
This is great; it's a Princeton research project from Arvind Narayanan's (@random_walker) group, in which their team made 10 attempts to SIM-swap each of 5 different carriers, including T-Mobile, AT&T, and Verizon (all three of which were, weirdly, less secure in some ways than the 2 MVNOs they tested).

Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps from people who don't know the account PIN; requestors are asked to list recently made outbound calls, or in some cases inbound calls. A targeted attacker can trick a customer into making a known call (or, obviously, can simply call the customer to make inbound call records), and then authenticate with them.

AT&T uses billing statement data as a factor. But the research team was able to "spoof" billing statement data by purchasing prepaid refill cards and applying them to a target's account.

The report also identified a bunch of online services for which SMS was used not just as a second factor but, through account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services. The reality is probably worse than the report highlights, since a lot of account recovery processes are informal and ad-hoc, and can be socially engineered into relying on SMS.



> account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services

But if in those cases you disable SMS auth, then you can't recover your account right? That might be considered worse off in some cases.


What worries me isn’t that I might not be able to recover my account if it uses some other form of authentication, it’s that I might not be able to recover my account because it requires authentication from a phone number I lose access to.


This just happened with my AWS account. Changed phones and forgot to update the number. Didn’t realize it until it was too late. Their recovery process without the phone is incredibly onerous (as it should be) and way too much hassle for me to go through for a small personal account. I just deactivated the credit card that was getting billed and let the account get cancelled. That was a hassle, but not nearly as much as getting back into the account.


And by the time you regain access to the phone number, the account might already be using a different one...


They generally run a cron job on your email to see which accounts are vulnerable, and then decide which one is most important.


So how SHOULD this problem be solved? How should account recovery work?


Walk into a store and provide a government ID and the original SIM card. If the customer doesn't have the SIM/phone, send a recovery code to the billing address on file in lieu of the SIM card.


> Walk into a store and provide a government ID and the original SIM card.

This is how it works in Poland since September 2019, after some recent SIM-swap attacks. You can swap a SIM or get a replacement if it is stolen only at a store, showing government ID. It is free of charge with Orange and not always free with T-Mobile.

But this has some downsides in real life.

1) I had to walk my 88 yo Mom to the store to swap SIM card.

2) Every clerk at every shop can do that so for a determined criminal it is possible to bribe or threaten one.

3) Virtual operators (MVNOs) usually do not have physical locations, and there are a dozen of them.


The problem is that the ID is still checked by the clerk. They could be bribed or tricked by a fake ID.

A recovery code snail-mailed/e-mailed to the account holder when they first open the account is the correct way to go, and if they can't provide it they need to go through a lengthy process where many factors are used to authenticate them (verify their physical address, verify their ID, ask to confirm last call records, billing details, etc).


You can require the clerk to note the document ID to avoid bribery.


How would this work exactly?


The clerk has to use some kind of online system to connect the new SIM to the customer's phone number. The system would obviously require the clerk to authenticate himself and could require him to enter the passport number or other document ID he checked to verify the customer's identity.

If later it turns out this was a sim swapping attack you can verify if the clerk entered a valid document ID. He can’t do that without having been presented a proper document, so you can tell if he checked.


It's just convenience over security. Lots of things can be done, but then there's the extra burden that companies have to go through. Think about it: people don't use app-based authentication because it's inconvenient, even though it matters to them. How can you expect carriers to do it?


That’s easy, just make the carrier financially liable for the damages caused by sim swapping attacks.


Ah, thanks.

I wasn't sure how you would solve the problem of verifying the ID card without showing the previously recorded number to the clerk. But simply requiring the clerk to punch in the ID every time (and maybe scan the whole card to check the photo later) could work, if the system only returns a big OK or BAD signal.

Currently here, in Hungary, the clerks just photocopy the IDs though. And there was a big scandal a few years ago (in connection to the ISIL/ISIS attacks in EU) about some groups obtaining hundreds of thousands of SIMs for just a few names.


