Questions tagged [multi-factor]
Multi-factor authentication requires at least two independent factors. This is typically something you know (e.g. a password) and something you have (e.g. a token generator or mobile phone), but could also be something you are (a biometric).
743 questions
0 votes · 1 answer · 103 views
How could Telegram OTP password be compromised / hacked?
How could Telegram OTP password be hacked?
My timeline of Telegram hack attempt today:
xx:xx Login attempt?
00:47 OTP code in Telegram
00:47 OTP code in SMS to associated mobile
00:48 incomplete login,...
0 votes · 0 answers · 40 views
Can I rely on my backup codes to remain valid indefinitely?
GitHub recently reminded me to save backup codes to avoid losing access to my account. I wrote down my codes a few years ago and haven't taken further action since. However, I'm now wondering: do ...
9 votes · 5 answers · 4k views
Why don't we use HTML password input fields for usernames and 2FA codes in the front-end of web applications?
When entering a username and password on a web application I have always wondered why the username often equals personal email address (which is often known or easy to guess or find). A random ...
1 vote · 1 answer · 52 views
Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?
Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. ...
1 vote · 1 answer · 91 views
Do CI/CD pipelines in Azure DevOps require a dedicated user without MFA?
During security audits I've seen several times that DevOps made a 'special' user account for CI/CD pipelines, especially when using Azure DevOps. Often this user is the only user where multi-factor ...
1 vote · 0 answers · 17 views
How is Google's phone policy more secure? [duplicate]
Sometimes when you try to log in to a newly-created Google account, Google will block your log-in attempt saying "We've detected unusual activity on the account that you're trying to access,"...
1 vote · 1 answer · 74 views
Circular dependencies in email recovery
My question is about the security of having "circular dependencies" in email recovery. I.e., is option 1:
[email protected] -> [email protected] -> [email protected]
better than option 2:
[email protected] -&...
1 vote · 2 answers · 360 views
What's the safest way to store a 2FA/MFA secret key in a database?
I try to implement a secure user login in my .net application. The first password is hashed with argon2id. The salt and the hashed password is stored in a database. SSL encryption and HttpOnly Cookie ...
1 vote · 0 answers · 34 views
Do I need to add TOTP 2FA for Facebook and mobile number logins in my app?
I’m adding 2FA to my app and have set it up for users who have registered with email. I also have users who log in with Facebook and others who use their mobile number.
Should I also add TOTP for ...
1 vote · 0 answers · 161 views
Is using a VOIP number for 2fa safer or less safe than using a cell number?
I have dedicated a VOIP number for 2fa use. What are some reasons why it would be safer or less safe than using a cell phone?
I am using a number from didforsale.com. They forward all SMS messages to ...
1 vote · 1 answer · 151 views
Is receiving login codes you didn't ask for a security concern? [closed]
In the last few days, I received emails from Microsoft with login codes.
AFAIK Microsoft login works without password but with sending those codes to an alternate email.
In this email, Microsoft ...
0 votes · 0 answers · 43 views
Is MS number-matching MFA still amenable to bypass in this scenario?
On August 2, 2023, the Microsoft security blog presented this scenario, in which the protection normally afforded by number-matching MFA on MS Authenticator can be thwarted:
In this activity, ...
9 votes · 3 answers · 1k views
Passkeys: MFA or not?
According to different pages (e.g. OneIdentity, also a Google Security source I can't find anymore), using Passkeys does count as Multi-Factor Authentication. To my understanding, they argue that the ...
1 vote · 1 answer · 137 views
How effective is re-entering your password to enable high-risk functions on your account when autofill is always available?
Websites ask for passwords to ensure you are the account owner before you make changes to high-risk settings, but autofill works all the time, even when the browser is in Incognito mode.
If someone ...
0 votes · 2 answers · 111 views
Is the following considered 2FA?
user has a verified email in system A
user has a verified phone number in system A
user's authentication method in system A is out of scope in this question, but it is password based
security measures ...
1 vote · 0 answers · 108 views
Attack against MFA: attacker triggering MFA prompt at the same time user is doing a legitimate transaction requiring MFA
Is there a name for this kind of attack against Multi-Factor Authentication:
Attacker is in possession of a user login and password, and is able to trigger a transaction or login which requires MFA ...
4 votes · 1 answer · 562 views
How important is HOTP/TOTP secret key security?
I'm prototyping an application that generates MFA codes. For developer simplicity I'm storing source data in clear text in Google Authenticator URI format (ex: otpauth://totp/totp@authenticationtest....
0 votes · 0 answers · 77 views
How to make SMS-based 2FA safer?
This is a problem that many of us face: A surprising number of financial institutions' websites offer additional authentication only via SMS and/or phone call. But I will refer to my situation ...
0 votes · 1 answer · 313 views
Do 2FA Codes on the same device defeat their purpose? [duplicate]
I have my iPhone connected to my MacBook and receive SMS codes on my computer, which is very convenient. I also recently learned you can have an authentication app on your MacBook too. I just wonder ...
-1 votes · 1 answer · 148 views
What 2FA should I use for my website login and what are the risks of 2FA?
Now I know this website is not for asking for specific software recommendations, but for my website for work purposes (as mentioned in another question,) I feel I need a more secure login protocol ...
0 votes · 0 answers · 28 views
Why is selecting a code in banking app necessary for MFA? [duplicate]
At my old bank, logging in via a browser required that I open their app on my phone and tap a button to authenticate my login.
My new bank is very similar but instead of a single button to click, I ...
0 votes · 0 answers · 26 views
If I'm rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]
My site's users currently do not have any MFA options, but we're planning to release this feature in the near future. We've already built support for TOTP and have it working internally, but some on ...
0 votes · 2 answers · 225 views
In 2FA, why can't the second factor be the computer? [duplicate]
When two-factor authentication is described to me, people always say that it's important for security to demonstrate at least two of 1) something you know, 2) something you have, and 3) something you ...
0 votes · 0 answers · 91 views
What types of attacks can MFA using an hardware authenticator prevent?
I recently looked into the topic of MFA in combination with some hardware authenticator (USB keys like Nitrokey/Yubico) to potentially improve the overall security of my digital daily activities (web ...
31 votes · 2 answers · 5k views
What is the point of entering numbers in the two-factor authentication app?
Nowadays, 2FA apps usually require you to insert a number which you are presented with when trying to authenticate. For example, the following screenshot is from Microsoft Authenticator:
This is ...
0 votes · 3 answers · 1k views
If you don't need a PIN for your card in Apple Wallet and don't need a PIN to use Apple Wallet, how is that safe?
I've just added a card to my Apple Wallet and noticed that I didn't need a PIN. Now since Apple Wallet is apparently already "secure", I don't need a PIN to use it either.
Is this a loophole ...
18 votes · 5 answers · 6k views
How do Yubikeys improve security if I am typically also forced to enable other, weaker 2FA methods?
It is typically recommended to enable 2FA wherever possible. Moreover, it is typically recommended to enable not just any 2FA method, but Yubikeys in particular.
Yubikeys are considered to be the ...
0 votes · 0 answers · 112 views
How does 2FA with biometrics improve security?
Where I work, this is the passwordless registration/login flow for our Mobile App
A user registers with a username and a phone number. An SMS OTP is sent to the phone number to verify it.
Initial ...
0 votes · 1 answer · 119 views
Any tips for organization-wide 2FA enforcement?
I'm hoping to lead my organization (around 15 people, all remote) in overhauling our security practices, and part of that is making sure each team member is using 2FA on the platforms/tools that offer ...
0 votes · 0 answers · 75 views
Secure Passwordless MFA authentication on mobile app
I want to secure my mobile app with a passwordless MFA mechanism.
The registration/login flow would be:
You register your account online with a username and a mobile phone (an OTP will be sent to ...
-1 votes · 1 answer · 101 views
Digital Signatures as an Alternative to TOTP Backup Codes
It seems pretty common for websites to issue a bunch of backup codes for MFA that the user saves somewhere.
Instead, why don't they provide the user with the private key for a digital signature and ...
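The question above takes backup codes as given. For readers who have not implemented them, this is an added example of the usual scheme, written for this page and not code from GitHub or from any post here. Assumptions (mine, not the question's): ten codes of ten characters from a copy-friendly alphabet, displayed once, stored only as PBKDF2-SHA256 hashes with one salt per code set, deleted on redemption, a per-set failure counter for lockout, and no expiry field at all.

```python
"""Single-use MFA backup codes: issue, store hashed, redeem once.

Added example; not code from GitHub or from any question on this page.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o or 1/l/i: survives being copied by hand
PBKDF2_ROUNDS = 100_000  # ~49-bit codes, so hashing must be slow to resist offline attack on a leaked DB
MAX_FAILED_REDEMPTIONS = 10  # assumed lockout threshold per code set


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def display(code: str) -> str:
    """xxxxx-xxxxx grouping for the one-time printout."""
    return "-".join(code[i:i + 5] for i in range(0, len(code), 5))


def normalize(submitted: str) -> str:
    """Accept what users actually type: case, spaces and the display hyphens are ignored."""
    return submitted.lower().replace("-", "").replace(" ", "")


@dataclass
class BackupCodeSet:
    """The record persisted per user. Note there is no 'valid until' field: codes live until used or regenerated."""
    salt: bytes
    hashes: List[bytes]          # one entry per unused code; a redeemed code is deleted
    failed_attempts: int = 0

    @classmethod
    def issue(cls, count: int = 10, length: int = 10) -> Tuple[List[str], "BackupCodeSet"]:
        """Return the plaintext codes (shown to the user exactly once) and the record to store."""
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
        return [display(c) for c in codes], cls(salt, [_hash(c, salt) for c in codes])

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """True and the code is burned; False otherwise. Refuses everything once locked out."""
        if self.failed_attempts >= MAX_FAILED_REDEMPTIONS:
            return False
        # One shared salt per set means one PBKDF2 computation per attempt, however many codes remain.
        h = _hash(normalize(submitted), self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(h, stored):
                del self.hashes[i]
                return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    plaintext, record = BackupCodeSet.issue()
    print("give these to the user once:", plaintext)
    print("first use accepted:", record.redeem(plaintext[0]))
    print("second use of the same code accepted:", record.redeem(plaintext[0]))
```

The design choice worth noticing is that nothing in the stored record ages: whether codes written down years ago still work depends only on whether the site has since rotated the set, which is a policy of the site, not a property of the scheme.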
0 votes · 0 answers · 139 views
Is this a safe setup to prevent email account hack?
I would like to protect a Gmail account from being hacked.
Suppose I use the following approach for login/authentication:
Username, Password
2FA via security stick
the stick is in a place that is not ...
0 votes · 1 answer · 134 views
Why don't operators and CMS developers of discussion forums offer 2FA?
I have now done the tedious work and enabled 2FA for all accounts in my gopass (if the site offered an option).
Some only offer insecure SMS or a proprietary app, or even nothing at all.
What is ...
0 votes · 1 answer · 436 views
Using DUO Mobile for Enterprise (Work) and Personal Accounts
As an avid proponent of "don't mix work and pleasure," I have been using Microsoft Authenticator for personal use, and my company uses Duo mobile for enterprise security. This solution is ...
0 votes · 1 answer · 322 views
What is the benefit of a passkey over using 2FA like Google Authenticator?
At the moment to log into (for example) Paypal I type a password then the code from Google Authenticator. If I understand correctly having a passkey installed on my phone eliminates the password. It ...
13 votes · 2 answers · 2k views
Do passkeys allow an attacker to gain account access by accessing a single device?
Some companies such as Github suggest passkeys replace both passwords and 2FA:
passkeys satisfy both password and 2FA requirements
Github thus allows logging in with a passkey without any second ...
1 vote · 1 answer · 188 views
Is 3DS compatible with secure 2FA technologies? (TOTP, WebAuthn)
Is PSD2's Strong Customer Authentication requirement possible to satisfy with secure 2FA solutions, such as TOTP and WebAuthn?
For the purposes of this question, I'm classifying all systems where an ...
2 votes · 1 answer · 405 views
How does google know my iPhone device name?
I have just signed into google using my browser, and google two step authentication has just started. When signing into google on my browser, it informed me that an authentication had been sent to my ...
0 votes · 2 answers · 126 views
Do all sites offer something like recovery codes? [closed]
I've always given two-factor authentication a wide berth because of my experience with it; with Dropbox, for example, they want an e-mail confirmation when I log in, but eight minutes pass until I ...
1 vote · 3 answers · 253 views
Is using TOTP from Authenticator app on a mobile device instead of passwords inherently 2FA?
A related discussion can be found, specifically addressing the security implications of using only TOTP for single-factor authentication. However, in my view, using a TOTP code from a Google ...
0 votes · 1 answer · 585 views
Is Using an Authenticator App on the Same Device as the Passwordless Application a True 2FA?
I am building an application that a user can receive an access to by an internal worker. This works using a magic link, where the user will receive a one time link to authenticate in the app. Now I ...
1 vote · 1 answer · 613 views
Are 2FA browser plugins sufficiently secure?
Regarding 2FA browser plugins, I follow the uneducated opinion that they usually provide sufficient security. Since a desktop computer is a unique device (even a virtual machine) and provides that ...
0 votes · 0 answers · 327 views
If only 'two' insecure MFA options are available (email and sms) which is 'most secure'? [duplicate]
Although I disagree with the term MFA entirely if it refers to 'login code send to email', it's a one-time password at best, and likely badly implemented with its associated risks. I do see quite some ...
1 vote · 0 answers · 134 views
Are banks significantly reducing security by migrating everyone to mobile banking?
I have noticed a disturbing trend across banks (in the EU). Previously, many banks used 2FA by combining a login/password for an online banking website with a mobile authenticator app. However, many ...
2 votes · 1 answer · 572 views
Is TOTP "more secure" and harder to crack than HOTP and why?
In addition to my question: How many known time/result combinations does it take to guess a HOTP/TOTP secret?
I've read often that TOTP is more secure than HOTP. One example:
TOTP provides higher ...
2 votes · 2 answers · 3k views
Are passkeys a secure replacement for 2FA?
Passkeys seems great for me as an individual, instead of passwords and TOTP tokens I can now slowly ditch the passwords and the somewhat annoying (but important!) TOTP tokens which I have locked in my ...
2 votes · 0 answers · 325 views
Why are Yubico Yubikeys limited to 32 OATH accounts? [closed]
Is the 32 OATH QR code account limit on Yubikeys due to a storage constraint?
Because the Yubikey 5 series has been out for a few years now it'd be amazing if there is a new version released soon with ...
0 votes · 2 answers · 877 views
What is the point of required user verification in WebAuthn?
User verification in WebAuthn can either be required, preferred, or discouraged. The last two are a hint to the authenticator that may be ignored. I see how they could be used to prevent client-side ...
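Two questions on this page concern the relying-party side of a WebAuthn assertion: the earlier one asks whether clientDataJSON and attestationObject are needed during authentication, this one asks what required user verification buys. The following is an added example, written for this page and not taken from the asker's Java service or from any WebAuthn library, that makes the answer concrete: an assertion is checked from exactly three inputs (clientDataJSON, authenticatorData, signature); attestationObject is a registration-ceremony input and does not appear. Because only the standard library is used, the public-key signature check itself (ECDSA P-256, RSA, ...) is supplied by the caller as a `verify_sig(message, signature)` callback; every other check, including the UV flag when user verification is required, is implemented. The relying-party ID, origin, challenge and the sample data built by `make_sample` are constructed for the demo.

```python
"""Relying-party checks for a WebAuthn assertion (the authentication ceremony).

Added example; not code from any post on this page or from a WebAuthn library.
"""
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import Callable, Tuple

FLAG_UP = 0x01  # user present: someone touched the authenticator
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator

# Constructed sample parameters for the demo (not from a real deployment).
SAMPLE_RP_ID = "example.com"
SAMPLE_ORIGIN = "https://login.example.com"
SAMPLE_CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # base64url of a server-chosen nonce


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthenticatorData:
    """Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional attested data / extensions."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return AuthenticatorData(raw[:32], raw[32], struct.unpack(">I", raw[33:37])[0])


def signature_base(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """What the authenticator actually signed: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, signature: bytes, *,
                     expected_challenge: str, expected_origin: str, rp_id: str,
                     stored_sign_count: int, uv_required: bool,
                     verify_sig: Callable[[bytes, bytes], bool]) -> int:
    """Run the relying-party checks; return the signature counter to store, or raise ValueError."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("clientData.type must be webauthn.get for an assertion")
    if cd.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if cd.get("origin") != expected_origin:
        raise ValueError("origin mismatch: assertion was made for a different site")

    ad = parse_authenticator_data(authenticator_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if uv_required and not ad.flags & FLAG_UV:
        raise ValueError("user verification required but UV flag not set")
    # A counter that fails to increase is the spec's signal for a cloned authenticator.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")

    if not verify_sig(signature_base(client_data_json, authenticator_data), signature):
        raise ValueError("signature does not verify under the stored credential public key")
    return ad.sign_count


def make_sample(flags: int = FLAG_UP | FLAG_UV, sign_count: int = 5,
                challenge: str = SAMPLE_CHALLENGE) -> Tuple[bytes, bytes]:
    """Constructed clientDataJSON and authenticatorData in the shape a browser/authenticator produces."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": SAMPLE_ORIGIN}).encode()
    auth_data = (hashlib.sha256(SAMPLE_RP_ID.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data, auth_data


if __name__ == "__main__":
    cd, ad = make_sample()
    # No real key pair here: a stand-in verifier lets the non-cryptographic checks be exercised.
    new_count = verify_assertion(cd, ad, b"sig", expected_challenge=SAMPLE_CHALLENGE,
                                 expected_origin=SAMPLE_ORIGIN, rp_id=SAMPLE_RP_ID,
                                 stored_sign_count=4, uv_required=True, verify_sig=lambda m, s: True)
    print("assertion accepted, store signCount =", new_count)
```

The UV check is the point of "required": with `preferred` or `discouraged` the flag may legitimately be absent, so the server can only learn that a key was present, not that the person holding it proved anything to it; with `required` an assertion whose UV bit is clear is rejected, which is what makes a single passkey count as two factors rather than one.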
1 vote · 1 answer · 165 views
Is using the computer for MFA safe?
Recently, I discovered that MFA apps just calculate those codes based on a private key and the time clock, so it's easy to use tools like gnu pass to replace those apps with your computer.
But what are ...
0 votes · 1 answer · 164 views
Query on best practice - using 2FA to self-authorise IP addresses in an allow-list
I want to know whether a solution I'm considering for a web app is particularly secure / in line with best practices etc.
Scenario - a web application, it's a stock management app for small retailers. ...