Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <m...@beckman.org> wrote:
> As far as I know, authenticators on cell phone apps don't require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn't been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
>
> -mel
>
>> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>
>>> On 4/18/21 05:18, Mel Beckman wrote:
>>>
>>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>>
>> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.
>>
>> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PINs.
>>
>> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>>
>> Mark.