[OT] how secure is 2 factor auth with a smartphone?
Alceu Rodrigues de Freitas Junior
2017-12-14 02:16:34 UTC
Hello guys,

I apologize if the subject is too much out of topic for this list.

Today I was surprised to hear from a security (?) tech guy that using
2 factor authentication with AWS was not a problem at all when using a
smartphone not provided by the company (my own, in this case) that has
several VMs on this provider.

Considering that the company (my customer in this case) has absolutely
no control over whatever I install or how I use my smartphone, it seems
pretty naive to think it is secure enough. It seems to me more an excuse
to make professionals like me pay the bill (the smartphone itself,
instead of doing the right thing and buying the MFA device, if security
is really the concern here) and probably take the legal responsibility too.

I've been making a (basically useless nowadays) effort to avoid a
smartphone due to lack of freedom, privacy and terrible cost-benefit (at
least here in Brazil, where not only are smartphones expensive, but
the associated service also sucks big time).

I did some research in this list's archives and couldn't find any mention
of it. This article shed some light on the subject:

https://www.csoonline.com/article/3044605/security/does-a-smartphone-make-two-factor-authentication.html

What do you guys think about it? Do you agree with the article author's opinion?

Feeling like a Neanderthal here, doesn't matter if a lot of people on
the streets nowadays look like those spaceship characters of the WALL-E
movie...

Thanks,
Alceu
Lea Chescotta
2017-12-14 12:09:36 UTC
Hi! I face the same situation at work. What I simply do is to have
an Android tablet (which I also use to read while traveling to work)
just to use the 2 factor authentication at work, and a dumb phone
to make and receive phone calls from my wife and family.
Kamil Cholewiński
2017-12-14 12:59:59 UTC
Re: [OT] how secure is 2 factor auth with a smartphone?
Not very much. Phones are easy to lose, break (which means 2nd factor
recovery must be relatively painless == lowest common denominator), etc.

For services that insist on 2FA, I have a script that calls oathtool
and copies the code to the clipboard. Secret seeds are encrypted via GPG.
All integrated via dmenu. I've gone through 3 phones since then.

<3,K.
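What oathtool computes in the script described above is a standard TOTP code (RFC 6238): an HMAC over the current 30-second time counter, keyed with the seed. The following is an added example, not the poster's dmenu/oathtool script and not oathtool's own code; it reimplements that computation in Python so the role of the seed is visible, and adds the server-side check with a clock-drift window. The seed used is the public RFC 6238 reference seed (a constructed test value, not a real secret), and the function names are this example's own. Whoever holds the seed can generate every future code, which is exactly why the seeds in the script above are kept GPG-encrypted rather than in plain files.

```python
"""TOTP (RFC 6238) generation and verification in pure Python.

Added example: this is not the list poster's dmenu/oathtool script and not
code from oathtool itself. It reproduces the same computation so that the
seed's role is clear: the seed is the entire secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample input: the public RFC 6238 Appendix B reference seed
# (ASCII "12345678901234567890"). It is a test vector, NOT a real secret.
RFC6238_SHA1_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift.

    Every candidate is compared in constant time and the loop never exits
    early, so response timing does not reveal which step (if any) matched.
    """
    matched = False
    for k in range(-window, window + 1):
        candidate = totp(secret, at_time + k * step, step, digits, algo)
        matched |= hmac.compare_digest(candidate.encode(), code.encode())
    return matched


def seed_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed form used in otpauth:// URIs and QR codes.

    Authenticator apps usually strip the '=' padding, so it is restored here.
    """
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: time 59 -> counter 1 -> 8-digit code 94287082
    print(totp(RFC6238_SHA1_SEED, 59, digits=8))
    # A live 6-digit code for the reference seed at the current time
    print(totp(RFC6238_SHA1_SEED, int(time.time())))
```

The seed appears here in plaintext only because it is a published test vector; anything that can read a real seed file (a backup agent, another app on an unmanaged phone, a stolen tablet) holds the second factor outright, which is the point of encrypting seeds at rest and decrypting them only for the moment the code is generated.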
Martin Schröder
2017-12-14 13:18:34 UTC
On 2017-12-14 3:16 GMT+01:00, Alceu Rodrigues de Freitas Junior wrote:
What do you guys think about it? Do you agree with the article author's opinion?
It's probably more secure than your typical RSA token, which has had
numerous security issues (including opening up the seeds!) in recent
years.

Best
Martin