On your second point, a determined criminal could always deploy rubber-hose cryptanalysis on a 2-factor authentication scheme, but it's still a significant improvement.

Your first drawback is substantial, though.


> criminal could always deploy rubber-hose cryptanalysis

That would be a smart criminal with means. I was thinking more of a hood with a fat neck passing $20 to a clerk assistant to obtain a SIM for $5k fraud.


Or like the recent case where it's alleged that carrier employees were actually in on SIM swap scams.

https://arstechnica.com/tech-policy/2019/10/att-employees-he...


The clerk is looking at the ID and comparing it with data in the system. If bribed, he can always claim that the ID looked legit or that he made an honest mistake.

So easy for evildoers and so much friction for law-abiding customers.


I think most people fail to realize that excellent fake IDs cost like $50. (A tad more in the EU because of the lower drinking age)


If you make the carrier liable for damages in case of fraud, there would be a process to mitigate the risk from one bad actor. Like a bank requiring manager approval for certain high-risk transactions such as international wires.


Too long of a moon shot. Generally the T&C are limited to actual loss: if you lost your internet for 2 days they'll reimburse you for 2 days of your bill, but not if you lost a business deal. Similarly, in the case of an airline, if you missed your game, they're not responsible for the game tickets.


What if you are abroad? My debit card was recently blocked and I had to wait until I went back, walked into the bank and showed my face and ID.


Before you go abroad you could notify your bank. Then, in the period you declared you are abroad, they should lower the expectation from "in person and ID" to a phone call and other means of verification. After that period you are automatically back to normal security.

That is for example how my debit card works. If I want to use it abroad I have to turn that feature on for whatever time I am abroad.


In Europe you have telephone PIN codes, you have number generators in the app. There are lots of ways to authenticate yourself. In Europe you no longer need to tell them whether you're abroad or not; I guess the ML algos that monitor for fraud are so much better than before that this isn't needed.


> IN Europe you no longer need to tell them whether you're abroad or not

The same is true with my major US bank (and probably other banks too).


YMMV. An ING ATM in Romania swallowed my gf's U.S. Santander card a couple months ago. We were told it was because she hadn't set a travel notice.


Losing a bank card isn't as critical as losing a phone number, so companies have to act quickly. Think about it: can you live without your bank card for a few days, vs. living without your number?


I'm going abroad all the time and I'm sure this wouldn't work anyway. Last time I was in their office I realized how backwards they are.


So the bad guy can just notify the bank that you are traveling abroad, and then use the easier method to gain access.


I think we just need to be prepared for these sorts of things. Travel with cash, your debit card, and one or two credit cards. If you can afford it, have a backup SIM (Twilio sells SIM cards for about $3 and the cost to keep them activated is $1/mo, and nothing more if you don't use it [0]). Use a Twilio or Google Voice number that you don't use for anything else for 2FA or account recovery for services that require a phone number (some providers reject these numbers, but many will accept them).

[0] Full disclosure: I work at Twilio and built the first version of the wireless product, so I'm a bit biased.


It's about convenience. 99% of the people will take convenience over security. Changing behaviour is difficult


I get that, but if you want to remain reasonably safe from a SIM swap attack, this is what you have to do.


Cool. What store? Do all services that provide accounts need physical stores now? How do you ensure the store endpoints are trustworthy, and actually checking said IDs and SIMs?


I meant for the services currently relying on SMS for account recovery... for example, how should you recover your gmail account if you lose access?


Use backup verification codes and a recovery email address.

Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.


".. a recovery email address"

This just moves your security issues to another account.. how many layers of recovery email address are you willing to go before hitting the end?


What you can do with email is move the problem to your most secure account or to an account that you know how to recover under essentially all circumstances.


As I mentioned before, it's just convenience. SMS-based authentication is flawed and is also prone to SS7 attacks, but people just do it because it's simple. Nothing in the world is hack proof.


what store for online-only services?


