MFA on a smartphone

Multi-factor authentication (MFA; aka Two-factor authentication aka 2FA) makes access to things more secure. However, how to do it from the same smartphone seems to be an afterthought.

First, if someone has the smartphone which is used to generate the code, receive the text, answer the phone call, or confirm the access, then is MFA really doing its job? The whole point is to know the password and have the alternative device. In the case of accessing an app or website from the smartphone, the same phone is both the login device and the second factor, so the alternative device is eliminated. It seems implementers don’t consider this scenario. But, also, it seems somewhat more complex to detect which device is the MFA one.

Second, more and more apps or websites appear to want to either clear the screen or go back to the login when you navigate away from them. So one can never accomplish the MFA process on the same device used to log in. Which is good in the sense that it closes the security loophole of the first issue. But, in a way that is infuriating when I want to access something away from my desktop computer.

Also, somewhat unrelated, but texts and phone calls can be intercepted. There are plenty of stories about phone companies firing employees over having given unscrupulous people the SIM card information, allowing a hacker to clone it and receive each text. This issue has been around for two decades. So I don’t understand why this loophole still exists.

Email Changes

Ran across a site where, if one changes the email address associated with the account, it sends the confirmation email to the new address.

Say I am a blackhat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from victim@outlook.com to my blackhatalias@gmail.com. Sending the confirmation to blackhatalias rather than the victim ensures a compromised account will get altered. Strong security would prevent the change unless the owner of victim@outlook.com confirms it.

Though, it does look like an email was sent to victim@outlook.com almost 3 hours after the confirmation saying:

Still scary. The blackhat has probably already made off with the data and done the damage.

I get the temptation to allow users to change their email address to a new one. It will prevent support phone calls because if they no longer have control of the old email account, users can simply change it to another address they do.
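To make the safer flow concrete, here is an added example (my own sketch, not the forum site’s code) of an email-change service that sends the confirmation link to the address currently on file, applies the change only after that link is followed, expires the token, and notifies the old address the moment the change happens rather than hours later. The in-memory account store and the outbox list standing in for an SMTP client are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Added example, not the site's code: the change of address takes effect
# only after a link sent to the CURRENT (old) address is followed, and the
# old address is told immediately when the change goes through.

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a pending change


@dataclass
class Account:
    user_id: str
    email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    pending_expires: float = 0.0


class EmailChangeService:
    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}
        # Constructed stand-in for a mail client: (recipient, subject, body).
        self.outbox: list[tuple[str, str, str]] = []
        self.now = now

    def request_change(self, user_id: str, new_email: str) -> None:
        """Record the requested address; do NOT change anything yet."""
        acct = self.accounts[user_id]
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        acct.pending_email = new_email
        acct.pending_token = token
        acct.pending_expires = self.now() + TOKEN_TTL_SECONDS
        # The confirmation goes to the address on file, not the requested one,
        # so someone holding only the password cannot approve it alone.
        self.outbox.append((acct.email, "Confirm email change",
                            f"Approve change to {new_email}: token={token}"))

    def confirm_change(self, user_id: str, token: str) -> bool:
        """Apply the pending change if the token from the old address is valid."""
        acct = self.accounts[user_id]
        if acct.pending_token is None or self.now() > acct.pending_expires:
            return False
        # Constant-time compare so response timing does not leak the token.
        if not hmac.compare_digest(acct.pending_token, token):
            return False
        old_email, acct.email = acct.email, acct.pending_email
        acct.pending_email = acct.pending_token = None  # token is single-use
        acct.pending_expires = 0.0
        # Tell the old address right away, not three hours later.
        self.outbox.append((old_email, "Your email address was changed",
                            f"Now set to {acct.email}. Contact support if this was not you."))
        return True
```

Routing the confirmation to the old address means a phished password alone is not enough to redirect the account; the support cost the post mentions (users who lost the old mailbox) is then a separate recovery path with its own identity checks, not the default change flow.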

Of course, the site in question also does not have Two-Factor Authentication. But, then, it is also just a support forum. So the ramifications of losing the account are impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.

Verification Codes

One would hope that verification codes would be extremely random. More randomness makes it harder for a malicious entity (person or computer) to guess the code; less randomness makes it easier. With all the Two-Factor Authentication (2FA) out there, we hope there is enough randomness in these methods to make them unguessable by someone attempting to get into our accounts. But, like all security technology, the hackers get better and protections get easier to break over time.

There is a current temptation to record the codes my generators provide to see if there is a pattern. At least in the back of my head it “feels” like there might be one. My intuitions sometimes turn out true (confirmation bias) and usually do not (reality). If little ole me can see the pattern, then I am sure smarter people than I have seen it as well and maybe even have a way to anticipate the codes.
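For the randomness question, it helps to see where the two common kinds of code actually come from. The following is an added example (mine, not from the original post): a texted or emailed code should be drawn uniformly from the operating system’s CSPRNG, while an authenticator-app code (TOTP, RFC 6238, built on HOTP, RFC 4226) is the truncation of an HMAC over a shared secret and a 30-second time counter. Any “pattern” a person notices in past TOTP codes does not help predict the next one without the secret, because the HMAC output is indistinguishable from random to someone who lacks the key. The secret used in the comments is the RFC’s published test key, not a real one.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not from the original post. Demonstrates (a) a uniformly
# random SMS/email-style code and (b) RFC 4226/6238 HOTP/TOTP generation
# and verification, the scheme most authenticator apps implement.


def random_code(digits: int = 6) -> str:
    """Uniform numeric code from the OS CSPRNG, zero-padded.

    secrets.randbelow avoids the modulo bias a naive `rand() % 10**digits`
    would introduce, and never uses a seeded, predictable generator.
    """
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps for clock drift.

    Comparison is constant-time; a real deployment would also rate-limit
    attempts and refuse to accept the same code twice.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 4226 Appendix D / RFC 6238 Appendix B use the ASCII key below.
RFC_TEST_SECRET = b"12345678901234567890"
```

Running `totp(RFC_TEST_SECRET, 59, digits=8)` reproduces the RFC 6238 SHA-1 vector 94287082; the six-digit codes for counters 0 and 1 are the RFC 4226 vectors 755224 and 287082. The practical takeaway for the post’s worry: the code sequence is only as unpredictable as the secret is secret, so the things worth checking on a real service are that the seed was generated by a CSPRNG, that it is stored as carefully as a password, and that verification is rate-limited.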