2 Factor Authentication drawback

Huh? Do you mean QR codes?

Not that I know of. It’s a bummer when sites use VIP Access, not just because it’s a single app from a single vendor, but also because I can’t run multiple copies of it on my phone, so if I have two PayPal accounts, I have to use SMS for one of them, which sucks. Twitter is even worse: they don’t use a standard 2FA system at all, and so you can only have one account per phone. For a brief time they supported a hack to get two accounts working on a single phone, but then backed it out. Ugh.

Chris

Yea, what’s THEIR security like though?

Doesn’t matter, since they store everything encrypted on their servers and you decrypt it with your passcode clientside.

I mean, they could be co-opted by a nation state to push a version of their client that records your passcode and sends it to them. But as usual, there’s no effective defense against a nation state. So don’t worry about it.

No, that means it absolutely matters how good their process is…
Same reason I’m still waiting for the third-party security audit on LastPass’s 2011 security breach. Been a while, hasn’t it.

(Honestly, regular external security audits would be necessary for my trust, which is why I use an offline password manager, KeePass)

You’re right. But the process looks pretty good to me. Of course it could be broken in some undisclosed way that would only be found by an external audit. You need to find your own comfortable spot on the paranoia scale.

It sounds fancy, military grade high tech etc., but I basically stop using services that force this on you (if there is a proper opt-out option that does not require giving phone details before opting out, then sure, no problem), especially if they are insistent on having a phone number over another email. It’s for spying mostly, profile building, intel gathering (in an easy catch-all you-do-the-work-for-us-like-Facebook kind of way).

I’ve moved away from Hotmail/Outlook because of this, and Yahoo is getting close to getting the heave-ho. Never did much Facebook due to privacy concerns, and Google (everything… YouTube etc.) has also gone from my usage. I like to make spies work for their money; it’s better for their int-gathering skills as well, so better for the long-term security of your country etc. All this stuff makes ’em lazy (and fat).

And I’m willing to copy/paste passwords from an offline password manager, which I feel is more secure.

Your spot on the paranoia scale is considerably higher than mine, that’s all.

And all my friends think I’m crazy.

I don’t perceive myself as paranoid (certainly not in the face of the various tech-related reveals of recent years (WikiLeaks/NSA/MI5 etc.)), just um… ‘good’ at reading some basic info and understanding how (why) things work like they do.

For example, face recognition on Facebook: great for family and friends alike! (and my god, how useful for intel services!). There is an opt-out, I believe (but permissions flip and change all the time on Facebook, don’t they).

Or having to opt in for two-factor authentication on Hotmail/Outlook BEFORE you can opt out, and it has to be a phone number (mobiles are very easy to track, fixed lines give direct location). Clear signals to my ‘military’ mind of other things being afoot. Now sure, the int guys can simply find all that out with a little work if they have to, but when the ‘idea’ is blanket personal data gathering, this way is much easier (and automatic). Too ‘1984’ for me personally, so I just drop the products that do this kind of thing and encourage others to do the same.

Now if you WANT to opt in for two-factor authentication, and you WANT to give your phone number (as that is a more secure form of the system), then by all means do. When it is forced with no/little or unclear options to avoid it, you have a problem. Nothing I do or did on those services was so critical I needed that extra security to give my phone details, nothing. I would be perfectly happy giving another email (as I use ridiculous passwords, all unique) and keeping some personal anonymity. But I don’t have that option with many of these services now (some still do, but nag for a phone number etc.). So I just stop using them/recommending them.

After realizing that the SMS text message was sporadic in arriving, I found that Apple has a direct-to-device option over the Internet/data for verification, once you successfully register it as a trusted, verified device. So it’s quicker to use my iPad or have it sent directly to the iPhone.

It’s a control issue for me, Stusser: there have simply been too many cloud hacks for me to be comfortable with non-audited login/password tools on the internet.

I don’t stress about i.e. using Windows, or using shared logins (via Twitter, etc.) for services.

Now that’s paranoid.

I didn’t say you were crazy, I just said you were further on the paranoia scale than me. And people do call me crazy. Less so recently after all the privacy news, though.

This might be old news to some, but I just discovered that 1Password now supports the Google two-factor authentication stuff. You can scan the QR code and it will generate the one-time-use codes right inside the 1Password app.

Rehheeaallly…

Amazon has introduced it, too, but you have to dig into your settings to find it. You can use it with any authenticator app; scan the code and bingo.

I’ve been using this for a while, but you do need to be aware of its security implications. As both your password and single use code are stored in the same app and secured by the same master password, it is technically no longer “two factor” authentication. The overall ramifications of this don’t worry me, but if you’re very security conscious, as people who tend to use two factor authentication tend to be, it might not be an ideal solution. For me, the convenience is worth it. But use it with your eyes open.

What You Have and What You Know become only What You Have. Yeah, it’s not really 2FA anymore.

Ok, I need help. Can someone explain to me what I could be doing wrong and what I can do next.

A few months ago I set up 2 step authentication with U-play, and got the Google Authenticator app for my phone.

Every time I would log into U-play, it would ask for my password, and then ask for a code from the authenticator. So I would start the app on my phone, and enter the number I saw there. And then I would get into U-play on my computer.

I did that today, and my authenticator app on my phone must have gotten updated or something; it has no memory of anything. It’s all about “Welcome! Scan an account or enter one manually”. I have no clue what I’m supposed to do at this point.

The U-play app does say to use my recovery codes if I can’t get a code, but provides no other options. I have no recovery codes.

So I went to the help section, and apparently I have to keep those recovery codes around. I think I wrote them down in a file on my old desktop. And when I upgraded to Windows 10, that stuff got put into an “Old Windows” directory, and I kept going to that file to keep stuff, and then eventually Windows 10 deleted everything in that directory.

And it looks like the only way to turn off Uplay 2 step verification is to first log in using a recovery code.