From: Dave Royal
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Tue, 12 Mar 2024 08:16:17 +0000 (GMT)
Organization: news.eternal-september.org
References: <1mtd3l3os6odg.dlg@v.nguard.lh> <1fuj8a8wvjzts$.dlg@v.nguard.lh>

VanguardLH wrote in message:
> Frank Slootweg wrote:
>
>> VanguardLH wrote:
>>
>> [Yet another mixup of 2FA/2SV deleted.]
>>
>>> I haven't delved much into TOTP, because I've yet to log into any sites that use it, but it might be more secure than 2FA.
>>>
>>> https://en.wikipedia.org/wiki/Time-based_one-time_password
>>>
>>> My bank did add TOTP by letting their customers use the Authy app. Alas, Authy discontinued their desktop (Windows) client, leaving only their mobile apps. Yet I don't do banking on my phone, only on my desktop PC. So, Authy yanked their desktop client, I can't use it anymore with my bank, so I'm stuck with them sending the 2FA code to my Google Voice phone number which forwards to me via e-mail. Obviously I can't get texts on my desktop PC (it has no cellular service), and I'm not running around the house to find my smartphones to power them up and wait to get a 2FA code via SMS that I have to manually copy into the 2FA form in the web browser on my desktop PC.
>>> At the server, 2FA codes expire, so it could take me longer to use a phone with SMS than it took to use Authy on my desktop where I was trying to log in.
>>>
>>> There are other TOTP desktop clients, but I don't know which will work with my bank. They list only a couple of TOTP clients, one of which is the Symantec client that is geared to enterprise users. They don't list other TOTP clients, like Google or Microsoft Authenticator.
>>
>> As Dave Royal also mentioned, your bank probably mentions/'supports' one or more TOTP 'apps'/programs, but - assuming they have not re-invented the wheel - their systems should be standards-compliant and hence work with any standards-compliant 'app'/program.
>>
>> See this list of OTP 'apps'/programs for possible Windows solutions (pointed to by the 'See also:' of your reference)
>>
>> 'Comparison of OTP applications'
>>
>
> Authy will drop their desktop (Windows) client, but the desktop is where I do the vast majority of my web surfing and logins. Google and Microsoft have their authenticators, but those are apps for Android or iOS, so they are of no value to me on a desktop. Besides Authy, my bank says they support Symantec VIP which has clients for Windows, Mac, Android, and iOS. Authy originally said they were dropping their desktop client in August 2024, but they moved this to mid-March.
>
> I read about Bitwarden for 2FA/TOTP, but that's a premium feature ($10/yr subscriptionware). Symantec VIP (well, I think) is free. The wiki article doesn't mention that one. Until the wiki article, I had not heard of SAASPASS Authenticator. Alas, while the wiki article makes SAASPASS Authenticator look superior, the table is a bit misleading. The personal-use client is only for mobile platforms. I'll probably look up comparisons between Symantec VIP and Bitwarden.
>
> I was looking at the protocols, and it seems on the surface that just about any authenticator app should work, but that could be me being naive or overly hopeful. I didn't want to get into the incompatibility with old chat clients that had their own protocols, so you had to use the same chat app as whomever you wanted to chat with (unless you got XMPP working on both ends, but typically on lesser featured chat clients). From some forums, Symantec VIP provides the TOTP seed in some non-standard form, so it seems sites that support Symantec VIP mean that's what you have to use, and other sites using OTP have you using yet another authenticator.
>
> While OAUTH changed from OAUTH1 as a protocol to OAUTH2 as a framework, it seems everyone adapted to Google/Microsoft (who were the major players in the OAUTH2 spec). That doesn't seem to have been true for TOTP and authenticators. I'll probably try Bitwarden first, but I'm not finding a trial of Bitwarden Premium.

It's easier than you think. All the TOTP sites I use - admittedly not many and none of them banks - use standard protocols. I think all of them suggested Authy - not sure. GitHub and Mozilla suggested FreeOTP IIRC.

The reason I chose andOTP on my Android tablet was (a) it's open source, (b) it's offline, (c) it can produce an encrypted backup of its tokens, (d) it requires a password to access. FreeOTP on iOS could not do (c) and (d).

All the tokens I have originated on my Linux desktop. I point the Android tablet's camera at the barcode on the screen to install it, then back it up onto both. If I want to transfer the token to my iPhone - I usually don't, in case it's lost or stolen, see (d) - I display the barcode on the tablet and read that with the iPhone.

Is all this more secure than an SMS to a phone? Debatable. The SMS should end up in _one_ place, whereas the TOTP tokens may be on several. But it certainly makes life easier if you want to change your phone number, as I did recently!
I notice on WikiP that andOTP is no longer supported. But it works and should continue to work unless Android breaks it. I must back up the APK.

-- 
Remove numerics from my email address.