two-factor_authentication

Differences

This shows you the differences between two versions of the page.

two-factor_authentication [2019/08/21 06:55] – neil
two-factor_authentication [2022/09/08 09:09] (current) – neil
Line 5: Line 5:
   * [[two-factor_authentication#Enable two-factor authentication wherever you can|Enable two-factor authentication wherever you can]]   * [[two-factor_authentication#Enable two-factor authentication wherever you can|Enable two-factor authentication wherever you can]]
   * [[two-factor_authentication#Have a back-up mechanism in case you lose your device(s)|Have a back-up mechanism in case you lose your device(s)]]   * [[two-factor_authentication#Have a back-up mechanism in case you lose your device(s)|Have a back-up mechanism in case you lose your device(s)]]
 +  * [[two-factor_authentication#Something you have: one-time codes|Something you have: one-time codes]]
  
 ===="Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know==== ===="Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know====
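
Review bot: the added contents entry links to "#Something you have: one-time codes", but no hunk in this comparison shows or adds a heading with that text. Check that the section exists with exactly that title so the link resolves, and that the entry sits in the same order in the list as the section does on the page.
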
Line 23: Line 24:
  
 Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, which may overreach the security benefit. Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, which may overreach the security benefit.
 +
 +Some password managers will suggest logins for which two-factor authentication is available. There's also a good list [[https://www.telesign.com/turnon2fa/tutorials/|here]].
  
 ====Have a back-up mechanism in case you lose your device(s)==== ====Have a back-up mechanism in case you lose your device(s)====
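
Review bot: the link text "here" in the added sentence gives the reader no idea where they are being sent, and the target is a single third-party vendor page that may move. Name the source in the link text, for example "[[https://www.telesign.com/turnon2fa/tutorials/|TeleSign's Turn On 2FA tutorials]]", so the reference stays meaningful if the URL breaks. "Suggest logins" in the first added sentence would also read more clearly as "flag the logins".
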
Line 68: Line 71:
 First, text messages are not secure, and a sufficiently motivated attacker is likely to be able to access your messages. First, text messages are not secure, and a sufficiently motivated attacker is likely to be able to access your messages.
  
-Second, if someone manages to hijack your phone number (sometimes known as "SIM swapping"), they get all your messages and calls. Irritating at the best of times, but even more problematic if you rely on text messaging to log in to your services โ€” the double whammy of you not being able to log in until you get it fixed, and someone else getting your codes.+Second, if someone manages to hijack your phone number (sometimes known as "SIM swapping"), steal your phone, or simply remove your SIM card, they get all your messages and calls. Irritating at the best of times, but even more problematic if you rely on text messaging to log in to your services โ€” the double whammy of you not being able to log in until you get it fixed, and someone else getting your codes.ย 
 +ย 
 +You can mitigate some of the risk by:ย 
 +ย 
 +  * changing the settings of your phone, so that message content is not available from the lock screenย 
 +ย 
 +  * setting a SIM PIN, different to your device PIN, so that if someone takes your SIM and tries to put it in a different device, they cannot use it until they enter a PIN.
  
 Third, if you are out of signal, you cannot get your code โ€” no good for places with Internet connectivity, but no or poor cellular service. Third, if you are out of signal, you cannot get your code โ€” no good for places with Internet connectivity, but no or poor cellular service.
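
Review bot: the two mitigations added under "You can mitigate some of the risk by:" only cover the stolen-phone and removed-SIM cases. Neither hiding message content on the lock screen nor a SIM PIN helps against the SIM-swapping case that the sentence still lists first, because there the number is moved to a different SIM. State which risks the list addresses, and in the SIM PIN bullet tighten "until they enter a PIN" to "until they enter that PIN". The added lines also appear to end in stray trailing characters, which are worth stripping.
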
two-factor_authentication.1566370502.txt.gz · Last modified: 2021/07/06 09:26 (external edit)