19
Jun 20

Turn on MFA Before Crooks Do It For You

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident.

As a career chief privacy officer for different organizations, Dennis Dayman has tried to instill in his twin boys the importance of securing their online identities against account takeovers. Both are avid gamers on Microsoft’s Xbox platform, and for years their father managed their accounts via his own Microsoft account. But when the boys turned 18, they converted their child accounts to adult, effectively taking themselves out from under their dad’s control.

On a recent morning, one of Dayman’s sons found he could no longer access his Xbox account. The younger Dayman admitted to his dad that he’d reused his Xbox profile password elsewhere, and that he hadn’t enabled multi-factor authentication for the account.

When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account. When they went to turn on multi-factor authentication for his son’s Xbox profile — which was tied to a non-Microsoft email address — the Xbox service said it would send a notification of the change to unauthorized Gmail account in his profile.

Wary of alerting the hackers that they were wise to their intrusion, Dennis tried contacting Microsoft Xbox support, but found he couldn’t open a support ticket from a non-Microsoft account. Using his other son’s Outlook account, he filed a ticket about the incident with Microsoft.

Dennis soon learned the unauthorized Gmail address added to his son’s hacked Xbox account also had enabled MFA. Meaning, his son would be unable to reset the account’s password without approval from the person in control of the Gmail account.

Luckily for Dayman’s son, he hadn’t re-used the same password for the email address tied to his Xbox profile. Nevertheless, the thieves began abusing their access to purchase games on Xbox and third-party sites.

“During this period, we started realizing that his bank account was being drawn down through purchases of games from Xbox and [Electronic Arts],” Dayman the elder recalled. “I pulled the recovery codes for his Xbox account out of the safe, but because the hacker came in and turned on multi-factor, those codes were useless to us.”

Microsoft support sent Dayman and his son a list of 20 questions to answer about their account, such as the serial number on the Xbox console originally tied to the account when it was created. But despite answering all of those questions successfully, Microsoft refused to let them reset the password, Dayman said.

“They said their policy was not to turn over accounts to someone who couldn’t provide the second factor,” he said.

Dayman’s case was eventually escalated to Tier 3 Support at Microsoft, which was able to walk him through creating a new Microsoft account, enabling MFA on it, and then migrating his son’s Xbox profile over to the new account.

Microsoft told KrebsOnSecurity that while users currently are not prompted to enable two-step verification upon sign-up, they always have the option to enable the feature.

“Users are also prompted shortly after account creation to add additional security information if they have not yet done so, which enables the customer to receive security alerts and security promotions when they login to their account,” the company said in a written statement. “When we notice an unusual sign-in attempt from a new location or device, we help protect the account by challenging the login and send the user a notification. If a customer’s account is ever compromised, we will take the necessary steps to help them recover the account.”

Certainly, not enabling MFA when it is offered is far more of a risk for people in the habit of reusing or recycling passwords across multiple sites. But any service to which you entrust sensitive information can get hacked, and enabling multi-factor authentication is a good hedge against having leaked or stolen credentials used to plunder your account.

What’s more, a great many online sites and services that do support multi-factor authentication are completely automated and extremely difficult to reach for help when account takeovers occur. This is doubly so if the attackers also can modify and/or remove the original email address associated with the account.

KrebsOnSecurity has long steered readers to the site twofactorauth.org, which details the various MFA options offered by popular websites. Currently, twofactorauth.org lists nearly 900 sites that have some form of MFA available. These range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Tags: , , , ,

83 comments

  1. Sadly many banking institutions still don’t offer more than a login / password approach. Oh, and the infamous 5 questions which are more of a scotch-tape over the gaping wound.

    I’ve contacted two of mine (both US credit unions) but they apparently go for the cheapest hosted security they can get.

    Other banking/CC operations use a phone/TXT 2FA which is ok (lower case ok).

    We need a critical mass of customers and companies to insist on some form of physical 2+fa.

    • Don’t answer security questions with real answers. Answer them with random BS. Or mix up the answers. Make them completely unrelated to the question and more than one word answers. Just of course log what you had them set to.

      Friend at work told me this and I facepalmed how simple it was.

