Australian government tells citizens to turn off two-factor authentication

Status
Not open for further replies.
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.
Exactly, this is where smart phone apps are a useful alternative, but they should ideally offer multiple options (e.g- Authy, Google Authenticator etc., plus SMS) as too many services only offer a single option which just makes it annoying when you're forced to install every multi-factor app and still use SMS, and then try to remember which services will fail if you lose access to your SMS messages.

Yay for progress!
 
Upvote
59 (59 / 0)
Haravikk said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.
Exactly, this is where smart phone apps are a useful alternative, but they should ideally offer multiple options (e.g. Authy, Google Authenticator etc., plus SMS) as too many services only offer a single option which just makes it annoying when you're forced to install every multi-factor app and still use SMS, and then try to remember which services will fail if you lose access to your SMS messages.

Yay for progress!
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).
 
Upvote
48 (48 / 0)

kNevik

Seniorius Lurkius
6
mrseb said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

Duo ftw!

Correct me if I'm wrong, but Duo requires an internet connection, something there's a good chance you might not have while abroad. They should just use a standard solution like HOTP which apps on all platforms support (the standard being Google Authenticator), with SMS as an alternative for the non tech literate.
 
Upvote
34 (36 / -2)

mrseb

Ars Tribunus Militum
2,935
kNevik said:
mrseb said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

Duo ftw!

Correct me if I'm wrong, but Duo requires an internet connection, something there's a good chance you might not have while abroad. They should just use a standard solution like HOTP which apps on all platforms support (the standard being Google Authenticator), with SMS as an alternative for the non tech literate.

Yep, true. Though I think Duo does have 'emergency codes' that you save + print on dead trees/etc.
 
Upvote
14 (15 / -1)
r3loaded said:
Haravikk said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.
Exactly, this is where smart phone apps are a useful alternative, but they should ideally offer multiple options (e.g. Authy, Google Authenticator etc., plus SMS) as too many services only offer a single option which just makes it annoying when you're forced to install every multi-factor app and still use SMS, and then try to remember which services will fail if you lose access to your SMS messages.

Yay for progress!
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).

Steam also uses email for two-factor authentication (though maybe only for the default Steam Guard?), and Facebook asking for your phone number isn't entirely unreasonable, as it means you can recover your account should you lose the app.
 
Upvote
-6 (3 / -9)

Entegy

Ars Legatus Legionis
18,172
AndreaFaulds said:
r3loaded said:
Haravikk said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.
Exactly, this is where smart phone apps are a useful alternative, but they should ideally offer multiple options (e.g. Authy, Google Authenticator etc., plus SMS) as too many services only offer a single option which just makes it annoying when you're forced to install every multi-factor app and still use SMS, and then try to remember which services will fail if you lose access to your SMS messages.

Yay for progress!
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).

Steam also uses email for two-factor authentication (though maybe only for the default Steam Guard?), and Facebook asking for your phone number isn't entirely unreasonable, as it means you can recover your account should you lose the app.
The issue with Steam is that despite Steam Guard emails, there are limits placed on trades you can do until you start using the Steam mobile app for iOS or Android. For example, my phone runs neither of those operating systems, so I'm locked out.

Just implement that code generator thingy that allows me to store in an authentication app with email or SMS as backup and we'll be good Valve. I even got it working on Facebook without the Facebook app although it's kinda hidden. It's annoying (and likely more insecure) when people roll their own.

This is also a CC to Apple and Twitter as well.
 
Upvote
22 (23 / -1)

fir3bird

Wise, Aged Ars Veteran
162
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

+1. Text messages are better than nothing, but Google Authenticator avoids certain pitfalls. My bank texts the secondary code to your phone, but it seems to have trouble when you're roaming and/or switch providers. Wouldn't text my code while I was in India even though I was still on my home SIM card, nor for like a week when I switched to T-Mobile.
 
Upvote
16 (16 / 0)

necrosis

Ars Scholae Palatinae
1,130
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

I can't stand 2FA systems that only use SMS. Hell I hate 2FA systems that use SMS in any step in the process of setting things up. I ditched SMS a while ago to save money.
 
Upvote
8 (13 / -5)

sryan2k1

Ars Legatus Legionis
46,545
Subscriptor++
kNevik said:
mrseb said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

Duo ftw!

Correct me if I'm wrong, but Duo requires an internet connection, something there's a good chance you might not have while abroad. They should just use a standard solution like HOTP which apps on all platforms support (the standard being Google Authenticator), with SMS as an alternative for the non tech literate.


You're wrong. The smartphone app can generate some number of offline codes by tapping the "key" icon next to a source if there is no internet. A user can also generate and print a set of offline codes, and an administrator can set a bypass code if necessary. Duo also supports voice and SMS 2FA as well.
 
Upvote
4 (5 / -1)

Statistical

Ars Legatus Legionis
55,747
They should switch to an authentication service that doesn't rely on SMS messages.

