On 2024-03-11 03:49, Newyana2 wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote
>
> | > You said the reason for a cellphone code is to confirm
> | > that you're "an actual person with a phone contract". When
> | > I signed up for crypto I had to scan and upload both sides
> | > of my driver's license.
> |
> | To get a bank account?
> |
> | We are in that context.
> |
> | You get a bank account and in the same act you register with them your
> | real actual physical phone number.
> |
>
> This didn't start with bank accounts. YOU are talking about
> bank accounts. Real Bev started by complaining about how many
> websites require a cellphone number.
>
> If I want a bank account I go to the bank. My bank does
> not have a cellphone number for me.

Ok, but in any case sending a text message to your mobile phone doesn't
track you. It simply is a reasonable expectation that you have access to
your mobile phone. It does add some security, that has been proven. And
as "everybody has a mobile phone™", it is easy and cheap to implement.

If you do not have a mobile phone, tough luck. You do not matter :-P

--
Cheers, Carlos.

Bob Henson <bob.henson@outlook.com> Wrote in message:

> Jörg Lorenz wrote:
>
>> On 10.03.24 10:44, Bob Henson wrote:
>>> Newyana2 wrote:
>>>> At one point I played with crypto a bit. I had to upload a picture
>>>> ID (drivers license), as well as giving them my email address and
>>>> access to my bank account. As I recall I think they sent a voice
>>>> message code to my landline, which is a lot more security in terms of
>>>> proof of ID than a cellphone. The lamdline is registered to -- and
>>>> wired to -- a physical address.
>>>
>>> They will struggle in the UK soon, then. All landlines disappear by the end
>>> of 2025 - there will only be VoIP.
>>
>> Hardly ever read so much nonsense. We know Newyana does not have a cell
>> phone but he or she wants to have a big mouth in technical groups
>> discussing mobile technology.
>>
>> For you: IP-telephone lines are landlines. Landlines are not what you
>> think they are. The backend is even in the UK ip-based for years.
>>
>> Here in Switzerland VOIP/ip-endpoints are mandatory since 2017.
>
>
> Here we designate wired analogue connections running under PSTN as
> landlines - nothing else. What I say is correct. There will be options to
> continue the old lines for a few who cannot cope, but not for long.
>
> https://tinyurl.com/2lgbqv49

The word 'landline' can mean a several things in the UK. What's
being discontinued are the copper pairs which run between the
cabinets in the street and local exchanges, which carry analogue
voice calls (PSTN aka POTS - 'Plain Old Telephone System'). The
pairs between the cabinet and the premises may continue to carry
DSL or may be replaced by fibre.

The old (self powered) analogue phone service has become known to
the public here as a 'landline' only since they had a choice (or
no choice) to replace it with what's generally called a 'digital'
phone.

But the word 'landline' can also mean just the wires. Many people
have a landline but no phone on the end, but they still have to
pay for a 'landline'.

And to younger people, who have mobile phones, a 'landline'
probably means just a permanent phone in their home as opposed
to a mobile.
--
Remove numerics from my email address.

On 2024-03-10 08:58, Dave Royal wrote:
> "Carlos E.R." <robin_listas@es.invalid> Wrote in message:
>
>> On 2024-03-09 20:24, Newyana2 wrote:
>>> "The Real Bev" <bashley101@gmail.com> wrote
>>>
>>> | WTF? Why is the google voice number not a REAL phone number?
>>> |
>>> As V said, the simple answer is that they want to spy.
>>
>> No, that's not it. Not for a bank.
>>
>> They want to know that you are an actual person with a phone and
>> contract. They have to trust the company giving those numbers.
>
> Exactly. Banking regulations require them to use 2FA and SMS is a
> simple and cheap way of doing it. Not very secure, though more
> secure than email. Also it's easily understood by customers, and
> that's very important. AMEX send me _both_ an SMS and an email,
> which is convenient but more insecure - an OTP should go to
> exactly one device.
>
> I have a TOTP client on both my phone (FreeOTP) and tablet
> (andOTP) but none of my UK banks or savings accounts uses them.
> One bank provides me with an OTP gadget, but that was before 2FA
> became a legal requirement. I can also use their banking app to
> generate a code: I think that's what will replace SMS for most
> people.
>
> That banks or banking authorities are actually thinking about the
> security of these SMSs and refusing to send them to some mobile
> services is vaguely encouraging.

There was an attack on Orange, basically breaking all internet service,
and it was commented that had the attacked machines (RIPE database?)
used a simple 2FA, the attack would not have succeeded.

Nothing is fully safe, but an SMS to a mobile is better than nothing.

--
Cheers, Carlos.