      • I do this, as a rule (and save my random BS answers in my password manager) but, interestingly, Chase won’t let you do that. THEY define the security question responses based on information they already know about you. To “rip’s” earlier post, it may seem ironic that banks have the worst security protocols but it isn’t – they are designed for their own convenience, not for yours or for your security. They still use old tools and old-school processes and they are very slow to change.

    • I contacted my credit union multiple times about supporting FIDO2, Yubikeys and/or TOTP. Even talked to the head of IT about it. Was told they already offer multi-factor authentication by asking multiple questions.
      Sad how clueless some IT ‘professionals’ are.

      I wonder if the fact that my email is more secure than my bank account and they were notified their security was inadequate will help me in court should I need to sue them when my bank account is hacked.

  2. Daniel Bourque

    With some sites, you can only link phone base device. When travelling and changing SIM card, SMS are out of the picture since your phone number change (no, Google virtual phone number are not available in Canada). Other then physical token, what are the options? What can I do if my phone / Token are lost?

    • They should generate offline recovery codes which you can print.

    • Lets be clear. Any security system or for that matter most ‘procedures’ can be applied to a majority of population. If you are flying so often the your use is different. A vast majority of humans do not fly/travel often.

    • Use a dual-SIM phone or at worst, carry an old “brick style” feature phone with you to put your home SIM card in just to receive SMS messages?
      Nice thing about this ancient protocol is it just works even on the oldest of phones and with international roaming switched off so as not to incur costs for calls/data.

  3. 2 Factor gives the false impression of protection but it only works if a lockout is deployed.

    Of course lockout results in a denial of service and can be deliberately triggered which is its flaw and this story highlights the difficulties that are presented when this occurs.

    If users can revert to their primary logon to avoid such lockouts as they can with Microsoft and most others then this negates the benefit of 2 factor because it means accounts can be taken over.

    This is true even if 2 factor has already been implemented. It also highlights the futility of such ridiculous systems as backup passwords which can be phished in any case.

    The key issue as highlighted in this article is the use of commonly known characters for passwords. Among other things using commonly know characters allows for password duplication which this article highlights are exploited by attackers.

    I have designed a system that prevents password reuse, prevents phishing of passwords, prevents malware based hacking and brute force attacks and I have been writing in the comments on this site about it for more than 10 years but it always seems to fall on deaf ears of so called industry experts.

    • I’m interested in what you have done. Can you tell me more. I always promote innovative approaches to enhance user security, particularly when they are low friction.

        • I’m not persuaded by the Armorlog video, which is mostly marketing claims with little technical depth, that it really is a better, proven solution. To be taken seriously, Armorlog needs standardization, peer review, and security audits by independent experts.

        • Then it looks like the rough equivalent of two five letter alphabetic key insensitive passwords (5 * 1/24 signs) (depending on implementation it could be equivalent to a ten-letter pw, which would better). Not too impressed, I gotta say. Making the letters a small set of pictures and garbling them for transfer doesn’t add a lot of security…

      • I have the answers to your problem call me

    • > lockout results in a denial of service

      Not true with many providers.

      > If users can revert to their primary logon to a

      Not true with Google/Apple/Github/

      Of course your bank may do it.

      • All the vendors you listed use email as the primary basis for authentication and my statements are correct for these vendors.

        If lockout doesn’t result in blocking access to service then its not a lockout as required under the compliance guidelines in multiple jurisdictions around the world.

        The key is to have a lockout that can’t be triggered by a hacking attack or maliciously triggered to prevent accidental or deliberate lockout.

        None of the vendors quoted here have any such protection.

        • “The key is to have a lockout that can’t be triggered by a hacking attack or maliciously triggered to prevent accidental or deliberate lockout.”

          Read that very carefully.

          If lockout doesn’t happen when someone tries to hack with a brute force…. what’s the point?

          If anyone claims they can 100% guarantee no false positive lockouts, then they are selling snake oil.

          Besides lockouts, many places do throttle brute force attacks. They can also blacklist source IPs to slow down attackers.
          But this can only slow them down.

    • Sounds more like a scam than an actual security solution.

      No wonder nobody is using this Multilevel scheme, let alone taking it seriously.

      I was seriously baffled when “public keys” were mentioned several times. I’m like, “what are they talking about”. But then realized, whoever came up with this is NOT a security person and has no idea.

      Replacing the character set from the “publicly known” set…. is a ridiculous idea that falls under the “security through obscurity” term for this nonsense.