Or if they found it infeasible to switch at least provide a temporary alternative 2FA like printing out a set of one time codes. They could advocate doing that before travel. "Remember print out one time code before traveling to ensure you have access even when SMS is not available".
 
Upvote
15 (15 / 0)

TechCrazy

Ars Tribunus Militum
2,779
kNevik said:
mrseb said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

Duo ftw!

Correct me if I'm wrong, but Duo requires an internet connection, something there's a good chance you might not have while abroad. They should just use a standard solution like HOTP which apps on all platforms support (the standard being Google Authenticator), with SMS as an alternative for the non tech literate.


Just to note there is one major reason SMS has an advantage over number generator apps. It does not require a smart phone in order to generate a number. Any phone which is capable of receiving an SMS is able to receive the OTP.
 
Upvote
21 (21 / 0)
kNevik said:
mrseb said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

Duo ftw!

Correct me if I'm wrong, but Duo requires an internet connection, something there's a good chance you might not have while abroad. They should just use a standard solution like HOTP which apps on all platforms support (the standard being Google Authenticator), with SMS as an alternative for the non tech literate.

Pretty sure anyone trying to log into the website has an Internet connection...

FWIW, in most places internet connections are more prevalent and accessible to travelers than the cell phone network.

But still, Google auth and Authy FTW... I hate SMS based 2FA.
 
Upvote
24 (24 / 0)

jhollinger

Wise, Aged Ars Veteran
144
Subscriptor
US citizen here. First off, wow. I can barely imagine having a service equivalent to "myGov" here in the states. (Bernie, care to add that to your platform?) Granted, its mere existence presents certain security concerns. Then again the plethora of unrelated offline and online systems we enjoy today is arguably only "secure through obscurity", if that.

Second, yes their suggestion clearly is a terrible one. But not because the 2-factor will be disabled for a few days or weeks. That's arguably an acceptable window, unless you're being specifically targeted. It's a terrible suggestion because most people won't remember to turn it back on, ever. Now idk, maybe they have a reminder pop up or something. Obviously, a 2-factor auth that doesn't require SMS would be ideal. But barring that, they should have a simple "Disable 2-factor until <date>" option, after which it would automatically switch back on.
 
Upvote
32 (32 / 0)

jnareb

Wise, Aged Ars Veteran
115
kNevik said:
Correct me if I'm wrong, but Duo requires an internet connection, something there's a good chance you might not have while abroad. They should just use a standard solution like HOTP which apps on all platforms support (the standard being Google Authenticator), with SMS as an alternative for the non tech literate.

In this situation the limitation (if it were one) doesn't matter. If you don't have an Internet connection, you cannot connect to the AU gov site anyway, can you?

Nb. TOTP / HOTP is an open standard, Google Authenticator (or Authy, or FreeOTP) is just the implementation.
 
Upvote
15 (15 / 0)

Akemi

Ars Tribunus Angusticlavius
9,837
r3loaded said:
Haravikk said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.
Exactly, this is where smart phone apps are a useful alternative, but they should ideally offer multiple options (e.g. Authy, Google Authenticator etc., plus SMS) as too many services only offer a single option which just makes it annoying when you're forced to install every multi-factor app and still use SMS, and then try to remember which services will fail if you lose access to your SMS messages.

Yay for progress!
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).

You can also have the code sent to any e-mail address you specify. So if you have a Windows Phone, just sign in to your e-mail.
 
Upvote
2 (3 / -1)

vnangia

Ars Scholae Palatinae
824
"Winner" of most irritating 2FA has to be Paypal. Until recently, they'd redirect you first to a mobile version of the site, even on the desktop. The site would ask you for your username and password, fail three times, sometimes suggesting that you add your code - which, surprise, you don't have because SMS isn't precog - to the end of the password. The third time, it would add a button that allowed you to go to the desktop version of the site, which you'd click, and get sent to a desktop version of the site that was still 2FA unaware. Eventually, you'd be dropped back at the old school login, where you'd have to change to the "I have an account vertical tab", enter your password, request to be sent an SMS, wait four minutes for it to arrive and then scramble to put it in because they're only valid for five minutes, and if you were very lucky, it all did work.

They do (did?) offer an app-based 2FA, but it was not HOTP-based, and required a custom application that would not work if you denied it constant location awareness, data, and mic access.

They may have fixed this by now - certainly I've not seen the broken flow in about six weeks - but I doubt it's truly fixed. They've also supposedly fixed the bank account as default funding source "feature," but it isn't working here.

"Most loved" my ass - it's like Aeroflot's slogan during the Soviet Union: "you've made the right choice."
 
Upvote
10 (11 / -1)
mrseb said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

Duo ftw!

As a commercial product that requires a dedicated app, Duo would be rather expensive to implement and likely result in a LOT of support headaches for the Australian Government.

Not to mention the fact that Duo relies on push notifications, which would also break if a user swapped out SIM cards while on vacation abroad.

A much better approach would be to use something like Google Authenticator, which is fairly easy to install & configure, and doesn't require any communication path between the client & server. So even if an end user swapped SIM cards, etc. then it would still just work.
 
