Two-factor authentification - is it sometimes just data phishing?

There’s a vendor I work with that has a rewards program. You get points for buying their services and then redeem them for gift cards and whatnot.

Today I try to log in and find that they’ve implemented two-factor authentification. Meaning, I have to put in my phone number so they can supposedly verify I am the person associated with an account. Previously this was just a user name and password.

I realize there are actually security needs in the online world. But could this really just be an excuse to data-mine people’s phone numbers? I really don’t want to give my phone number out just to be in some rewards scheme. And is it just me, or is “security” being used as an excuse for this sort of thing more and more often?

I assume they’re asking for your number so they can use 2FA going forward. The idea behind 2FA is that it would send a text message to the number already associated with your account. Just asking for the number, as part of the login process, wouldn’t work since anyone trying to access your account would just put their number in, get the text message and type in the code. It wouldn’t really do anything.

If you don’t want to give them your phone number, see if they give you the option to use your email address or turn off 2FA altogether. Besides, if there’s no sensitive info in the account, 2FA is just an extra step for no real reason.

Something else you can do is set up (for free) a Google Voice number and use that for this type of stuff. It’s easy enough to get a number and adjust the settings on the account so the only thing it can do is receive texts (IOW, no spam calls, no voicemails etc).
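The point made a few posts up, that the code has to go to a number already on file rather than one typed in at login, is what a server-side SMS OTP flow looks like in practice. This is an added illustration, not code from the vendor or anyone in the thread; the account store, the `OUTBOX` stand-in for an SMS gateway and the phone numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database": the phone number is set at enrolment and is
# never taken from the login request. Plain SHA-256 for the password is only to
# keep the example short; a real system uses a proper password hash.
ACCOUNTS = {
    "alice": {"phone": "+15555550100",
              "pw_hash": hashlib.sha256(b"correct horse").hexdigest()},
}
PENDING = {}        # username -> (code_hash, expires_at, attempts_left)
OUTBOX = []         # stand-in for the SMS gateway: (destination, code)
CODE_TTL = 300      # seconds a challenge stays valid
MAX_ATTEMPTS = 3    # guesses allowed against one six-digit code

def _hash_code(username, code):
    return hmac.new(username.encode(), code.encode(), hashlib.sha256).hexdigest()

def start_login(username, password, phone_from_request=None, now=None):
    """Step 1: check the password, then send an OTP to the ENROLLED number.
    A phone number supplied with the login request is ignored; otherwise anyone
    who knows the password could route the code to their own phone."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    if acct is None or not hmac.compare_digest(given, acct["pw_hash"]):
        return "bad_credentials"
    code = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING[username] = (_hash_code(username, code), now + CODE_TTL, MAX_ATTEMPTS)
    OUTBOX.append((acct["phone"], code))      # never phone_from_request
    return "otp_sent"

def finish_login(username, code, now=None):
    """Step 2: verify the code with a constant-time compare, an expiry and a
    small attempt budget so the six-digit space cannot be brute-forced."""
    now = time.time() if now is None else now
    pending = PENDING.get(username)
    if pending is None:
        return "no_challenge"
    code_hash, expires_at, attempts_left = pending
    if now > expires_at or attempts_left <= 0:
        PENDING.pop(username, None)
        return "expired"
    if hmac.compare_digest(code_hash, _hash_code(username, code)):
        PENDING.pop(username, None)           # a code is good for one use only
        return "ok"
    PENDING[username] = (code_hash, expires_at, attempts_left - 1)
    return "wrong_code"
```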

Unfortunately too many sites are wise to Google Voice and refuse to accept those numbers. (Which must be a real headache for those whose number was originally assigned by Google Voice and is now their actual, real-for-real, only phone number.)

I’ve run into this several times.

And in terms of so-called “security”, Slashdot posted about this (again) just yesterday. Search there for more posts about how insecure 2FA is.

Any site that thinks that 2FA is a good idea, let alone a must, is not to be trusted.

2FA over SMS is an insecure mess, because SMS is an insecure protocol. 2FA using a dedicated hardware or software token is indeed a good idea, and a must for anything you want to be remotely secure. I wish more banks supported it, but few do.

ETA: Of course, the entire banking system in the U.S. is an insecure mess, too (cf. checks, just for one), so the lack of proper 2FA is the least of our worries.

It used to be that numbers were assigned in large blocks (an exchange) to a given company; however, with number porting being allowed for so long all I can tell you is that 123-456-xxxx was originally assigned to ____ Telco. If I take my TMO/Verizon/Ma Bell landline & port it to GV (which one can do) how would a given company know that it’s a GV phone #? What if I go the other way & port my originally-a-GV-phone-# to another telco?

How do GV #s differ from Google Fi numbers?

Well, this is timely

I just had to deal with this with my insurance company. I needed to get into my account and they were setting up 2FA as a required first window for logging on. Unfortunately, both the phone number and the email address they had for my account were old and no longer usable. And customer service was only open during business hours.

Annoying.

[nitpick]
I think it’s ‘authentication’, not ‘authentification’
[/nitpick]

You just have to assume that all these companies are 100% evil. The OP is not being paranoid.

So one wouldn’t use it for, say, a military computer system. But surely it’s perfectly adequate for commercial web sites?

Sure. As long as nobody sends any information like credit card numbers, email addresses, real addresses, phone numbers, names, etc. And anything having to do with login verification, passwords, etc. is right out.

So, talking about last night’s game is okay. If you don’t care who reads it.

But we’re talking about two-factor authentication here, which means having two totally separate ways to verify access. Passwords, e-mail, SMS, hardware dongle, etc, each have their vulnerabilities, but if someone were to hack one of those, they still can’t access the system. Hacking two of those for the same account would be extremely difficult.

The idea behind security is ‘something you know & something you have’. I know my signon/password & have my phone, which means that providing a ‘key’ / One-time password (OTP) should be secure; however, since SMS isn’t secure it’s kind of like leaving your key under a rock. If I lift the right rock I now have the key to your house. SMS has vulnerabilities & shouldn’t be looked at as being secure.
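The "something you have" that does not depend on SMS is a token that derives each one-time password from a shared secret and the clock, as hardware tokens and authenticator apps do (RFC 4226 HOTP and RFC 6238 TOTP). This is an added example, not code from anyone in the thread; the drift window and replay set are choices made for the example, and the secret in the test is the RFC test vector.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                drift: int = 1, used=None) -> bool:
    """Accept the current step and `drift` steps either side (clock skew), and
    refuse a step that has already been consumed so a code cannot be replayed."""
    at = time.time() if at is None else at
    now_step = int(at) // step
    for delta in range(-drift, drift + 1):
        candidate = now_step + delta
        if candidate < 0 or (used is not None and candidate in used):
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            if used is not None:
                used.add(candidate)
            return True
    return False

def secret_from_base32(b32: str) -> bytes:
    """Decode the secret as shown in an authenticator enrolment QR code."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))
```

No phone number is involved at any point: the server and the token only share the secret exchanged at enrolment.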

I came across this in June with Stripe, who is a pretty big merchant account provider. It’s a service that we occasionally use when our primary merchant account isn’t working for whatever reason.

One day we go to log on and Stripe isn’t suggesting 2FA, they require it. Trouble is, linking the Stripe account to my phone wouldn’t be good because I’m not always at the office and if someone needs to run a charge it wouldn’t work.

Solution turns out to be that I could (and should already) have created user accounts for each user, and those user accounts don’t require 2FA, only the administrator account.

And for what it’s worth, for my 2FA phone number I was able to use a Google Voice number.

I work for a company that provides consumer-facing payment applications to financial institutions. We use One-Time Passwords (OTP) as an in-session risk mitigation tool. It is not 100% effective by itself but is an important tool in a layered risk management strategy. Additionally, financial institutions are required to deploy multi-factor authentication strategies. It is not an attempt to phish your personal data for marketing purposes, it is to add further security to your interaction online. It provides, as others have mentioned, a way to further authenticate you when they are suspicious of your login attempt - for example, maybe from a computer you’ve not used before, or a geo-IP location outside our normal area, or a whole host of data points they’re evaluating when you access their website. Our products also look at device reputation and ownership data as a part of our risk strategy. It doesn’t do any good to send an OTP to a phone number if the device itself has been associated with reported fraud and the device is not owned by the customer. But we can do all that validation behind the scenes and that data helps drive when or if we would issue an OTP.

OTP is not a silver bullet - it is simply one tool in a toolbox. Due to social engineering vulnerabilities with OTP we are also moving away from them to a 2-way SMS challenge process.
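The decision described in the post above (send an OTP only when the signals warrant it, and not at all when the device is tied to reported fraud and not owned by the customer) can be sketched as a step-up policy. This is an added illustration and not the poster's company's product; the signal names, weights, threshold and the challenge-rate limit are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LoginSignals:
    # Constructed signal set modelled on the data points the post names.
    device_seen_before: bool        # this device has been used on the account
    geo_in_normal_area: bool        # geo-IP inside the customer's usual region
    device_flagged_fraud: bool      # device reputation: linked to reported fraud
    device_owned_by_customer: bool  # ownership data ties the device to the customer

@dataclass
class StepUpPolicy:
    otp_threshold: int = 2          # score at or above this triggers an OTP
    max_challenges: int = 3         # OTP challenges allowed per account per window
    challenges: dict = field(default_factory=dict)  # account -> challenges sent

    def decide(self, account: str, s: LoginSignals) -> str:
        """Return 'allow', 'otp' (issue a one-time password) or 'deny'."""
        # A device linked to fraud that is not the customer's own gets no code
        # at all: the OTP would be delivered to whoever holds that device.
        if s.device_flagged_fraud and not s.device_owned_by_customer:
            return "deny"
        score = 0
        if not s.device_seen_before:
            score += 2
        if not s.geo_in_normal_area:
            score += 2
        if s.device_flagged_fraud:
            score += 3              # owned by the customer but still flagged
        if score < self.otp_threshold:
            return "allow"
        # Cap challenges per account so repeated prompts cannot be used to
        # wear a customer down into reading a code out to a caller.
        sent = self.challenges.get(account, 0)
        if sent >= self.max_challenges:
            return "deny"
        self.challenges[account] = sent + 1
        return "otp"
```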

My potential problem with 2FA has always been this situation:
You lose your phone.
Your phone is logged in to your email account.
You have your banking app on your phone.
Badguy picks up your phone before the screen lock engages.
Badguy goes to app and hits “forgot password.”
Bank sends password reset to the email account logged in on the phone.
Badguy resets password, 2FA not an issue since it comes to the same phone.

Your scenario requires 2/3 things to go wrong at the same time.

Without 2FA your bank just has to forget to secure a customer database (something that happens all the time).

2FA is not perfect, nothing is, but it is the best solution for automated authentication at this point in time.

(BTW, you wouldn’t be able to reset my email password with just my unlocked phone, or access my banking app; those require separate logins (TouchID).)