, we never use texts (texting seems to still be popular in the US, however)
Re: Would you choose text or email for two-factor authentication?
JoeRetire wrote: ↑Tue Jun 12, 2018 1:11 pm
> hilink73 wrote: ↑Tue Jun 12, 2018 12:39 pm
> > JoeRetire wrote: ↑Mon Jun 11, 2018 2:55 pm
> > > Meh. There's a difference between a hacked site account password and a hacked personal device.
> > > Color me not worried.
> > Speaking from an IT security professional's perspective: you're wrong.
> > That's exactly an attack scenario we're seeing against our customers.
> Okay. I guess I'm not one of your customers, but no matter. We each choose what we worry about and what we don't.
> As an IT security professional, I'm sure you understand the difference between a hacked account password and a hacked device. I may not have control over one, but I do have control over the other.
> Maybe you should provide an answer to the OP?
Well, you do understand that, if you have account passwords on hacked devices, these should be considered hacked as well?
Not sure of what control you are speaking because being hacked is the opposite of being in control.
To the OP:
It depends. NIST considers authentication via text messages as unsafe, but as long as the second factor is separate from the first (logon) device, this should still be acceptable.
Mind, that it is not too difficult to hack the GSM network to reroute text messages, which could be an attack vector in more high quality attacks.
Re: Would you choose text or email for two-factor authentication?
I usually choose text, though I know it's not entirely secure.
I've just been trained to believe that for email, the delivery mechanism itself, SMTP (right?), is insecure. Is text messaging equally insecure?
Also, I do worry about the security of text messaging with iMessage integration.
Re: Would you choose text or email for two-factor authentication?
Ugh. Let's try one more time and see if we gain a common understanding...
You seemed to suggest that a hacked account password implies a hacked device. I tried to explain that these are two different things. My account password at your site may have been hacked - that doesn't mean that my device is hacked.
Having both a hacked account password as well as a hacked device is something you are imagining. The first doesn't imply the second.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Re: Would you choose text or email for two-factor authentication?
2015 wrote: ↑Mon Jun 11, 2018 6:09 pm
> oldcomputerguy wrote: ↑Mon Jun 11, 2018 11:23 am
> > Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
> This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
What is the benefit of a dedicated Gmail account to be used for nothing except financial data? Assuming you use your primary Gmail account with 2FA with Yubikey and Google Authenticator and recover codes as a backup, isn't that just as secure?
Re: Would you choose text or email for two-factor authentication?
mptfan wrote: ↑Tue Jun 12, 2018 5:58 pm
> 2015 wrote: ↑Mon Jun 11, 2018 6:09 pm
> > oldcomputerguy wrote: ↑Mon Jun 11, 2018 11:23 am
> > > Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
> > This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
> What is the benefit of a dedicated Gmail account to be used for nothing except financial data? Assuming you use your primary Gmail account with 2FA with Yubikey and Google Authenticator and recover codes as a backup, isn't that just as secure?
Maybe, but color me paranoid. I also never do anything remotely related to financial work on anything but a dedicated laptop, and even then only after running Wifi Guard to ensure my network is secure, and only in Bank Mode, after which I clear the history and it's as if the session never occurred.
I've been told by someone who works in cloud security that even the geeks aren't as thorough as I am (all my financial information is encrypted within VeraCrypt containers), so perhaps not for everyone, but right for me.
Re: Would you choose text or email for two-factor authentication?
This is the main reason I don't like SMS 2FA and vastly prefer the "software token" approach. However a lot of banks & brokerages, especially in the US (Vanguard, Wells Fargo, Ally), only support 2FA.
I've known people who were traveling and were locked out of their banks account because they didn't have access to their 2FA.
It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once setup you can access the SMS from anywhere in the world that has an internet connection.
Re: Would you choose text or email for two-factor authentication?
Except you should not use Google Voice for SMS 2FA for your Google account. Think about it, let's say you forgot your Google password and you needed to get an SMS code, and it was sent to your Google Voice number...but you can't access your Google Voice number because...you don't know your password.
Re: Would you choose text or email for two-factor authentication?
kramer wrote: ↑Tue Jun 12, 2018 1:27 pm
> For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?
> I spend up to several months each year abroad and normally use a local sim card in my destination country ... so I can't receive texts at my regular cellphone number. The actual phone number I have registered with financial services is my US Skype number which can receive calls whatever my location but no texts.
> All my "text" communication in real life among friends is via IP Apps like WhatsApp and Facebook Messenger, we never use texts (texting seems to still be popular in the US, however)
I have a T-Mobile account for a US # and it works on the Globe network here in the Philippines. I spend less than $10 a month on my T-Mobile account.
Re: Would you choose text or email for two-factor authentication?
mptfan wrote: ↑Tue Jun 12, 2018 10:21 pm
> Except you should not use Google Voice for SMS 2FA for your Google account. Think about it, let's say you forgot your Google password and you needed to get an SMS code, and it was sent to your Google Voice number...but you can't access your Google Voice number because...you don't know your password.
I'm guessing that the poster would use Google Authenticator for 2FA for their Google account, including their Google Voice account. That Google Voice account could then serve as the receiver for text message 2FA for all their other accounts.
It's a good idea, if you accept Google Voice SMS as being secure enough for 2FA.
- SagaciousTraveler
- Posts: 366
- Joined: Thu May 03, 2018 6:05 am
Re: Would you choose text or email for two-factor authentication?
I use both but they both have vulnerabilities. TEXT more so with SIM Card Hijacking.
https://securityaffairs.co/wordpress/69 ... obile.html