Just make sure you're not looking at MFA in a vacuum. If you don't also implement MDM policies to enforce security on your mobile devices, you're missing the point. Any MFA solution is worthless if anyone can just pick up the mobile device and get at the code.
I'm partial to Microsoft's first-party MFA solution (based in Azure) because I work for them and help companies implement it, but no matter who you go with, make sure mobile/endpoint security is given equal attention. Security is a puzzle and no single piece is a panacea.
The morons at my bank will text or call - but not use email.
If I'm planning on banking online they know I'm near an email capable device. I may not be anywhere near a phone. The US Treasury Direct site, which is amazingly fussy to maintain security, will email the one-time code. Same for a number of online banks - major financial institutions. I'm already voting with my wallet - moving my accounts to where they'll cooperate.
Another thing - authenticating BACK to me would be nice - a great way to avoid phishing attempts.
My particular version - for extra secure - requires a custom .exe to be run, which identifies unique machine information, encrypts it (with an ever-changing key) and sends it for confirmation in the machine registry. If you don't go through the .exe you cannot access the 'working' parts of the website. Rephrased, for all practical purposes, without the local launcher on a registered machine you don't even get to the same website.
Nothing is 100% hack-proof, but a local item to authenticate registered machines makes it damn tough. Meanwhile, it's a single-click (once registered) - and the browser opens for user login. No burden on the user.
Just use the good old send some random words (or numbers) to the user's email account.
If that is not secure enough, then make sure the user applies with 2 email accounts, so that your service can send two sets of different random words (or numbers) to the user's two email accounts. Which may be as safe as a "2 factor authentication services". No fumbling with phone SMS / swipe here / swipe there, etc, etc.
And if that is not secure enough, then make sure the user apply with 3 emai ... ... ... ...
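The multi-address e-mail code scheme proposed in this post, worked out as an added example that is not the poster's code or any forum project's: each registered address gets its own code, every code must be presented together, and the server keeps only salted hashes with an expiry and an attempt limit (the five-minute TTL and five-attempt lock-out are assumed policy values).

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: lock the challenge after five wrong guesses

# Outstanding challenges keyed by challenge id. Only salted hashes of the codes
# are stored, so a leaked store does not hand out usable codes.
_challenges = {}


def issue_challenge(addresses):
    """Create a distinct code for every registered e-mail address.
    Returns (challenge_id, {address: code}); the caller e-mails each code
    to its own address. All of them must later be presented together."""
    challenge_id = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    codes = {addr: f"{secrets.randbelow(10**8):08d}" for addr in addresses}
    _challenges[challenge_id] = {
        "salt": salt,
        "digests": {addr: hashlib.sha256(salt + code.encode()).digest()
                    for addr, code in codes.items()},
        "expires": time.monotonic() + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return challenge_id, codes


def verify_challenge(challenge_id, submitted):
    """Check a submitted {address: code} mapping. Every code must match and the
    challenge must be unexpired; it is consumed on success or after lock-out."""
    ch = _challenges.get(challenge_id)
    if ch is None:
        return False
    if time.monotonic() > ch["expires"]:
        del _challenges[challenge_id]        # expired: discard, never accept
        return False
    ch["attempts"] += 1
    # Compare every address without short-circuiting, using a constant-time compare.
    results = [
        hmac.compare_digest(
            hashlib.sha256(ch["salt"] + submitted.get(addr, "").encode()).digest(),
            digest)
        for addr, digest in ch["digests"].items()
    ]
    ok = all(results)
    if ok or ch["attempts"] >= MAX_ATTEMPTS:
        del _challenges[challenge_id]        # single use; also discarded on lock-out
    return ok
```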
This makes me think of an old song by Tool, "Disgustipated." During a spoken interlude they say,
And I begged, "Angel of the Lord, what are these tortured screams?"
And the angel said unto me, "These are the cries of the carrots, the cries of the carrots!
You see, Reverend Maynard, tomorrow is harvest day and to them it is the holocaust."
And I sprang from my slumber drenched in sweat like the tears of one million terrified brothers and roared, "Hear me now, I have seen the light! They have a consciousness, they have a life, they have a soul! Damn you! Let the rabbits wear glasses! Save our brothers!"
Can I get an amen? Can I get a hallelujah? Thank you Jesus