This blog was written by an independent guest blogger.
I was logging into one of my favorite online shopping sites the other day, and, as with all my other sites, I was presented with the multi-factor authentication prompt to complete the login process. Anyone who knows me knows that I have been a long-time supporter of multi-factor, or 2-step, verification of any kind.
The only problem I had with the login on this occasion was that my phone was dead. Like most folks, my phone contains the authenticator applications that allow me to log into most of the sites that do not allow the use of a FIDO hardware token. This created an unusual conundrum, in that not only does my phone contain the authenticator application, but the only backup method the site offers is to send a text message to a registered phone number if the authenticator application is unavailable. The problem is that the registered phone number is attached to the same dead phone that contains the authenticator application.
Usually, this is not a problem, as most sites that have fully thought through their implementation of multi-factor authentication have also considered the problem of the lost or otherwise non-functioning phone, and they issue one-time backup codes when the 2FA process is first enabled. These codes can be stored in a safe place.
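As an added illustration (example code, not taken from any site or vendor mentioned in this post), this is the server side of the backup-code scheme described above: codes are generated once, shown to the user once, stored only as salted PBKDF2 hashes, and each one is accepted exactly one time. The `BackupCodeStore` class, alphabet and code length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without look-alike characters (0/o, 1/l) so codes survive being
# read back from a password-manager note or a printout.
CODE_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"
CODE_LEN = 10  # 32^10 ~ 2^50 possibilities per code


def _hash_code(code: str, salt: bytes) -> bytes:
    """Normalise user input (case, dashes, spaces) and derive a slow hash."""
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


@dataclass
class BackupCodeStore:
    """Per-account record: one salt, plus the hashes of the unused codes."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)

    def issue(self, count: int = 8) -> list:
        """Generate a fresh set, replacing any previous codes.

        The plaintext codes are returned for display exactly once; only the
        hashes are retained, so a database leak does not expose usable codes.
        """
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code once: hash the candidate, compare in constant time,
        and delete the matching hash so it can never be replayed."""
        candidate = _hash_code(code, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left (a hint to re-issue when low)."""
        return len(self.hashes)
```

Because every code in a set shares the account's salt, a login attempt costs one PBKDF2 derivation regardless of how many codes remain.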
Recently, when Google announced to a select group of Gmail users that their mail accounts would be forced to use multi-factor authentication, many people protested. While I can understand the shock that many felt at the imposition of an unsolicited change to the login process, I commended the fact that steps were being taken to protect these vulnerable accounts. Google also did everything right, that is, they gave people multiple options to verify the login process, including one-time backup codes to be used if the authenticating device is unavailable.
Many people who dislike multi-factor will lament at the thought of also having to store what amounts to other passwords, as one-time codes can arguably be thought of as just another password. This is where a password manager can serve double-duty to assist the password-weary.
Most password managers offer text fields that often go ignored and unused. However, that big open space can be used to store a ton of useful information. For example, the one-time codes can be stored there, in addition to the random answers to the common security questions asked by many sites.
None of what I am positing here should be misinterpreted to mean that I am against multi-factor authentication in any way. Until passwordless technology replaces the current methods, I will remain committed to supporting 2FA as the best method we have right now. In the meantime, the problem that needs to be addressed is how to get more sites to fully realize their multi-factor implementations and offer one-time codes along with whatever other methods they use for their enhanced security options. One has to wonder why this was overlooked in the first place. Until these solutions are established, I suppose I need to be more diligent about keeping my phone charged. Happy shopping!