Question about 2 factor authentication


Tom Crawford


From what I have read I think that when I log on using ID and Password I get a text with a passcode I then enter to complete the log in.  But what I do not understand is if I get a new passcode every time I log on or if that only occurs the first time and something is saved on that device so a texted passcode is no longer required.  Can anyone here explain this to me?


Tom,  how it exactly functions differs a little from site to site.  Generally speaking you will enter your username and password into a site to login, then it takes you to the next step which is to enter a text passcode.  The text passcode has been sent to your phone or sometimes email address that you entered when you set up the two factor authentication.  This code is randomly generated each time you login to that site/service and you must enter this new code each time.


I use two factor with several different sites.  Some of them have a "trust this device" or "trust this browser" option so you only have to enter the code the first time.  Google Apps has "trust this browser for 30 days", so every 30 days I have to re-enter my password and a new code.  Some sites don't have a "trust" option and I have to enter a new code every time. 


I like the Google app.  I have about 8 sites that use it, and a few more that text me a code.

Not to get too far afield, but there's also "duo", which is like the Google app but you don't need to enter the code.  You just press a button on the duo app that tells it to send the code.  You still need the device with the app to login, like google, but you don't need to type anything.  Duo is new and is only offered at a few places, but it's catching on.

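The "Google app" mentioned above is assumed here to be a TOTP authenticator (RFC 6238), which is how such apps produce a fresh six-digit code every 30 seconds from a shared secret without any text message. This is an added example, not code from anyone in this thread; the secret is the published RFC test-vector key, and the replay check (rejecting a code whose time step was already accepted) is my own addition.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key, used only so the
# expected codes are publicly known. A real secret is random and unique per account.
SAMPLE_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; restore any missing padding."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the Unix epoch,
    which is why the displayed code changes every 30 seconds."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, submitted: str, unix_time, last_counter: int = -1,
                step: int = 30, window: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.
    `window` tolerates clock drift of +/- one step; counters <= `last_counter`
    (the last one the server accepted and stored) are refused so a code cannot be replayed."""
    if len(submitted) != 6 or not submitted.isascii() or not submitted.isdigit():
        return None
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET)
    print("current code:", code, "accepted at step:", verify_totp(SAMPLE_SECRET, code, time.time()))
```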

A lot of them, after the 2-factor authentication save a cookie to your browser and will associate your IP address. So I have to enter the code for my bank/credit accounts on all three computers in my house but once I do it I'm fine until I clean my cache and delete cookies. 

It's annoying but also necessary in our stupid society. The password rules that are considered safe and secure are laughably inept. These security measures pushed on us are a false sense of security. Not that it matters, the most popular password is 12345678, and password (#1 & #2 respectively.)


The reusable password's time has gone.  If there's a virus on your computer that reads your password as you type it in, or a break in on the server that steals your password when you log in or from the database, then it doesn't matter how long or complex your password is.

I was recently asked what were the most important security topics for a general audience.  I said

  • Have a different password for every site, and use a password manager to "remember" them
  • Two factor
  • safe web surfing

1 hour ago, Beechwood Chip said:

The reusable password's time has gone.  If there's a virus on your computer that reads your password as you type it in, or a break in on the server that steals your password when you log in or from the database, then it doesn't matter how long or complex your password is.

I was recently asked what were the most important security topics for a general audience.  I said

  • Have a different password for every site, and use a password manager to "remember" them
  • Two factor
  • safe web surfing

Yeah for the most part I agree. Unfortunately companies are storing passwords in outdated encryption like MD5. It's been broken, gotta stop that. But if you increase the bits of entropy using four random words as your password and use PBKDF2/RSA/AES/SHA-256 then your system will be pretty safe. Of course nothing to be done if someone has keyloggers or Trojans jacking their system. 

But at least if you gain access to my password, and the database/server is secure, you probably won't gain admin rights.

One hopes?

It's a scary world and people focusing on biometric are nuts too.

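The post above contrasts storing passwords as MD5 with using PBKDF2. As an added example (not code from anyone in this thread), here is the difference in Python: an unsalted MD5 record is the same for every user with that password and can be looked up from a precomputed table, while a salted, iterated PBKDF2-HMAC-SHA256 record differs per user and is slow to guess against. The record format and iteration count are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration; it is the classic weak choice on purpose.
SAMPLE_PASSWORD = "password"

# Assumption: a work factor of this size costs a fraction of a second per verification on a
# server, which is tolerable for logins but expensive for an attacker guessing millions of times.
ITERATIONS = 600_000


def md5_record(password: str) -> str:
    """The legacy scheme: unsalted MD5. Same password, same hash, for every user and every site."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored record carries the parameters it needs,
    so the iteration count can be raised later for new records without breaking old ones."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    """Recompute from the stored salt and iterations, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("md5   :", md5_record(SAMPLE_PASSWORD))
    rec = pbkdf2_record(SAMPLE_PASSWORD)
    print("pbkdf2:", rec)
    print("verify correct:", verify_pbkdf2(rec, SAMPLE_PASSWORD), "wrong:", verify_pbkdf2(rec, "Password"))
```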

1 hour ago, socoj2 said:

It's twice as bad as you think out there. This sadly is what I get to do for a living =/

I have no doubt. I just pick up some things here and there really. It's relevant to me as a programmer, but it's also not because where I work I can't move 5 feet without using 2-factor verification that I can't control. So security is completely out of our hands. As a result though.. if some of these developers I work with went elsewhere where it was a concern - they'd be terrible.

14 hours ago, socoj2 said:

You should do this AND two factor. 

2 factor should be done on every critical site, like a banking website, primary email, etc. I personally don't bother on things like, for example, a forum about woodworking, if that were even an option.

On 1/27/2016 at 7:22 PM, Cliff said:

Unfortunately companies are storing passwords in outdated encryption like md5

Sadly, that's not the worst of it. Some places are still storing in clear text. I used a site once where the 'forgot password' link actually just emailed me back my password in clear text... I emailed them right away to complain and close my account.

The sad part is I never would have known about the complete lack of security otherwise. Examples like this are why we must use different passwords for different sites/services, and use 2-factor auth for the most critical ones.


I once bought tickets from a site and they asked if I wanted to create an account so that I wouldn't have to enter my credit card info for future purchases.  I said "no", of course.  I later received a letter from them with my account info, including my clear text password.

I called them on the phone, eventually got someone who seemed to speak tech, and threatened to report them to the PCI (Payment Card Info, the folks who enforce credit card security).  I waited while he manually deleted my records from the database.

Looking back, I should have reported them, but I don't actually know how to contact PCI.  Or even if they are actually called PCI.