      Lockout is one problem that affects MFA and single factor as well. There will always have to be a lockout remediation, regardless of the authentication model. Armorlog doesn’t solve this either.
      Any authentication model will have to fall back to a previous method after lockout (whether forgot password or lost device, or both). Usually the fallback is to the original identifying method during signup. That is usually email. Sometimes, that does involve calling and answering KB questions. It really depends how the system first created your account and how it first trusted you.

      In my opinion, dump this nonsense, and don’t trust anyone who purports to “roll their own” without extreme 3rd party independent scrutiny and transparency.

  4. “Email, SMS and app-based one-time codes are considered less robust from a security perspective[…]”

    Brian, app-based one-time codes (TOTP) like Google Authenticator are the best solution.

    Please don’t put them in one line with SMS/phone call.
    (SIM swap).

    Certainly not with e-mail, which is the worst option if you don’t have 2FA on your email.

    If you have a malware on phone/PC you already lost.

    It’s a shame that twitch.tv asks for your phone number using Authy but is not using Google Authenticator (which doesn’t need phone number).

    • Finally, a mention of existing malware. This seems to be ignored by everyone I talk to about 2Fa. I’m told to get a new apple ID and change my passwords. The problem is the device is already compromised so 2fa is useless. How did it get compromised? From a computer that was compromised. How did that get compromised? From a previous phone, and keep trailing that back in time until you find who may have been able to install something, maybe years ago. Victims of stalkerware aren’t victims on only their current device. They just realize it. If victims have a “secret'” phone number and use it for 2fa….then all this advice makes the situation worse.

    • @Arc
      Amen. Well said.
      Push-based authentication with a *proprietary* app (e.g., Duo Security) is actually *less* secure than a FOSS TOTP/HOTP authentication app, but then FOSS projects don’t buy ads.

  5. I am leery of providing mobile phone number to Facebook and Netflix because I don’t trust them and I suspect they are frequently attacked by would-be hackers. But they require mobile numbers for multi-factor ID.

    • Not sure about netflix but you can use a OTP/QRCODE without any phone number for facebook.

  6. Jakub Narębski

    I have had my old Steam account (with no games, and no cash nor bank account connected) hijacked/hacked because of password reuse.

    I have not enabled MFA, but fortunately hackers didn’t either; so I was able to delete the account (used for cheating in games) and create a new one. However Valve / Steam didn’t notify me when they have had enabled MFA on the account; it was not present when I created this first account.

  7. The Sunshine State

    Their should be a recovery email account tied to the two factor authentication that is locked into the account and can’t be changed. The only purpose is to be used only used for circumstances like this as a one time use . After that the whole account needs to be reset with a new 2FA setup and recovery email.

  8. Do you have an article that explains what the symbols in the twofactorauth.org database mean?

  9. PattiMichelle

    It’s been a little “odd” watching KoS over the last 5 – 10 years… first TFA was very important, then it was poo-pooed (because SMS wasn’t secure and sim-swaps) and now it’s back to being a necessity (per this article). I guess this is because the 10-years-ago, presumed, improved-technology has just not appeared. And I think *that* is probably because increasing security-tech-complexity is difficult to implement *and* maintain in a world where the globalized economy is so fragile.

    • PattiMichelle

      (…meaning investing in new complex infrastructure is not financially attractive in the short time-horizon of CEO’s, etc.)

    • I don’t believe I’ve ever tried to tell people they shouldn’t use multifactor authentication. My stories about the SIM swapping epidemic have been about raising awareness that multifactor by SMS is not a great option because so many critical sites allow password resets just by receiving a link via SMS. These reports have always encouraged people to use the strongest form of mulitfactor available. Unfortunately, in many cases that is ONLY SMS.

      • Totally agree. SMS 2fa is 100% better than no 2FA. Clearly using FIDO or other strong 2FA methods is preferred, but SMS is so much better than nothing.

        • Wish I could borrow this as my signature. Thanks

          SMS 2fa is 100% better than no 2FA. Clearly using FIDO or other strong 2FA methods is preferred, but SMS is so much better than nothing.

          • What if you don’t have SMS? I tried setting up Snapchat but I could never get past that last hurdle of receiving the code to put into the computer to activate it. If they would send it as a voice message my wall phone could receive it. I have a system cobbled together using Google’s phone that barely works. You are expected to own an iPhone or other smart-phone. If you don’t have the phone how do you rig up the desktop to receive an SMS? Any advice would be illuminating.

