Would you choose text or email for two-factor authentication?

goonie
Posts: 87
Joined: Fri May 31, 2013 7:33 pm

Would you choose text or email for two-factor authentication?

Post by goonie » Mon Jun 11, 2018 11:10 am

When dealing with companies that are behind the times by not offering app or key based 2FA, would you choose to receive your authentication codes via text or email?

The two articles linked below indicate that email is slightly more secure than text. Do you agree? I would most likely be using a gmail account that is already set up to use Google's app based method of 2FA.

https://lifehacker.com/which-form-of-tw ... 1784769336

http://blog.tcitechs.com/blog/two-facto ... ion-safest

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Mon Jun 11, 2018 11:15 am

If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.

Liberty1100
Posts: 238
Joined: Fri Nov 21, 2014 12:36 pm

Re: Would you choose text or email for two-factor authentication?

Post by Liberty1100 » Mon Jun 11, 2018 11:19 am

I have been selecting text as I have an Apple Watch. It makes it really easy to type in the code without having to switch pages or tabs on the phone or computer.

oldcomputerguy
Posts: 3334
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Would you choose text or email for two-factor authentication?

Post by oldcomputerguy » Mon Jun 11, 2018 11:23 am

Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

Toons
Posts: 12966
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Would you choose text or email for two-factor authentication?

Post by Toons » Mon Jun 11, 2018 11:25 am

Text for my 2 factors.
✋
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

Artful Dodger
Posts: 438
Joined: Thu Oct 20, 2016 12:56 pm

Re: Would you choose text or email for two-factor authentication?

Post by Artful Dodger » Mon Jun 11, 2018 11:25 am

Well, now I know that messages must contain at least 5 characters. :o

TEXT

Cheyenne
Posts: 419
Joined: Sun Jun 14, 2015 6:46 am

Re: Would you choose text or email for two-factor authentication?

Post by Cheyenne » Mon Jun 11, 2018 11:29 am

I have 2FA texts sent to a dedicated Google Voice number that is tied to a dedicated Gmail address and I read it on my computer. Also, I log in to the dedicated Gmail account with Google Authenticator on my phone.

goonie
Posts: 87
Joined: Fri May 31, 2013 7:33 pm

Re: Would you choose text or email for two-factor authentication?

Post by goonie » Mon Jun 11, 2018 11:48 am

Cheyenne wrote:
Mon Jun 11, 2018 11:29 am
I have 2FA texts sent to a dedicated Google Voice number that is tied to a dedicated Gmail address and I read it on my computer.
That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?

jalbert
Posts: 3696
Joined: Fri Apr 10, 2015 12:29 am

Re: Would you choose text or email for two-factor authentication?

Post by jalbert » Mon Jun 11, 2018 12:00 pm

JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.

If the only choices for 2FA are email and text, my suggestion would be to log in from a device that has antivirus software on it and is not the phone where you will receive a 2FA text.
Risk is not a guarantor of return.

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Mon Jun 11, 2018 1:17 pm

jalbert wrote:
Mon Jun 11, 2018 12:00 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.

jebmke
Posts: 8370
Joined: Thu Apr 05, 2007 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by jebmke » Mon Jun 11, 2018 1:32 pm

I use text. I don't want the codes arriving on the same machine I am using for logging in (my desktop).
When you discover that you are riding a dead horse, the best strategy is to dismount.

mptfan
Posts: 4669
Joined: Mon Mar 05, 2007 9:58 am

Re: Would you choose text or email for two-factor authentication?

Post by mptfan » Mon Jun 11, 2018 1:39 pm

oldcomputerguy wrote:
Mon Jun 11, 2018 11:23 am
Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
What are the benefits of having a Gmail account used exclusively for financial data? How is that more secure than using your primary Gmail account assuming it is protected by 2FA via Google Authenticator?

Jablean
Posts: 250
Joined: Sat Jun 02, 2018 2:38 pm

Re: Would you choose text or email for two-factor authentication?

Post by Jablean » Mon Jun 11, 2018 1:59 pm

Used to be email, now it's text because when it's usually asking for two factor is when I'm traveling and using a tablet or somebody else's computer. Also if you need it because your computer is in the shop, you may not have great access to email. I still use desktop Outlook although I know how to get most of my multiple emails online also.

dm200
Posts: 18401
Joined: Mon Feb 26, 2007 2:21 pm
Location: Washington DC area

Re: Would you choose text or email for two-factor authentication?