Jörg Lorenz <hugybear@gmx.net> writes:

> On 10.03.24 10:44, Bob Henson wrote:
>> Newyana2 wrote:
>>> At one point I played with crypto a bit. I had to upload a
>>> picture ID (drivers license), as well as giving them my email
>>> address and access to my bank account. As I recall I think they sent
>>> a voice message code to my landline, which is a lot more security in
>>> terms of proof of ID than a cellphone. The lamdline is registered to
>>> -- and wired to -- a physical address. >> They will struggle in the
>>> UK soon, then. All landlines disappear by >> the end >> of 2025 -
>>> there will only be VoIP.
>
> Hardly ever read so much nonsense. We know Newyana does not have a
> cell phone but he or she wants to have a big mouth in technical groups
> discussing mobile technology.
>
> For you: IP-telephone lines are landlines. Landlines are not what you
> think they are. The backend is even in the UK ip-based for years.
>
> Here in Switzerland VOIP/ip-endpoints are mandatory since 2017.

Once a landline number has been switched to VOIP it can easily be
switched to any VOIP provider, so in that sense I think it is less
secure than a PSTN landline.

Newyana2 <Newyana2@invalid.nospam> wrote:
> "The Real Bev" <bashley101@gmail.com> wrote
>
> | WTF? Why is the google voice number not a REAL phone number?
> |
> As V said, the simple answer is that they want to spy.

Just because you're paranoid doesn't mean they're NOT after you.

However, in this case it's by design not nefarious. The 'F' in. 2FA is
"factor" meaning that you need two different sources of truth. Your
password is one and a known device is the second. VOIP is neither known nor
a device so cannot be trusted as the endpoint could be almost anything.

VanguardLH <V@nguard.lh> wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
> > Newyana2 wrote:
> >
> >> "The Real Bev" <bashley101@gmail.com> wrote
> >>
> >>> WTF? Why is the google voice number not a REAL phone number?
> >>
> >> As V said, the simple answer is that they want to spy.
> >
> > No, that's not it. Not for a bank.
> >
> > They want to know that you are an actual person with a phone and
> > contract. They have to trust the company giving those numbers.
>
> Well, that *is* tracking to a device. They hope the device belongs to
> you, and you're the one in charge of the phone when the call arrives.
> Rather a stupid concept: send the code to the same phone that is trying
> to log into a web form. Geez, of course the thief or hacker just must
> ignore the code sent to that phone for the login they're trying to hack.

Huh? Who is saying that the "log into a web form" is done on a *phone*?

It's more likely done on a computer and in that case, the scenario
involves *two* devices and the thief/hacker must be in possesion of the
second device (phone), which he isn't.

*If* the "log into a web form" is done on a phone, then it's most
likely not a "web form" - i.e. via a web-browser -, but an *app* on the
phone and that app will - together with the bank (or other service
provider) - provide the needed security (by checking hardware IDs, PIN,
fingerprint, etc.).

Chris <ithinkiam@gmail.com> wrote:

> However, in this case it's by design not nefarious. The 'F' in. 2FA is
> "factor" meaning that you need two different sources of truth. Your
> password is one and a known device is the second. VOIP is neither
> known nor a device so cannot be trusted as the endpoint could be
> almost anything.

Yet 2FA codes are also sent by e-mail. Someone is on your phone using a
web browser, gets the login 2FA interruption, and the 2FA code gets sent
to e-mail which is accessed on the same phone. Yeah, that really
thwarted the 2FA-enabled login ... not! 2FA only makes sense when 2
*different* devices are used for login and to where the 2FA code is
sent. Where do 2FA SMS texts get sent? Yep, to the same phone someone
is using a web browser trying to login. There is nothing about 2FA that
gurantees nor even mandates that different devices are used for login
and 2FA code reception. The "factor" is NOT about using different
devices. It is about using two pieces of /evidence/ (password and 2FA).

All the site knows that is sending the 2FA code is either your e-mail
address or your SMS-capable phone number. How do they know that where
the 2FA code is received is at a different device than where the login
was attempted? Smartphones generate the most volume of web traffic.

https://gs.statcounter.com/platform-market-share/desktop-mobile/worldwide/

Most users are logging into a site via a web browser on their phone. It
is the same device that receives e-mails and SMS texts. The web site
knows your IP address, not your phone number, when you use a web browser
on your phone trying to log into a site. They send a 2FA code to your
phone number, but they don't know that is the same device as from where
you are web browsing - unless they are tracking your IP address to the
IMEI of your phone. Even with the IMEI of your phone, you use another
phone to web browse to the same site, it sends a 2FA code via e-mail or
SMS, and you see it on that phone.

Login on a smartphone via web browser, and 2FA code sent to the SAME
device. Just where is the mandate 2 different devices are used for
login and to where 2FA codes get sent?

