On 7/14/25 18:37, Nash JC - NCF via linux wrote:
I noticed that CIBC/Simplii announced that my email (with NCF) isn't from a "company or educational institution" so could not be used for 2FA codes. I haven't actually used that, preferring SMS or the 2FAS authenticator. When I contacted them, they now say NO email for sending such codes. They are wanting people to use push notifications, which I can see as a useful tool for some people, depending on their connectivity status.

In email exchanged, I get the feeling they recommend setting up push to the SAME device where their banking app is installed.

Am I missing something, or is this a really stupid idea? I've always considered the central idea of 2FA is to have at least 2 completely independent channels for verification.

Yes, you're missing the central idea of two-factor authentication: it is authenticating your identity using two unrelated factors.

It's not "protecting the device" or "protecting the app"; it's just giving evidence that you are who you say you are.

You generally have to give it your identification (some kind of user name or account number) followed by two factors that prove it came from the right person: almost always some kind of secret only you know (a "password") and usually evidence of some kind of device previously confirmed by an authority to be in your exclusive possession. In the case of an SMS or TOTP (push to an app), it is that you have working access to the SIM card in a phone associated by a carrier with a particular 10-digit phone number.

It doesn't matter if the authentication of the SIM is done with the same device you entered the username or password on or the same device used later to communicate with the asset being secured. All you're doing is proving that you are you.

It's not perfect: passwords can be stolen, SIMs can be faked. It's considerably more secure than a list of passcodes sent in the clear through dozens of third-party networks via email and stored in the clear in text on a device that is potentially compromised. That's kind of like requiring two keys to your front door, one of which must be left on a hook by the door knob.

--
Stephen M. Webb

To visit the archives: https://lists.linux-ottawa.org