Yes, like my mobile service is provided by a German supermarket chain that has outsourced the operation to somebody else, who run it as a virtual network over somebody else's cell network. The nearest of these supermarkets is hundreds of kilometres away, and the checkout operators are unlikely to be of much help.


Photo ID seems like enough, no?


The problem with a government photo ID is that there's no way to verify it's authentic besides a visual inspection. I consider them as secure as SMS 2FA. For $200 someone could get a passable ID with your name on it.


That's the key problem that the US needs to solve: businesses don't really have a solid gov't ID system to fall back on. In most of Europe (the UK seems to be more like the USA as far as I understand) passing a counterfeit ID to a mobile shop is harder (and rarer) than paying with counterfeit money; the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.

I mean, in Europe if criminals want to get a bunch of stuff on credit from some place with a disposable identity, they generally recruit poor/homeless people with real IDs, because that is simpler/cheaper/safer than trying to do it with counterfeit IDs.

SMS hijacking, just like the core identity theft issue, is so much rarer elsewhere; it demonstrates that it's a solvable issue if the USA wanted to solve it. (In some sense the discussion on identity theft reminds me of https://www.theonion.com/no-way-to-prevent-this-says-only-na...) However, the straightforward way to do that would require a proper single centralized (i.e. federal) gov't ID issued to almost all people, which seems to be anathema in the USA.


>In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.

Can you detail which "most" of Europe you are talking about?

In Italy, while obviously you have to produce an ID card, there is no way that it can be checked online by "an employee"; only the Police (and Carabinieri) can do those checks, and of course only for Italian-issued IDs. Moreover, in some other businesses besides SIM card selling where the ID is needed (for example hotels, AirBnBs and similar, car or tool rental, etc.) the actual employee never had formal, official training to recognize forged IDs, so everything is left to the individual employee's common sense and experience/knowledge (often zero or next to zero).

Particularly with "foreign" or "uncommon" pieces of ID, even Italian ones (besides the "normal" ID cards and passports there are a number of other documents that have ID value), it is extremely difficult to tell if it is forged.

In the UK, AFAIK, there is no national ID card, so you are limited to a passport and/or (if valid for the purpose) the driver's license.


Plus Italy's national ID is laughably insecure. It's a laminated piece of paper. I remember when I was growing up I had an Italian friend in the UK who went out to a bar for her actual 18th birthday. When they asked for ID, she showed it to them and they kicked us out because they thought it was fake. It was not.


No, it isn't (anymore), not everywhere, but in spots.

For the record - for a period it was laminated, and then it was forbidden to laminate it (as forgeries were somewhat simpler with the laminated one, though I don't know the details).

Old ID card (paper, large, duration (theoretical) 5 years, then extended to 10 years, practically indestructible, i.e. they actually lasted the 5 or 10 years):

https://carinola.modulisticacomune.it/modulistica/categorie/...

New ID card (electronic, credit card size, with chip[1], duration (theoretical) 10 years, usually illegible after 2 or 3 years in a wallet unless you use a protective cover):

https://www.formatrieti.it/carta-didentita-elettronica

And whether you get the one or the other may depend on the city (comune) as most will use all the empty paper documents they have in storage before starting issuing the new electronic format.

[1] for which no one or nearly no one has a reader, BTW; the whole thing is somehow experimental, even now that we have an app (Android only):

https://www.cartaidentita.interno.gov.it/identificazione-fis...

https://www.idea.ipzs.it/


You can get a federal ID. It's called a passport card. It costs $65.

The US also has the REAL ID[0] standard that requires IDs to meet minimum standards in order to be accepted by the federal government.

If carriers just required a REAL ID compliant ID in order to get a new SIM, and actually checked it via the chip or magnetic strip, I think we'd be good.

[0] https://www.dhs.gov/real-id


You can get a federal ID. It's called a passport card. It costs $65.

Which is usually a really crappy idea when you want to save a few bucks compared to a real passport.

There are umpteen stories of heartbreak and hurt, by people not being allowed to board an international flight, or a cruise which stops at destinations not covered by a passport card.