Post by dm200 » Mon Jun 11, 2018 2:01 pm

I tend to use text

keinodoggy
Posts: 66
Joined: Tue Jan 23, 2018 1:16 pm

Re: Would you choose text or email for two-factor authentication?

Post by keinodoggy » Mon Jun 11, 2018 2:03 pm

For Gmail, Google Authenticator. Too bad other companies are not using a similar app. So otherwise by text.

dm200
Posts: 18401
Joined: Mon Feb 26, 2007 2:21 pm
Location: Washington DC area

Re: Would you choose text or email for two-factor authentication?

Post by dm200 » Mon Jun 11, 2018 2:17 pm

dm200 wrote:
Mon Jun 11, 2018 2:01 pm
I tend to use text
If the authentication code is a short, simple "number" - text is good. However, occasionally these codes are long and not simple - such as I90!xO0qp_ and then I want to copy and paste

ccieemeritus
Posts: 562
Joined: Thu Mar 06, 2014 10:43 pm

Re: Would you choose text or email for two-factor authentication?

Post by ccieemeritus » Mon Jun 11, 2018 2:22 pm

Text. I agree with the people who don’t want the code on the same device they are logging in with. I also consider access to my email to be less secure than access to my phone.

Bank of America and Schwab let me choose from 2 phones: mine and DW. I like that feature.

hilink73
Posts: 280
Joined: Tue Sep 20, 2016 3:29 pm

Re: Would you choose text or email for two-factor authentication?

Post by hilink73 » Mon Jun 11, 2018 2:31 pm

JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safeguard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.

Cheyenne
Posts: 419
Joined: Sun Jun 14, 2015 6:46 am

Re: Would you choose text or email for two-factor authentication?

Post by Cheyenne » Mon Jun 11, 2018 2:34 pm

That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
Yes, because people have been having their cell phones compromised by "social hackers" who convince cell phone store personnel that they are you and that you (they) have lost your phone and need a new SIM. Then they put the SIM in their phone and change the password. Now they own your cell phone account and receive 2FA, etc. It has happened. Port outs have also happened this way. Because of this I know T-Mobile, for example, requires their customers to submit a special "port out" code. This is a unique code of 8 or more digits used only for porting.

oldcomputerguy
Posts: 3334
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Would you choose text or email for two-factor authentication?

Post by oldcomputerguy » Mon Jun 11, 2018 2:36 pm

mptfan wrote:
Mon Jun 11, 2018 1:39 pm
oldcomputerguy wrote:
Mon Jun 11, 2018 11:23 am
Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
What are the benefits of having a Gmail account used exclusively for financial data? How is that more secure than using your primary Gmail account assuming it is protected by 2FA via Google Authenticator?
I only have one Gmail account. My primary email account is hosted by GoDaddy, and they don't offer 2FA for that account.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

drwtsn32
Posts: 125
Joined: Wed Dec 31, 2014 12:28 pm

Re: Would you choose text or email for two-factor authentication?

Post by drwtsn32 » Mon Jun 11, 2018 2:39 pm

Neither. Texts and emails can be intercepted.

Time-based 2FA is best because nothing is transmitted to you at the time of logon. The shared secret for time-based 2FA is transmitted only once over HTTPS (ensuring privacy and authenticity) when you are doing the initial setup.

oldcomputerguy
Posts: 3334
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Would you choose text or email for two-factor authentication?

Post by oldcomputerguy » Mon Jun 11, 2018 2:41 pm

drwtsn32 wrote:
Mon Jun 11, 2018 2:39 pm
Neither. Texts and emails can be intercepted.

Time-based 2FA is best because nothing is transmitted to you at the time of logon. The shared secret for time-based 2FA is transmitted only once over HTTPS (ensuring privacy and authenticity) when you are doing the initial setup.
It certainly is best in my opinion. However, not everyone offers such at this point, so we must make do with what we have.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Mon Jun 11, 2018 2:55 pm

hilink73 wrote:
Mon Jun 11, 2018 2:31 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safeguard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.

dwickenh
Posts: 1350
Joined: Sun Jan 04, 2015 9:45 pm
Location: Illinois

Re: Would you choose text or email for two-factor authentication?

