[Thad E Ginathom]

I suppose that SMS OTP must be cheap and easy.

My British bank sometimes expects an OTP, as well as random characters from two pass words/codes --- but I have a small device like a calculator, and to make payments online, I have to enter a code on the device and then type its response onto the payment screen.

(Actually, it is not required for "usual" payments)

[anandhsub]

Quote:

Originally Posted by binand

This is a facile, ill-informed view (based on the kool-aid produced by the marketing departments of service providers?). To the extend that OTP is supposed to do the "what you have" authentication with respect to the SIM card, I agree. But the problem is that OTP, as implemented currently, conflates knowledge of the PIN ("what you know") with possession of the SIM - which, depending on the protection you need or the threat model you have, is not a true interchangeability that holds good in the real world.

From the administrator of the backend system where the OTP is produced to SMS software's developers, there are several entities who aren't in possession of the SIM card but can access the OTP making it a very unsafe method of authentication.

The 2 FA for my work PC is currently done via microsoft authenticator app and we were specifically asked not to chose otp. I found it a bit weird because I thought receiving a new otp each time was more secure than just having click approve each time ( there is no random code in the app unlike Google authenticator). I thought it was because the mobile number is a personal one, not a work provided one while I would login to the authenticator app with my work login although it is still my personal phone.

Now I wonder whether it is because sms is not true 2FA. But given how easy it is to login would this app be a true 2FA?

[Safety is Param]

Quote:

Originally Posted by meerkat

If any hacker can find out my password somehow, how come one is allowed to log in without an OTP? What's the use of a 2-factor authentication if it is not on by default, and any new device can log in at will if the password is somehow leaked?

If it helps - I use Microsoft Authenticator app for Amazon.

It always gives an option Don't ask OTP on this device/browser but I never check that box and enter OTP generated by the Authenticator app in addition to the account password.

Quote:

Originally Posted by anandhsub

The 2 FA for my work PC is currently done via microsoft authenticator app and we were specifically asked not to chose otp. I found it a bit weird because I thought receiving a new otp each time was more secure than just having click approve each time ( there is no random code in the app unlike Google authenticator).

I have enabled Microsoft Authenticator for my personal email account while my work email account is linked to DUO MFA.

In both cases I just need to hit Approve to login, however -

1. Personal email account gives me an option to set this up on Trusted devices. I also have the liberty to skip this and enter password instead - on the same page.

2. Work email account stores domain account password for 90 days (PC) and 30 days (mobile browser) and uses DUO as 2FA. There is no trusted device concept here. Also, this applies to all apps that have SSO enabled.

[binand]

Quote:

Originally Posted by Thad E Ginathom

My British bank sometimes expects an OTP, as well as random characters from two pass words/codes --- but I have a small device like a calculator, and to make payments online, I have to enter a code on the device and then type its response onto the payment screen.

This is Barclay's? I had the exact same procedure when I was living over there and banking with them. In fact that calculator-like device is still lying around in my home, a plaything for kids.

Quote:

Originally Posted by anandhsub

The 2 FA for my work PC is currently done via microsoft authenticator app and we were specifically asked not to chose otp. I found it a bit weird because I thought receiving a new otp each time was more secure than just having click approve each time ( there is no random code in the app unlike Google authenticator). I thought it was because the mobile number is a personal one, not a work provided one while I would login to the authenticator app with my work login although it is still my personal phone.

I didn't quite understand what you describe here. I thought MS Authenticator is functionally identical to Google Authenticator. The latter implements the TOTP system I referred to in a previous post - Time-based OTP. These OTPs change every 30 seconds (the implementing service allows a further 30-second grace period, so each token has a lifetime of 1 minute actually). This makes certain types of attacks on 2FA systems that implement only "what you know can be used as a proxy for what you have" difficult or impossible to execute - but is still not completely fool-proof.

[anandhsub]

Quote:

Originally Posted by binand

I didn't quite understand what you describe here. I thought MS Authenticator is functionally identical to Google Authenticator. The latter implements the TOTP system I referred to in a previous post - Time-based OTP. These OTPs change every 30 seconds (the implementing service allows a further 30-second grace period, so each token has a lifetime of 1 minute actually). This makes certain types of attacks on 2FA systems that implement only "what you know can be used as a proxy for what you have" difficult or impossible to execute - but is still not completely fool-proof.

