APPLICATION: GOOGLE AUTHENTICATOR

Sunday, March 8, 2026

GOOGLE AUTHENTICATOR on iphone13pro and pixel9a; none for MAC OSX.

Argh!

— 30 —


SECURITY: The old style secondary security authorization questions are dumb

Friday, February 27, 2026

I’ve often heard people struggle with the old style secondary security authorization questions.  You know: “What’s your favorite color”, or pet’s name, or school street.

I, long ago, decided that it was a “stupid control”.  So, in my password manager, I’d record the questions and give absurd answers.  So, “what’s your favorite color”, became red158, pet’s name, red247, and street, red532.

Solved that problem.  

I still object to 2FA that relies on an SMS message and prefer Google Authenticator.

But what do I know.

And, I don’t care for PASSKEYS either.  Not good for sites where I may have multiple ids or different Users.

Argh!

I also don’t like using my email for a User id.

Argh!

— 30 —


SECURITY: SMS should NOT be used for 2FA

Monday, October 18, 2021

*** begin quote ***

“The company that routes SMS for all major US carriers was hacked for five years. It isn’t revealing whether or not messages were exposed, but it’s just another reason not to use SMS for 2FA.”

*** end quote ***

So for the average layman, it means that if any service provider texts codes to your phone as a way of securing your account, they are at risk of a security breach.

I’ve begun communicating with the providers I use, putting them on notice that (1) they are using an insecure technology to secure my account; and (2) when do they plan to switch to a phone based authentication technology or something better.

Now, if they say they use GOOGLE or APPLE authenticator, you can point out that those too are insecure by design, since a hack of either high profile target will make you vulnerable.

Using the “home grown” authenticator, (something written by the service provider like IDME), doesn’t have the transparency of the source code to assure security.

Any “home grown”, Google, or Apple authenticator does NOT separate the necessary sufficient controls for good Information Security.

Suggest you tell them to support AUTHY or other third party authenticators.  This is more secure because the “key” is only held by them and by you locally on your phone.

Or if they really want to protect you, they can give you a hardware token like YUBIKEY or a hardware authenticator like SECURID.

—30—