I haven't delved much into TOTP, because I've yet to log into any sites
that use it, but it might be more secure than 2FA.

https://en.wikipedia.org/wiki/Time-based_one-time_password

My bank did add TOTP by letting their customers using the Authy app.
Alas, Authy discontinued their desktop (Windows) client leaving only
their mobile apps. Yet I don't do banking on my phone, only on my
desktop PC. So, Authy yanked their desktop client, can't use it anymore
with my bank, so I'm stuck with them sending the 2FA code to my Google
Voice phone number which forwards to me via e-mail. Obviously I can't
get texts on my desktop PC (it has no cellular service), and I'm not
running around the house to find my smartphones to power them up and
wait to get a 2FA code via SMS that I have to manually copy into the 2FA
form in the web browser on my desktop PC. At the server, 2FA codes
expire, so it could take me longer to use a phone with SMS than it took
to use Authy on my desktop where I was trying to login.

There are other TOTP desktop clients, but I don't know which will work
with my bank. They list only a couple TOTP clients, one of which is the
Symantec client that is geared to enterprise users. They don't list
other TOTP clients, like Google or Microsoft Authenticator.

Frank Slootweg <this@ddress.is.invalid> wrote:

> Huh? Who is saying that the "log into a web form" is done on a *phone*?

Web traffic volume generated by phones has surpassed web traffic
generated by desktop PCs. Most logins are on phones, not desktops.

https://gs.statcounter.com/platform-market-share/desktop-mobile/worldwide/

> It's more likely done on a computer and in that case, the scenario
> involves *two* devices and the thief/hacker must be in possesion of the
> second device (phone), which he isn't.

2FA isn't about using 2 devices. It's about 2 pieces of evidence:
password and 2FA code.

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > Huh? Who is saying that the "log into a web form" is done on a *phone*?
>
> Web traffic volume generated by phones has surpassed web traffic
> generated by desktop PCs. Most logins are on phones, not desktops.
>
> https://gs.statcounter.com/platform-market-share/desktop-mobile/worldwide/

Who says that these 'stats' are any indication of "log into a web
form" versus just browsing?

Anyway, in our country (NL), 'desktop' is still slightly higher than
'mobile'! :-) (Both stupid terms, without an explanation.)

And just look at 'Desktop vs Mobile vs Tablet Market Share Worldwide'
to see how silly/meaningless those stats are.

> > It's more likely done on a computer and in that case, the scenario
> > involves *two* devices and the thief/hacker must be in possesion of the
> > second device (phone), which he isn't.
>
> 2FA isn't about using 2 devices. It's about 2 pieces of evidence:
> password and 2FA code.

FTR, the context is sending a code by SMS, that's 2SV (2 Step
Verification), not 2FA (2 Factor Authentication).

2FA is about two *factors*, knowledge and possesion.

2SV is about two *steps*, in this case 1) (username and) password and
2) getting/entering the code.

2FA is a 2SV process, because it (normally) involves 2 steps.

But 2SV is not a 2FA process, because it doesn't involve possesion,
you don't own/posses the code, you get the code.

VanguardLH <V@nguard.LH> Wrote in message:

>....
>
> There are other TOTP desktop clients, but I don't know which will work
> with my bank. They list only a couple TOTP clients, one of which is the
> Symantec client that is geared to enterprise users. They don't list
> other TOTP clients, like Google or Microsoft Authenticator.
>

IME sites cite one or two TOTP clients that they 'support' - Authy
is common - but I suspect any standards-based client will work.
I've used andOTP on Android to read the QR code tokens from
Authy-supporting sites, and later transferred the tokens to
FreeOTP on iOS.

There must be offline Windows opensource clients. A quick Google
turn this up, but it's not clear to me how you install it if you
don't get it from MS.
https://github.com/2fast-team/2fast

(I tried chocolatey once, but got lost in it and gave up.)

--
Remove numerics from my email address.

On Sun, 10 Mar 2024 22:49:23 -0400, Newyana2 wrote:
>
> If I want a bank account I go to the bank.
> My bank does not have a cellphone number for me.

However, a worrisome trend is in play:

https://lagradaonline.com/en/two-largest-banks-will-close-united-states/

Jonesy
--
Marvin L Jones | Marvin | W3DHJ.net | linux
38.238N 104.547W | @ jonz.net | Jonesy | FreeBSD
* Killfiling google & XXXXbanter.com: jonz.net/ng.htm

VanguardLH <V@nguard.lh> wrote:

[Yet another mixup of 2FA/2SV deleted.]