            • Thanks for bringing this up, John O’Grady. I have an old-style flip phone and I have to pay for every text message. Emailed codes are (usually) only a minor irritation, but at least they’re free.

  10. …duo is the way to go, sadly not everyone supports the push approval, so i have a mix of token (google titan), sms text, at least two other authenticator apps, etc…

    • Duo and other Push2Accept (P2A) methods are good mechanisms for second factor. BUT, stupid people do stupid things, and may people just press “accept” when they get the push notification. I wish the industry would move to Symbol/Character to accept. The user is prompted with a list of four or so symbols/characters and has to select the right one (as displayed on the app they are logging into) in order to Accept . this prevents the robotic “accept” that many stupid users do.

      • And what a wonderful patent it is 🙂

      • WilliamDeRieux

        So you mean a type of (re)captcha.

        [service]: Please select the tiles that only contain cars….
        [robot]: [neural network is humming] click, click, click….
        [service]: Welcome.

      • …anyone that accepts that is not logging in is an id10t…

  11. Another lesson from a side story in this story where his kid’s bank accounts were being looted. When using gaming or shopping sites, never, ever give them your checking or other bank account information. And don’t use a debit card either. Always use a credit card. If someone hacks in and gets your credit card info, it is a pain in the neck but fairly easily resolved (deny the charges and cancel the card). But that hassle is nothing compared to resolving the problem when your checking or savings accounts have been drained by one of these crooks. You will be working with your bank for weeks trying to get your money back – and there is a good chance you will never see your money again. Meanwhile you have lost the money you use for your rent and groceries.

    Further, if someone has gained access to your bank account through one of these sites, don’t waste time trying to deal with Microsoft to get passwords back. As soon as you become aware of the problem, immediately contact your bank and have your accounts frozen (if they give you a problem freezing your accounts – jump in the car and go down and withdraw all your money now). Now, while you work trying to get your access back to your email, gaming or shopping site, at least the crooks won’t be able to continue spending your money.

    In response to a couple of comments I see here, if your bank doesn’t use MFA (or at least 2FA) on it’s site, you should seriously consider looking for another bank to do your business with.

    • Couldn’t agree more. And consist getting an ATM-only card instead of a debit card for bank accounts.

      • @TimH
        A much bigger problem than a debit card is ACH transfer, because most banks won’t give consumers the ability to approve or block ACH transfers. To protect yourself open a 2nd account for payments, disable overdraft protection, and only keep minimal funds in it.

  12. The average person is far more likely to get locked out of their account by enabling MFA and then losing access to their device/number and backup key, than they are due to someone else taking over their account.

    Nightmare waiting to happen.

    • There is absolutely zero data to support that, infact the data is to the contrary. The average person is far less likely to ‘lose’ a phone number or mobile device than forget just a password. Google it.

      • You must never have had a boatload of tokens stored in Google Authenticator and had your phone die (tokens aren’t backed up at all so only exist on the phone). Seeing that happen made me a devoted Authy user.

        • False. You can copy the TOTP token (some sites do not print it sadly, only QR code) and use it on MULTIPLE devices!

          If the site do not print it just scan the QR code with ordinary QR scanner app (not the auth one) and note it and keep it SAFE. If in need you can reenter it on any device in the same app. Just beware, if someone gets on that token you are in trouble.

          I use that method on my “2nd, better half” phone. So we are backed up 🙂

          In Google Authenticator app you can import/export all your tokens.

        • Automatic backups are a double edged sword.

          It is a favorite of attackers to simply go after your cloud backup, rather than try to steal a phone in the real world.

          Even backing up to a file on the phone’s file system to manually back it up, is dangerous. Once a file is outside the app container, it is exposed to other apps on the phone. So if you’ve got rogue app, that doesn’t have root, it can get the backup file.

          You could encrypt backups, but then you should be protecting that with 2FA.

          Authy backups to their cloud are good…. But I’m sure they are a high level target. However, to restore from a lost phone, it’s only protected by the single factor backup password and SMS code.
          So… that could be a problem.

          It is probably best to just archive the original OTP secrets in a local password manager, protect with 2FA like a yubikey, and store yubikey in a physical safe.

