Currently, my accounts use a mix of SMS two-factor authentication and TOTP apps like Google Authenticator and Symantec VIP. I certainly recognize the possibility of someone hijacking my mobile phone account and why TOTP apps are more secure (for more background, see this recent thread for example: viewtopic.php?f=11&t=227649).

My question is: One thing I _like_ about SMS two-factor is that if some bad guy happens to get my username and password and makes an initial attempt to log in (assuming he hasn't taken over my phone account), I will get a text message with the two-factor code. In other words, if I get such a message without actually trying to log in, it's a pretty obvious sign that someone is trying to access my account. I can then immediately change my password or call the bank/institution, or take some other action.

On the other hand, with TOTP two-factor set up, I would never get a notification that someone is attempting to access the account. Once the "bad guy" sees that a TOTP code is required, they can then decide to call the bank/institution and use some social engineering to bypass the TOTP requirement, with plenty of time to do so, since I will not know anyone is trying to access the account.

It's too bad that Authenticator (or VIP or whatever app) doesn't have a way to send notifications to the user when someone tries to access a protected account. Has this thought occurred to anyone else? Or am I just wrong to think that this is a drawback of the TOTP apps? Any ideas?

(BTW, I had to reset my phone back to factory defaults some time ago - I called Fidelity to "reset" my VIP access, and it just took answering one very simple-to-guess security question for them to reset the VIP access. Sure, I was calling from the phone # associated with my account, but it was still surprisingly easy to bypass the TOTP security.)

Fidelity now has voice authentication, so a stranger claiming to be you should get detected.

I called in one time and the rep said the VA wasn't working because he was having "computer problems", then asked me a security question that anybody with any level of personal knowledge would have easily guessed.

It's not really Authenticator's job, though - plus how would an app installed on your phone even know that someone else tried to log into your account?

Take Microsoft's Authenticator, for example. When you take some action (login or otherwise) that requires a second factor, the Authenticator app issues a notification that identifies the transaction with a code like KQXPL and asks you to accept or deny. Click accept on your phone, and you're logged in on the PC.

Even when that tech is present, you can still use the TOTP token on the device, even if the device is offline and can't receive the notification. Entrust can do something similar, and their tech can be rolled into other people's native apps.

I seem to recall that anytime I call Fidelity, they ask for something beyond a garden-variety security question. But I admit, I haven't been thorough about keeping track of this.