Protecting Your Internet Accounts Keeps Getting Easier. Here’s How to Do It.

Mar 27, 2019 · 125 comments
Dheep' (Midgard)
Blows my mind that anyone would use their phone for banking. Easy - Yes. Smart - No
Marcus (Buffalo, NY)
Let's see how this works for moi: Instagram: never used it. Facebook: never used it. Gmail: never used it. Twitter: never used it. Guess I'm all set now. Thanks.
Stephen (Upperville, VA)
These instructions are incorrect: "On Gmail.com, go to your account settings and click “security.” Click 2-Step Verification, and then click Add Google Prompt." The correct path is as follows: Gmail > Settings > Accounts and Import > Change account settings > Other Google Account settings > Security
Molly (Chicago)
Another simple approach is to set your browser to forget all your passwords and history when you close it. It actually makes it easier to remember them, and if someone takes your device, they don't have the keys to your kingdom!
Matt (Central CT)
From inside the tech bubble where Mr. Chen is issuing his dispatch, 2FA looks like a simple, straightforward solution. From outside, it’s a tightrope walk where one wobble leads to hours of recovery. I’m dealing with it by using a password manager (1Password) that has a built-in authenticator. When I log into a 2FA site—with my long-string-of-garbage password that I could never personally remember—the password manager copies the current 2FA key to the clipboard. When the prompt comes up, I press Command-V and go. It works across all my devices. BUT: it still feels like a deceptively fragile system that is designed to make me feel as though my account is safe, while the backend systems are quietly and constantly being attacked. Security Theatre.
Stephen Fisher (Toronto)
What I don’t get is if someone steals my phone they can use it to log into my accounts because even though Apple has created these incredibly complex passwords, they are automatically inserted and then the thief receives the six digit code and enters it. How is this helping me?
Margaret Mitchell (Maryland)
@Stephen Fisher You can disable password autofill (and should), you can report a stolen smartphone and have it disabled, and there are options for making logging into a smartphone more secure. There is no such thing as absolute security, just layers that make it more difficult for nefarious folks.
Matt (Central CT)
@Stephen Fisher It's not. If your iPhone is capable of Touch ID or Face ID, you should have it enabled. You should set up the phone password to be longer than the default 4 digits (for most people a 7-digit string of numbers is easily memorized but more complex for a simple cracking algorithm to break). And, you should make sure that your iPhone closes and locks at a short interval—within 1 minute of when you stop using it—and simultaneously when you push the standby button. If you are receiving 2FA codes via text you should make sure that texts do NOT display on the screen when the phone is locked.
Bob (New York)
Two-factor authentication is great if you consider your phone a body organ and carry it with you at all times. Otherwise, it's a terrifically annoying bother. That's why fewer than 10% of people have signed up for it. Time for the tech community to come up with a better solution.
David Liebtag (Chester, Vermont)
If I understand correctly, all of these two factor identification techniques require a cell phone. I don't have reliable cell phone service at my home. What can I do to secure my access?
N (Somwhere)
A lot of commenters here complain about losing cell phones, thereby locking them out of their accounts. And as some have mentioned, tying 2 factor authentication to your phone number is weak security (although better than just passwords alone), since the phone number can be spoofed or ported to a new phone in possession of a fraudster. Banks should be at the forefront of promoting 2 factor authentication using a security key device that plugs into the USB port of your computer. The device should fit on your keychain. The device should work using public key cryptography instead of generating a one-time code, which itself can be stolen and used quickly in a "man in the middle" attack. As far as losing the device, if it's on your keychain you wouldn't lose it any more often than you lose your keychain with your housekeys and car keys. No security solution is perfect, but it's better and more secure than using a phone for one-time codes and certainly better than using passwords only. IMO, banks especially should more aggressively promote 2 factor authentication using security keys, instead of taking a laid-back attitude about it.
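The distinction N draws, between a one-time code that can be relayed and a security key that signs a challenge bound to the site, is easy to show in code. The following is an added example written for this page, not anything from the article or the commenters: it implements the RFC 6238 time-based code that authenticator apps produce, shows that a code captured by a look-alike page is still accepted by the real site seconds later, and then models the public-key approach with an ECDSA signature over the server's challenge plus the origin the browser reports. The origins (`https://bank.example`, `https://bank-login.example`) are constructed, and the secret is the RFC 6238 test-vector secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// totp computes an RFC 6238 time-based code: HMAC-SHA1 over the 30-second
// step counter, dynamically truncated to 6 digits, as authenticator apps do.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP accepts the current step and one step either side, as servers
// do to tolerate clock drift. Nothing ties the code to where it was typed.
func verifyTOTP(secret []byte, code string, unixTime int64) bool {
	for skew := int64(-30); skew <= 30; skew += 30 {
		if hmac.Equal([]byte(totp(secret, unixTime+skew)), []byte(code)) {
			return true
		}
	}
	return false
}

// phishedCodeReplays models the relay: the user types a live code into a
// look-alike page and the attacker submits it to the real site 10 s later.
func phishedCodeReplays(secret []byte, now int64) bool {
	captured := totp(secret, now)
	return verifyTOTP(secret, captured, now+10)
}

// digestFor binds the server's random challenge to an origin string; hex
// encoding the challenge keeps the concatenation unambiguous.
func digestFor(challenge []byte, origin string) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%s", challenge, origin)))
}

// signChallenge is the security key's side: it signs challenge+origin with a
// private key that never leaves the device. The origin comes from the
// browser, not from the (possibly malicious) web page.
func signChallenge(priv *ecdsa.PrivateKey, challenge []byte, origin string) ([]byte, error) {
	d := digestFor(challenge, origin)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// verifyChallenge is the server's side: it recomputes the digest with its own
// origin, so a signature made for a look-alike origin does not verify.
func verifyChallenge(pub *ecdsa.PublicKey, challenge []byte, origin string, sig []byte) bool {
	d := digestFor(challenge, origin)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// phishedSignatureFails runs a real login and a relayed login against the
// real origin and returns (legitimate accepted, relayed accepted).
func phishedSignatureFails() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, false, err
	}
	const realOrigin = "https://bank.example"       // constructed origin
	const fakeOrigin = "https://bank-login.example" // constructed look-alike
	good, err := signChallenge(priv, challenge, realOrigin)
	if err != nil {
		return false, false, err
	}
	// The fake page relays the bank's challenge, but the browser reports the
	// fake page's origin to the key, so that is what gets signed.
	bad, err := signChallenge(priv, challenge, fakeOrigin)
	if err != nil {
		return false, false, err
	}
	return verifyChallenge(&priv.PublicKey, challenge, realOrigin, good),
		verifyChallenge(&priv.PublicKey, challenge, realOrigin, bad), nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	fmt.Println("TOTP at t=59:", totp(secret, 59))
	fmt.Println("phished TOTP still accepted:", phishedCodeReplays(secret, 59))
	ok, relayed, err := phishedSignatureFails()
	fmt.Println("real signature accepted:", ok, "relayed accepted:", relayed, err)
}
```

The TOTP half shows why a code alone is replayable: the server has no way to tell whether the person typing it was on the real page. The signature half shows the property a security key adds: because the browser, not the page, tells the key which origin it is talking to, a relayed challenge produces a signature the real site cannot verify.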
William (Minnesota)
Banks and most major financial institutions refuse to acknowledge cyber theft for fear of losing market share, investor backlash or admitting anything less than roses. Banks are not solutions but enablers. The less transparent they become, the more attractive the target. Insurance and/or tax loss benefits enable this house of cards even further.
Allison (Forest Hills, NY)
I can't stand two factor. My Apple devices want me to use it and I somehow keep thwarting this, though not sure how long that will last. The issue? I travel internationally. I don't have access to my phone when I travel. I don't have access to my desktop computer when I travel. I take an iPad and infrequently use it for things like email and so I can keep up with news, for example. Without multiple devices it is fully impossible for me to two factor anything. How is this something that wasn't thought of with this invention? Oh wait, someone who stays home glued to their phone invented it. Two factor was a good theory but in practice it doesn't work for many. Also, it has been shown that someone can remotely be watching you and have access to your text messages. They are able to tell your bank that you need access and intercept the two factor code before you know anything is happening and clean you out. Happens in under a minute.
William (Minnesota)
Buy a cheap Chromebook when traveling outside the US. It is a wi-fi only device. No operating system. Accessing through anyone’s wi-fi system is just asking for trouble. Use one-time email addresses. Stay off your phone unless absolutely necessary. Or bring a burner just for the trip.
MEH (Ontario)
Better idea... just say no to all of these
Wayne Fuller (Concord, NH)
I have several problems with the two-factor authentication method. First, I worry that my battery could run down. Second, I also fear that I could drop my phone. It could break and while it's being repaired I would not have access to important accounts like my bank. Third, there's always the prospect that my phone will get misplaced or stolen and I won't be able to access my accounts. Fourth, it's not only myself that needs to access accounts. My wife does too. She does not have a smart phone and often she can't get texts in a timely manner. Fifth, most accounts only have you supply one number for texting. So does my wife or children have to run and get my phone to access the account if they want to order something on Amazon? Two-factor authentication sounds good on paper but it has problems and that's why many people don't use it.
NK (NYC)
For those of us without smart phones that accept texts or don't have mobile phones at all, is there an alternative?
KCF (Bangkok)
The NYT needs to do a better job at soliciting and/or publishing articles about cybersecurity. Using a mobile phone as a base for your two-factor authentication is so weak that it's essentially not worth the effort to set up and use. Our phone numbers were never meant to be a uniquely identifying series of numbers. And given the difficulty in transiting international borders, even if the phone number was some sort of SSN alternative, it's just a lazy way of not using a security key. A physical security key like Google's Titan is the single most effective way a 'regular' person can secure their accounts. But, like nearly every article I read on this subject, the author always poo-poos this nearly infallible method as being difficult and cumbersome. Security keys like the Titan have been around since the late 1990s. And like most things that actually work for the purposes they were intended, they do cost money. A person's phone number can be spoofed by a novice hacker in a matter of minutes, so I don't think you have to be 'extra paranoid' to want to avoid this. And if you can carry around a phone that's the size of a paperback book, I don't see how a tiny security key is going to break your back. FYI, since introducing Titan to its workforce, Google has reported that those accounts secured with the key have never been hacked.
PAN (NC)
What's the deal with these unaccountable multi-billion dollar high tech companies? Facebook uses an insecure format to store the passwords of billions of users? Boeing uses defective software to cover up a defective aircraft design? What's the world coming to? Two factor authentication should be obligatory for pop ups that want to download an update onto your PC. Too many of them look suspicious. And why do financial institutions still send e-mails encouraging you to click on a link - one of the most dangerous actions one can do on a PC or mobile device? Indeed, it's a simple matter to install and run evil-ware in the background that intercepts the second factor code along with your password, then uses your browser as a proxy to get into your account before you do. And our commander in chief is building walls with billions he is pilfering from the military, conning us into believing that will make us safer. Using a mobile phone of any type is risky regardless of whether you are for two factor authentication - if you are for a two state solution and/or support BDS, NSO will come after you and compromise your device to the highest bidder and two factor security will no longer be secure.
William (Minnesota)
Simple: selling products. The thin veneer of safety is good enough for the FAANGs. In another article I pointed out that beta testing new electronic technologies was a lengthy process in the 1980s at the dawn of the microchip revolution. Now the beta testing is done by the end user. Like all those people who died in two airplane crashes.
Bill Wallace (Melbourne)
Two factor doesn’t protect you against Google and Facebook themselves!
Rachel (Indianapolis)
2FA saved my Yahoo account from being used. I was asked four times one morning if I was trying to access my account. I knew that email address was listed as being on the "dark web." I have used it for 16 years so no surprise it's been compromised. I was thankful for the 2FA even though it is a hassle.
Sarina (Vermont)
I live in a rural spot with no cell service. Two factor authentication has unintentionally locked me out of accounts so many times that my blood pressure jumps each time I see these words.
Anne-Marie Hislop (Chicago)
I have had two step authentication on some financial accounts for a few years. It is the simple 'receive a code by text' method. It works fine, but I also never, ever try to access such accounts away from home and will not do anything financial on an open wifi or with 4G. Not linking my cell to my financial accounts is also important to me. It is too risky to carry around a device in my pocket with such connections. Still, if I lose it, I'm blocked out until I get a new one because of the 2-step authentication. I'm simply not worried enough about my Facebook account to add additional security. I keep a complicated password and change all my passwords about every 6-8 weeks.
Bob the builder (California)
I completely agree, yet I think they're one people have the urge to because everyone else is doing it.
Bob the builder (California)
All internet accounts don't just mean Gmail, Microsoft, etc. Actually, did you know that Instagram and Facebook, and basically any account that requires or asks for your mail address, phone number or even asks you to type in where you live, will be for sure on the internet? These apps now have access to all of this different information. Also when you are "following" someone, for example on Instagram, they have access to posting your video on YouTube or your picture on the internet. As soon as some other random person "follows" you, or even if you follow someone else, they have access to pictures or videos that you took. Even some random person that lives in a totally different country than you and doesn't even follow you has access to your account, and you have access to theirs even if you don't know it or know that their account existed, because you are able to look their accounts up. It's so amazing that humans could invent such talented devices, but you need to be aware and use them in the right way.
Yeet it (Texas)
Yes. I just deleted my Instagram account after reading Bob the builder 's post. You are so right!! Thank you!!😁👍
Sue Racanelli (East Montpelier, VT)
I set up the two-step authentication for my google account with verification to my cell phone and everything worked well for a long time. Last year, on a trip to New York, I lost my cell phone (google pixel). That's when I learned that setting up the two-step authentication was not a smart decision. Why? Because authentication was tied to my cell phone -- which I did not have and could not find or retrieve. When I tried to find the location of my phone using google on a new computer, I could not. No phone, no access. I tried to access my email. Could not. No phone, no access. Tried to access my online bank account. Could not. No phone, no access. It took more than five days before I was able to access information in New York and locate my phone which had not been turned in. So, although I knew where my phone was (Washington DC), according to the police there was nothing that could be done. Since then I have not activated two-step authentication.
Craig H. (California)
@Sue Racanelli - If you use Google Authenticator, in addition to the service offering time-based auth codes which change every few minutes, you are also offered one-time keys which you can print out or otherwise save. These can be used one time each. You could put some in a safety deposit box, and some in your wallet. You could even keep some in a password-encrypted document that you make public on the web, which you could get to quickly even if your wallet and cellphone and safety deposit box keys were stolen (assuming you weren't in the ICU or dead).
Arthur Korn (Mountain View, CA)
Honestly I'm pretty shocked at the insecure authentication my bank uses. Just username and password. And then they forced me to set up silly, easily guessable "security questions" that just seem an invitation to circumvent everything. And no 2 factor authentication, chip card, nothing. Apparently most US banks have such a pitiful level of security, is that true? My very first online banking experience with a local bank in Switzerland in the late nineties used username, password and OTP (lists of codes on paper that had to be used one after the other, each exactly once). I changed banks after I moved a few years later and got a chip card with a pocket-calculator-style reader for username, password and chip card authentication (challenge-response protocol with PIN for the card). This was in ca. 2004! Then I moved to the US and here I am in 2019 and my bank doesn't have any 2 factor authentication!
astrogerbil (Atlantic cruise)
@Arthur Korn I have yet to give a true answer to any security question. It's always a second password. Why anyone would give a true answer to one of these questions is beyond me.
SR (Bronx, NY)
"And then they forced me to set up silly easily guessable "security questions" that just seem an invitation to circumvent everything." If you actually supply the *right* answers as the ones for your security questions, instead of using lies that only you would know, you are doing it wrong. If your bank fact-checks your answers, THEY are doing it wrong and you need to RUN from that bank!
Steve J (Mello Park CA)
Brian X Chen, on a related security matter, securing your financial accounts: Last year my BofA savings account was somehow discovered by some hacker who then used it to transfer $25,002 to some religious organization (ttb.org) via Paypal using an automated transaction (pulling money from my account via the ABA # and my account #). I was lucky in that I happened to log into my Bank Account and see the transfer in progress. BofA claimed that they couldn't stop it so I had to make numerous calls to Paypal to stop the transaction. It took 8 days to get the money back into my account, at which point I closed all my BofA accounts and moved them to a bank that informs me of every withdrawal from my accounts.
BigI45 (USA)
@Steve J The BofA website has a system through which you get an email every time an amount over a certain limit that you set is in the process of being withdrawn from your account electronically, by check or ATM. The lead time varies, but it is worthwhile to make use of the service.
Rob (Chicago)
Here's an idea . . . no Instagram account, no Facebook account, no gmail and I've gotten along just fine without needing additional security.
AN (Austin, TX)
@Rob How does that help? A lot of people use social accounts to keep in touch with family and friends (I personally don't have such accounts). Your suggestion does not take into account the value of these accounts to people who use them. This article is not meant for you.
golf pork (seattle, wa)
ever heard of email? and really, who care if someone hacks a facebook account.
Dracus Dragonstar (Anchorage, Alaska)
@golf pork Well, let's see. Someone could use it to find out where you live. (Can kinda do that just by viewing but takes more work.) Wait until you leave for work and rob you blind. Which at that point they now have everything and by the time you find out what happened, it is too late. You will spend forever clearing it up and it will not be cheap. Your friends list can always be interesting. Mainly for those with profiles not set to public. Wash, rinse, repeat. So while I think people already post too much info on Facebook (almost no one removes the metadata of images before posting), getting access to someone else's account can be very damaging.
Rajkamal Rao (Bedford, TX)
I've been using Google Authenticator with a printed backup list of codes for years. It's easy and it works every time. Switching phones is not that hard either. Just go to Google and stop 2FA for the time it requires you to set up the new phone and then reinstall the Authenticator on your new phone. Google is smart enough to know that you're installing a new Authenticator - and you can approve it with one click, deactivating the old and activating the new. If you lose your phone and you still have access to your trusted computer, chances are that Google will not ask you for the 2FA password at all. [Google doesn't know that you lost your phone.] If you lose the phone when you're away from your trusted computer, the backup codes are handy. You print 10 of them each time and you only need one to get in and temporarily turn 2FA off. Each time you generate a new set, the old set expires. I know all of this is a pain, but it's the only way I know I can stay ahead of the bad guys. I hope.
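Craig H. and Rajkamal Rao both describe the backup codes that sit beside an authenticator app: a printed set, each code good exactly once, with the whole set expiring when a new one is generated. The following is an added example of how a server can implement those rules; it is written for this page and is not Google's code or any commenter's. It assumes the server keeps only a SHA-256 hash of each unused code (so a leaked database yields nothing usable), hands the plaintext to the user once for printing, and accepts codes with or without the printed dashes. The code format (four groups of four hex characters, 64 random bits) is my own choice.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// BackupCodes holds only SHA-256 hashes of the codes still unused, so a copy
// of the server's database does not hand out working codes. The plaintext is
// returned once, for the user to print. Constructed example, not a product.
type BackupCodes struct {
	unused map[[32]byte]bool
}

// hashCode normalises what the user types (case and printed dashes do not
// matter) and hashes it. With 64 random bits per code an unsalted hash is
// acceptable; shorter codes would need a salt and a slow hash.
func hashCode(code string) [32]byte {
	norm := strings.ToLower(strings.ReplaceAll(code, "-", ""))
	return sha256.Sum256([]byte(norm))
}

// Generate mints n fresh codes and discards any earlier set, which is the
// "old set expires" behaviour the comments describe.
func (b *BackupCodes) Generate(n int) ([]string, error) {
	b.unused = make(map[[32]byte]bool, n)
	codes := make([]string, 0, n)
	for len(codes) < n {
		var raw [8]byte
		if _, err := rand.Read(raw[:]); err != nil {
			return nil, err
		}
		h := hex.EncodeToString(raw[:])
		code := fmt.Sprintf("%s-%s-%s-%s", h[0:4], h[4:8], h[8:12], h[12:16])
		b.unused[hashCode(code)] = true
		codes = append(codes, code)
	}
	return codes, nil
}

// Redeem accepts a code exactly once; a second use, an unknown code, or a
// code from a superseded set is refused.
func (b *BackupCodes) Redeem(code string) bool {
	h := hashCode(code)
	if b.unused[h] {
		delete(b.unused, h)
		return true
	}
	return false
}

// Remaining tells the user when it is time to print a new sheet.
func (b *BackupCodes) Remaining() int { return len(b.unused) }

func main() {
	var bc BackupCodes
	codes, err := bc.Generate(10)
	if err != nil {
		panic(err)
	}
	fmt.Println("print and keep these:", codes)
	fmt.Println("first use:", bc.Redeem(codes[0]), "second use:", bc.Redeem(codes[0]))
	fmt.Println("remaining:", bc.Remaining())
	codes2, _ := bc.Generate(10)
	fmt.Println("old code after regenerating:", bc.Redeem(codes[1]), "new code:", bc.Redeem(codes2[0]))
}
```

The single-use check is what makes a printed sheet safe to carry: a code someone glimpses over your shoulder is worthless once you have used it, and regenerating the sheet (as Rajkamal Rao does after each loss) invalidates every code on the old one.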
Bob Stromberg (Round Lake, NY)
@Rajkamal Rao Thank you for this idea. I'll try it. Reminds me that establishing good habits early can really pay off!
Daniel Kauffman ✅ (Tysons, Virginia)
Wow. What a great opportunity to create something that’s better than further complicating already disparate log-in procedures. Systems of proprietary ownership over products and services require a little regulatory tweaking once in a while. This is one of those places.
Moe (Def)
My Vanguard Group account uses this procedure whenever it doesn’t recognize my computers. Or when I haven’t used one in a while with them. Very secure procedure, and not a big hassle either.
golf pork (seattle, wa)
It's great for Vanguard, but I would never do this or give this info to a social account. No Way!!
wagtail (vermont)
@Moe One little problem. Vanguard will not send the code by email, as many banks, &c, do. Therefore, if the user does not possess a cell phone able to receive text, you are now locked out of your own accounts. 2-factor used to be optional with Vanguard, but they have recently made it mandatory.
Thomas (Switzerland)
@wagtail Email is about the most insecure channel of communication, so it would make no sense at all to send codes to your email account when a hacker might have already taken control of it in trying to siphon your Vanguard accounts.
Alan (Seattle, WA)
The optimal practical solution at this point is to use a password manager, secured with an authenticator or 2FA hardware device. Then you enable 2FA on all sites that provide it. Then you change your password on every site to some random garbage and store it in your password manager. That way, you only need to log into your password manager once, then allow it to log you into your accounts. If a site gets hacked, only your account on that site is compromised. Not all your accounts that may have been using the same username/password. iOS allows the user to pick a different password manager other than the default, and it's pretty seamless in the interface. Clicking on login fields will bring it up and will autofill it for you.
Nick
@Alan best password manager out there?
Patmos (USA)
OK, we set up two-factor (text 6-digit number) authentication with Vanguard a while back and were satisfied with it. Now we're going to move out of the US and it turns out that Vanguard can't do two-factor text authentication overseas, so as expats we're going to have to go back to the password only system. Granted, phones/text can be problematical internationally, but email authentication works fine for Amazon, so why isn't it more generally accepted?
Michael Klump (Peoria, IL)
FYI Facebook / Instagram were known to use your 2 factor phone number to target you with ads.
Alan (Seattle, WA)
I would recommend a Yubikey over the Google Titan. The Yubikey is manufactured in the United States and Sweden, versus China for the Google Titan. Given the hardware backdoors that have been found in Chinese manufactured routers, having a device made in-country gives me added peace of mind. Always buy at least two keys; if you lose one of them, use the backup to get into your accounts. You can deactivate the lost key, then buy a new key and register it to each account. Sadly, banks and finance have not been current in using hardware 2FA to secure user accounts...
polymath (British Columbia)
I don't trust communications without a human on the other end, and that is why I will not do business with Google. Regardless of how serious the various problems I encountered with Google software were, at no juncture would the company permit me to speak with a human being to try to resolve it.
David K. GREENWALD (Paris)
Nothing is easy, least of all technology. I can only hope that you are trying to encourage users that it could be with a little effort. There's the age factor. It's hard to teach old dogs new tricks. While the young ones are sometimes only interested in doing, rather than in learning. There is always a trade-off between convenience and something else, often security. Most users are squarely on the convenience part of that scale. This was brought home to me when I worked on the launch of Sony video products. There was always one thing I checked when going to a friend's home for the first time. And there it inevitably was. That continual blinking "00:00" on their VCR, meaning that the user hadn't either figured out or bothered to set the clock. And without that, they couldn't possibly program any recordings. While for us, it seemed like a simple enough task. The average user showed us that it was anything but.
Cooofnj (New Jersey)
With all due respect, I resent this. I’m almost 61 years old. I have to teach people 40 years younger than me the basics of security. I am far from perfect (I’m a scientist not a tech person) but I have had 2 factor authentication for years. I use a password vault with generated passwords and a killer ridiculous password for the vault. I back up (cloud and hard) regularly. I have better computer hygiene skills than 100% of the people I know. Age is not the issue.
Matthew Jungwirth (Minnesota)
With people’s online presences, especially on Facebook and Instagram, more in depth than ever, these two-factor authentication methods for these websites are a must have for anyone with "skin in the game." It provides extra security like the author said but is relatively easy to use. I recommend this 10/10 times to my family and friends, and furthermore I recommend it to you.
ClutchCargo (Nags Head, NC)
While I agree it is better to use the additional layer of security beyond passwords that two-factor authorization (2FA) offers, the writer and his readers should be aware that 2FA is *not* rock-solid secure. It can be and has been defeated by bad guys, because there are techniques bad guys can use to gain control of your cell phone number or your email without your knowledge. See for example: https://www.pandasecurity.com/mediacenter/security/two-factor-authentication/
NYC Native (USA)
In the Apple Store, Google Authenticator has a 2.6-star rating and some truly awful reviews. If even half is true... stay away. Authy has a 4.6-star rating. I am all in on 2FA, but did the author just check the Android versions or also iOS?
Brian T (Niles)
The issue with the Google Authenticator app is that you can’t back up the accounts that have 2FA implemented. So if you switch phones or it dies, then you have a pain in trying to recover accounts. The LastPass password manager or the Authy app allows you to back up.
JH (NC)
Better yet, don’t put anything private in your Google mail and never click links in messages. Then delete your Instagram, Facebook, and Twitter accounts and never waste another second thinking about them.
Cooofnj (New Jersey)
I agree. The only social media I have is LinkedIn because I have to have it. Don’t ask for trouble.
pdp (Seattle)
I am increasingly weary of tech writers like Brian X. Chen claiming something "sounds simple" or "easier," when it's anything but. Yes, for you uber-geeks who are literally paid to keep up with this stuff for your profession, setting up two-factor authentication may be "simple," but for most of your readers, what you're describing sounds--and is--incredibly convoluted. I recently got my 82-year-old mother set up on iCloud, Apple's online e-mail, calendar, and backup service. As far as I could tell, it requires two-factor authentication with a cell phone that can receive a text. Well, my mother (along with a quarter of seniors, according to Pew Research) doesn't have a cell phone. I have read that it's possible to set up a non-cell-phone text service, but the complexity of that becomes mind-boggling for someone like my mom. Mr. Chen would do well just to acknowledge that for most mere mortals, tech has become much, much too complicated.
Robert (Tampa Bay area, FL)
Jet airliners have become too complicated to fly.
David Gregory (Sunbelt)
@pdp Apple's 2-factor authentication works with Macs, iPhones, iPod Touches, iPads, and iPhones. You need not have a cell phone for the system they use. https://support.apple.com/en-us/HT204915
Peter (Australia)
“According to Google, fewer than 10 percent of its users have signed up for two-factor authentication to protect their Google accounts” FACEPALM a gesture in which the palm of one's hand is brought to one's face as an expression of dismay, exasperation, embarrassment, etc..
Annie (Pittsburgh)
“It sounds cumbersome.” It IS cumbersome. And when there's any kind of problem, it gets even more cumbersome, sometimes leaving you without access to an important account for an extended period of time.
znlgznlg (New York)
What if two of us need access to the bank account? How do we tell the bank to send the text to which of us? There is no easy option.
Robert (Tampa Bay area, FL)
Do what my wife and I do; pretend we are one or the other. Only the keyboard knows for sure. It's only complicated when neither one of you trusts the other.
Tara (MI)
The idea is a nerd's fantasy. The notion that it should take two different operations on 2 separate devices to access 1 account, each time you access, is preposterous. Of course nobody's going to do it. It's like taking out your horse so you can ride to where your car is parked. Worth doing-- but only if a 'danger' flag has been waved due to uncommon use patterns.
Robert (Tampa Bay area, FL)
This "but-Mom-it's-too-hard!" excuse is silly. Logging-in one day to find your checking account drained makes it worth the time to receive a number on your phone to input at the login. It's only six numbers and it is not necessary to input your PIN for your phone. Those numbers pop right on top of your screen for immediate use and good for a few minutes. Honestly, a bunch of you here sound like helpless millennials.
JC (Southeast US)
Yeah, I've used 2FA for years at work (remember SecurID circa 2002 or so?) and other 2FA methods like Google Auth, txt messages, etc. The problem arises when the second part of the 2FA suddenly isn't available. Got off a flight one time, turned my phone on and it says "Welcome, let's set up your new phone". So, no Google Auth, no txt, no email. Hmmmm, how do you login to email if it expects to use Google Auth which is tied to your specific phone? Spent 4 hours at the "genius" bar, can't restore any of my backups to that or a new phone, so I had to re-create everything from scratch. Lessons learned: if you use 2FA, have an alternate way if the primary 2FA isn't available, perhaps printed codes or a second email or txt number (Google voice perhaps). Also, test your phone backups occasionally, or delete and clean up periodically.
Robert (Tampa Bay area, FL)
There is usually an option to NOT use the code precisely for this kind of scenario.
Henry Lieberman (Cambridge, MA)
With all the praise for 2-factor authentication, remember its most important downside: It makes things more complicated. This isn't just a matter of tolerating inconvenience. It's the fact that every time you add additional steps, things can go wrong (you haven't got your phone; no reception; battery dead; you mistype; etc. etc.). Then it's "your fault". Overall, it decreases reliability and user-friendliness of computer systems. There's a nonzero but very small chance you'll get broken into, but being routinely denied access to your own stuff and wasting time is a certainty. When I first saw 2FA, I thought, "Jeez, when will it stop? Three factors? Four?". I just saw my first paper recommending three factors :-(. "Educating" users to acquiesce to more and more complex security procedures is unsustainable. The primary concern of security professionals isn't just to keep users safe -- It's to deflect blame for break-ins away from the professionals and onto users. It's time to hold the security establishment responsible for simplifying the lives of users. Henry Lieberman, Research Scientist, MIT Computer Science and AI Lab
Robert (Tampa Bay area, FL)
Wow. It ain't that hard for my 70 yr. old brain. I think I'm ready for MIT. Where do I tell my Dad to send the bribe money?
Dan McSweeney (New York)
@Henry Lieberman With the greatest respect for someone who’s scored a research science job at MIT, to say that the primary concern of security pros is “to deflect blame for break-ins away from the professionals and onto users” is absurd. That sure isn’t the reason I’m transitioning into a cybersecurity career. And how on earth is it the security establishment’s responsibility to simplify the lives of users? Um, I’d have said their responsibility was to help alert and protect people and companies from the increasingly widespread, callous, and sophisticated nature of cyberattacks today.
Cooofnj (New Jersey)
And maybe the people who can’t manage these simple functions shouldn’t be doing them. This is NOT a comment on “smarts”. My brother, the smartest guy I know, doesn’t trust systems. Won’t use an ATM card. Does everything in person. Can run rings around you in his use of apps on his phone. He cannot and will not be the person for these systems. So for the next 20-30 years we will need dual systems before society transforms. It’s ok.
Big Mike (Newmarket, Ont.)
There are several fatal flaws to this process, many of which affect seniors. First, there is the assumption that everyone has a smart phone and that they text. Many seniors don't. Second, many seniors still use the more secure land line; of course there is no option for texting. I doubt whether the 10% user penetration rate will increase quickly enough to justify the capital expenditures. Third, people are hassled enough these days to have such an ill-thought-through process as this.
Bob Stromberg (Round Lake, NY)
@Big Mike "...there is the assumption that everyone has a smart phone and that they text" 1) SMS works with flip phone as well as smart phones. 2) You don't need to text (to initiate text messages) to read a code sent to you via SMS. Also, because of security weaknesses in SMS (see https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls) I prefer to receive voice calls. Voice calls can be received on a landline. The problem then is that you have to be at home, with your phone handy, to log in. That's an annoyance but it is less of a problem than losing access to your email/bank/investment/medical/SSA account.
wagtail (vermont)
@Bob Stromberg "Voice calls can be received on a landline." is all well and good for some, but does not help with the barriers Vanguard has erected if, as in my case, there are 3 landline numbers, many miles apart, among which I circulate. Vanguard, inscrutably, does not permit one to register more than 1 number.
Bob Stromberg (Round Lake, NY)
@wagtail Thank you for pointing out the difficulties of your situation. Mind-boggling, isn't it? One of the issues is convincing a computer somewhere in the interwebs that you ARE you and not someone else.
A. Stanton (Dallas, TX)
I don't use Facebook, Twitter or Instagram because I don't know what they or apps are and have no desire to learn. My telephone is attached to the wall of my bedroom with a copper wire. I keep all of my important papers in a Macanudo cigar box that is watched over by the good dog in the picture here. Our house here is deep in the woods and surrounded by trees. Are we safe?
wagtail (vermont)
@A. Stanton No, but you're well ahead of the pack.
werf (abq)
The Titan security key bundle mentioned in this article has been out of stock on the Google web site for well over a month. Unknown if/when it will be returning.
Plennie Wingo (Weinfelden, Switzerland)
Best to use a burner phone for 2FA - don't use your personal one. The bad guys can social engineer it to be switched over and get access to your accounts.
Alan (Seattle, WA)
@Plennie Wingo Using any phone for 2FA is just a bad idea. Unfortunately, sometimes phone 2FA is the only option. Using an authenticator or a hardware device for 2FA is leaps and bounds better. A hacker can't port these things to another device, like phone numbers.
Bob Stromberg (Round Lake, NY)
@Alan Right! Call your cell phone provider and ask them how to secure your account against "SIM-swapping." Take those steps.
J111111 (Toronto)
Don't hold your breath waiting for me to give my phone number to any of these hungry megalodons. The Authy app at least looks interesting, since my Google identity is only a nonsense Gmail address and might not compromise identity - but I'm not willing to have Google aggregate anything about the credit card bearing "real me". If a trustworthy independent entity set up a similar service, I might bite.
Alan (Seattle, WA)
@J111111 Phone numbers are not secure. Authy/MS Authenticator/Google Authenticator/etc. and hardware based solutions are far better 2FA options when they are available.
scrumble (Chicago)
Why not an email verification rather than a text message, if the user so prefers?
Candie (Maryland)
As not everyone is tethered to their phones 24/7 (too, not everyone has access to personal cell phones during work hours), the option to send verification to email might be a boon to getting people to use 2FA...
Robert (Tampa Bay area, FL)
There is always a choice to have it sent to your phone or to your email.
wagtail (vermont)
@scrumble Why not indeed, but Vanguard does not permit it.
Maryellen (Old Saybrook Ct)
Two-factor authentication sent me alerts that someone in Boston was trying to use my account every time I used my gmail account on my MacBook Pro in Old Saybrook CT. So I don't use it. In addition, Verizon uses alerts to someone using your password as a prompt for you to worry, call Verizon, and get a sales pitch. In reality, no-one was trying to use my password.
Lee (where)
All of these accounts, aside possibly from online banking and gmail, can be controlled very easily. Don't use them. I have none of the social media accounts, and live a pretty happy life. Securely.
pollyb1 (san francisco)
@Lee I agree! I only carry my cell phone when I'm in the car or out of town. At home, I use a landline and love the answering machine for screening calls.
Bob Stromberg (Round Lake, NY)
@Lee How about your accounts at SSA.gov and irs.gov? Does your state have an online account with your name on it? Who has access to those accounts if you do not?
Me (wherever)
As has already been said, my reason for not giving them my phone number is not because it "sounds cumbersome" but because then they have that too and when they get hacked, the hackers now have it; the assumption is that we should trust these companies to protect our information, which we can't, but many of these companies SELL our information and the last thing I want is more robocalls and text ads on my phone. I'd be fine with having to stick in a thumb drive with an ID on it because a thumb drive can't be hacked until it is plugged into the computer and its use does not give up private information or allow for personal invasion, but that option is not frequently offered - in fact, every method mentioned in this article involves a phone and giving up a phone number. Nope. Indeed, the examples given are all related to social media, a curious bias that ignores the number of entities that have our social security numbers, bank account numbers, credit accounts, health and other private information. Keep yourself safe by not using social media, or if you must, be very selective in whom you allow access, don't click on everything, be skeptical, don't give up information freely without thinking.
Alan (Seattle, WA)
@Me It's ridiculous that hardware (or at least authenticator) 2FA isn't supported by a lot of banks. That's the one thing that I would imagine people would want locked down...
PNK (PNW)
What happens to two factor authentication if you lose your phone, or it stops working?
S.G. (Portland, OR)
@PNK Google asks you for a backup phone number to set up. So if your phone is lost or broken, which could be a major security issue in itself, you can set it up so Google uses your husband's phone or whoever you want.
Annie (Pittsburgh)
@S.G. - Yeah, more complexity. Wonderful. My phone conks out for some reason, my husband's out of town with his phone--so what do I do now?
Bob Stromberg (Round Lake, NY)
@S.G. Plus, you can use one-time use codes. Print them out, or write them down, keep them in a secure (or obscure) place, and use them to recover your account. Like changing a tire, do this once when you don't absolutely need it. Always work from a secure device. Using Windows? Try not to, but at least check that it has had a recent full system scan with updated antivirus, and use a free supplement like ADWCleaner (now owned by Malwarebytes) to scan the system and clean it. Scan again after a reboot. Windows is a maintenance nightmare, but at least there are lots of tools around to make vigorous attempts to clean it. Check out bleepingcomputer.com (honest!).
Ray Edgerton (Suburban Phila.)
What is the point of trying to lock the "front door" when the "back door" that is supposedly protected by the vendors or sites continues to have major breaches?
Bob Stromberg (Round Lake, NY)
@Ray Edgerton You lock every door, and every window, you can. 2FA makes those passwords stolen in data breaches next to useless.
Justin K (Brooklyn)
This works great where 2FA is available, but isn't a silver bullet. This past weekend someone got a hold of a password I used on a few different sites (yes, that's my fault, and I now have a password manager as of yesterday) via a recent data breach. They logged into my Chipotle and Hulu accounts and rang up charges on both. With so many sites and apps not offering a second factor, it's pretty hard to keep things totally secure. I feel like it would be reasonable to mandate that any company that stores your credit card or other personal information, also offer multi-factor authentication.
Jennifer (Palm Harbor)
Sorry, I just don't want to give them my cell phone number. That only gives them even more information about me that I don't want them to have. Hackers know how to break through all this security while I don't.
Alan (Seattle, WA)
@Jennifer There have been cases where a victim's cell phone number was ported to a new device, allowing the hacker to intercept the 2FA code from the text message. Cell phone 2FA is false security. I only use it when no other option is available, because it is somewhat better than no 2FA at all...
Joe Caridi (Gainesville, Florida)
A problem I have seen with phone or specifically phone number based security is that a phone number is not tied to you exclusively, nor forever. Phone numbers get re-assigned if you ever change your number or don't pay your bill. I gave my son a new phone and he was being inundated with Facebook notifications from the previous owner of the number. The only recourse I had was to take over the previous owner's Facebook account and remove the number from this account directly. Not exactly a kosher solution. A more evil person could have done some serious social media damage.
Alan (Seattle, WA)
@Joe Caridi Phone number based 2FA is not a safe solution. Victims have had their phone numbers ported to other devices, allowing hackers to capture the 2FA code. It's only marginally safer than no 2FA at all.
Paul (Portland, Oregon)
There’s a much simpler security solution for the apps you use as examples: don’t use them.
Elwood (Center Valley, Pennsylvania)
My solution to this problem is both elegant and simple. Don't have Facebook, Twitter, or similar accounts. This will give you ample time to conduct your important business and reduce stress.
Annie (Pittsburgh)
@Elwood - They are not the only ones with 2FA.
SR (Bronx, NY)
As an added bonus, you won't help the loser or his party-cult with your attention or data, which prevents you from being gaslighted or sold to C'Analytica or successors.
we Tp (oakland)
The problem is you have to do this for every site. The article could have stated this clearly, but chose not to. The article also failed to point out that taking over the phone disrupts all the 2FA schemes that rely on apps. The spouse or friend takes it physically (while unlocked), and the thief convinces phone company tech support to switch the SIM card id. Google and Facebook do permit other apps to use their logins and they could have been the default authentication providers so you only needed one second key, but they have shown themselves to be so unreliable and averse to users that people actively avoid signing in with them. Password providers like LastPass have shown themselves hackable, and focus more on extending corporate IT's reach into private phones than on consumer privacy. This problem was technically solved in the 1990s with proposals for government-run two-factor authorization, but of course that threatened user retention and was violently opposed on libertarian grounds. The reason 2FA is not the norm is because it doesn't work for tech companies. It is, however, the recommendation for the technical elite.
Yul (NYC)
I travel a lot overseas. One of my US banks has just set up such two-factor authentication and I do not like it. I need to have my US phone with me and active, incurring heavy roaming cost. In several countries text messages never reach me, and I need to opt for "call me"... These security practices are very "domestic life" minded. Is there any practical and convenient global solution available?
Bob R (Portland)
@Yul "One of my US banks has just set up such two-factor authentication and I do not like it." One of my banks kept notifying me that 2-factor authentication was coming soon, and I should sign up. I didn't, and so far it hasn't become mandatory.
G.S. (Dutchess County)
@Yul Use a physical security key.
Sutter (Sacramento)
@Yul Switch to Google Fi. The cost is reasonable worldwide.
ECW (Forreston, IL)
I have two-step verification on all my accounts - where it's available. It works really well, assuming you have a smartphone. Without a smartphone, it's a bit more challenging to get the codes but can still be done. I recommend it to everyone.
John Wesley (Baltimore MD)
What nytimes reader doesn't have a smart phone?
Gazbo Fernandez (Tel Aviv, IL)
@John Wesley I don't. Flip phone. Never had a problem. No hacking. Texting and calling is simple. It's rather inexpensive and takes good photos.
Triumph69 (PG County, MD)
@John Wesley I've never had a smart phone. $25/mo. for a flip phone. If you work on a computer all day you don't need a smart phone.
Katharine (Hong Kong)
What happens if a user encounters a problem with two-factor authentication? Are there reachable humans who can help people regain access to their accounts? I was locked out of my gmail account several years back after signing up for two-factor authentication, and at that time I discovered how difficult it was to be a puny user looking for help from a faceless corporation called Google. This is why I won't willingly sign up for two-factor authentication again, from any provider. I'll adapt when it's forced on me, but for now, it just seems to be a way of inviting complexity into my life.
Bob R (Portland)
@Katharine "Are there reachable humans who can help people regain access to their accounts?" Do you believe in miracles?
Alan (Seattle, WA)
@Katharine Depending on the company, they can disable 2FA on your account to allow you access again if you lose your authenticator code or hardware 2FA device. Often, they will ask for all sorts of identification paperwork before making the request to do that...
Bob Stromberg (Round Lake, NY)
@Katharine You'd need to "recover" your account using "another method." For example, a second phone number. Or, set up one-time-use passcodes and record them in a secure, accessible, obscure place. Gee, now where did I put that little slip of paper and which account does it belong to? It ain't easy. And if some young person says some computer tech is "intuitive" I ask them, "What's your plan if you lose your phone?"