MS Authenticator just gives a popup notification on my mobile to deny/approve whenever I log in. Even I thought it would be the TOTP system similar to Google but that isnt the case

[binand]

Quote:

Originally Posted by anandhsub

MS Authenticator just gives a popup notification on my mobile to deny/approve whenever I log in. Even I thought it would be the TOTP system similar to Google but that isnt the case

OK. Google does this for their own account system (see screenshot). I haven't seen anyone else doing this actually. Since Google has that kind of intimate knowledge of my device I expect their implementation is foolproof.

[meerkat]

Quote:

Originally Posted by binand

The implementations I have seen are like this:

1. They all default to single factor only. 2FA is something the user explicitly turns on.
2. Once the user turns it on, they have to login from every device once with the full 2FA flow.
3. After that, the user has the option of marking one or several devices as "trusted devices" where logging in will not be mandated any longer.

I believe you are talking of #3? It is meant for your personal devices and the choice is entirely yours. I think it is a reasonable midpoint in the security vs convenience range.

I believe a more robust system would have 2FA turned on by default, with the option given to customers to turn it off for individual devices. I don't see why the trivial inconvenience of having to optionally turn 2FA off is not deemed as an acceptable price to pay for a more secure system! After all, something similar has already been mandated by RBI for credit/ debit cards which now come with things like Online, International and Contactless transactions disabled by default, with options to turn these on through netbanking.

Quote:

Maybe there is some other issue you want to point out? Because I certainly do not agree with "2FA is redundant".

My comment was in the context: "if the password is not compromised, 2FA is redundant". I'd love to learn what additional purpose 2FA serves in this context. As I understand it, 2FA is supposed to offer a second level of protection in case the password is compromised, and even then, it can offer no protection at all if it is not on by default! Such a system is not foolproof, and anybody having access to a leaked password can log in from new devices using this loophole.

Quote:

Of course there have been hundreds, thousands of cases where OTPs were stolen/retrieved and transactions made without the knowledge/consent of the account owner. The newspapers report these frequently. All these are failures of our faulty implementation of 2FA.

In my experience, newspapers always report such incidents without even hinting at this being a possible failure mode! Such reports typically suggest that the naive victims were somehow duped into disclosing passwords/ OTPs etc. by fraudsters. In any case, these usually go into some kind of black holes (a.k.a. internal investigations), with nothing reported about the final findings ever! So how does one ever become aware of the real reason behind such incidents that is so obvious to you, but not to most?

Quote:

... They just drag their feet because implementing the right approach is costlier for them, and the downside of not implementing is not expensive enough.

Bingo! No different from the reason behind some banks deciding to remove security from ATM machines!
.

[binand]

Quote:

Originally Posted by meerkat

I believe a more robust system would have 2FA turned on by default, with the option given to customers to turn it off for individual devices. I don't see why the trivial inconvenience of having to optionally turn 2FA off is not deemed as an acceptable price to pay for a more secure system!

Talking with my consumer internet product manager hat on - 2FA does have a convenience drawback. So unless my service is a critical one (financial implications, identity theft possibility etc.) I might not do that. Plus there is also the fact that if I am going to do it and my competitors don't, I lose out in the short/medium run.

(Remember that RBI's 2FA is SMS-based which we've established is not true 2FA)

Quote:

Originally Posted by meerkat

As I understand it, 2FA is supposed to offer a second level of protection in case the password is compromised, and even then, it can offer no protection at all if it is not on by default! Such a system is not foolproof, and anybody having access to a leaked password can log in from new devices using this loophole.

In my view, if any factor is compromised, the entire authentication system must be treated as compromised. 2FA cannot be considered as a "second level of protection". For example, even if a service provider does exactly what you want them to do - someone with access to your password can reach out to their support system with, "I have lost my phone so please reset my 2FA". This is a genuine workflow that they have to deal with.

Quote:

Originally Posted by meerkat

Such reports typically suggest that the naive victims were somehow duped into disclosing passwords/ OTPs etc. by fraudsters.

You answer your question yourself. Victims disclose the OTP, and fraudulent transactions take place. WHich means the "what you have" 2FA which has to verify physical possession of the device (phone or SIM) has failed. Ergo, 2FA is not working as intended.

Here is how "what you have" 2FA could possibly work. The provider needs to distinguish my device from all the other devices of the same category in the world. Some sort of unique serial number? So how will the provider know serial number N is mine? They need an enrollment process (during which they'll physically verify my identity and my device's serial number and establish the linkage). We have listed out the exact procedure used in RSA SecurID deployment (there are some more details to protect from disclosure of token to unauthorised people).