There are also those that thought it's a great idea to get them for their kids.

With the same consequence. A passport card does not allow you to fly internationally. Not even to Mexico or Canada.


Obviously not, it's not a passport. It's a card.

I'm not saying use it for international travel, I'm saying use it as an ID? Literally any American citizen can get an ID card for $65 that is accepted everywhere someone asks you for ID.

If we started taking things a bit more seriously, we could also get that fee down by subsidizing it.


I have a counterpoint from my experience in France.

A few years back I lost my phone and went to get a new SIM. The attendant in the shop only had a quick look over my ID card. He didn't scan it, nor did he enter the ID number in the computer to check anything. I think he only verified that the name was the same as the one on file and the photo looked like me.

The same happens at the post office when you go to collect a parcel / registered mail.

On the other hand, in almost every bar I've been to, staff would do a quick check with a pen on every 50 € note they got, and those notes are fairly common (two cocktails in a random bar in Paris can often cost more than 20 €). I don't know how effective that is in actually detecting counterfeit bills, but there's clearly more effort than what the other clerk did.


The pen contains a chemical that interacts with the paper that's always used to make these bank notes. Specifically it blackens the starch found in wood pulp, and the paper in your laser printer, photocopier, etcetera uses wood pulp because that's cheap. Bank notes use a higher quality paper and so they aren't turned black.

This forces crooks to use more expensive and traceable high quality papers for their counterfeit notes or they'll get rejected in stores and bars.

Having IDs that actually look up to anything at all is a relatively modern idea. When I was born if you suspected a passport in my country of being bogus it'd probably take a bunch of clerks several hours of physically looking through filing cabinets to check.

And where we build systems that can check often people don't. The UK government built a system which lets a driver prove to the government who they are and then get a token value back which they can give to anyone - that token can be exchanged for viewing the government records for that driver. So e.g. hire firms could insist on this token to see you're not disqualified and actually have the entitlements your physical driving license says you have.

They don't. Some of them will let you give them this token reluctantly but all prefer you give them a print out, which obviously you could just fake.


I still think the system is very much gameable. In the US at least it'll take a lot of time. We still have to swipe cards, and checks are accepted.


I'm in retail in the UK at the moment. For doing credit, the main way we use is by driver's license. I plug the details into a form at the till and check the face. It does an online check with the DVLA.


I’m not in the US, but the only ID card without a chip that I can think of here is a European driving license, which is just a plastic credit-card-sized thing that is often used as informal verification eg to collect a parcel.


Not necessarily; all IDs here in Portugal have a chip that can be used to verify their authenticity.


$200 and greater risk of getting caught -- that's still a step forward. Right now it only takes sitting at home spending a few cents to call customer service and social engineering them.


This is not true everywhere. There are Aadhaar cards in India, where you can confirm your identity with biometrics at any store using government-provided equipment that many stores have.


My DL has a barcode that can be swiped. They already use it at grocery stores to confirm that you are over 21 and that it's a real ID.


Does the bar code act as a key to lookup a record in a central database, or does it just encode "I am 21, trust me" without any cryptographic signature?

Unless it's the former it's as good as a standard paper ID as far as forgeries go. If anything, having it machine-readable decreases security as it means the person inspecting it spends less time looking at it and just scans it in a machine.


I can almost guarantee it's not the latter.


You would lose; the barcodes are just machine-readable packaging of the information already on the licenses: name, DOB, address, etc.


A SIM transfer / account recovery process should come with a transition period of multiple days during which SMSs with warnings are sent to the original SIM card.

On top of that, one could think of: a passphrase to authenticate a number transfer to another SIM.

Sending a code through physical mail.


I've implemented something like this at Dontport. There are a few workarounds, but again, security isn't something that's a top priority for a traditional carrier because it's a problem for a small set of people.


Nice product!

https://dontport.com/

Do you know if something like this exists in Europe?


