Handling two factor when on an international vacation

I got “Australian government tells citizens to turn off two-factor authentication” forwarded to me because of my two factor posts on this blog. The theory is that they will not have access to texts while abroad. I was surprised to see such a thing, but lo and behold, their Twitter account does in fact say that, including:

Going out of mobile range? Turn off myGov Security Codes so you can still sign in! Go to ‘settings’ in your account

and

If you turn off security codes, you’ll still need to securely sign in with secret questions & answers.

My gut reaction

This sounds like a horrible idea. While traveling, make your access LESS secure? I find it hard to believe their “secret” questions are actually secure. Most places use things that lots of people know, or that you have no way of remembering yourself.

How Australia could fix this without compromising security

Australia could update their website. They could add support for any or all of the following:

  1. Email a secondary auth code for verification. If you have access to the website, you presumably have access to email.
  2. Google Authenticator support. This app doesn’t even require internet access.
  3. Predefined codes. Gmail has a number of codes you can type in that are generated in advance to be used if other methods fail.
  4. Support a temporary alternate number. This one is less convenient, but the site could provide a way to enter a secondary phone number to use during a pre-defined window. That way SMS could still be used.

All of these are still two factor solutions.

What users could do if a website doesn’t have an option other than SMS

This part isn’t specific to Australia. It applies to any site that uses only SMS for two factor.

  1. First, decide whether you will actually need the site while traveling. If not, problem solved.
  2. Check if the site remembers your device. If so, sign in on the phone you will carry while traveling while you still have access to your main phone/SIM, so you won’t be challenged for a second factor while abroad.
  3. If there are predefined codes, bring them with you.
  4. If you must turn off two factor, do so. But also do the following:
    1. Complain to the website so they know this is a problem.
    2. Leave a Post-it note on your home computer to turn two factor back on.
    3. If the website shows “last login”, check that it was you.
    4. If the website emails when you log in from a different device, check for those emails.

Two factor on Amazon

I enabled two factor on many sites last year. Amazon is a bit late to the party, but they finally have two factor support. While they waited a long time, they did a good job with it.

Sign up was easy. They give you a choice of an authenticator app including scanning with your device to connect. Or you can use a mobile phone number for voice or text. Or you can use a landline with voice. You can set a second of these options as a backup. I like that there were choices.

You are also asked if the current device is trusted, which is good, as you don’t get prompted repeatedly from your main/home computer.

I also took this opportunity to check on twofactorauth.org to see if any other sites I use have added support. I was disappointed by how many banks don’t support two factor. I tweeted at four of them with the link on the page. (I don’t have accounts at all four).

The new two factor authentication for Apple

I upgraded the OS on my iPad and MacBook Pro today. I also set up the “new” two factor system. I hadn’t set it up with the old system when I set up two factor on many other accounts.

Setup was easy as described here. I added both my home and cell numbers. I like that you can choose whether to receive a text or phone call with the code. A code was sent to or called on each phone to verify. Since I set this up from my Mac, it became a trusted device. My iPad is recognized as logged in, but not trusted so the code only appears on my Mac.

I then signed in to my Apple account in Safari to try to set it up as trusted. On my Mac, the six digit verification code automatically popped up. Minor bug: it was a window that went to the background when I tabbed away, and I couldn’t find it when I Command+Tabbed to switch back. I had to drag my browser window out of the way to get it back. When I went to look at iCloud > username > devices on my iPad, I again got the location/verification code pop up on my computer. More convenient this time since it was a different device. I like that it shows the location of the device that wants the code.

I also got an email saying I turned on two factor and that I can opt out by clicking the link for a limited time. I like that the link expires to reduce the attack surface. Of course, I can always opt out through actually logging into my account.

The only problem is that I can’t figure out how to make my iOS 9.1 iPad a trusted device. The option just isn’t there under iCloud > username > password and security.