Post by dwickenh » Mon Jun 11, 2018 3:19 pm

text!!
“The market is the most efficient mechanism anywhere in the world for transferring wealth from impatient people to patient people.” | — Warren Buffett

DetroitRick
Posts: 586
Joined: Wed Mar 23, 2016 9:28 am

Re: Would you choose text or email for two-factor authentication?

Post by DetroitRick » Mon Jun 11, 2018 3:28 pm

My preference is text over email 100%. In a practical sense, as opposed to theoretical, it's safe enough for me when combined with the other measures I take. I just don't look at email more than a few times a day, so.... I also have a port out pin with my carrier to prevent my number from being ported to another sim without my permission (which could facilitate texts getting intercepted by another device).

StevieG72
Posts: 830
Joined: Wed Feb 05, 2014 9:00 pm

Re: Would you choose text or email for two-factor authentication?

Post by StevieG72 » Mon Jun 11, 2018 3:29 pm

I wish Vanguard would allow key based 2FA to be selected as the only option for log in. Key based log in is basically useless with Vanguard since you can still log in without the key!

I like the security setting to allow log in only from recognized devices. I have managed to lock myself out twice by clearing cookies, but a quick phone call got me back in.

I use text for 2FA, along with log in from only recognized devices.
Fools think their own way is right, but the wise listen to others.

lthenderson
Posts: 3496
Joined: Tue Feb 21, 2012 12:43 pm
Location: Iowa

Re: Would you choose text or email for two-factor authentication?

Post by lthenderson » Mon Jun 11, 2018 3:35 pm

I use text simply because I can't remember all those digits long enough to click between tabs on a computer and key them in. I suppose one could still check email on the phone while typing on computer so you didn't have to click between tabs but that requires opening up an app, searching for email, clicking it and expanding it large enough so I can see the numbers. With the text, it automatically pops up at the top of my phone screen and is big enough for me to easily read.

jalbert
Posts: 3696
Joined: Fri Apr 10, 2015 12:29 am

Re: Would you choose text or email for two-factor authentication?

Post by jalbert » Mon Jun 11, 2018 3:50 pm

JoeRetire wrote:
Mon Jun 11, 2018 1:17 pm
jalbert wrote:
Mon Jun 11, 2018 12:00 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
Risk is not a guarantor of return.

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Mon Jun 11, 2018 4:00 pm

jalbert wrote:
Mon Jun 11, 2018 3:50 pm
JoeRetire wrote:
Mon Jun 11, 2018 1:17 pm
jalbert wrote:
Mon Jun 11, 2018 12:00 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.

goonie
Posts: 87
Joined: Fri May 31, 2013 7:33 pm

Re: Would you choose text or email for two-factor authentication?

Post by goonie » Mon Jun 11, 2018 4:35 pm

Cheyenne wrote:
Mon Jun 11, 2018 2:34 pm
That's interesting. I take it that's more secure than having 2FA texts sent to a cell phone?
Yes, because people have been having their cell phones compromised by "social hackers" who convince cell phone store personnel that they are you and that you (they) have lost your phone and need a new SIM. Then they put the SIM in their phone and change the password. Now they own your cell phone account and receive 2FA, etc. It has happened. Port outs have also happened this way. Because of this I know T-Mobile, for example, requires their customers to submit a special "port out" code. This is a unique code of 8 or more digits used only for porting.
Good to know, thanks.

I did read that some people have had issues with their Google Voice not receiving all automated 2FA texts.

goonie
Posts: 87
Joined: Fri May 31, 2013 7:33 pm

Re: Would you choose text or email for two-factor authentication?

Post by goonie » Mon Jun 11, 2018 5:27 pm

OP here. So I think I'm going with email over text. My understanding is that Gmail with Google Authenticator 2FA is more secure than SMS texts. Based on some reading, it sounds like SMS can easily be hacked a few different ways (and they don't all involve someone just social engineering your wireless carrier into giving a new SIM under your account).

I'll add that I don't really understand the reasoning that I've seen from a few in this thread that text is more secure because you get that on your phone, which is a separate device from the laptop/desktop that you're using to log in. That would seem to only be an issue if you don't have a smartphone and can't get email on your phone.

If I'm wrong with any of that, please correct me. And as far as convenience goes, email is just as convenient for me as text. I have a smartphone and use it for email (among many other things).