Not yet, but soon we'll launch in Europe too


Apps like Google Authenticator, or more conveniently, a Google Voice number. The Google Voice solution works well since it can't be SIM swapped, and can be accessed via email (admittedly, a potential downside).


Google Voice is a US-only service.


How do you recover your google voice account if you lose that?


And down the rabbit hole we go...


Long recovery passphrase that you write down and keep in a safe


And if you lose that?


Well first of all using a password manager should be the last resort recovery strategy. Unlike device based 2FA a password manager allows you to make an unlimited number of backups.

After that 2FA should always be device specific. If you want to do 2FA with your phone then the 2FA challenge should not get sent via an identifier like a phone number that may change owners. Instead you should download a 2FA app that generates a private/public key pair where the public key is linked to your account. That way the only thing you need to do is wipe your phone remotely if it gets lost.


A web of trust style arrangement would be interesting, 2/3 of previously named recovery pals would have to verify you.


What about setting up two mobile phone numbers for recipients of the recovery code: 123 sent to phone #1 and 456 sent to phone #2? (Phone #1 is yours and phone #2 is your elected trusted partner’s)

Won’t this work?


Who should single people sign up as #2? Their mom? And what if your SO is currently unavailable?

This is a terrible scheme.


Doesn't have to be SO. It can be a trusted friend who knows in advance that you may voice call them in a password recovery scenario (voice calls not via text).

Edit: regarding the "lack of availability" at the point of wanting to reset the password: the urgency of resetting passwords should be considered a lesser inconvenience than the risk of having lost control of your account through insecure 2FA.

(I am simply supporting my original brain storming thought through ... I am not married to this idea in any way or form. Just a thought.)


Seems straightforward, all these phone companies have endless kiosks and offices. Legislate that a phone number can only be transferred by making a confirmation call to the old phone or in-person with a salesperson who is checking ID.


In Europe, neither of these is viable without a complete overhaul.

- There are online-only providers, e.g. Giffgaff in the UK, Mobile Vikings in Belgium, etc.

- Many European countries offer prepaid SIMs that aren't tied to ID. Instead, you can just buy them in the supermarket the same way you would a gift voucher.


On the contrary, in most European countries, due to anti-terror regulations, you now need an ID to buy a SIM card, or if you bought one before this new law came into place you have to send a picture of your ID to the telecom operator or your SIM card gets deactivated.

Not saying I like this or that it is a good way forward, but it's a reality that contradicts your assumption.


This will do nothing to deter malicious SIM swaps. Someone who's happy to take over your number and then steal your money is also happy to present a fake ID and pretend to be you.


What kind of ID is it? A proper barcoded photo ID that corresponds to a government database? Because with that you can verify that the ID picture matches the one in the government database.


I don't live in Europe, but with Orange, I had to upload a photo of my EU passport (they didn't accept a non-EU passport to extend the lifespan of the SIM card).

Offtopic: those laws seem kind of silly if you can still get a valid SIM for 10 days without any ID. Seems more to be about surveillance than about anti-terrorism.


Assuming that ID gets logged in a database accessible to customer service people, it seems like a database check for IDs and IMEIs would be workable as a way to confirm "sorry, we can't port that number to your new SIM card, the ID card registered to its IMEI doesn't match your old phone number's ID card". You could still do it over the phone, then, since an ID was logged against your sim card when you bought it.


People can be bribed and that's the basic flaw


I wish Apple added iMessage as a service to make 2FA more secure.


I wish banks and suchlike would get with the program and use Google Authenticator or equivalent.

Even if iMessage could be a more secure 1.5FA, it would still be 1.5FA and not true 2FA.


After using TOTP like Google Authenticator since around 2013, I now think the friction needed is just too great. Especially for banks which log you out after 15 minutes or so of idleness. Google doesn't do that.

Not to mention Google Authenticator deliberately prevents these stored tokens from being backed up and transferred to a different device, which makes upgrading devices troublesome.

I wish everyone would start using Yubikeys. WebAuthn is now widely supported by browsers.