          • Nobody said anything about automatic backup of tokens.

            If you ever used it you’d knew that for exporting tokens you need to give your phone PIN and it’s one time export PHYSICAL operation using QR code image. This is also under strict action logging.

            Please don’t scare people and tell then not to do backups because of some crocks that can leverage it somehow. Too much FUD.

            • I was replying specifically to Rick regarding Authy, not you Arc regarding Google Authenticator. What makes you think I was talking to you?

              It’s not even the same thing. Google Authenticator “export/import” is not the same as a “backup”.
              It is designed for transferring directly to a new phone. Not even suitable as a “backup” in case of lost/stolen phone.

              In general, people DO need to know what is synced to a cloud service. It has been a huge target in the past, not just for hackers, but also law enforcement.
              And as I mentioned, protecting such secrets with a single factor password or PIN, can be brute-forced.
              If that is “scary” to you, good.
              Too many people have a false sense of security with these products.

              By the way, your accusation that I am telling people “not to do backups” is undercut by my last paragraph, when I write about how to do backups.

  13. Michael Schlachter

    It’s a pipe-dream to expect users to do this to the point of saturation, and even then, all you are doing is hardening the defenses of the least vulnerable users.. i.e. the tech savvy. Additionally, exfiltrating even more personal information in the form of 20 questions is just making it worse. Now the first breached service has your fathers middle name.
    I consider this a failure of the security industry itself.
    All these solutions absolutely suck. We need something fundamentally better.

    • @ Michael Schlachter ; you said, “Additionally, exfiltrating even more personal information in the form of 20 questions is just making it worse. Now the first breached service has your fathers middle name.”

      Not really because when it comes to security questions NEVER answer them truthfully but instead have a passphrase (I suggest one uses ‘Diceware’ which is truly random) or complex password there instead. so it’s sort of like a backup password 😉

      one can even write this info down and store it in a safe location.

    • Unless Wonder Woman’s Lasso of Truth compels you to answer the security questions truthfully, just make up some BS and use your password manager to store the fake answers.

      High School Mascot: T. Rex
      First Car: Model T Ford
      First Job: TS Mother F*ck*ng A

    • I totally agree with this, we need something fundamentally better.

      The only thing I can think of is to generate the password for the users when they sign up for an account.

      I know this is controversial to some but think about it. You can only use the internet with a web browser and every web browser saves passwords for you and fills them in too. No more fiddling around with password requirements. No more worry about password reuse and credential stuffing attacks would be pointless. If a user forgets their password they can reset it like they would any account through email.

      Passwords need to be stored, not remembered or you end up with people reusing passwords. I mean, we don’t remember phone numbers anymore because of an app on our phone so why not do the same with passwords?

  14. I had to disable 2 factor authentication on one site because they sent more than 10 numbers. There was a limit on the number of authentications. The site asked for too much personal information to recover my account. I regained access by embarrassing them on their own public user forum, I agree that 2 factor identification can become a nightmare.

  15. Definitely becoming more important to have this extra safeguard. It’s unfortunate that many sites still don’t have it as an option.

  16. Sadly, these reminders are still very much warranted and you are one of the few to keep up the advice stream. These are the articles I send to family and friends to remind them to be safe.

    This article guarantees another year of support from me for your invaluable work.

  17. Problem I have with text based 2FA is that I’m out in the woods and there’s no cell phone coverage here. Sending me a text won’t work, it shows up the next time I’m in town, which may be three days later.

    Not everywhere has 24x7x365 mobile phone service.

    • Vasanth Balakrishnan

      Do you have a land line or internet service? You can use the landline POTS or VOIP service (Google Voice) to receive an automated call with an OTP for many solutions, as long as they are not SMS-only MFA.

      • Sometimes they won’t let you use the SMS option on your VOIP account. “This number is a landline and can’t accept SMS messages.” My left foot…

  18. I like the way my credit card companies, and my bank do 2FA. As long as your “signature” doesn’t change, you can do an ordinary log in; but if anything changes, like your browser, location, IP address, changes; then 2FA is forced; this way you don’t always have to go through the trouble. Of course if you device is pwned that won’t help, but if you are pwned nothing with help anyway!

