Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Dave Royal <dave@dave123royal.com>
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Tue, 12 Mar 2024 08:16:17 +0000 (GMT)
Organization: news.eternal-september.org
Lines: 103
Message-ID: <usp30k$6b5f$1@dont-email.me>
References: <ush35k$2791b$1@dont-email.me> <usid1f$2fqif$1@dont-email.me> <usn5ia$3lqer$1@dont-email.me> <1mtd3l3os6odg.dlg@v.nguard.lh> <usnm5e.7g4.1@ID-201911.user.individual.net> <1fuj8a8wvjzts$.dlg@v.nguard.lh>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 12 Mar 2024 08:16:20 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="ec5f915a3258ab52dedd3e4e822d6e0f";
	logging-data="208047"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX19BxDMcoqXlXZu+v6uYlX6d"
Cancel-Lock: sha1:UHi4Up+oKoSUjB9tMbUv4Rc52I8=
X-Newsreader: Mod.PiaoHong.Usenet.Client:2.02.M16
Bytes: 6457

VanguardLH <V@nguard.LH> Wrote in message:

> Frank Slootweg <this@ddress.is.invalid> wrote:
> 
>> VanguardLH <V@nguard.lh> wrote:
>> 
>> [Yet another mixup of 2FA/2SV deleted.]
>> 
>>> I haven't delved much into TOTP, because I've yet to log into any sites
>>> that use it, but it might be more secure than 2FA.  
>>> 
>>> https://en.wikipedia.org/wiki/Time-based_one-time_password
>>> 
>>> My bank did add TOTP by letting their customers use the Authy app.
>>> Alas, Authy discontinued their desktop (Windows) client leaving only
>>> their mobile apps.  Yet I don't do banking on my phone, only on my
>>> desktop PC.  So, Authy yanked their desktop client, can't use it anymore
>>> with my bank, so I'm stuck with them sending the 2FA code to my Google
>>> Voice phone number which forwards to me via e-mail.  Obviously I can't
>>> get texts on my desktop PC (it has no cellular service), and I'm not
>>> running around the house to find my smartphones to power them up and
>>> wait to get a 2FA code via SMS that I have to manually copy into the 2FA
>>> form in the web browser on my desktop PC.  At the server, 2FA codes
>>> expire, so it could take me longer to use a phone with SMS than it took
>>> to use Authy on my desktop where I was trying to login.
>>> 
>>> There are other TOTP desktop clients, but I don't know which will work
>>> with my bank.  They list only a couple TOTP clients, one of which is the
>>> Symantec client that is geared to enterprise users.  They don't list
>>> other TOTP clients, like Google or Microsoft Authenticator.
>> 
>>   As Dave Royal also mentioned, your bank probably mentions/'supports'
>> one or more TOTP 'apps'/programs, but - assuming they have not
>> re-invented the wheel - their systems should be standards-compliant and
>> hence work with any standards-compliant 'app'/program.
>> 
>>   See this list of OTP 'apps'/programs for possible Windows solutions
>> (pointed to by the 'See also:' of your reference)
>> 
>> 'Comparison of OTP applications'
>> <https://en.wikipedia.org/wiki/Comparison_of_OTP_applications>
> 
> Authy will drop their desktop (Windows client), but the desktop is where
> I do the vast majority of my web surfing and logins.  Google and
> Microsoft have their authenticators, but those are apps for Android or
> iOS, so they are no value to me on a desktop.  Besides Authy, my bank
> says they support Symantec VIP which has clients for Windows, Mac,
> Android, and iOS.  Authy originally said they were dropping their
> desktop client in August 2024, but they moved to this mid-March.
> 
> I read about Bitwarden for 2FA/TOTP, but that's a premium feature
> ($10/yr subscriptionware).  Symantec VIP (well, I think) is free.  The
> wiki article doesn't mention that one.  Until the wiki article, I had
> not heard of SAASPASS Authenticator.  Alas, while the wiki article makes
> SAASPASS Authenticator look superior, the table is a bit misleading.
> The personal-use client is only for mobile platforms.  I'll probably
> look up comparisons between Symantec VIP and Bitwarden.
> 
> I was looking at the protocols, and it seems on the surface that just
> about any authenticator app should work, but that could be me being
> naive or overly hopeful.  I didn't want to get into the incompatibility
> with old chat clients that had their own protocols, so you had to use
> the same chat app as with whomever you wanted to chat (unless you got
> XMPP working on both ends, but typically on lesser featured chat
> clients).  From some forums, Symantec VIP provides the TOTP seed in some
> non-standard form, so it seems sites that support Symantec VIP means
> that's what you have to use, and other sites using OTP have you using
> yet another authenticator.
> 
> While OAUTH changed from OAUTH1 as a protocol to OAUTH2 as a framework,
> seems everyone adapted the Google/Microsoft (who were the major players
> in the OAUTH2 spec).  Doesn't seem to have been true for TOTP and
> authenticators.  I'll probably try Bitwarden first, but I'm not finding
> a trial of Bitwarden Premium.

It's easier than you think. All the TOTP sites I use - admittedly
 not many and none of them banks - use standards protocols. I
 think all of them suggested Authy - not sure. GitHub and Mozilla
 suggested FreeOTP IIRC.

The reason I chose andOTP on my Android tablet was (a) it's
 opensource (b) it's offline (c)  it can produce an encrypted
 backup of its tokens (d) it requires a password to access.
 FreeOTP on iOS could not do (c) and (d). All the tokens I have
 originated on my Linux desktop. I point the Android tablet's
 camera  at the barcode on the screen to install it, then back it
 up onto both. If I want to transfer the token to my iPhone - I
 usually don't in case it's lost or stolen, see (d) - I display
 the barcode on the tablet and read that with the iPhone.
 

Is all this more secure than an SMS to a phone? Debatable. The SMS
 should end up in _one_ place, whereas the TOTP tokens may be on
 several.

But it certainly makes life easier if you want to change your
 phone number, as I did recently!

I notice on WikiP that andOTP is no longer supported. But it works
 and should continue to work unless Android breaks it. I must back
 up the APK.
-- 
Remove numerics from my email address.