Hello, I'm trying to get 2FA going for some users. I'm finding the user experience difficult to sell as they don't like entering the user codes. What I'm trying to do is get 2FA push notifications going, where they get the notification of where the authentication is being made from and other information, and they just tap confirm. Ideally I'd like to make this as easy as possible. Suggestions? Thanks. Dave.
On 23/4/23 21:03, David Mehler wrote:
I'm trying to get 2FA going for some users. I'm finding the user experience difficult to sell as they don't like entering the user codes. What I'm trying to do is get 2FA push notifications going, where they get the notification of where the authentication is being made from and other information, and they just tap confirm.
Microsoft has an interesting approach, whereby the user is required to enter a two-digit code into the mobile authentication application which is displayed on the device used to log in. This should prevent authentication fatigue, as it is known, in which the threat actor makes repeated authentication attempts until the user consents. I don't know whether there are other authentication tools that do the same, but it's more secure than prompting for confirmation alone. Have you considered an option involving security keys, for example FIDO2 or operating as smart cards?
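To make the difference between plain tap-to-approve and the number-matching flow described above concrete, here is an added toy model of the server side of a push 2FA service. It is illustration written for this thread, not code from Microsoft or any authenticator vendor; `PushAuthServer`, `start_login`, `approve`, the 60-second challenge lifetime and the pending-push threshold are all hypothetical names and values. With number matching the approver must type the number the login screen displayed, so an approval that carries no number (a blind tap) is rejected; the model also counts unanswered pushes per account as a simple indicator of a push-bombing attempt.

```python
"""Toy model of push 2FA with and without number matching.

Added illustration for this thread; not code from any authenticator
vendor. PushAuthServer, start_login, approve and the thresholds below
are hypothetical names and values chosen for the example.
"""
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL = 60        # seconds a pending push stays approvable (assumption)
FATIGUE_THRESHOLD = 3     # pending pushes for one user treated as suspicious (assumption)


@dataclass
class Challenge:
    user: str
    number: int           # two-digit value shown only on the device that is logging in
    origin: str           # context carried in the push, e.g. "203.0.113.7, unknown device" (constructed)
    created: float
    status: str = "pending"   # pending | approved | denied | expired


class PushAuthServer:
    def __init__(self, require_number=True, clock=time.time):
        self.require_number = require_number   # False models plain tap-to-approve
        self.clock = clock                     # injectable so expiry can be exercised
        self.challenges: dict[str, Challenge] = {}

    def start_login(self, user, origin):
        """Called by the login front end. The returned number is displayed on
        the login screen; the challenge id is delivered to the user's
        authenticator in the push notification together with the origin."""
        cid = secrets.token_urlsafe(16)
        number = secrets.randbelow(100)        # 0..99, shown as two digits
        self.challenges[cid] = Challenge(user, number, origin, self.clock())
        return cid, number

    def _expire_stale(self):
        now = self.clock()
        for c in self.challenges.values():
            if c.status == "pending" and now - c.created > CHALLENGE_TTL:
                c.status = "expired"

    def pending_for(self, user):
        self._expire_stale()
        return [c for c in self.challenges.values()
                if c.user == user and c.status == "pending"]

    def fatigue_suspected(self, user):
        """Many unanswered pushes for one account is what push bombing looks
        like from the server: flag it instead of continuing to prompt."""
        return len(self.pending_for(user)) >= FATIGUE_THRESHOLD

    def approve(self, cid, entered_number=None):
        """Called by the authenticator app when the user taps approve. With
        number matching the tap alone is not enough: the number typed into
        the app must equal the one the login screen showed."""
        self._expire_stale()
        c = self.challenges.get(cid)
        if c is None or c.status != "pending":
            return False                       # unknown, replayed or expired
        if self.require_number and entered_number != c.number:
            c.status = "denied"                # a wrong number ends the challenge
            return False
        c.status = "approved"
        return True

    def deny(self, cid):
        c = self.challenges.get(cid)
        if c is not None and c.status == "pending":
            c.status = "denied"
            return True
        return False


def demo():
    """Contrast plain tap-to-approve with number matching on a constructed login."""
    plain = PushAuthServer(require_number=False)
    cid, _ = plain.start_login("dave", "203.0.113.7, unknown device")
    tap_only_works = plain.approve(cid)        # a blind tap approves

    matching = PushAuthServer(require_number=True)
    cid, number = matching.start_login("dave", "203.0.113.7, unknown device")
    blind_tap_works = matching.approve(cid)    # no number typed, so denied
    return tap_only_works, blind_tap_works, number


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the security of the scheme comes from where the number is shown: it only appears on the device that started the login, so someone who merely triggers pushes never learns it, and the user's tap cannot be turned into an approval without it.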
Hi. What sites are you trying to use with 2FA? Some of them have the option of using a push service, some don't. The ones that use a push service generally require a special app to get it working, meaning you can have several 2FA apps on the phone to provide push services for each one. I myself use Bitwarden and have the tokens stored in there and have that protected by a YubiKey. Means I don't need to type in the 2FA codes. Thanks. Andrew.
_______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
Hello, Thanks for your replies. It sounds like this isn't going to be a one-app solution, I hope I'm wrong. Sites I'm trying this on: a bank site, PayPal, Amazon, Facebook/Twitter, pretty much if it's common then those. As I said I'd like to keep this as simple/intuitive as possible. While I don't mind a hardware token option it's not something I want to try to get everyone to carry around. Some of them are rather forgetful and I'd trust them with a mobile phone vs a hardware token. Andrew, which sites are you using that have push services and that utilize an app? And does your solution go for an allow or deny setup on a phone? Thanks. Dave.
Hi. What token app are you using? Like I say all the push notification 2FA systems I am using are using their own apps:
Microsoft AzureAD and personal accounts: Microsoft Authenticator app
Google accounts: YouTube
Banking: banking app provides push notifications for 2FA.
Salesforce: Salesforce Authenticator
Okta: Okta authenticator
Ping: Ping authenticator
Those last 2 are for clients I do work for and the authenticator I think also sends my location to the auth provider so they can see where I work. Right now for everything else using 2FA I store the tokens in Bitwarden. Guarding Bitwarden I have some YubiKeys and also store a 2FA token in Microsoft Authenticator as it backs up to my Microsoft account. The Bitwarden browser extension and iOS app support filling in the 2FA tokens automatically for a given site. I am thinking of extending Bitwarden out to a family subscription with my parents but haven't done it yet as I'm waiting to see how the new unified open source Docker image works out for people, in which case I will host it myself. If I go this route I would buy a pack of YubiKeys and set things up so people can use either the Authenticator app with a code to log in or the YubiKey. They will need to have their master password of course. forget their passwords all the time. Andrew.
Participants (3): Andrew Hodgson, David Mehler, Jason White