    • It is possible to validate transactions to prevent fraud even if networks are compromised. This is done by having device independent unique access keys created by the user that are encrypted and not even known to the network owner. These can be used to validate transactions at time of execution. The problem with persistent states is they can be hijacked so it is important to call for authentication to validate a transaction at time of execution. Designers of 2fa try to do this but the problem is their validations can be compromised because they are device dependent.

      • The attackers who were trying to compromise my bank and credit accounts, seemed pretty sophisticated, but we still defeated them. I shall forward your concerns to my institutional security teams. Thanks.

  19. I’d like to see more use of tokens. They can have my phone number once it becomes a felony for businesses to sell, rent, loan, or exchange the number with any other business or to use it for any purpose other than authentication.

    Since that won’t happen, my number stays private. I’d like the convenience but I don’t trust any businesses anymore. They keep losing their databases to the hackers because they just don’t care.

    • This.

      I’m generally ambivalent about 2FA, as in one thing you know, one you have – well, it sure is safer, unless you don’t have the thing you’re expected to have, for example because your phone got lost or taken. Then you’re cooked.

      But still, I just tried to setup 2FA for a secondary GMail account, fully expecting it to support Google’s own Authenticator app. No such luck. They want my phone number, or my address. Under “more options”, there’s also the choice of being sent a prompt to a Google app on your phone that you’re logged in to.

      I don’t have any Google apps on my phone that require login, and don’t want any. Too bad for me, it seems – Google will only play ball if I give them my data. Not going to happen.

      I lost my Facebook account for the same reason. Firstly, I wasn’t using my real name, but getting away with it for a couple of years. Eventually, they asked me for my phone number at login. I didn’t supply it, they didn’t let me login. After a couple of iterations, the cancelled my account. A couple of months later, there was a pretty big leak of user phone numbers from Facebook.

      My banks have my phone number, but most of them don’t use them anymore, but rather require their customers to use their app to authenticate. Which brings me back to the start: if I lose my phone, I’m cooked. Still looking for a good solution to the problem.

      • @Ozi
        With respect, you’re trying to have your cake and eat it too,
        to authenticate while remaining anonymous,
        and “that dog don’t hunt.”
        The essence of authentication is to authenticate,
        which means you have to prove who you are.
        If you don’t want to give out a permanent phone number,
        then buy a cheap prepaid burner phone for cash
        that you use just for authentication.
        If you can’t be bothered to do something like that,
        then you don’t really care about privacy and security.

        • @John Navas

          How so? What would that solve?

          I’m fine with Google Authenticator in principle, by the way, but for some reason, Google isn’t. I’m aware that Authenticator isn’t necessarily anonymous, but it seems like an acceptable trade-off. (Assuming Google isn’t using that to track my location, etc.) And I don’t see how giving them my phone number or/and address would be better.

          Burner phones are illegal in my country. They have the same problem, though: if you lose the phone, or it is taken, then “the thing you have” is gone.

          Are you saying this is not a valid concern?

          I quite like what @HelperBoy wrote at 2.41am:
          https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/#comment-511820

          As in there *is* a way to recover from not having the thing you’re supposed to have, but only in a way that would thwart most attacks. That, again, would require the service providers to put in some effort.

          I’d be tempted to say “if they can’t be bothered to do something like that,
          then they don’t really care about privacy and security.” And find that a much more reasonable thing to say than what I quoted this from.

        • No, authentication to an account is proof of ownership, not proof of identity. Different things.

          And as to your harsh conclusion…
          Do you only use a key to unlock your apartment? ’cause if so: “then you don’t really care about privacy and security” … your words.

          I’d say you should be granted to keep personal information from companies (who repeatedly lose and/or sell it) and still have a right to exclusive access to the services they offer.

  20. The real issue is not look what happens because you did not turn MFA. It is rather look what happens when companies implement MFA in a bad way.
    First, when you open the account, the company must force you to pick a strong password.
    Second, once you login they must force you to pick your non-MFA recovery options: at least a secondary email address and 3 or more security questions.
    If you want to change your secondary email you must answer the security questions. If you want to change your security questions, you must answer at least 1 and provide an OTP sent to your secondary email.
    You can only change your password if you did not change your recovery options in the last 30 days. If you change your password you cannot change your recovery options for the next 30 days.
    Now, if you want to turn MFA you can only do it if none of the above was changed in the last 30 days.

