Commercially available 2FA in Products - Additional security or Snake oil?

Hi all!

More and more global and local companies (not only Big Tech, for example also local banks), and in some cases also the state (legally), are requiring 2FA access for security reasons. In times of increasing attacks over the Internet, it sounds good: 2-Factor Authentication (2FA), confirm your identity (authentication) from another device, almost always your smartphone…

I would also like to note that there are globally only 2 operating systems for smartphones (not counting a “Chinese” Android “fork”…), Apple (iOS) and Google (Android). Open source alternatives like Android / Linux forks aren’t really valid 2FA providers, also because a lot of these “forks” do not want to use the “cloud”…

Now, getting to the “snake oil” part…

My Swiss bank requires me to activate 2FA to use eBanking, so far, so good. The big gotcha: if I log in to eBanking on a PC or my MacBook (these boxes are additionally authenticated by MachineID in eBanking!), I do need to verify my login on my smartphone.

When on the road (also at home) and using my smartphone, I can log in to my bank’s eBanking without confirming on another device (for example on a tablet or PC/Mac). The smartphone does allow for biometric ID - but also simple password access works. So WHERE is 2FA in this use case?

If anyone wants to steal my data and access, they only need to steal or hack my unlocked smartphone…
It’s not only Pegasus out there in the wild…
2FA is often not really invoked when using a smartphone!

→ I’m interested to know other users experiences and thoughts with 2FA, also in other countries / regions / government… :slight_smile:

Thanks for any feedback!

My 2 cents
Andy


2FA is a small increase in security.
However… it’s a legal protection for whoever requires it, offloading more responsibility to the user for misuse.
2 factors mean that at least twice the user consented to access or operation. So the prevalent liability is on the user side, not on the service side.

Hi @pike

I did mention “legal” requirements above

:slight_smile:


As long as this happens in the background on the same device, there is no “real” twice consented (agreed twice), as the OS used on the smartphone prevents (perverts) real 2FA by “assuming” a second OK.

And as long as this is the case, there is no real 2FA, so not even a small increase in security - at least not when using a Smartphone…

How are things for you in Italy, if using 2FA to access your ebanking? Do you need to verify from a second device, or is just using your smartphone considered 2FA already (No second verification on a different device?)?

In Switzerland, it is enforced when using a PC / Mac or Linux - but not when using a Smartphone!

In my opinion, this is “snake oil” - a false “medicine”…


Without daily tests / scanning, even an expert cannot, as a smartphone user, claim a “clean” smartphone, and any user would probably win any such case in court. So the state can’t make claims otherwise, and even less when the daily press is full of concerted state attacks (like in Germany or the US).

A mobile SIM card (Subscriber Identity Module card) can be stolen - or even cloned using a small battery-powered device on the road, so it is not really acceptable as an absolute “security” identifier. It is, after all, “hardware”, and like other “hardware” (think IDs or passports), these can be faked, manipulated, hacked, copied, whatever…

Faking IDs and passports is as old an industry globally as making IDs and passports in the first place! :slight_smile:

My 2 cents
Andy

Hi Andy,

and if biometric unlocking is also set on the smartphone, Poland is wide open. I can just imagine the following situation:
Frankfurt Central Station late at night in a dark corner. One of the countless drug addicts pulls a new middle parting on me with a special tool. I fall unconscious, he steals my smartphone and unlocks it quite simply because I had previously set it to be unlocked by Face ID. Or by fingerprint. Now it’s doubtful whether I still meet the ideal of beauty at the time Face ID was activated when I was unconscious and my middle parting was perhaps no longer quite as accurate. But the risk of having my money taken from my account in this way is not small. I’d better change it again and use the device provided to me by my bank as a second factor.

Have fun…

Uwe

Not all banks provide this “feature”. :frowning:
Mine has their own App, but that also uses Biometric unlocking…

And it’s not only the state which operates IMSI-catcher systems, other states or organised crime can also operate an IMSI-catcher (or a whole network of such) Illegally - but you have no chance to find out…

:slight_smile:

If not stated by laws, tech and logic do not exist. Unfortunately.

IDK if there will be a proper upgrade as security perception, with the mindset, from countries, to define “safe today, less safe tomorrow so we will update laws”.
128bit encryption nowadays is… not that much safe as it was 5 years ago.
For SIM cards… why bother stealing a plastic-embedded chip when you now can steal a QR code? (Not the biggest fan of eSIM. Might be a nice addition, but requires a UI and camera to be installed. On M2M devices? Routers? Alarms? I get that a VoIP PBX can be computer operated (so the webcam of the laptop can be borrowed for the eSIM acquisition… however) but…)

The British say “if there’s a will, there’s a way”.
For creating dumb laws.
For stealing someone’s identity.

Only a matter of competence, time, resources.

My bank also offers a separate app for this, which I just have to smile at (Face ID). And I’m already in my account.


The Germans have the version:

“Where there is a will, there is also a bush…” :slight_smile:


This is where a web-based 2FA tool comes to mind.

I had begun working on the @Fauth module for NS8, but ran into headwinds here: Error with container image name starting with a number - Bug - NethServer Community

I am not sure as to the progress on this issue so that the app can be published, and it probably will benefit and implement an actual 2-factor authentication that Andy is asking for. Even if your unlocked phone is stolen, they also need to gain access to your server SMH

@oneitonitram

Please do not hijack the issue.

This is NOT about a smartphone being stolen.

It is about almost all 2FA not asking your opinion, but dictating you must use your smartphone!
When using the smartphone itself, 2FA seems disabled, as the verification is sent to your smartphone.

And whatever software you dig up will NOT change in any way how Apple or Google dictates you use 2FA…

And NO, I do not want additional software hampering me from doing my work!
Only the software I really need, nothing else!

My 2 cents
Andy

This is the reason for me to “Don’t use eBanking on a smartphone”! Only Windows, macOS or Linux with encrypted filesystem, awareness, etc. …

Be my guest.
The EU already crashed the “one device only” approach with Payment Services Directive 2. And a lot of banks ditched hardware tokens for… mobile phone integrated tokens (specific app or integrated into the homebanking app).
Costs less (at least logistically) and is way faster to replace.

By the way. Payment Services Directive 3 is incoming…

@pike

All states need to generate income, not only the EU. This is usually done with taxes or selling fossil fuel stuff like gas or crude (oil). If these are not an option, and there is no logical reason for “new” taxes, bureaucracy can always invent new ways to squeeze juice out of lemon pips (seeds)…

My previous Swiss bank provided RSA hardware tokens for several years.
Then RSA changed their long-term licensing charges - and later in the same year were hard hit by a hack. Paying so much for hacked security is what not only banks thought…

My 2 cents
Andy

Fun fact, you are never really secure

Interesting, I won’t carry a smartphone with me anymore. However, here’s my solution to the 2FA. I have a WireGuard server I control physically. WG clients on the smartphone at my home, my laptops, etc. There’s a VNC client for Android. When I need to get to my smartphone, I just VNC to it from wherever I’m at, so long as I have a connection. Works fine. So far, no issues. The phone is always at a known location, and so far as they can tell, because of the VPN, I’m with it. Works like a charm.
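A concrete version of the hub-and-spoke setup described in the post above, as an added example that is not the poster's own configuration: the WireGuard hub's wg0.conf with the two peers, plus nftables rules so that only the laptop can reach the phone, and only on the VNC port, over the tunnel. Keys, tunnel addresses and the VNC port are placeholders or constructed values.

```ini
# /etc/wireguard/wg0.conf on the home hub (constructed example; keys and addresses are placeholders)
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
# Forward between tunnel peers only for laptop -> phone VNC (TCP 5900, constructed port)
# and the matching return traffic; drop every other peer-to-peer flow through the hub.
PostUp = nft add table inet wghub
PostUp = nft add chain inet wghub fwd '{ type filter hook forward priority 0; policy accept; }'
PostUp = nft add rule inet wghub fwd iifname "wg0" oifname "wg0" ct state established,related accept
PostUp = nft add rule inet wghub fwd iifname "wg0" oifname "wg0" ip saddr 10.66.0.10 ip daddr 10.66.0.20 tcp dport 5900 accept
PostUp = nft add rule inet wghub fwd iifname "wg0" oifname "wg0" drop
PostDown = nft delete table inet wghub

# Roaming laptop: the only peer allowed to originate a VNC session
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.66.0.10/32

# Phone left at home running the VNC server; keepalive so the hub can always reach it
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.66.0.20/32
PersistentKeepalive = 25
```

The phone's own WireGuard client should route 10.66.0.0/24 via the hub and nothing more, so a stolen laptop key still only yields one VNC port rather than the home network.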

But then, how do you receive or make a call when you are away from your phone?

It’s freeing not being tethered. The phone doesn’t command my attention anymore, and it waits with messages and missed calls when I get home. Works well for me.
