
From NIST Special Publication 800-63B at https://pages.nist.gov/800-63-3/sp800-63b.html
"An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim's mobile phone to the attacker. A malicious app on the endpoint reads an out-of-band secret sent via SMS and the attacker uses the secret to authenticate."
Chris
On Wed, Nov 01, 2017 at 08:43:35PM -0000, Phil Rigby wrote:
Hi,
Interesting that you say:
"I've read that sms texting where you get an OTP six-digit code is insecure, is this correct because this option would be easiest?"
I don't think that can really be the case; otherwise I doubt the company I work for, a large, global IT services provider, would offer this as one of the methods of authenticating for sign-in to the work network from any device with web access. It's a classic 2FA method. I agree also that it is the simplest solution, as almost everyone who is likely to need to use it will have a mobile phone. I can't see what the problem is with the method. What did you read?
Cheers, Phil.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of David Mehler Sent: 01 November 2017 15:28 To: blind-sysadmins Subject: [Blind-sysadmins] 2fa accessibility thereof
Hello,
To those of you who are using 2fa solutions how accessible and easy to use do you find them? I'm looking at implementing 2fa but am not sure which way to go and would appreciate some recommendations.
I've read that SMS texting where you get an OTP six-digit code is insecure. Is this correct? Because this option would be easiest. Along the same lines, with a TOTP solution can I limit how long the token is good for?
With regard to Google Authenticator, can it secure services other than Google? I'm thinking Dropbox, or does Dropbox have native 2FA support?
Lastly, has anyone used sites that allow a biometric such as a fingerprint to be used as the second factor, or the Authy service?
My goal is to increase service security for both my home/home users and contract users, while keeping things as easy as possible as some of these people are not really technology-savvy.
The issue that got me asking this question was how to best protect a KeePass database stored on either a Google Drive or Dropbox server against compromise of the underlying service, while still making it available for multiple device connections.
Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
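Editor's note: the following is a worked example added to this archived thread, not code from any of the posters. It illustrates David's question about limiting how long a TOTP token is good for. The two knobs are the time step (RFC 6238 default 30 s) and the verifier's skew window; a code can be accepted for at most step * (2 * window + 1) seconds. The functions hotp, totp, verify_totp and max_code_lifetime are this example's own names; the test secret is the ASCII string from RFC 6238 Appendix B, and the expected codes are that appendix's published SHA-1 vectors, so the implementation can be checked against the standard offline.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret ("12345678901234567890" in ASCII). A real
# deployment shares a random secret with the authenticator app at enrollment.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, t0: int = 0,
                algorithm=hashlib.sha1) -> bool:
    """Server-side check (example name, not a library API).

    The code is accepted if it matches the current interval or any of `window`
    intervals on either side, which tolerates clock skew between the phone and
    the server. That tolerance is what bounds a code's lifetime: a code can be
    accepted for at most step * (2 * window + 1) seconds. compare_digest keeps
    the string comparison constant-time.
    """
    counter = (unix_time - t0) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def max_code_lifetime(step: int, window: int) -> int:
    """Upper bound, in seconds, on how long a single code is accepted by verify_totp."""
    return step * (2 * window + 1)


if __name__ == "__main__":
    secret = RFC6238_SHA1_SECRET
    code = totp(secret, 59)  # issued during interval 1 (30 s step)
    print("code at t=59:", code)
    for t, window in ((59, 0), (70, 0), (70, 1), (90, 1)):
        print(f"t={t} window={window}:", verify_totp(secret, code, t, window=window))
    print("max lifetime, 30 s step, window 1:", max_code_lifetime(30, 1), "s")
    print("max lifetime, 10 s step, window 0:", max_code_lifetime(10, 0), "s")
```

The shorter the step and the narrower the window, the shorter a stolen or shoulder-surfed code stays usable; the trade-off is more false rejections from clock drift. Note that the authenticator app and the server must agree on the step: the otpauth: enrollment URI carries a period parameter, but not every app honours a non-default value, so in practice tightening the verifier's window and rate-limiting attempts is the more portable control than changing the step. None of this helps with the SMS threats in the NIST passage Chris quoted, since those intercept the delivered code rather than guess it.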