  21. If you are not comfortable with using 2FA for any reason, make sure that you use complex password individual per site. Use password manager to store them and protect password manager with hardware key.
    2FA especially with app that you need to retype code is often pain the back.

  22. william armstrong

    metro By T-Mobile uses 2FA when accessing the account they are part of T-Mobile and they only ask for the code when calling customer service and the codes are only sent to a Metro By T-Mobile number only

  23. it is also helpful to never use a ‘standard’ or re-used password. I recommend using something like LastPass or it you are a Google fan – and save your passwords in Chrome, then you can right-click on the password field when setting up an account and then select ‘suggest password’. Many people are fearful of forgetting passwords, but they shouldn’t. Worst case, just click on ‘forgot password’ and reset. Good point of an earlier poster that suggested long unrelated phrases for responses to security questions. – – Absolutely, though, set up MFA on your core email account that all recovery will go through. Google and Microsoft make very easy to use MFA apps for your phone.

  24. One thing that can help for e-mail is to use an e-mail service that allows you to add at least one alias.

    Set up your e-mail with one username but never use that e-mail to send or receive e-mail. Just use that to sign on and off.

    Create an alias and use the alias to send and receive e-mail.

    If someone tries to target your e-mail, they will be trying to log on using the alias instead of your actual mail.

    For example, on protonmail, you could sign up with “elephantcurry@protonmail.com”. Then add an alias of “tyrotoxism@protonmail.com” and use that to send and receive e-mail. If anyone attacks in a targeted attack, they will be trying to guess the password for tyrotoxism@protonmail.com, not elephantcurry@protonmail.com.

  25. “you should enable MFA”; “Nah, if my bank account gets hacked I’ll get my money back”; “If your x-box account gets hacked you could be locked out for ever”; “OMFG, show me how to enable MFA NOW!!!!”
    It’s all a matter of priority

  26. It would seem that twofactorauth.org that Brian links to doe snot give the full picture or maybe some verndors do not offer what they list there in all markets?
    Twitter and Dropbox being two entities that come to mind, whrere I could not choose a 2FA that this website lists.

    Twitter only does SMS, not hard or soft token, despite the overview, at least on this side of the pond?

    Also, the provider of, historically, my main email address, started to offer 2FA and I signed up immediately upon learning about it from an IT newsletter. The provider himself never adverised this vital piece of added security to me 🙁 Way to go in makring customers aware of their option.

  27. 2FA is all fine and dandy until you loose access to the device by theft, breakage, or replacement. My experience with a virtual private server on Godaddy taught me to never use one of the 2FA apps (Google Authenticator or Authy) unless I have a backup way of accessing the login. To make a long story short, when I swapped phones, Google Authenticator did not register correctly with WHM on the VPS. $85 and a couple of weeks later, Godaddy was able to remove 2FA from the account. The moral of the story is don’t screw yourself!

  28. Bank Of America: “MFA? Never heard of it. Is that that mixed martial arts thing in the cage?”

  29. 2FA, I enabled on Steam. My verification was via the Google Authenticator. I have fi.google as my phone service. My phone, broke beyond repair and I had not thought to store the authenticator token from Google Authenticator prior. I had to get a new phone, it took about a week for me to work this out with numberous calls and emails to steam. They were polite and helpful but still took a bit. It left a sour taste in my mouth. I’ve worked at AOL where we had a “fob” for lack of a better term that issued psuedo randomns for 2FA to log in at work, that was VERY effective. At least until said “fobs” run out of battery life and go blank. Then it takes quite a lot to get things back to normal.
    I would prefer to see a 2FA that sends a question, via email or SMS, my response generates a unique hash to the question regardless of how I chose to answer and then the far end sends an encrypted form of the hash back as a public token that coupled with a private type key on my side make the key pair much as PGP or now GPG did/do. Then I could store that on a USB stick take it to any computer or terminal type and recover using THAT key. Email is not secure unless you encrypt it. SMS is not secure either. Hats off to the post about using false info about the personal data for authentication. I have employed that for a long time. Most of my personal data that had any security value was compromised in the OPM breach.

  30. Timothy Moulder

    Correct me if I am wrong, but from what I have read, SIM Swap attacks are only possible if you have 2-factor authentication enabled?

    Seems like you are trading one set of known risks for another.