Duo Security

September 7, 2016

The Limits of SMS for 2-Factor Authentication

This post was originally published on this siteA recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code. Mark Cobb, a computer technician in Reno, Nev., said […]
September 7, 2016

The Limits of SMS for 2-Factor Authentication

This post was originally published on this siteA recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code. Mark Cobb, a computer technician in Reno, Nev., said […]
May 10, 2017

SSA.GOV To Require Stronger Authentication

This post was originally published on this siteThe U.S. Social Security Administration will soon require Americans to use stronger authentication when accessing their accounts at ssa.gov. As part of the change, SSA will require all users to enter a username and password in addition to a one-time security code sent their email or phone. In this post, we’ll parse this a bit more and look at some additional security options for SSA users. The SSA recently updated its portal with the following message: The Social Security Administration’s message to Americans regarding the new loginchanges coming in July 2017. I read that […]
July 23, 2018

Google: Security Keys Neutralized Employee Phishing

This post was originally published on this siteGoogle has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by Yubico. The basic model featured here retails for $20. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a […]