
Re: 2FA on same device as application that is to be secured?

John, I agree with your perception of things!

I buck every instance of 2FA that forces an App via SmartPhone, for the simple fact that

 * I do not have a smartphone,
 * I do not want a smartphone, and
 * my landline is a more secure identifier that I am not a fraudster.

If they want to send me a code, they need to send it to my Home Phone!!!

If not, then my email is the only alternative. 🙂


Eric


On 2025-07-14 18:37, Nash JC - NCF via linux wrote:
I noticed that CIBC/Simplii announced that my email (with NCF) isn't from a "company or educational institution" so could not be used for 2FA codes. I haven't actually used that, preferring SMS or the 2FAS authenticator. When I contacted them, they now say NO email for sending such codes. They are wanting people to use push notifications, which I can see as a useful tool for some people, depending on their connectivity status.

In email exchanged, I get the feeling they recommend setting up push to the SAME device where their banking app is installed.

Am I missing something, or is this a really stupid idea? I've always considered the central idea of 2FA is to have at least 2 completely independent channels for verification.

I note RBC makes a (very slight) mention of an "alternative" device. TD even has a separate 2FA authenticator app. I suspect a time-based one. They hint at a separate device. However, I really think there's a lot of playing footsy with security in the web pages.

JN

