[OT] how secure is 2 factor auth with a smartphone?

[OT] how secure is 2 factor auth with a smartphone?

Alceu R. de Freitas Jr.
Hello guys,

I apologize if the subject is too far off topic for this list.

Today I was surprised to hear from a security (?) tech guy that using
2 factor authentication with AWS was not a problem at all when using a
smartphone not provided by the company (my own, in this case) that has
several VMs on this provider.

Considering that the company (my customer in this case) has absolutely
no control of whatever I install or how I use my smartphone, it seems
pretty naive to think it is secure enough. It seems to me more an excuse
to make professionals like me pay the bill (the smartphone itself,
instead of doing the right thing and buying the MFA device, if security
is really the concern here) and probably the legal responsibility too.

I've been making a (basically useless nowadays) effort to avoid a
smartphone due to lack of freedom, privacy and terrible cost-benefits (at
least here in Brazil, where not only are smartphones expensive, but
the associated service also sucks big time).

I did some research in this list's archives and couldn't find any mention
of it. This article sheds some light on the subject:

https://www.csoonline.com/article/3044605/security/does-a-smartphone-make-two-factor-authentication.html

What do you guys think about it? Do you agree with the article author's opinion?

Feeling like a Neanderthal here, doesn't matter if a lot of people on
the streets nowadays look like those spaceship characters of the WALL-E
movie...

Thanks,
Alceu

Re: [OT] how secure is 2 factor auth with a smartphone?

Lea Chescotta
Hi! I face the same situation at work. What I simply do is have
an Android tablet (which I also use to read while traveling to work)
just to use the 2 factor authentication at work, and a dumb phone
to make and receive phone calls from my wife and family.

> -------- Original Message --------
> Subject: [OT] how secure is 2 factor auth with a smartphone?
> Local Time: December 13, 2017 11:16 PM
> UTC Time: December 14, 2017 2:16 AM
> From: [hidden email]
> To: [hidden email]
>
> Hello guys,
>
> I apologize if the subject is too far off topic for this list.
>
> Today I was surprised to hear from a security (?) tech guy that using
> 2 factor authentication with AWS was not a problem at all when using a
> smartphone not provided by the company (my own, in this case) that has
> several VMs on this provider.
>
> Considering that the company (my customer in this case) has absolutely
> no control of whatever I install or how I use my smartphone, it seems
> pretty naive to think it is secure enough. It seems to me more an excuse
> to make professionals like me pay the bill (the smartphone itself,
> instead of doing the right thing and buying the MFA device, if security
> is really the concern here) and probably the legal responsibility too.
>
> I've been making a (basically useless nowadays) effort to avoid a
> smartphone due to lack of freedom, privacy and terrible cost-benefits (at
> least here in Brazil, where not only are smartphones expensive, but
> the associated service also sucks big time).
>
> I did some research in this list's archives and couldn't find any mention
> of it. This article sheds some light on the subject:
>
> https://www.csoonline.com/article/3044605/security/does-a-smartphone-make-two-factor-authentication.html
>
> What do you guys think about it? Do you agree with the article author's opinion?
>
> Feeling like a Neanderthal here, doesn't matter if a lot of people on
> the streets nowadays look like those spaceship characters of the WALL-E
> movie...
>
> Thanks,
> Alceu

Re: [OT] how secure is 2 factor auth with a smartphone?

Kamil Cholewiński
In reply to this post by Alceu R. de Freitas Jr.
> Re: [OT] how secure is 2 factor auth with a smartphone?

Not very much. Phones are easy to lose, break (which means 2nd factor
recovery must be relatively painless == lowest common denominator), etc.

For services that insist on 2FA, I have a script that calls oathtool
and copies the code to clipboard. Secret seeds are encrypted via GPG.
All integrated via dmenu. I went thru 3 phones since then.

<3,K.


Re: [OT] how secure is 2 factor auth with a smartphone?

Martin Schröder
In reply to this post by Alceu R. de Freitas Jr.
2017-12-14 3:16 GMT+01:00 Alceu Rodrigues de Freitas Junior
<[hidden email]>:
> What do you guys think about it? Do you agree with the article author's opinion?

It's probably more secure than your typical RSA token, which had
numerous security issues (including opening up the seeds!) in the last
years.

Best
   Martin