List of websites that support 2FA

Jason

Can we get a list started of websites that support 2FA with Text or Google Authenticator so we all know which ones to enable?

Jason

Here's some to get started

Amazon - Google Authenticator & Text
Google - Google Authenticator & Text
Facebook - Google Authenticator & Text
Lastpass - Google Authenticator

scottalanmiller

I had no idea Facebook had that capability. Good for them.

Jason

Paypal - Text

stacksofplates

Vultr - Google Authenticator, not sure about texting

Zoho - Google Authenticator and text

Dashrender

microsoft.com can use their own 2FA software or GA and texting. Not sure about emailing a code.

Jason

@Dashrender said:

Not sure about emailing a code.

Emailing a code isn't really considered good 2FA. tehnicically it is 2FA but considering you can get it on the same device and also reset the account password etc using the email it's not any good.

scottalanmiller

@Jason said:

@Dashrender said:

Not sure about emailing a code.

Emailing a code isn't really considered good 2FA. tehnicically it is 2FA but considering you can get it on the same device and also reset the account password etc using the email it's not any good.

Same with texting, really. If you have a web browser on your phone and someone gets your phone, they get both the text and the web browser authentication on the same device.

scottalanmiller

Speaking of which, are any two things that travel over the same network really two factor authentication?

scottalanmiller

I have definitely worked places where all Internet, including 4G, LTE and texting, were hijacked and monitored so any attempt at normal 2FA would result in the company getting all components of your access, even if only for a few seconds before a code timed out.

stacksofplates

@scottalanmiller said:

Speaking of which, are any two things that travel over the same network really two factor authentication?

I think if you have a lock on the phone it is. I have a pattern that I draw to unlock mine, then the Google Authenticator app. Esp if you have a phone with a fingerprint reader.

scottalanmiller

@johnhooks said:

@scottalanmiller said:

Speaking of which, are any two things that travel over the same network really two factor authentication?

I think if you have a lock on the phone it is. I have a pattern that I draw to unlock mine, then the Google Authenticator app. Esp if you have a phone with a fingerprint reader.

Does that travel over the same network? I thought that the Google Authenticator app was locally based, no network needed.

Finger print reader would do nothing in my question because the data is hijacked before it ever reaches the device. The network would know your text passcode before your phone ever received it (and could even block you from receiving it if they wanted.)

stacksofplates

@scottalanmiller said:

@johnhooks said:

@scottalanmiller said:

Speaking of which, are any two things that travel over the same network really two factor authentication?

I think if you have a lock on the phone it is. I have a pattern that I draw to unlock mine, then the Google Authenticator app. Esp if you have a phone with a fingerprint reader.

Does that travel over the same network? I thought that the Google Authenticator app was locally based, no network needed.

Finger print reader would do nothing in my question because the data is hijacked before it ever reaches the device. The network would know your text passcode before your phone ever received it (and could even block you from receiving it if they wanted.)

Oh I see what you're saying. Ya Authenticator is all local, its generated based on a random string given to you and the date and time.

Jason

@scottalanmiller said:

I think if you have a lock on the phone it is. I have a pattern that I draw to unlock mine, then the Google Authenticator app. Esp if you have a phone with a fingerprint reader.

Nothing is sent over the network. Google Authenticator is the same thing as having a RSA keyfob without the costs.

scottalanmiller

@Jason said:

@scottalanmiller said:

I think if you have a lock on the phone it is. I have a pattern that I draw to unlock mine, then the Google Authenticator app. Esp if you have a phone with a fingerprint reader.

Nothing is sent over the network. Google Authenticator is the same thing as having a RSA keyfob without the costs.

That's what I was thinking. So those are not affected by network hijacking.

Dashrender

@scottalanmiller said:

@Jason said:

@scottalanmiller said:

I think if you have a lock on the phone it is. I have a pattern that I draw to unlock mine, then the Google Authenticator app. Esp if you have a phone with a fingerprint reader.

Nothing is sent over the network. Google Authenticator is the same thing as having a RSA keyfob without the costs.

That's what I was thinking. So those are not affected by network hijacking.

But the original code is transmitted to or from Google. So if the connection is hijacked from the beginning, the hijackers can have that code and put it into their own GA and it will give them the same results.

Jason

@Dashrender said:

But the original code is transmitted to or from Google. So if the connection is hijacked from the beginning, the hijackers can have that code and put it into their own GA and it will give them the same results.

Over SSL.. Texting does not have encryption.

scottalanmiller

@Dashrender said:

But the original code is transmitted to or from Google. So if the connection is hijacked from the beginning, the hijackers can have that code and put it into their own GA and it will give them the same results.

That is much, much harder and one can assume that additional precautions could be made when acquiring that service. One could, for example, make sure that whoever was attempting to hijack the Internet connection to set up the service would have no physical connection to the person hijacking a text message.

Dashrender

@scottalanmiller said:

@Dashrender said:

But the original code is transmitted to or from Google. So if the connection is hijacked from the beginning, the hijackers can have that code and put it into their own GA and it will give them the same results.

That is much, much harder and one can assume that additional precautions could be made when acquiring that service. One could, for example, make sure that whoever was attempting to hijack the Internet connection to set up the service would have no physical connection to the person hijacking a text message.

I'll definitely give you that - but then you're still at the single device problem. Logging in from a phone, and getting a text message on the same device.

Jason

@Dashrender said:

I'll definitely give you that - but then you're still at the single device problem. Logging in from a phone, and getting a text message on the same device.

Same Device isn't as big of a deal.. It's more of same method of access. EX: Email is a back door to most accounts, if you have the email you can reset anything. So using the email as a place to send the 2FA login codes is just not a good idea.