Upvote
4 (6 / -2)
necrosis said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

I can't stand 2FA systems that only use SMS. Hell I hate 2FA systems that use SMS in any step in the process of setting things up. I ditched SMS a while ago to save money.

Do people still pay for text messages?
 
Upvote
5 (8 / -3)
The best solution is to offer several 2FA options and allow the user to choose the ones that work best for them. For example, Google offers U2F, TOTP, and written "emergency" codes. It might be a little more expensive to implement, but you would be able to serve a larger percentage of people. It could also reduce your operating expenses, as people using an authentication method that works for them are less likely to need help.
 
Upvote
4 (4 / 0)

sryan2k1

Ars Legatus Legionis
46,545
Subscriptor++
Not to mention the fact that Duo relies on push notifications, which would also break if a user swapped out SIM cards while on vacation abroad.


Uh no, push uses the internet and has nothing to do with the cellular part of the device, as long as the phone can get to Duo's servers, via WiFi, cell data, etc it doesn't matter.
 
Upvote
-1 (1 / -2)
r3loaded said:
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).

Valve explained why they couldn't.

Security and Trading (http://store.steampowered.com/news/19618/) said:
...
We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
...
 
Upvote
11 (11 / 0)
m-p{3} said:
r3loaded said:
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).

Valve explained why they couldn't.

Security and Trading (http://store.steampowered.com/news/19618/) said:
...
We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
...

Which is still a lazy excuse.
 
Upvote
-15 (1 / -16)

yankinwaoz

Ars Scholae Palatinae
622
Upvote
3 (3 / 0)
Several years ago I bought an authenticator for my World of WarCraft account, which ended up becoming the 2FA security for my entire Blizzard/Battle.net account.

It's a $6.50 USD fob with a one-time setup and no mobile/cellular/SMS/Internet connection requirement.

Why not just let Aussies get fobs like these for their government web portal 2FA?
 
Upvote
9 (9 / 0)
Onyx Spartan II said:
m-p{3} said:
r3loaded said:
While we're at it, pass the message on to Steam (only works if you have their client app, which is only available if you have an iOS/Android device) and to Facebook (requires you to give them your phone number even if you only want to use app generated codes).

Valve explained why they couldn't.

Security and Trading (http://store.steampowered.com/news/19618/) said:
...
We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
...

Which is still a lazy excuse.
But the idea behind it makes it understandable. No compromise on security for convenience.

itdraugr said:
Several years ago I bought an authenticator for my World of WarCraft account, which ended up becoming the 2FA security for my entire Blizzard/Battle.net account.

It's a $6.50 USD fob with a one-time setup and no mobile/cellular/SMS/Internet connection requirement.

Why not just let Aussies get fobs like these for their government web portal 2FA?
Or add support for Fido U2F on their services.
 
Upvote
3 (3 / 0)

bri2000

Ars Scholae Palatinae
1,165
Subscriptor
necrosis said:
JimmiG said:
They should switch to an authentication service that doesn't rely on SMS messages.

I can't stand 2FA systems that only use SMS. Hell I hate 2FA systems that use SMS in any step in the process of setting things up. I ditched SMS a while ago to save money.

I don't have to pay to receive SMSs but I've found those systems terrible due to codes taking ridiculous lengths of time to come through. I'm not sure if it's Apple being passive-aggressive because I don't use an iPhone (work issued BB Q10) or my provider (EE in the UK) but they generally take at least a couple of hours to arrive. In one case it was 2 days. Fortunately Apple will also send a code directly to my iPad. Those arrive instantly but kind of defeat the point of 2FA when that's the device I'm signing in on.
 
Upvote
1 (2 / -1)
The fact that good security isn't convenient, and convenient isn't good security, is not a new development.

However, security that prevents the legitimate user from using their IT resources at all isn't serving anyone's needs, either.

The failure here isn't suggesting a less-secure method of access. It's failing to explain properly why someone would want to do so, why they might not want to, and the factors that affect the decision.
 
Upvote
2 (3 / -1)
Torchwood said:
So, how much does it cost to implement Google Authentication again? It sounds like they only rely on SMS codes.
There's some measure of time and effort to implement something like that, but Google Authenticator (and a bunch of others) are just clients for an open system that's free to implement.

Google, Amazon, Microsoft, Salesforce, Facebook, EA, Lastpass, and Kickstarter all use it, just from looking at the app on my phone.

Steam, Battle.net, and my job all use different (and incompatible) forms of the same sort of thing, so I get to enjoy having an extra three apps on my phone just for those.
 
Upvote
7 (7 / 0)
Statistical said:
I ditched SMS a while ago to save money.

Some cellphone companies actually still charge for SMS?

You'd be surprised. The USA is the only country I know where you can get global SMS bundles with your cellphone plan. Most other places, you still get billed per-SMS, and the cost goes up if it's off-net, and even higher if it's to an international number.

No wonder services like Whatsapp are popular elsewhere and not in the US.
 
Upvote
8 (10 / -2)