|
Any recommendations/experiences for/with services that, for example, sends your phone a code (SMS), or phone apps where all you have to do is approve/decline ?
Yes, this is for my new job, which I'm loving! No need to send codez, just your wisdom for what services rock and what services suck.
Latest Article - A Concise Overview of Threads
Learning to code with python is like learning to swim with those little arm floaties. It gives you undeserved confidence and will eventually drown you. - DangerBunny
Artificial intelligence is the only remedy for natural stupidity. - CDP1802
|
|
|
|
|
Marc Clifton wrote: Any recommendations/experiences for/with services that, for example, sends your phone a code (SMS), or phone apps where all you have to do is approve/decline ?
Yes, this is for my new job, which I'm loving! No need to send codez, just your wisdom for what services rock and what services suck.
They all suck cause I hate having to find my phone to get a code or send a push notification.
Previous job used Duo and current one using Microsoft Authenticator.
Michael Martin
Australia
"I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible."
- Mr.Prakash One Fine Saturday. 24/04/2004
|
|
|
|
|
Michael Martin wrote: Previous job used Duo and current one using Microsoft Authenticator.
I've just been looking at Duo. Free for 10 users, their documentation is excellent. So far so good. I'll look at Microsoft Authenticator next.
Thanks!
Latest Article - A Concise Overview of Threads
Learning to code with python is like learning to swim with those little arm floaties. It gives you undeserved confidence and will eventually drown you. - DangerBunny
Artificial intelligence is the only remedy for natural stupidity. - CDP1802
|
|
|
|
|
+1 for MS authenticator. There's also Google authenticator. These applications kinda hard to "recommend" though, because you just open it and it rocks up with a set of random digits for authentication. They both do the job.
|
|
|
|
|
Michael Martin wrote: I hate having to find my phone to get a code
Oh, I know where my phone is. It's out in my car, because we're not allowed cell phones in here at work.
I can usually get out to the phone, get the text, write the code down, and get back in through two security doors, unlock my desktop, and enter the code before it expires.
|
|
|
|
|
Sounds like you need a solar powered sun visor for your car that will keep your phone charged and extract the codes from certain SMS messages and display them in giant LCD letters on the sun visor!
Maybe some of the flexible, foldable LCD displays?
Then you can just look out the window!
|
|
|
|
|
Window? What's a window? I haven't had an office with a window since 2011.
|
|
|
|
|
If you have an android phone, just go to messages.android.com/ and you can receive texts right on your computer. I use it all the time for 2FA. Not sure if there's an equivalent for Apple iMessage.
|
|
|
|
|
We are using Okta Verify for our authentication service.
I'd rather be phishing!
|
|
|
|
|
Twilio is well documented and easy to use. I'm pretty sure they can handle what you are wanting to do. It's not free, but we found it to be reasonable.
"Go forth into the source" - Neal Morse
|
|
|
|
|
Forename(s):
Surname:
It's worked for centuries.
I wanna be a eunuchs developer! Pass me a bread knife!
|
|
|
|
|
on stone tablets, I'm sure.
|
|
|
|
|
I use DUO for my VPN connection to work and so far it's worked without any hitches.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
When I login and type my password correctly, it's because I want to get in and get started. I've started boycotting any services that do anything more than that, except for my surface that uses facial recognition effortlessly as the second bit.
To me, if you say you need to make sure it's me after getting my user name and password, that's equivalent to saying, move on, we don't want you in here!
CQ de W5ALT
Walt Fair, Jr., P. E.
Comport Computing
Specializing in Technical Engineering Software
|
|
|
|
|
Walt Fair, Jr. wrote: When I login and type my password correctly, it's because I want to get in and get started.
Agreed, but this is for local gov't employees dealing with sensitive data, so it's just part of doing the job.
Latest Article - A Concise Overview of Threads
Learning to code with python is like learning to swim with those little arm floaties. It gives you undeserved confidence and will eventually drown you. - DangerBunny
Artificial intelligence is the only remedy for natural stupidity. - CDP1802
|
|
|
|
|
The company I work for, ImageWare Systems, has a product: GoVerifyID [^]
Cheers,
Mike Fidler
"I intend to live forever - so far, so good." Steven Wright
"I almost had a psychic girlfriend but she left me before we met." Also Steven Wright
"I'm addicted to placebos. I could quit, but it wouldn't matter." Steven Wright yet again.
|
|
|
|
|
I've tried the various methods, and I would strongly recommend TOTP over SMS or push notifications. I tend to use "Google Authenticator" which you can actually use any app that supports the standard, which in my case on Android is the open source FreeOTP made by Red Hat.
In the case where you can't bring your phone to work, Google has had great success with Yubikeys.
|
|
|
|
|
Just make sure you're not looking at MFA in a vacuum. If you don't also implement MDM policies to enforce security on your mobile devices, you're missing the point. Any MFA solution is worthless if anyone can just pick up the mobile device and get at the code.
I'm partial to Microsoft's first-party MFA solution (based in Azure) because I work for them and help companies implement it, but no matter who you go with, make sure mobile/endpoint security is given equal attention. Security is a puzzle and no single piece is a panacea.
Good luck!
Jon (aka. Sir Buzz Killington )
|
|
|
|
|
The morons at my bank will text or call - but not use email.
If I'm planning on banking online they know I'm near an email capable device. I may not be anywhere near a phone. The US Treasury Direct site, which is amazingly fussy to maintain security, will email the one-time code. Same for a number of online banks - major financial institutions. I'm already voting with my wallet - moving my accounts to where they'll cooperate.
Another thing - authenticating BACK to me would be nice - a great way to avoid phishing attempts.
My particular version - for extra secure - requires a custom .exe to be run, which identifies unique machine information, encrypts it (with an every-changing key) and sends it for confirmation in the machine registry. If you don't go through the .exe you cannot access the 'working' parts of the website. Rephrased, for all practical purposes, without the local launcher on a registered machine you don't even get to the same website.
Nothing is 100% hack-proof, but a local item to authenticate registered machines makes it damn tough. Meanwhile, it's a single-click (once registered) - and the browser opens for user login. No burden on the user.
Ravings en masse^ |
---|
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
How about testing if the user can tell an arse from an elbow?
There are websites with photos and invites the reader to guess whether it is an ass or an elbow.
StupidStuff.ORG - Ass Or Elbow Quiz
|
|
|
|
|
Two factor authentication is a PITA! F'rinstance I couldn't log on to my mobile phone supplier's web site to report that my phone was dead. They insisted on sending an SMS with a code. Der!!!
We're philosophical about power outages here. A.C. come, A.C. go.
|
|
|
|
|
We use yubikey as do many secure businesses (think DoD, GOv, etc.).
Little USB plug in (many sizes, we use one that virtually disappears into you device when inserted). All you do is enter a PIN to authenticate.
https://www.yubico.com/
|
|
|
|
|
No, no, please no! 2 Form factor has stopped me from doing anything at home...
|
|
|
|
|
Just use the good old send some random words (or numbers) to the user's email account.
If that is not secure enough, then make sure the user apply with 2 email accounts, so that your service can send two sets of different random words (or numbers) to the user's two email accounts. Which may be as safe as a "2 factor authentication services". No fumbling with phone SMS / swipe here / swipe there, etc, etc.
And if that is not secure enough, then make sure the user apply with 3 emai ... ... ... ...
|
|
|
|
|
AusCert recommends (for it's 2 factor auth services):
FreeOTP app, Authy, 1Password, etc but also has instructions for google authenticator. I'm using FreeOTP and it's currently working a treat.
|
|
|
|