Community

mimmo · ‎05-18-2019

This topic comes up once in a while curious what members ideas were for best practices and 2 factor authentication, especially since PM does not have roaming outside USA.

I do not do 2 factor yet, but this is what my thoughts are. Curious to know other peoples thoughts and ideas/ best practices are.

create a fongo account (send and make free calls , receive free sms)
set up and use the fongo number for all 2 factor authentication and essential services (banking)
when traveling outside Canada ( setup call forwarding to fongo.com) sms as well if spare phone available using an app

GinYVR · ‎05-23-2019

Best practice for 2FA? Don't use telephone number SMS as an authentication mechanism!

The basis of telephone network and technology that supports SMS is not that secure and it is often considered as a weak link in that method of 2FA. SIM jacking is a well known problem with SMS based authenication.

For secure 2FA, only use apps eg Authy or a full blown password manager! In case you don't know, the QR codes generated for those apps are 40bit keys for the app to generate a time dependent 6 digit code. Once the app has gotten the code during setup eg Gmail, the phone / app doesn't have to be connected to the internet to generate the 2FA response. Is is also worth mentioning to get a well regarded password manager, not the cheapest / leakiest ones.

The adage of always be prepared applies here, install and test your 2FA mechanisms BEFORE you travel!

If any service insists on only telephone as authentication, remember to put a SIM PIN, so you can't be SIM jacked.

Another problem with Fongo or VoIP in general is because it is not location specific, it can throw backend security systems off kilter and flag you as suspicious.

TheGx · ‎05-23-2019

@stonechucker wrote:
Is it the free use of Fongo where texts are free only between Fongo clients? Adding the fee based sms option might get around this?

Yeah, can send texts for free to other Fongo numbers, but need pay $10/month for unlimited text plan to send text anywhere else - but recieving texts is always free no matter of what plan you're on even the free plan, so I don't think adding fee based options will make the sms authentication work better. Also, Fongo does warn that not all sms authentication works on their service, so that probably means that it's a known issue already whether or not fee based options are added.

So, I use TextNow app to send texts, and Fongo apps to receive texts and make incoming/outgoing calls - both apps are free, but the TextNow uses up too much data for me to use more often, so I try to use Signal mostly since it uses the least data, then Fongo as backup. I on the $30 1 GB LTE plan and because I use WIFI most places I never go over the monthly limit.

But as for 2 factor authentication, I know most apps warn that there are some problems using apps instead of real numbers to authenticate.

stonechucker · ‎05-22-2019

Is it the free use of Fongo where texts are free only between Fongo clients? Adding the fee based sms option might get around this?

SmartShelly · ‎05-20-2019

i know what you're saying, but some bank/credit card company uses automated coding that won't allow fongo to pick up their SMS/Call request.

fongo 2-way-authentification works for TD both text and call,

but wouldn't work for CIBC for SMS but calling works,

and capital one, call and text both do not work.

Unfortunately, this 2-way-authentification seems random at times, so I'm switching from fongo to PM for this very reason...

I wish fongo works for everything, but even fongo recognizes that some SMS request won't work.

doesn't work for kakaotalk SMS verification or whatsapp either. Fortunately, for whatsapp, call verification works.

'hope this helps other users.

will13am · ‎05-19-2019

Real good authentication systems allow for flexible options like use authentication app, text, phone call.

mimmo · ‎05-18-2019

@popping great to know about fongo canelling numbers.

The reason I mentioned forwarding to fongo was to not miss calls. Yes not really part of the 2 factor, but more on the traveling part.

@TheGx it's the second time in 2 days I heard about proton will need to look it up.

It's a good little discussion going. 🙂

popping · ‎05-18-2019

@mimmo

I have my Fongo app running 24/7 as a second number for part time business.

.

If you set up all 2 steps verification using your Fongo number, you do not need to forward your mobile number to your Fongo number. TD Bank let me to supply up to 5 number for 2 steps verification. I have a choice of which phone number to use and voice or SMS. Check your bank whether they let you supply more than one phone number for 2 steps verification.

There is a pitfall in using Fongo. Even I am running my Fongo app 24/7. Fongo had canceled my account couple of times after 2 or 3 months of not making any calls because Fongo switch get some money for outgoing call from their switch. The free service is paying for by outgoing calls. I was able to get my number back after the first cancellation. Fongo suggested to put $5 in my account so that my number will not be cancel account with fund in it because of no activities. I am fine with adding $5 in my account so that I don't have to remember to call out at least once every month. I can use the fund in my account to call US long distance or Canadian small towns which do not have Fongo service.