> I haven't delved much into TOTP, because I've yet to log into any sites
> that use it, but it might be more secure than 2FA.
>
> https://en.wikipedia.org/wiki/Time-based_one-time_password
>
> My bank did add TOTP by letting their customers using the Authy app.
> Alas, Authy discontinued their desktop (Windows) client leaving only
> their mobile apps. Yet I don't do banking on my phone, only on my
> desktop PC. So, Authy yanked their desktop client, can't use it anymore
> with my bank, so I'm stuck with them sending the 2FA code to my Google
> Voice phone number which forwards to me via e-mail. Obviously I can't
> get texts on my desktop PC (it has no cellular service), and I'm not
> running around the house to find my smartphones to power them up and
> wait to get a 2FA code via SMS that I have to manually copy into the 2FA
> form in the web browser on my desktop PC. At the server, 2FA codes
> expire, so it could take me longer to use a phone with SMS than it took
> to use Authy on my desktop where I was trying to login.
>
> There are other TOTP desktop clients, but I don't know which will work
> with my bank. They list only a couple TOTP clients, one of which is the
> Symantec client that is geared to enterprise users. They don't list
> other TOTP clients, like Google or Microsoft Authenticator.

As Dave Royal also mentioned, your bank probably mentions/'supports'
one or more TOTP 'apps'/programs, but - assuming they have not
re-invented the wheel - their systems should be standards-compliant and
hence worke with any standards-compliant 'app'/program.

See this list of OTP 'apps'/programs for possible Windows solutions
(pointed to by the 'See also:' of your reference)

'Comparison of OTP applications'
<https://en.wikipedia.org/wiki/Comparison_of_OTP_applications>

Dave Royal wrote:

> The old (self powered) analogue phone service has become known to
> the public here as a 'landline' only since they had a choice (or
> no choice) to replace it with what's generally called a 'digital'
> phone.

Not so. You're obviously not as old as me. When I first used telephones
there were (apart from snailmail or a runner with a cleft stick) two ways
to communicate - telephones (landlines) and radio (no lines at all) - the
latter not being for the public (outbound, at least) at that time.
Telephones lines remained "landlines" until mobile phones appeared - not
that long back, in the global order of things.

--
Bob
Tetbury, Gloucestershire, England

Can you be a closet claustrophobic?

On 3/11/2024 9:50 AM, Frank Slootweg wrote:

> FTR, the context is sending a code by SMS, that's 2SV (2 Step
> Verification), not 2FA (2 Factor Authentication).
>
> 2FA is about two *factors*, knowledge and possesion.
>
> 2SV is about two *steps*, in this case 1) (username and) password and
> 2) getting/entering the code.
>
> 2FA is a 2SV process, because it (normally) involves 2 steps.
>
> But 2SV is not a 2FA process, because it doesn't involve possesion,
> you don't own/posses the code, you get the code.

FTR Professor Google says they are the same:

"With 2-Step Verification, also called two-factor authentication, you
can add an extra layer of security to your account in case your password
is stolen."

<https://support.google.com/accounts/answer/185839?hl=en&co=GENIE.Platform%3DDesktop>

Who to believe? Professor Google or Professor Slootweg? Hmmmmm... ;)

AJL <noemail@none.com> wrote:
> On 3/11/2024 9:50 AM, Frank Slootweg wrote:
>
> > FTR, the context is sending a code by SMS, that's 2SV (2 Step
> > Verification), not 2FA (2 Factor Authentication).
> >
> > 2FA is about two *factors*, knowledge and possesion.
> >
> > 2SV is about two *steps*, in this case 1) (username and) password and
> > 2) getting/entering the code.
> >
> > 2FA is a 2SV process, because it (normally) involves 2 steps.
> >
> > But 2SV is not a 2FA process, because it doesn't involve possesion,
> > you don't own/posses the code, you get the code.
>
> FTR Professor Google says they are the same:
>
> "With 2-Step Verification, also called two-factor authentication, you
> can add an extra layer of security to your account in case your password
> is stolen."
>
> <https://support.google.com/accounts/answer/185839?hl=en&co=GENIE.Platform%3DDesktop>
>
> Who to believe? Professor Google or Professor Slootweg? Hmmmmm... ;)

Professor Google's blurb is probably intended to keep things simple.

But more to the point, *in the context* of that text - which is the
'2-Step Verification' setting of your Google Account, i.e. specific, not
generic - some of the options of the second step *are* indeed 2FA,
namely Google prompts, security keys, (AFAIK) Google Authenticator /
verification code apps and backup codes, because all these use a second
*factor*, instead of just a second *step*.

Bottom line: *In context*, you can believe *both* Professor Google
*and* Professor Slootweg.

FYI, sofar Professor Slootweg uses / has used all of the above
methods, except verification code apps.