Thanks all for the feedback and conversation.

jalbert
Posts: 3696
Joined: Fri Apr 10, 2015 12:29 am

Re: Would you choose text or email for two-factor authentication?

Post by jalbert » Mon Jun 11, 2018 5:49 pm

JoeRetire wrote:
Mon Jun 11, 2018 4:00 pm
jalbert wrote:
Mon Jun 11, 2018 3:50 pm
JoeRetire wrote:
Mon Jun 11, 2018 1:17 pm
jalbert wrote:
Mon Jun 11, 2018 12:00 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.
Then why are you suggesting what risks the OP should care about?
Risk is not a guarantor of return.

2015
Posts: 1992
Joined: Mon Feb 10, 2014 2:32 pm

Re: Would you choose text or email for two-factor authentication?

Post by 2015 » Mon Jun 11, 2018 6:09 pm

oldcomputerguy wrote:
Mon Jun 11, 2018 11:23 am
Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.

J295
Posts: 1622
Joined: Sun Jan 01, 2012 11:40 pm

Re: Would you choose text or email for two-factor authentication?

Post by J295 » Mon Jun 11, 2018 7:05 pm

Text.

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Mon Jun 11, 2018 7:05 pm

jalbert wrote:
Mon Jun 11, 2018 5:49 pm
JoeRetire wrote:
Mon Jun 11, 2018 4:00 pm
jalbert wrote:
Mon Jun 11, 2018 3:50 pm
JoeRetire wrote:
Mon Jun 11, 2018 1:17 pm
jalbert wrote:
Mon Jun 11, 2018 12:00 pm

Using two different devices is a non-trivial piece of how 2FA increases security of your authentication. If a device is compromised and a keystroke filter is capturing your password when you type it in, you don’t want the 2nd factor going to the already compromised device.
I'm not worried about keyloggers on my devices.
What risks are you trying to protect against with 2FA?
I'm not trying to protect against any risks with 2FA. I was answering the original question.
Then why are you suggesting what risks the OP should care about?
I never suggested anything at all about risks the OP should care about. I simply answered the question that was asked. Go back and check.

Cheyenne
Posts: 419
Joined: Sun Jun 14, 2015 6:46 am

Re: Would you choose text or email for two-factor authentication?

Post by Cheyenne » Mon Jun 11, 2018 7:06 pm

I did read that some people have had issues with their Google Voice not receiving all automated 2FA texts.
Thanks for the heads-up. I'll keep an eye out for that one.

hilink73
Posts: 280
Joined: Tue Sep 20, 2016 3:29 pm

Re: Would you choose text or email for two-factor authentication?

Post by hilink73 » Tue Jun 12, 2018 12:39 pm

JoeRetire wrote:
Mon Jun 11, 2018 2:55 pm
hilink73 wrote:
Mon Jun 11, 2018 2:31 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safeguard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
Speaking from an IT security professional's perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Tue Jun 12, 2018 1:11 pm

hilink73 wrote:
Tue Jun 12, 2018 12:39 pm
JoeRetire wrote:
Mon Jun 11, 2018 2:55 pm
hilink73 wrote:
Mon Jun 11, 2018 2:31 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safeguard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
Speaking from an IT security professional's perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.
Okay. I guess I'm not one of your customers, but no matter. We each choose what we worry about and what we don't.

As an IT security professional, I'm sure you understand the difference between a hacked account password and a hacked device. I may not have control over one, but I do have control over the other.

Maybe you should provide an answer to the OP?

kramer
Posts: 1631
Joined: Wed Feb 21, 2007 2:28 am
Location: Philippines

Re: Would you choose text or email for two-factor authentication?

Post by kramer » Tue Jun 12, 2018 1:27 pm

For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?

I spend up to several months each year abroad and normally use a local sim card in my destination country ... so I can't receive texts at my regular cellphone number. The actual phone number I have registered with financial services is my US Skype number which can receive calls whatever my location but no texts.

All my "text" communication in real life among friends is via IP Apps like WhatsApp and Facebook Messenger, we never use texts (texting seems to still be popular in the US, however)

hilink73
Posts: 280
Joined: Tue Sep 20, 2016 3:29 pm

Re: Would you choose text or email for two-factor authentication?