Mind you, my SIM card does have such a unique serial number. That serial number is used in the 2FA of UPI. Main reason I have reduced my online card usage, preferring UPI instead. (SIM cloning/duplication is still an issue, but that is a different conversation altogether).

[Thad E Ginathom]

Quote:

Originally Posted by binand

This is Barclay's?

Royal Bank of Scotland. I think the last time I used it was when using my card to log in instead of the usual ID/passcodes method. I make a monthly payment from myslelf to myself, of approximately the same amount: it says "You may need your machine," but I never do. I suspect I would if I set up a new payee.

Quote:

Originally Posted by binand

... ...Mind you, my SIM card does have such a unique serial number. That serial number is used in the 2FA of UPI. Main reason I have reduced my online card usage, preferring UPI instead. (SIM cloning/duplication is still an issue, but that is a different conversation altogether).

Identity theft and persuading the telecoms company to de-activate the "real" sim, whilst issuing another one to a third party is a part of that conversation, right?

[Chetan_Rao]

Quote:

Originally Posted by binand

...We have listed out the exact procedure used in RSA SecurID deployment (there are some more details to protect from disclosure of token to unauthorised people)...

What about app-based random code generators (like Google Authenticator), or even my work-issued RSA SecureID soft token on my phone, that are tied to specific user credentials?

[mvadg]

Quote:

Originally Posted by binand

Main reason I have reduced my online card usage, preferring UPI instead. (SIM cloning/duplication is still an issue, but that is a different conversation altogether).

Is card usage riskier? Why? My upi payments show up as transfers without any details, so I was planning on switching back to online payments using my card.

[binand]

Quote:

Originally Posted by Thad E Ginathom

Identity theft and persuading the telecoms company to de-activate the "real" sim, whilst issuing another one to a third party is a part of that conversation, right?

Yes. But the times I have changed SIMs here (couple of times replaced an old SIM, once ported to a different network) the new SIM had SMS disabled for 48 hours. That should give enough time for most people to detect the problem.

Quote:

Originally Posted by Chetan_Rao

What about app-based random code generators (like Google Authenticator), or even my work-issued RSA SecureID soft token on my phone, that are tied to specific user credentials?

Can't comment on specific apps. Android has a subsystem called Device Management which allows some of these kind of use-cases to work well. Many corporate BYOD policies have a device management app as a prerequisite. Need to look at this on case-by-case basis.

Quote:

Originally Posted by mvadg

Is card usage riskier? Why? My upi payments show up as transfers without any details, so I was planning on switching back to online payments using my card.

Not riskier. Just that I prefer UPI over cards for online transactions. Primarily because of the complete chaos prevalent in India's online card processing landscape.

1. You can't usually tell whether it is the merchant or an aggregator receiving card info (I believe we even have aggregators of aggregators)
2. You don't know whether all those entities are following the best practices or not. Remember Mobikwik?
3. They all default to "remember this card for faster checkout in the future". I hate this setting.
4. Way too many data leaks in India recently.

[Thad E Ginathom]

Quote:

Originally Posted by binand

Yes. But the times I have changed SIMs here (couple of times replaced an old SIM, once ported to a different network) the new SIM had SMS disabled for 48 hours. That should give enough time for most people to detect the problem.

I don't think that has happened to me, and my one vital linked-to-everything number is not even post-paid. I don't make enough phone calls to make that worth while.

By the way, didn't have to use it, but the might-have-to notice on Royal Bank Of Scotland's site, today, as I made a payment, reminded me that it is not just the box: one has to insert one's debit card in the box and enter the pin.

[rajesh1868]

Any suggestion on a good place to order Mangoes?
I have never bought the original Alphonso ones.
Was checking out and saw that the price is about 2-3k/dozen

Is this price right?

Are any of these trusted stores?
https://www.devgadmango.com/
https://www.alphonsomangoes.online/

Any other recommendations?

[Mortis]

Quote:

Originally Posted by rajesh1868

Any suggestion on a good place to order Mangoes?
I have never bought the original Alphonso ones.
Was checking out and saw that the price is about 2-3k/dozen

Is this price right?

Are any of these trusted stores?
https://www.devgadmango.com/
https://www.alphonsomangoes.online/

Any other recommendations?

Don't buy them yet. That price is on the higher side. Wait until May for the peak season.

Also out of curiosity has anyone tried the imported Alphonso mangos from South Africa that you get in Oct-Nov ?