"Allodoxaphobia" <trepidation@example.net> wrote

| However, a worrisome trend is in play:
| | https://lagradaonline.com/en/two-largest-banks-will-close-united-states/
| That doesn't surprise me. The article is misleading, implying
that BofA and WF are leaving the US. They're just closing
branches. It doesn't surprise me because so many people now
avoid cash, bank by phone, have auto-deposit and use 3rd-party
services to exchange money. Bank tellers and managers are
just not needed as much as they used to be.

On 3/11/24 4:59 PM, Newyana2 wrote:
>"Allodoxaphobia" <trepidation@example.net> wrote
>
>| However, a worrisome trend is in play:
>|
>| https://lagradaonline.com/en/two-largest-banks-will-close-united-states/
>|
> That doesn't surprise me. The article is misleading, implying
>that BofA and WF are leaving the US. They're just closing
>branches. It doesn't surprise me because so many people now
>avoid cash, bank by phone, have auto-deposit and use 3rd-party
>services to exchange money. Bank tellers and managers are
>just not needed as much as they used to be.

That would be me. I visit my branch maybe twice a year to get cash for
emergencies (like if the checkout system is down) and tips. Everything else
is done with the credit card. Love that Cashback card. Also love that folks
who pay with cash help support it...

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>
> [Yet another mixup of 2FA/2SV deleted.]
>
>> I haven't delved much into TOTP, because I've yet to log into any sites
>> that use it, but it might be more secure than 2FA.
>>
>> https://en.wikipedia.org/wiki/Time-based_one-time_password
>>
>> My bank did add TOTP by letting their customers using the Authy app.
>> Alas, Authy discontinued their desktop (Windows) client leaving only
>> their mobile apps. Yet I don't do banking on my phone, only on my
>> desktop PC. So, Authy yanked their desktop client, can't use it anymore
>> with my bank, so I'm stuck with them sending the 2FA code to my Google
>> Voice phone number which forwards to me via e-mail. Obviously I can't
>> get texts on my desktop PC (it has no cellular service), and I'm not
>> running around the house to find my smartphones to power them up and
>> wait to get a 2FA code via SMS that I have to manually copy into the 2FA
>> form in the web browser on my desktop PC. At the server, 2FA codes
>> expire, so it could take me longer to use a phone with SMS than it took
>> to use Authy on my desktop where I was trying to login.
>>
>> There are other TOTP desktop clients, but I don't know which will work
>> with my bank. They list only a couple TOTP clients, one of which is the
>> Symantec client that is geared to enterprise users. They don't list
>> other TOTP clients, like Google or Microsoft Authenticator.
>
> As Dave Royal also mentioned, your bank probably mentions/'supports'
> one or more TOTP 'apps'/programs, but - assuming they have not
> re-invented the wheel - their systems should be standards-compliant and
> hence worke with any standards-compliant 'app'/program.
>
> See this list of OTP 'apps'/programs for possible Windows solutions
> (pointed to by the 'See also:' of your reference)
>
> 'Comparison of OTP applications'
> <https://en.wikipedia.org/wiki/Comparison_of_OTP_applications>

Authy will drop their desktop (Windows client), but the desktop is where
I do the vast majority of my web surfing and logins. Google and
Microsoft have their authenticators, but those are apps for Android or
iOS, so they are no value to me on a desktop. Besides Authy, my bank
says they support Symantec VIP which has clients for Windows, Mac,
Android, and iOS. Authy originally said they were dropping their
desktop client in August 2024, but they moved to this mid-March.

I read about Bitwarden for 2FA/TOTP, but that's a premium feature
($10/yr subscriptionware). Symantec VIP (well, I think) is free. The
wiki article doesn't mention that one. Until the wiki article, I had
not heard of SAASPASS Authenticator. Alas, while the wiki article makes
SASSPASS Authenticator look superior, the table is a bit misleading.
The personal-use client is only for mobile platforms. I'll probably
lookup comparisons between Symantec VPI and Bitwarden.

I was looking at the protocols, and it seems on the surface that just
about any authenticator app should work, but that could be me being
naive or overly hopeful. I didn't want to get into the incompatibility
with old chat clients that had their own protocols, so you had to use
the same chat app as with whomever you wanted to chat (unless you got
XMPP working on both ends, but typically on lesser featured chat
clients). From some forums, Symantec VIP provides the TOTP seed in some
non-standard form, so it seems sites that support Symantec VIP means
that's what you have to use, and other sites using OTP have you using
yet another authenticator.

While OAUTH change from OAUTH1 as a protocol to OAUTH2 as a framework,
seems everyone adapted the Google/Microsoft (who were the major players
in the OAUTH2 spec). Doesn't seem to have been true for TOTP and
authenticators. I'll probably try Bitwarden first, but I'm not finding
a trial of Bitwarden Premium.