Post by hilink73 » Tue Jun 12, 2018 1:29 pm

JoeRetire wrote:
Tue Jun 12, 2018 1:11 pm
hilink73 wrote:
Tue Jun 12, 2018 12:39 pm
JoeRetire wrote:
Mon Jun 11, 2018 2:55 pm
hilink73 wrote:
Mon Jun 11, 2018 2:31 pm
JoeRetire wrote:
Mon Jun 11, 2018 11:15 am
If I typically access the site in question using my computer, I'd prefer email-based authentication.
If I typically access the site with my phone, I'd prefer a text message.

In general, I prefer not to be required to use two different devices.
Which is exactly what you should not do.

The second factor is a safeguard against a hacked account password.
When you have the second factor on the hacked device, the attacker now has access to both factors.
Meh. There's a difference between a hacked site account password and a hacked personal device.

Color me not worried.
Speaking from an IT security professional's perspective: you're wrong.
That's exactly an attack scenario we're seeing against our customers.
Okay. I guess I'm not one of your customers, but no matter. We each choose what we worry about and what we don't.

As an IT security professional, I'm sure you understand the difference between a hacked account password and a hacked device. I may not have control over one, but I do have control over the other.

Maybe you should provide an answer to the OP?
Well, you do understand that, if you have account passwords on hacked devices, these should be considered hacked as well?
Not sure of what control you are speaking because being hacked is the opposite of being in control.

To the OP:
It depends. NIST considers authentication via text messages as unsafe, but as long as the second factor is separate from the first (logon) device, this should still be acceptable.
Mind that it is not too difficult to hack the GSM network to reroute text messages, which could be an attack vector in more high quality attacks.

VaR
Posts: 585
Joined: Sat Dec 05, 2015 11:27 pm

Re: Would you choose text or email for two-factor authentication?

Post by VaR » Tue Jun 12, 2018 1:39 pm

I usually choose text, though I know it's not entirely secure.

I've just been trained to believe that for email, the delivery mechanism itself, SMTP (right?), is insecure. Is text messaging equally insecure?

Also, I do worry about the security of text messaging with iMessage integration.

JoeRetire
Posts: 1596
Joined: Tue Jan 16, 2018 2:44 pm

Re: Would you choose text or email for two-factor authentication?

Post by JoeRetire » Tue Jun 12, 2018 3:46 pm

hilink73 wrote:
Tue Jun 12, 2018 1:29 pm
Well, you do understand that, if you have account passwords on hacked devices, these should be considered hacked as well?
Not sure of what control you are speaking because being hacked is the opposite of being in control.
Ugh. Let's try one more time and see if we gain a common understanding...

You seemed to suggest that a hacked account password implies a hacked device. I tried to explain that these are two different things. My account password at your site may have been hacked - that doesn't mean that my device is hacked.

Having both a hacked account password as well as a hacked device is something you are imagining. The first doesn't imply the second.

mptfan
Posts: 4669
Joined: Mon Mar 05, 2007 9:58 am

Re: Would you choose text or email for two-factor authentication?

Post by mptfan » Tue Jun 12, 2018 5:58 pm

2015 wrote:
Mon Jun 11, 2018 6:09 pm
oldcomputerguy wrote:
Mon Jun 11, 2018 11:23 am
Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
What is the benefit of a dedicated Gmail account to be used for nothing except financial data? Assuming you use your primary Gmail account with 2FA with Yubikey and Google Authenticator and recovery codes as a backup, isn't that just as secure?

2015
Posts: 1992
Joined: Mon Feb 10, 2014 2:32 pm

Re: Would you choose text or email for two-factor authentication?

Post by 2015 » Tue Jun 12, 2018 7:41 pm

mptfan wrote:
Tue Jun 12, 2018 5:58 pm
2015 wrote:
Mon Jun 11, 2018 6:09 pm
oldcomputerguy wrote:
Mon Jun 11, 2018 11:23 am
Email. I have a Gmail account used for nothing except financial data, and that account itself uses 2FA via Google Authenticator on my iPad.
This, except my Gmail account 2FA is a Yubikey (with GA and recovery codes as backup). No recovery phone number is attached to this Gmail account.
What is the benefit of a dedicated Gmail account to be used for nothing except financial data? Assuming you use your primary Gmail account with 2FA with Yubikey and Google Authenticator and recovery codes as a backup, isn't that just as secure?
Maybe, but color me paranoid. I also never do anything remotely related to financial work on anything but a dedicated laptop, and even then only after running Wifi Guard to ensure my network is secure, and only in Bank Mode, after which I clear the history and it's as if the session never occurred.