TheGx · ‎05-18-2019

@mimmo wrote:
This topic comes up once in a while curious what members ideas were for best practices and 2 factor authentication, especially since PM does not have roaming outside USA.

I do not do 2 factor yet, but this is what my thoughts are. Curious to know other peoples thoughts and ideas/ best practices are.

create a fongo account (send and make free calls , receive free sms)
set up and use the fongo number for all 2 factor authentication and essential services (banking)
when traveling outside Canada ( setup call forwarding to fongo.com) sms as well if spare phone available using an app

I totally agree with @mimmo, using apps like Fongo lets you bring your phone number anywhere there's internet, without having to physically bring your phone/sim card/etc.

For travel I think the safest is to use trusted privacy apps that protect your private info, such as VPNs like TunnelBear or ProtonVPN or OpenVPN etc when using internet, then use more Privacy apps for communication such as Signal Private Messenger or TutanotaMail or ProtonMail etc - this works for email verification, when using Fongo for sms verification you can turn on your VPN while using Fongo for possible added security from spying.

popping · ‎05-18-2019

@computergeek541 wrote:
@popping wrote:
My bank let me choose email or text message.
Your're fortunate to have that option. It's TD Bank who I am speaking of and will only do it by text or a phone call to the number they have saved on file for the authentication. The ability to do it through e-mail makes sense since you will be using the internet to connect to online banking. The way TD does it means that if there is ever an outage at Public Mobile (or at carrier for that matter), you will not be able to access your bank account (unless you get TD customer service to override or go to to the bank in person).

Sorry. I gave you the wrong info about my bank's 2 steps verification. I also use TD Bank. But TD Bank let me enter up to 5 phone numbers for the 2 steps verification. I just added my Fongo number and verified. I always has Fongo app running on my phone for a partime business.

I think the TD Bank's 2 steps verification is more secure because it does not use the Internet to delivery the code. I may have compomised the security by using Fongo to receive text message which is delivered by Internet.

computergeek541 · ‎05-18-2019

@popping wrote:
My bank let me choose email or text message.

Your're fortunate to have that option. It's TD Bank who I am speaking of and will only do it by text or a phone call to the number they have saved on file for the authentication. The ability to do it through e-mail makes sense since you will be using the internet to connect to online banking. The way TD does it means that if there is ever an outage at Public Mobile (or at carrier for that matter), you will not be able to access your bank account (unless you get TD customer service to override or go to to the bank in person).

popping · ‎05-18-2019

@computergeek541 wrote:
@popping wrote:
When I am on free WiFi, I use VPN before login to my bank account. When login to my bank account with different IP address, my bank will email me an access code before I can login to my bank account. I need to enter my "one time use" code before I can access my bank account.

For my phone, I use PIN # and/or finger print to access my phone.

The problem with this is how some banks only send this code by through either an automated phone call or through text mesaging. This means that if you don't have cell phone service (with the phone number registered with your bank), you can't access your bank account. Some banks will not send that code by e-mail.

My bank lets me choose email or text message. BTW, I have not come across a 2 step verification uses only text message. The PC Optimum Rewards program also let me pick email or text.

computergeek541 · ‎05-18-2019

@popping wrote:
When I am on free WiFi, I use VPN before login to my bank account. When login to my bank account with different IP address, my bank will email me an access code before I can login to my bank account. I need to enter my "one time use" code before I can access my bank account.

For my phone, I use PIN # and/or finger print to access my phone.

The problem with this is how some banks only send this code by through either an automated phone call or through text mesaging. This means that if you don't have cell phone service (with the phone number registered with your bank), you can't access your bank account. Some banks will not send that code by e-mail.

popping · ‎05-18-2019

When I am on free WiFi, I use VPN before login to my bank account. When login to my bank account with different IP address, my bank will email me an access code before I can login to my bank account. I need to enter my "one time use" code before I can access my bank account.

For my phone, I use PIN # and/or finger print to access my phone.

TheOldVR · ‎05-18-2019

What are you setting up two factor for?

I have a couple of apps on my phone so I don't need data in order to get authenticated - they work offline.

If travelling out of the USA I would get a travel or local sim... they actually work out much cheaper than many other options.

dennisedge · ‎05-18-2019

Hi,

All smart phones now have the ability to set up a two factor entry system. You do not need to use third-party.

As a matter fact I would suggest you stay away from the third-party.

I use it only to unlock my phone each time I begin to use my phone....my thumb print.

Newest phone will use face recognition if you like.

I hope this helps. .

Dennis

Community

best practies for traveling and 2 factor authentication