Frank Slootweg <this@ddress.is.invalid> wrote:
> VanguardLH <V@nguard.lh> wrote:
>
> [Yet another mixup of 2FA/2SV deleted.]
>
>> I haven't delved much into TOTP, because I've yet to log into any sites
>> that use it, but it might be more secure than 2FA.
>>
>> https://en.wikipedia.org/wiki/Time-based_one-time_password
>>
>> My bank did add TOTP by letting their customers using the Authy app.
>> Alas, Authy discontinued their desktop (Windows) client leaving only
>> their mobile apps. Yet I don't do banking on my phone, only on my
>> desktop PC. So, Authy yanked their desktop client, can't use it anymore
>> with my bank, so I'm stuck with them sending the 2FA code to my Google
>> Voice phone number which forwards to me via e-mail. Obviously I can't
>> get texts on my desktop PC (it has no cellular service), and I'm not
>> running around the house to find my smartphones to power them up and
>> wait to get a 2FA code via SMS that I have to manually copy into the 2FA
>> form in the web browser on my desktop PC. At the server, 2FA codes
>> expire, so it could take me longer to use a phone with SMS than it took
>> to use Authy on my desktop where I was trying to login.
>>
>> There are other TOTP desktop clients, but I don't know which will work
>> with my bank. They list only a couple TOTP clients, one of which is the
>> Symantec client that is geared to enterprise users. They don't list
>> other TOTP clients, like Google or Microsoft Authenticator.
>
> As Dave Royal also mentioned, your bank probably mentions/'supports'
> one or more TOTP 'apps'/programs, but - assuming they have not
> re-invented the wheel - their systems should be standards-compliant and
> hence worke with any standards-compliant 'app'/program.

Sadly in the UK that's not the case. They either use SMS, an automated call
or their own TOTP available in their app.

VanguardLH <V@nguard.LH> Wrote in message:

> Frank Slootweg <this@ddress.is.invalid> wrote:
>
>> VanguardLH <V@nguard.lh> wrote:
>>
>> [Yet another mixup of 2FA/2SV deleted.]
>>
>>> I haven't delved much into TOTP, because I've yet to log into any sites
>>> that use it, but it might be more secure than 2FA.
>>>
>>> https://en.wikipedia.org/wiki/Time-based_one-time_password
>>>
>>> My bank did add TOTP by letting their customers using the Authy app.
>>> Alas, Authy discontinued their desktop (Windows) client leaving only
>>> their mobile apps. Yet I don't do banking on my phone, only on my
>>> desktop PC. So, Authy yanked their desktop client, can't use it anymore
>>> with my bank, so I'm stuck with them sending the 2FA code to my Google
>>> Voice phone number which forwards to me via e-mail. Obviously I can't
>>> get texts on my desktop PC (it has no cellular service), and I'm not
>>> running around the house to find my smartphones to power them up and
>>> wait to get a 2FA code via SMS that I have to manually copy into the 2FA
>>> form in the web browser on my desktop PC. At the server, 2FA codes
>>> expire, so it could take me longer to use a phone with SMS than it took
>>> to use Authy on my desktop where I was trying to login.
>>>
>>> There are other TOTP desktop clients, but I don't know which will work
>>> with my bank. They list only a couple TOTP clients, one of which is the
>>> Symantec client that is geared to enterprise users. They don't list
>>> other TOTP clients, like Google or Microsoft Authenticator.
>>
>> As Dave Royal also mentioned, your bank probably mentions/'supports'
>> one or more TOTP 'apps'/programs, but - assuming they have not
>> re-invented the wheel - their systems should be standards-compliant and
>> hence worke with any standards-compliant 'app'/program.
>>
>> See this list of OTP 'apps'/programs for possible Windows solutions
>> (pointed to by the 'See also:' of your reference)
>>
>> 'Comparison of OTP applications'
>> <https://en.wikipedia.org/wiki/Comparison_of_OTP_applications>
>
> Authy will drop their desktop (Windows client), but the desktop is where
> I do the vast majority of my web surfing and logins. Google and
> Microsoft have their authenticators, but those are apps for Android or
> iOS, so they are no value to me on a desktop. Besides Authy, my bank
> says they support Symantec VIP which has clients for Windows, Mac,
> Android, and iOS. Authy originally said they were dropping their
> desktop client in August 2024, but they moved to this mid-March.
>
> I read about Bitwarden for 2FA/TOTP, but that's a premium feature
> ($10/yr subscriptionware). Symantec VIP (well, I think) is free. The
> wiki article doesn't mention that one. Until the wiki article, I had
> not heard of SAASPASS Authenticator. Alas, while the wiki article makes
> SASSPASS Authenticator look superior, the table is a bit misleading.
> The personal-use client is only for mobile platforms. I'll probably
> lookup comparisons between Symantec VPI and Bitwarden.
>
> I was looking at the protocols, and it seems on the surface that just
> about any authenticator app should work, but that could be me being
> naive or overly hopeful. I didn't want to get into the incompatibility
> with old chat clients that had their own protocols, so you had to use
> the same chat app as with whomever you wanted to chat (unless you got
> XMPP working on both ends, but typically on lesser featured chat
> clients). From some forums, Symantec VIP provides the TOTP seed in some
> non-standard form, so it seems sites that support Symantec VIP means
> that's what you have to use, and other sites using OTP have you using
> yet another authenticator.
>
> While OAUTH change from OAUTH1 as a protocol to OAUTH2 as a framework,
> seems everyone adapted the Google/Microsoft (who were the major players
> in the OAUTH2 spec). Doesn't seem to have been true for TOTP and
> authenticators. I'll probably try Bitwarden first, but I'm not finding
> a trial of Bitwarden Premium.