I've been told by someone who works in cloud security that even the geeks aren't as thorough as I am (all my financial information is encrypted within VeraCrypt containers), so perhaps not for everyone, but right for me.

AlohaJoe
Posts: 3758
Joined: Mon Nov 26, 2007 2:00 pm
Location: Saigon, Vietnam

Re: Would you choose text or email for two-factor authentication?

Post by AlohaJoe » Tue Jun 12, 2018 8:59 pm

kramer wrote:
Tue Jun 12, 2018 1:27 pm
For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?
This is the main reason I don't like SMS 2FA and vastly prefer the "software token" approach. However a lot of banks & brokerages, especially in the US (Vanguard, Wells Fargo, Ally), only support 2FA.

I've known people who were traveling and were locked out of their bank accounts because they didn't have access to their 2FA.

It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once set up you can access the SMS from anywhere in the world that has an internet connection.

mptfan
Posts: 4669
Joined: Mon Mar 05, 2007 9:58 am

Re: Would you choose text or email for two-factor authentication?

Post by mptfan » Tue Jun 12, 2018 10:21 pm

AlohaJoe wrote:
Tue Jun 12, 2018 8:59 pm
It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once set up you can access the SMS from anywhere in the world that has an internet connection.
Except you should not use Google Voice for SMS 2FA for your Google account. Think about it, let's say you forgot your Google password and you needed to get an SMS code, and it was sent to your Google Voice number...but you can't access your Google Voice number because...you don't know your password.

naha66
Posts: 180
Joined: Sun Jul 14, 2013 6:02 pm

Re: Would you choose text or email for two-factor authentication?

Post by naha66 » Thu Jun 14, 2018 7:59 am

kramer wrote:
Tue Jun 12, 2018 1:27 pm
For those using texts to your cellphone, what do you do when you travel abroad? Are you effectively locked out of your accounts?

I spend up to several months each year abroad and normally use a local sim card in my destination country ... so I can't receive texts at my regular cellphone number. The actual phone number I have registered with financial services is my US Skype number which can receive calls whatever my location but no texts.

All my "text" communication in real life among friends is via IP Apps like WhatsApp and Facebook Messenger, we never use texts (texting seems to still be popular in the US, however)
I have a T-Mobile account for a US # and it works on the Globe network here in the Philippines. I spend less than $10 a month on my T-Mobile account.

VaR
Posts: 585
Joined: Sat Dec 05, 2015 11:27 pm

Re: Would you choose text or email for two-factor authentication?

Post by VaR » Thu Jun 14, 2018 10:14 am

mptfan wrote:
Tue Jun 12, 2018 10:21 pm
AlohaJoe wrote:
Tue Jun 12, 2018 8:59 pm
It was mentioned earlier in the thread -- my solution is to use Google Voice. It is easy to set up (if you already have a US phone number....) and once set up you can access the SMS from anywhere in the world that has an internet connection.
Except you should not use Google Voice for SMS 2FA for your Google account. Think about it, let's say you forgot your Google password and you needed to get an SMS code, and it was sent to your Google Voice number...but you can't access your Google Voice number because...you don't know your password.
I'm guessing that the poster would use Google Authenticator for 2FA for their Google account, including their Google Voice account. That Google Voice account could then serve as the receiver for text message 2FA for all their other accounts.

It's a good idea, if you accept Google Voice SMS as being secure enough for 2FA.

UpperNwGuy
Posts: 998
Joined: Sun Oct 08, 2017 7:16 pm

Re: Would you choose text or email for two-factor authentication?

Post by UpperNwGuy » Thu Jun 14, 2018 10:37 am

Text.

SagaciousTraveler
Posts: 123
Joined: Thu May 03, 2018 6:05 am

Re: Would you choose text or email for two-factor authentication?

Post by SagaciousTraveler » Thu Jun 14, 2018 10:45 am

I use both but they both have vulnerabilities. TEXT more so with SIM Card Hijacking.

https://securityaffairs.co/wordpress/69 ... obile.html