Why not use an open TOTP app like AndOTP? I use it all the time for sites that claim to require Google Authenticator; it works, and it's easy to back up the secrets as plain text or encrypted with a password. I keep it current on my primary phone and a cheap offline backup, in addition to backing up the encrypted secrets file.


I use Authy on iPhone and Mac. I am looking for an OSS replacement but would not want to set up everything from scratch after I change device or reinstall the app, like with Google Authenticator.


https://freeotp.github.io/

iPhone backups back up its data correctly—my codes survive new phone restores where they do not with Google Authenticator.


Thanks for sharing this link.

I've wanted to get off Google Authenticator for awhile now, mostly because of the backup-restore problem, also a general trend of limiting my involvement with the company.


Bitwarden does a decent job of storing and syncing TOTP codes. Make sure you always use a long password with Bitwarden though, to avoid a known and unpatched issue with their password-based key derivation.


Oh, didn’t know BitWarden did it. That’s my password manager :)


What issue is that?



People recommend Authy. As far as I can tell they rely on cloud sync/backup like any other app in that space.

Isn’t Google Authenticator not using this on purpose? Central account and sync is Google's thing, and yet they deem it too insecure. Completely understandable.

So how can using a central service that adds yet another attack vector be of value?

What I would love to have is a paper export. Every time you add a new account to Google Authenticator you could print it as a QR code for later reimport.

Yes many services already provide this for you via recovery codes but having it on a per service basis directly from authenticator is probably much easier to use and not less secure

Any reason this wouldn’t work?


I can't see any, based on my slightly more than superficial dive into this area when working on my own two-factor application.


Don’t put them in google authenticator.

https://support.1password.com/one-time-passwords/


That sounds good but put them in Authy. That lets you have multiple devices whereas Google limits you to one device.

It's great that people can use one app for both factors, but it seems less secure than two apps.

For example, use Authy for TOTP and LastPass for long passwords. That's two things that have to be compromised. And both of them allow you to have multiple devices (for example iPhone and iPad).


It's great functionality but it reduces your security. Say someone somehow figures out your 1Password password and secret key: if you store your OTPs in Authy, your passwords are useless (well, less useful anyway). If you store your OTPs in 1Password, they have the keys to the kingdom.


This is technically true, but the most likely scenarios that result in the discovery of your secret key (128 bits of entropy) + master password (?? additional bits) involve things like a device compromise. If your machine is compromised, you’re probably already exposed to things like session cookie stealing. At that point your attack surface is already blown wide open.

The biggest thing 2FA protects against is credential stuffing. If you’re using a password manager and have high entropy site-unique passwords, the additional entropy by TOTP is mostly moot anyway.


TBH for me my threat model looks like this:

Passwords - protect against unauthorized access of my service accounts, and 1Password - can be compromised via logging or breaches or just plain peeping

Secret key - acts as 2FA for my 1Password and thus protects my master password from unauthorized use - can be compromised if someone steals the physical paper on which it's stored

TOTP - protect against unauthorized use of my service accounts - can be compromised if someone compromises my mobile phone or phone number. Highly unlikely someone would spend that kind of effort and €€€ on me though

All in all it's a pretty nicely tiered system. If someone gets my master password, they still need the secret key. If a burglar steals my secret key, they don't have my master password. If someone somehow compromises both of those, they still don't have access to my TOTPs and thus can't log in to any of my 'critical' accounts (basically e-mail, hosting providers, finance, etc. etc.)

Now imagine you have a malicious spouse or housemate or whatever: they could easily learn your master password by peeping over your shoulder, piecing it together bit by bit (ha). They have a lot of opportunity to search for your secret key as well. If you put your TOTPs in 1Password, you're boned. But if you have them in an authenticator app, even having access to your password manager means jack because they can't log in without your TOTPs.

I know one of the big faux pas is to talk about your security, but most of this stuff can be deduced pretty easily so I don't feel too exposed.