It's easier than you think. All the TOTP sites I use - admittedly
not many and none of them banks - use standards protocols. I
think all of them suggested Authy - not sure. GitHub and Mozilla
suggested FreeOTP IIRC.

The reason I chose andOTP on my Android tablet was (a) it's
opensource (b) it's offline (c) it can produce an encrypted
backup of its tokens (d) it requires a password to access.
FreeOTP on iOS could not do (c) and (d). All the tokens I have
originated on my Linux desktop. I point the Android tablet's
camera at the barcode on the screen to install it, then back it
up onto both. If I want to transfer the token to my iPhone - I
usually don't in case it's lost ot stolen, see (d) - I display
the barcode on the tablet and read that with the iPhone.

Is all this more secure than an SMS to a phone? Debatable. The SMS
should end up on _one_ place, whereas the TOTP tokens may be on
several.

But it certainly makes life easier if you want to change your
phone number, as I did recently!

I notice on WikiP that andOTP is no longer supported. But it works
and should continue to work unless Android breaks it. I must back
up the APK.
--
Remove numerics from my email address.

Chris <ithinkiam@gmail.com> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
> > VanguardLH <V@nguard.lh> wrote:
[...]
> > As Dave Royal also mentioned, your bank probably mentions/'supports'
> > one or more TOTP 'apps'/programs, but - assuming they have not
> > re-invented the wheel - their systems should be standards-compliant and
> > hence worke with any standards-compliant 'app'/program.
>
> Sadly in the UK that's not the case. They either use SMS, an automated call
> or their own TOTP available in their app.

It's similar in The Netherlands, at least for my banks and other banks
I know of. But SMS and automated call are (AFAIK) not used. Just a
bank-specific hardware TOTP device (uses your bank card as one of the
factors) or TOTP in their apps. I use the TOTP devices, because it's not
much of a bother and more secure.

Frank Slootweg <this@ddress.is.invalid> Wrote in message:

> Chris <ithinkiam@gmail.com> wrote:
>> Frank Slootweg <this@ddress.is.invalid> wrote:
>> > VanguardLH <V@nguard.lh> wrote:
> [...]
>> > As Dave Royal also mentioned, your bank probably mentions/'supports'
>> > one or more TOTP 'apps'/programs, but - assuming they have not
>> > re-invented the wheel - their systems should be standards-compliant and
>> > hence worke with any standards-compliant 'app'/program.
>>
>> Sadly in the UK that's not the case. They either use SMS, an automated call
>> or their own TOTP available in their app.
>
> It's similar in The Netherlands, at least for my banks and other banks
> I know of. But SMS and automated call are (AFAIK) not used. Just a
> bank-specific hardware TOTP device (uses your bank card as one of the
> factors) or TOTP in their apps. I use the TOTP devices, because it's not
> much of a bother and more secure.

Does this bank-specific TOTP device use your normal bank
credit/debit card (i.e. the one you you make payments or withdraw
cash with) or a specific TOTP card. I have one of the latter -
though the bank doesn't use it for payments requiring
2FA.

Amex has recently taken to asking for 2 digits of my credit card
PIN to authorise some transactions - after years of saying we
should never reveal it.
--
Remove numerics from my email address.

"AJL" <noemail@none.org> wrote

| That would be me. I visit my branch maybe twice a year to get cash for
| emergencies (like if the checkout system is down) and tips. Everything
else
| is done with the credit card. Love that Cashback card. Also love that
folks
| who pay with cash help support it...
| Yes, I remember that about you. The man who would
buy an expired lottery ticket if he could get cash back. The
man who wants to purchase a gravestone that says, "Here
lies a man who never failed to get cash back."

