2 Factor Authentication drawback

…if the damn SMS texts don’t arrive on your chosen cellphone(s) either by (accidental?) carrier-blocking or (willful corruption of text messages) intentional like with Wind Mobile in Canada.

Well at least the cell-phone SMS based two-factor.

Intentional corruption? Care to elaborate?

Some services, eg Google, will voice call you with the code if you tell them to.

Yeah. I’d like to hear more about this. I’m on Rogers in Canada and have never had a problem with any of the various SMS based two factor authentications I’ve used.

Wind Mobile in Canada mangles the FaceTime/iMessage activation text’s headers necessitating someone to make a workaround.

Since it originates from the UK, you have to turn on International Messaging option or pay 25 cents per (unsuccessful) text.

https://discussions.apple.com/thread/5176865?start=0&tstart=0

I’m on TELUS Mobility and the iCloud keychain activation code + 2 factor iCloud work 50% of the time for me in the last 24 hours.

Oh, right. This isn’t really a two-factor authentication problem. It’s a problem with how Apple in particular activates one of its services and how Wind handles the process they use to do so. If Apple just sent a verification code it would work fine.

This is why I prefer the Google Authenticator style 2-factor auth, because it also works if you are not in cell service.

Also consider using a 2Factor App like “Authy” or similar which backs up your 2-factor keys, or at least have some method to get those 2-factor keys restored on your phone if it breaks or you replace it.

Resetting 2factor auth with a mountain of companies when your phone explodes is a huge pain.

When I had Sprint a few years ago I used to occasionally get those spam text messages for “Joke a day!” or whatever garbage. I NEVER once responded to any message, never signed up for any ridiculous service like that. I ignored them for months, then one day a $10 charge showed up on my bill. I called and patiently, then less patiently, explained it to everyone they could transfer me to, that I had not signed up for anything like this.

They said maybe I had responded to a text and forgotten. Or maybe someone else entered my phone number somewhere for something like this. The unhelpful customer service rep told me there was no verification for anything like this, someone could just enter my phone number and I’d be signed up.

I have no idea if that was true, it all sounded like total bullshit, and no one would just give me my $10 back and fix it. The only solution they offered was to disable some subset of texting. I’m not sure exactly how it works, but I think they turned off automated texts of some kind. I still got text messages from regular numbers, but I never got any texts from those short numbers like when your carrier texts you directly.

And of course, that meant I didn’t get legit text messages from those numbers either. I think I had an issue with that trying to authenticate something with my bank once.

Anyway, yes. I would never use 2 factor authentication for anything critical if it also relies on a text message.

How does this authy thing work, exactly? Does it replace Google’s app?

Yes, it’s an alternative to the Google Authenticator app.

Yes, it replaces Google’s app. They basically reimplement the HOTP and TOTP protocols for use in their app.

If you go down this route, what you will have to do is basically re-setup the 2-factor login for all your sites with Authy, which, surprisingly enough, isn’t that painful – except that you have to visit each website individually. That is basically the same thing you’d have to do if you replaced your device as well.

But the nice thing with Authy is that once you set it up, it’ll store all your 2-factor stuff in the cloud and will resync with any device you want to set up (which also uses some proprietary 2-factor stuff to authenticate new devices).

You only really need to re-set up Google’s authentication. Everybody else will show the QR code again without resetting it.

I agree that Authy is the way to go.

Sweet, thanks guys, that backup thing will TOTALLY help since I like to switch ROMs on my phone. :)

For me, I had to reset nearly everything (Dropbox, Github, and Microsoft). Only LastPass showed me the QR code again without resetting.

Regardless, resetting is basically as painless as reshowing the QR code. Basically, find the place to reshow (or regenerate) a new QR code, then scan it with the new app and boom, you’re done.

Yeah, for me it was pretty simple, only Google taking more than a couple of steps.

Google will also offer you a OTP list you can save or print out even, to use in case you can’t get a call or a text.

So a few sites like PayPal use the horrible VIP Access app which I hate. Does anybody know if there is a way to back that up? OTP, QR Code, anything?

Doesn’t this defeat the purpose of 2-factor authentication? I mean, it’s supposed to prevent security breaches by requiring physical access to your phone (or some hardcopy with one-time codes). But if Authy stores your tokens in the cloud, then how are you more secure than just storing your credentials with LastPass?

That was definitely one of my biggest concerns that I had too before trying it out. First off, the online backups are disabled by default (which also means the multi-device support is disabled by default). But, of course, the main reason you use Authy is for these features. So what about those backups? The backups are encrypted before being uploaded and the encryption keys are never sent to Authy. Here are the details for the security minded folks: http://blog.authy.com/backups

So, take that as you will. After reading that (and googling around for a few other white-hat hacking attempts) I was reasonably satisfied that it would be secure enough.

Authy seems pretty cool. It’d be nice if they supported barcode scanning.