Wow that’s awesome! I had no idea 1Password had this functionality so thanks for sharing. I just had a rough time after upgrading my phone dealing with Google Authenticator since I hadn’t realized my Auth info would not migrate along with the rest of my data...


Yes that's what I've been doing after being burned by Google Authenticator once. Not to mention I actually prefer the UI design of 1Password.


Isn't that solvable by not requiring 2FA for "registered" devices?


Exactly. You should only have to enter the second factor on a given device once, at least optionally.


What about the device getting compromised?


> Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.

It doesn't offer export in the app UI. It's not doing anything to prevent you from backing up the tokens yourself; they're stored in the clear in the sqlite database for the app.

If that's too much for you, there's a good chance https://github.com/puddly/android-otp-extractor can get them automatically.


Use Authy instead of Google Authenticator. Problem solved. RFC 4226 doesn't specify that you can't have shared devices.


Use Authy. Can be transferred to a new device.


>Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.

If that were possible then you would face the same problems that reused SMS numbers suffer from.


AFAIK, in the EU all banks are required to have "strong authentication" which usually means using 2FA via biometric authentication on your phone.

Classic Google Authenticator does not seem much more friction than that.


That is not true. Banks in the EU seem to vary a lot, as the definition of “strong” is not defined (plus many banks have not introduced it yet). Biometric is definitely not required. I use hw tokens but at least one of my banks is trying to move to weaker auth.


I didn't say biometric is required; I said it's normal to have 2fa with friction. A hardware token is just as much friction as TOTP or biometric.

I am surprised your bank is moving to a weaker auth, what does that mean?

I have 3 bank accounts in 2 countries and they all switched to biometric because it's just a simpler experience than the hardware token or "mobile token" they used before.


WebAuthn is definitely the way to go. The security key approach is such a better user experience than the app-based approaches.


What absolutely confuses me is.. aren't TOTP authenticators like the cheapest 2FA option to begin with?? No need to have some fancy SMS Enterprise account with a Telecom or pay okta or duo or entrust a bunch of money. It's FREE, all you have to do is implement the server side which is very straightforward.


A cost of implementing TOTP is ID verification at the time the user needs replacement credentials, eg when they lose the phone that had their TOTP secret. With SMS, this cost is offset to the mobile carrier, though as discussed here, carriers have their own vulnerabilities.

A further cost is that they usually require the user to install and set up an app, contrary to SMS.


OTP using an app has a very low adoption rate. You'd be surprised that even on crypto exchanges 90% of the users don't have access to any kind of 2FA, let alone apps. Only less than .1% of the users have an app installed. It's not convenient.


I wonder what that looks like for bank apps? Banks could (and I’m sure they have) offer their own TOTP client, perhaps a bit more integrated. I’m sure that would be easier and offer a better experience than downloading some random "Google Authenticator" app.


Yes, that works well. My bank has integrated this functionality into their mobile app, allowing one to use it to log in on a computer. When large amounts are to be transferred, the bank-supplied 2FA device is still needed though (which can be annoying, but seems sensible).

This scheme also works really well with payments from your computer. Just use the bank app to scan a qr-code on checkout, verify the payment details on your phone, touch a button, and you're done.

I'd guess that a majority of the bank's clients are using this method. This is in the Netherlands, by the way.


I use Authy for all my accounts and it’s way more convenient than SMS.


> aren't TOTP authenticators like the cheapest 2FA option to begin with??

They are precisely equivalent to asking for two passwords on login instead of one password. "Something you know" and "something else you know". So pretty much, yeah. SMS may not be especially secure, but it is at least an actual second factor.


My banking app requires a pin (or fingerprint) to read data, and a password to make transactions.

The website requires a temporary code, generated by a card reader and my card. It works like a 2FA code, as I need to _have_ my card and to _know_ its pin.


In Norway most banks have been using 2FA for 15 years or more I think.

Recently however it has become somewhat less strict it feels[0] and I can now log in to my bank app using FaceID or a pin code.