The trend seems to be much bigger than cash-back-mania,
though. People in this thread are actually getting angry at
merely the suggestion of having options besides cellphones
for taking care of business. Cellphones have become a lifestyle.
Many of those people are not even using charge cards. They're
using debit, Square, Venmo... They've actually become
accustomed to paying someone else to handle their cash, so
that all transactions -- even lending $20 to a friend -- go
through a payment service.

Some people are just afraid of cash, fearing that they'll
be mugged if they have money. Others feel Jetson-esque,
waving their iPhone at Starbucks. Many young people
probably know payment services as where money comes from.
But I suspect the main motivator is just habit: Once people
are constantly using their cellphone, it becomes convenient
to do everything through it.

As Carlos put it, people addicted to cellphones
would like to believe that everyone else "does not matter".
They not only want cellphone options, they want cellphone
interaction to be enforced as the only option. They
want to live in Cellphone World.

I'm not so sure about automated checkouts, though. Some
stores in the US are deciding to remove or reduce them due
to theft.

https://www.cnn.com/2023/12/08/business/self-checkout-dollar-general-retail/index.html

At the same time, you run the risk of being accused of
theft when using self-checkout:

https://www.coreycohen.com/blog/2022/12/have-you-been-accused-of-self-checkout-theft/

There's also a controversy around restaurants with QR
code menus. Most people are happy to use their cellphone
to read the menu, but then they're questioning why they
should tip for barebones service...

So we run into an entirely
different issue: How does human society work without
personal interactions? Maybe you'll be able to use your
famous cash-back charge card to buy conversations...
Perhaps Monty Python's argument service wasn't so
farfetched. :)

I used a self checkout for the first time recently. There
were 8 women with full carts at the only Target register,
and the self checkout took cash. I don't really mind it
there. They have the best prices, by far, on household
items. And Target seems to be the only place left to buy
such a simple thing as a pack or sponges -- just a plain old
4-pack of kitchen sponges, without a "patented
scrubber surface" or any other overpriced gimmick. So
I accept that they need to cut corners. Though I have to
find another source for underwear and socks now. Target
has locked them in display cases! Apparently people were
stealing them and sneaking through the self-checkout.

On 2024-03-12 13:53, Newyana2 wrote:
> "AJL" <noemail@none.org> wrote

....

>
> As Carlos put it, people addicted to cellphones
> would like to believe that everyone else "does not matter".
> They not only want cellphone options, they want cellphone
> interaction to be enforced as the only option. They
> want to live in Cellphone World.

Addicted? No, simply banks are using a device that everybody has,
instead of making their clients buy an extra hardware device, not cheap,
for needed extra security. You do have other options if you insist.

--
Cheers, Carlos.

Dave Royal <dave@dave123royal.com> wrote:
> Frank Slootweg <this@ddress.is.invalid> Wrote in message:
>
> > Chris <ithinkiam@gmail.com> wrote:
> >> Frank Slootweg <this@ddress.is.invalid> wrote:
> >> > VanguardLH <V@nguard.lh> wrote:
> > [...]
> >> > As Dave Royal also mentioned, your bank probably mentions/'supports'
> >> > one or more TOTP 'apps'/programs, but - assuming they have not
> >> > re-invented the wheel - their systems should be standards-compliant and
> >> > hence worke with any standards-compliant 'app'/program.
> >>
> >> Sadly in the UK that's not the case. They either use SMS, an automated call
> >> or their own TOTP available in their app.
> >
> > It's similar in The Netherlands, at least for my banks and other banks
> > I know of. But SMS and automated call are (AFAIK) not used. Just a
> > bank-specific hardware TOTP device (uses your bank card as one of the
> > factors) or TOTP in their apps. I use the TOTP devices, because it's not
> > much of a bother and more secure.
>
> Does this bank-specific TOTP device use your normal bank
> credit/debit card (i.e. the one you you make payments or withdraw
> cash with) or a specific TOTP card. I have one of the latter -
> though the bank doesn't use it for payments requiring
> 2FA.

It uses my normal bank card. Mostly a debit card, because most 'local'
(in NL (and EU?)) on-line transactions can be done by a debit card,
which - in our country - is a safer card than a credit card. But also
some credit card transactions work with the bank's TOTP device (our
credit cards are issued by our banks).

> Amex has recently taken to asking for 2 digits of my credit card
> PIN to authorise some transactions - after years of saying we
> should never reveal it.

When I use my credit card in the bank's TOTP device, I need to give
the 4-digit PIN of that card, i.e. the PIN is one factor of 2FA, the
physical card is the other.