
Two-Step Verification: Only Google Authenticator, no SMS



Thanks. I went exactly the route described in the article you linked. And to do that, I need a valid phone number that can receive SMS. I do not have that at the moment, and I am doubtful about the security of SMS in general. (It is rather easy to use social engineering to get SMS rerouted. We've seen cases.)

Is it possible to set up two-factor authentication without SMS, just using Google Authenticator only?


Yes, it is possible to set up two-factor authentication without SMS, just using Google Authenticator only. I just did it yesterday. But unless I am missing something, it does not give you security against the most likely vulnerability.

If I have signed off Evernote, which I do not usually do, then when I sign on again and have entered my user name and password, I am asked to enter a six-digit series from Authenticator. (Side note: at first I was confused because of the space between the first three and last three digits. It turns out that you do not enter the space.) The six digits are generated randomly and they change after a short time. This means that it would be impossible for someone else who tried to access your Evernote on the web and who knew your username and password to be successful if they did not have your mobile device.

If this person was able to access your desktop computer and you had not previously signed out, the two-factor authentication would NOT protect you. Your privacy could still be protected if your computer had a password set to restrict access to the whole computer.

To me, the most plausible scenario in which your Evernote privacy is at risk would be if your mobile device is lost or stolen and the person who has it knows your passcode. A member of your household, for example, might know your passcode and be able to gain access to your device. In this scenario, the two-factor process is of no value. The person could access your Evernote account if you had not signed out, which is true regardless of whether two-factor is enabled or not. If the person knows your username and password, which is entirely possible if he/she is a member of your household, you have no protection, and the two-factor is irrelevant. The mobile device will have Google Authenticator installed and it will provide the six digits to anyone who has access to the device. If you tap the authenticator, it will display a screen that tells the user that it is connected to Evernote.

In a true two-step authentication, such as a bank can use, one carries a random number generator (like Google Authenticator) but there is no connection between that device and your account number or the name of your bank. The way Evernote security is designed, the random number generator and the username/password might both be accessible on a mobile device.

Very flawed design, suggesting that it was designed by people with little understanding of how to secure information.

Am I missing something?


Yes, it is possible to set up two-factor authentication without SMS, just using Google Authenticator only. I just did it yesterday.

Hmm, I didn't figure out how. But I regained the capability to receive SMS in the meantime, so I was able to go that route.

As for your attack scenario: if you stay logged in to your devices, you are down to a single-factor authentication: your device. You are still protected against phishing, but not against someone stealing your device.

Encrypting your phone and setting a long unlock code re-introduces a second factor.

There are multiple threats to consider:

- attacks from the internet like phishing: you are still somewhat safe, since you need your physical phone / computer to log in, even if they have your password.

- random stealing: most thieves are not interested in your data, and will just reset your phone if they can't log in easily.

- targeted attack against you: once anyone gets physical access to your hardware, they can install hardware keyloggers etc. without even having to crack your encryption. You are hosed.

The problem with SMS is that rerouting SMS can be done purely via sweet-talking the guys at your telco, no need for any physical access. But yes, staying logged in trades security for convenience.
