Possibly stupid question about two-factor authentication

I've little or no experience with this process (unless the "secret question" thing counts as a form of it), so please bear with my ignorance.

From what I've read here and elsewhere, I've gotten the impression that the most common forms of two-factor authentication seem to take for granted that the applicant/member/whatever has some sort of mobile device to which a code can be texted or whatever.

What about those of us, like myself, who don't have a mobile phone and no particular need for (or interest in) one? How does 2-factor work for us?

 

I know that Paypal has two factor authentication key that provides you with a unique code. LastPass also uses a Yubikey for authentication. I've also seen the use of tokens but not sure how it works. There's no uniformity so it's at the discression of the service you use.

 

For services that use a Google Authenticator, there are ways to generate the needed code using a web application, a Windows one, a browser extension or a Linux one. For instance:

Online app: http://gauth.apps.gbraad.nl/
Offline version for the above: https://github.com/gbraad/html5-google-authenticator
More options you can find here: https://en.wikipedia.org/wiki/Google_Authenticator

If the service requires a SMS though, I'm not sure how can you go about it without a mobile phone...

 

The common thing I've read about 2 factor authentication is to use something you know (user name and password) and something you don't know but have exclusive access to (eg., the code generated by text or an app like Google's mobile Authenticator.)

You have the first. You just need to know what is available/acceptable for the something you don't know but have access to. And as merisi notes, some sites offer more than one way to accomplish the latter.

The other thing to keep in mind is that some websites offer 2 factor authentication but also offer a way to bypass it. Examples would be Outlook.com and Gmail. Both offer 2 factor but then they weaken it by using something called Application Specific Passwords.

An example... You need to log into Gmail with your Android tablet and use Android's email app. But there is no place for 2 factor authentication. So if you want to use the app, you need an ASP. BUT, ASPs are nothing more than passwords, plain and simple. So your account can still be entered by just using the correct password. No different than before! (And to make it worse, Google's ASPs are limited to 16 lower case letters. No numbers, capital letters or symbols. Granted, they likely limit your number of incorrect login attempts but I would guess there could be ways around that by determined bad guys.

I realize you may not need ASPs. If not, you are good to go if you can find a way to generate the something you don't know.

In the FWIW category... At this point, I only use 2 factor authentication for mobile apps that use the something I don't know (LastPass and DropBox.) I can't get past the fact that IMO, ASPs make things weaker (by using weak passwords) than what I have in place already.

 

Normally, you won't be able to make changes to your account using an ASP. Sure, an attacker could read your data/email/etc., but if it is well implemented 2-factor authentication can to protect the account itself. And for some people this is enough. People who are not ready to weaken their security will trade some convenience for this purpose.

 

You're right. Some would.

But I'm a person that needs to feel fairly warm and fuzzy about something like this for me to jump in.

I've tinkered with 2 factor for Google and Outlook.com to see how this all worked. But in the end, I'm convinced that until companies like these 2 absolutely, totally block account changes and ensure that ASPs are good quality passwords (symbols, numbers, lower and upper case letters), I won't be doing this with them. (It's not just Google that has the 16 character ASP issue. Outlook limits ALL passwords (ASP or user created) to 16 characters even if you do have a good password. Yes 16 is good. But more than 16 is better!)

Earlier this year, a flaw at Google proved ASPs weren't blocked from account changes. Supposedly Google fixed the flaw. But rumors persist that if you log into some other Google service (Music for example), you can still get into the main account with an ASP. (I haven't signed up for other Google services to test this (don't want/need them.) I have thought of writing Google and Outlook.com about their "poor" policies/practices but I know it won't do any good. It takes someone like Brian Krebs or an incident like Mat Honan's famous hacking to get the big boys talked into doing something safer.)