This blog was written by an independent guest blogger.
I was logging into one of my favorite online shopping sites the other day and, as with all my other sites, I was presented with the multi-factor authentication prompt to complete the login process. Anyone who knows me knows that I have long been a supporter of multi-factor, or 2-step, verification of any kind.
The only problem I had with the login on this occasion was that my phone was dead. Like most people, I keep on my phone the authenticator applications that let me log into the many sites that do not accept a FIDO hardware token. This created an unusual conundrum: not only does my phone contain the authenticator application, but the only backup method the site offers is a text message to a registered phone number when the authenticator application is unavailable. That registered phone number belongs to the same dead phone that contains the authenticator application.
Usually this is not a problem, because most sites that have fully thought through their multi-factor implementation have also considered the lost or otherwise non-functioning phone, and they issue one-time backup codes when 2FA is first enabled. These codes can be stored in a safe place.
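As an added illustration of what "issuing one-time codes" looks like on the site's side (this is example code written for this article, not the original post's code or any particular site's implementation), the snippet below generates a batch of backup codes, stores only salted hashes of them, and lets each code be redeemed exactly once. The code length, alphabet, number of codes, the PBKDF2 cost and the in-memory store are all assumptions chosen for the example; a real deployment would persist the hashes per account and rate-limit redemption attempts.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters for this example (not taken from any site's policy).
ALPHABET = string.ascii_lowercase + string.digits
CODE_LEN = 10          # 36^10 possibilities: far beyond online guessing
N_CODES = 8            # how many single-use codes to hand out per enrollment
PBKDF2_ITERATIONS = 100_000  # slows offline guessing if the hash table leaks


def generate_backup_codes(n=N_CODES, length=CODE_LEN):
    """Create n random backup codes using the OS CSPRNG (secrets module)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(n)]


def format_for_user(code):
    """Display form shown once at enrollment, e.g. 'abcde-fghij'."""
    return "-".join(code[i:i + 5] for i in range(0, len(code), 5))


def normalize(code):
    """Accept what people actually type: hyphens, spaces, any case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(),
                               salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """Server-side record for one account: salted hashes only, each usable once.

    The plaintext codes never need to be stored; they are shown to the user at
    enrollment and then discarded by the server.
    """

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._hashes = [_hash_code(c, self.salt) for c in codes]
        self._used = [False] * len(codes)

    def remaining(self):
        """Number of codes not yet consumed (worth showing in account settings)."""
        return self._used.count(False)

    def redeem(self, candidate):
        """Return True and burn the code on a match; False otherwise.

        Every slot is compared (no early return) with a constant-time
        comparison, and a code that was already used is rejected.
        """
        digest = _hash_code(candidate, self.salt)
        match = None
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, digest) and not self._used[i]:
                match = i
        if match is None:
            return False
        self._used[match] = True
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("Save these codes somewhere safe; they will not be shown again:")
    for c in codes:
        print("  ", format_for_user(c))
    print("redeem once:", store.redeem(codes[0]))   # True
    print("redeem again:", store.redeem(codes[0]))  # False, single use
    print("remaining:", store.remaining())          # 7
```

The two properties that matter are visible in `redeem`: a code is rejected after its first use, and the server holds only salted PBKDF2 digests, so a leaked user table does not hand out working codes. Redemption attempts should also be rate-limited and logged like any other second-factor failure.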
Recently, when Google announced to a select group of Gmail users that their mail accounts would be required to use multi-factor authentication, many people protested. While I can understand the shock many felt at an unsolicited change to the login process, I commended the fact that steps were being taken to protect these vulnerable accounts. Google also did everything right: it gave people multiple options to verify the login process, including one-time backup codes to be used when the authenticating device is unavailable.
Many people who dislike multi-factor will lament having to store what amounts to yet more passwords, since one-time codes can arguably be thought of as just another password. This is where a password manager can serve double duty and assist the password-weary.
Most password managers offer free-text fields that often go ignored and unused. That big open space can hold a great deal of useful information: the one-time codes can be stored there, alongside the random answers to the security questions many sites ask.
None of what I am positing here should be misread as opposition to multi-factor authentication in any way. Until passwordless technology replaces the current methods, I will remain committed to supporting 2FA as the best method we have right now. In the meantime, the problem that needs to be addressed is how to get more sites to fully realize their multi-factor implementations and offer one-time codes alongside whatever other methods they use for their enhanced security options. One has to wonder why this was overlooked in the first place. Until these solutions are established, I suppose I need to be more diligent about keeping my phone charged. Happy shopping!