
Re: 2FA on same device as application that is to be secured?

On 7/14/25 18:37, Nash JC - NCF via linux wrote:
I noticed that CIBC/Simplii announced that my email (with NCF) isn't from a "company or
educational institution" so could not be used for 2FA codes. I haven't actually used that,
preferring SMS or the 2FAS authenticator. When I contacted them, they now say NO email
for sending such codes. They are wanting people to use push notifications, which I can
see as a useful tool for some people, depending on their connectivity status.

In email exchanged, I get the feeling they recommend setting up push to the SAME device
where their banking app is installed.

Am I missing something, or is this a really stupid idea? I've always considered the
central idea of 2FA is to have at least 2 completely independent channels for verification.

Yes, you're missing the central idea of two-factor authentication: it is authenticating your identity using two unrelated factors.

It's not "protecting the device" or "protecting the app"; it's just giving evidence that you are who you say you are.

You generally have to give it your identification (some kind of user name or account number) followed by two factors that prove it came from the right person: almost always some kind of secret only you know (a "password") and usually evidence of some kind of device previously confirmed by an authority to be in your exclusive possession. In the case of an SMS or TOTP (push to an app), it is that you have working access to the SIM card in a phone associated by a carrier with a particular 10-digit phone number.

It doesn't matter if the authentication of the SIM is done with the same device you entered the username or password on or the same device used later to communicate with the asset being secured. All you're doing is proving that you are you.

It's not perfect: passwords can be stolen, SIMs can be faked. It's considerably more secure than a list of passcodes sent in the clear through dozens of third-party networks via email and stored in the clear in text on a device that is potentially compromised. That's kind of like requiring two keys to your front door, one of which must be left on a hook by the door knob.

--
Stephen M. Webb

To visit the archives: https://lists.linux-ottawa.org