Two-factor authentication: double-locked for more security

Fraudsters look for the path of least resistance. To protect our data online, we need a secure lock – preferably a double one.

Most people are familiar with two-factor authentication (2FA) from Internet banking, where you have to enter a code alongside your user name and password. A two-step login can also protect you for other Internet activities. If your login has double protection, password theft becomes pointless.

How authentication works

2FA should be the new standard for everything we do on the Internet. There’s no need to worry about this new step. In simple terms, the double-lock principle just means:

  1. Enter user name and password
  2. Type in the unique code you receive

You will receive this code by SMS or e-mail, depending on the system. There are also authentication apps that allow you to generate the unique combination of numbers. Check the settings of your apps to see if they offer 2FA.

Activate 2FA for My Swisscom

2FA for My Swisscom is optional and free. Simply enter your mobile phone number the next time you log in or change your login process. In future, you will receive a code by SMS in addition to your password. You can choose whether you always want to use double protection or just for protected areas and unusual login attempts.

Have you been asked to set up 2FA? In some circumstances the system may require two-factor authentication.

@WalterB

They either have to forgo the additional security or get a cell phone. Sooner or later you will no longer be able to access certain services in everyday life without a cell phone.

@WalterB

You don’t need an expensive smartphone just to receive an SMS.

But of course, if you could choose between SMS and email, it would certainly be more customer-friendly.

@POGO 1104

Each code variant has its advantages and disadvantages and there are still many shops today that send a code by email.

You could simply offer it as an additional variant with the Swisscom login.

Installations, networking, Internet, computer technology, Windows, Apple and Linux operating systems.

The variant I’m currently pursuing is the Yubico keys, and I am looking at all the places it could work with the provider. There is a lot of talk about this method on YouTube. Just by the way, I mean even outside of Swisscom.

@Lowex

Foreign login keys are not the idea of your own Swisscom sheet form as there is then a greater risk of it being cracked.

Installations, networking, Internet, computer technology, Windows, Apple and Linux operating systems.

2FA with SMS is probably the least secure variant. Unfortunately, Swisscom only offers this and MobileID.

This also has the disadvantage if, for example, the cell phone is lost and nothing works anymore. I couldn’t even block my SIM myself.

It would finally be time for Swisscom to also allow TOTP via app for 2FA or, as far as I’m concerned, U2F via Yubikey, for example.

@WalterB I think you need to find out a little more about the Yubikeys. I think at the moment there is practically nothing safer for private users than what is also easy to use.

@hed Yes, of course. But if you set the TOTP in iCloud or 1Password or Bitwarden, for example, then this doesn’t happen. Only if you save the app on a second device, for example.

With MultiDevice, SMS only works on 1 device. Just like MobileID!

And if you only have 1 key, it’s your own fault anyway. There are people who have a concept for such security matters and want to avoid SMS if possible. MobileID would certainly be useful, but unfortunately it is only limited to 1 device.

I actually don’t think 2FA only with SMS is a good idea, but if you have several Apple devices you can alleviate the problem a little with the Apple iMessage function “Send and receive via multiple devices”.

Hobby nerd with no economic ties to Swisscom

Oh my goodness, but 2FA via SMS to the same mobile phone is probably a bad joke!

How would it be if Swisscom offered a *real* and uninterceptable 2FA via the TOTP?

In my opinion, that would be a real security gain because a second device could be used for this. Sorry, 2FA via the identical device is probably a bad joke!

8 days later

Excuse me, but 2FA via SMS to the same mobile phone is probably a bad joke!

How about if Swisscom offered a *real* and uninterceptable 2FA via TOTP?

In my opinion, that would be a real security gain because a second device could be used for this. Sorry, 2FA via the identical device is probably a bad joke!

Totally agree with you! Your approach sounds reasonable.

2 months later

@hed

The idea with TOTP is that you don’t have to do it via the identical device (read “App” / SMS / MobileID), but you can use any other Internet-enabled device for 2FA!

(Unfortunately, those responsible at Swisscom do not seem to want to realize that 2FA via both SMS and MobileID via the IDENTICAL device excludes the SECOND FACTOR per se.

But - as the saying goes: hope dies last! - Maybe those responsible at Swisscom will also snack on the tree of knowledge over time <hope>)

Addendum: The “aha effect” is likely to set in for those responsible at the latest when they themselves become victims of a mobile device being stolen/lost. From a security perspective, it was and is simply a stupid idea to want to chain everything to a single device! Comfortable? - okay SURE???? - in your (wet) dreams!!!!

@Herby

Thank you for the Apple commercial 😁

(there should also be people who have

  • neither the money
  • nor the opportunity
  • nor the desire to be brought into line “Cupertino-style”.)

The problem remains that 2FA without a real second factor is just a pious lie.

Addendum

And as soon as 2FA involves an American / Chinese / beat-me-dead / third party, it “died” anyway!

If you look back a bit…SMS was considered unbreakable and absolutely secure. There were banks that provided this as the only 2FA for their customers.

As an alternative, there was a token that showed a different code every 10 seconds.

If the user logged in to a fake website, the claim was limited to the respective account balance.

Then the unbelievable, unimaginable happened.

The user logged into a fake website and was asked to provide all sorts of data from the cell phone included in the online contract as part of a “security check.”

With this stolen data, the fraudsters were able to create a fake ID card so that they could, for example, identify themselves in a Swisscom shop.

A duplicate cell phone could then be obtained via the telephone company (keyword: multi-SIM).

Then set all the SMS messages to be sent to the other cell phone.

Thus:

1. Login to the real bank website with the data obtained via the fake website.

2. Since all the SMS messages are now sent to the other cell phone, the securities account and all the accounts can now be cleared out in peace and quiet.

With this “secure” login process, there were isolated gigantic claims of up to around a quarter of a million francs.

This was not possible with the other previously common login procedures, from the scratch list to that with the token - because you could only access the respective account balance.

The banks have now pushed CrontoSign - for some banks it is the only login procedure for customers.

What the fraudsters now have to do would be to steal the activation letter in order to integrate another device into the victim’s online banking.

Has that been achieved now? Damage would be just as gigantic here as with SMS.

Glotzologist
