A report from the Enigma conference

Posted Mar 6, 2018 12:38 UTC (Tue) by nix (subscriber, #2304)
In reply to: A report from the Enigma conference by nybble41
Parent article: A report from the Enigma conference

The backup codes are probably what we're going to do. As for the 'correct phone number', this problem arises whenever people using landline phones move house. That's not that rare.

(And an offline 2FA method other than U2F was not, as far as I can recall, available when I set this up. Doubly so when you consider that if they don't have mobile phone coverage a tablet is likely to be fairly useless to them as well. They do have one now, but it gets charged so rarely that it's never working when they need it.)

to post comments

A report from the Enigma conference

Posted Mar 6, 2018 13:24 UTC (Tue) by zdzichu (subscriber, #17118) [Link] (1 responses)

Why moving house is a problem with phone number? You can move ("port") your number to your new address, even between different telecoms. The days when telephone number depended on physical location ended sometime in last century.

A report from the Enigma conference

Posted Mar 7, 2018 18:37 UTC (Wed) by nix (subscriber, #2304) [Link]

That's *definitely* not true in all countries or with all telcos.

A report from the Enigma conference

Posted Mar 6, 2018 16:26 UTC (Tue) by nybble41 (subscriber, #55106) [Link] (4 responses)

> And an offline 2FA method other than U2F was not, as far as I can recall, available when I set this up.

Google Authenticator, or the equivalent, was an option long before U2F was standardized.

> Doubly so when you consider that if they don't have mobile phone coverage a tablet is likely to be fairly useless to them as well.

In what world are tablets primarily used with mobile networks, as opposed to WiFi? Last time I checked (which I admit was some time ago) integrated mobile connectivity was still an optional feature not present on all tablets.

Anyway, you don't need a tablet for Google Authenticator or FreeOTP; any smartphone will do. In a pinch you could even set up compatible TOTP software on a laptop or PC. It doesn't require mobile coverage; technically it doesn't even require an Internet connection once the software is downloaded. Setup can be completed offline, and consists of either scanning a QR code or pasting in a URI string. Codes are likewise generated offline.

A report from the Enigma conference

Posted Mar 7, 2018 18:39 UTC (Wed) by nix (subscriber, #2304) [Link] (3 responses)

Last time I tried to use a tablet for this stuff Google Authenticator demanded that I take a photo of some auth code (not a screenshot, a photo). This was less than practical since the camera was of course *on* the tablet and it can't take a photo of its own screen.

(I'm sure this was just a simple stupidity that's since been fixed, but I had these over and over again and after the fifth stupid roadblock I just gave up for the time being. It's not like I can do this except when the account owner is around anyway...)

A report from the Enigma conference

Posted Mar 7, 2018 18:42 UTC (Wed) by sfeam (subscriber, #2841) [Link] (1 responses)

Mirror? umm - Two mirrors?

A report from the Enigma conference

Posted Mar 21, 2018 16:25 UTC (Wed) by nix (subscriber, #2304) [Link]

The tablet is not transparent. I think you'd need three mirrors, in a triangle. :)

A report from the Enigma conference

Posted Mar 7, 2018 20:40 UTC (Wed) by nybble41 (subscriber, #55106) [Link]

That is a legitimate annoyance when you're trying to set up TOTP from a QR code displayed on the same device. They should provide the key in plain text which you can copy and paste into the app. The typical reason for not doing this is to mitigate the risk that a rogue app could capture the credentials from the clipboard, but IMHO that decision should be up to the user. Another option, both easier for the user and likely more secure than using the clipboard, would be to provide a link to a URI which opens in the TOTP app. (The current version of Google Authenticator does allow setup via a text key, not just QR codes. I'm not sure whether it supports setup by URI link.)

As for workarounds, if you have a second tablet or smartphone handy you could take a photo of the screen and then scan that. You could also take a screenshot of the QR code and either print it out or display it on another screen, or just run the screenshot through a QR decoder and use the raw text.