Normal bank websites still demand a code from a hardware token (think RSA key, but with a pincode and sequence-based instead of time based.)

[0]: I realize it might be that they are just as strict only doing more work in background to verify me instead of bugging me.


My bank does. The iPhone app can generate tokens. I get the feeling that US retail banking is way behind Europe.


My brain isn't working right now... Can you tell me why something like google authenticator could not be executed as a website? Does it have to be an app?

Just wondering if there could be an easier non installed version that was always available.

Apologies if it's a really silly question!


You can run TOTP in javascript sure http://blog.tinisles.com/2011/10/google-authenticator-one-ti...

But how do you protect access to the website - with a username and password? Or do people now need to remember another code like "JBSWY3DPEHPK3PXP" to set up the authenticator every time they visit?

Mobile apps were one way to solve this although the hardware U2F tokens like Yubikey provide another authentication factor in a usable way (and more secure than TOTP because you can't be phished to enter them on the wrong site).


That's right, in fact if people remember that secret then it's not a "second factor" it's just another part of their password. A "factor" in the context of authentication means one of the various ways that can be used to verify someone's identity: "something you know" (password), "something you have" (non-duplicatable object, eg a SIM card or OTP token containing a secret that cannot be easily guessed or extracted), or "something you are" (biometrics).


> in fact if people remember that secret then it's not a "second factor" it's just another part of their password.

This is more generous than it should be. Your TOTP secret is just another part of your password regardless of whether you personally remember it or not; what matters is that, if I would like to be you, I only need to know the secret.


TOTP has a secret which is basically the seed of the calculation. The security basically comes from that secret being only on the phone you have and not being copyable. Moving it to the server removes that proximity. At least that's how I see it, but you could do it very easily server side if you wanted with equivalent security loss.


Having the secret only exist on a single phone is the most secure, but keeping a backup of the secret for recovery if you lose the phone only lowers security a negligible amount if you are careful about it.

If it is an account you set up from home, probably the simplest thing to do is print the setup page before you scan the QR code for the secret. Even better, print the page, and then scan that QR code from the printout. Then store the printout where you keep other important papers (e.g., mine would go in my fire proof safe).

Another possibility is to scan the code on two devices. I scan on both my iPhone and my iPad. Nearly all realistic scenarios that involve me losing both of those at near the same time also involve me dying.


People chasing perfect security by only putting their TOTP codes in one place seems like perfect being the enemy of good. Back up your codes, people! Put them in an encrypted file and back that file up in a bunch of places.

Encrypting a file is a bit arcane, but not difficult:

  openssl enc -aes-256-cbc -pbkdf2 -iter 1024 -in plaintext.txt -out cryptotext.dat

Decrypting is about the same:

  openssl enc -aes-256-cbc -pbkdf2 -iter 1024 -d -in cryptotext.dat -out plaintext.txt

I'd suggest writing a couple of shell scripts. You might also want to overwrite the plaintext file with /dev/urandom afterward and delete it.


Do you have one encrypted file with all the codes, or do you have one file per code?

I prefer one file per code. When I get a new code, I make a directory named after the account the code is for, save a screenshot of the QR code in there, save a text file with the text version of the code and any one-time recovery codes the site provided. I then make a .zip or .tgz from that directory, encrypt that, and save a copy in the cloud and locally. The local copy is in a location that is included in offsite backups.

If you use one file per code, I'd recommend using a public key system for the encryption. That way you don't have to enter any secrets to encrypt a new code. You only enter anything secret when decrypting.

This has a few advantages.

1. Less chance of accidentally exposing the key.

2. If like most people you use the same key for all the files, no chance of unknowingly mistyping the key resulting in a file that you cannot decrypt later.

3. If you need to recover a code, you only need to decrypt that code.

If as you suggest you wrap this in shell scripts, you can address #2 there. Have a reference file encrypted with your symmetric key. For encryption, the script can ask for your key and verify it was typed correctly by using it to decrypt the reference file.

Also worth considering is using an encrypted disk image. I believe that all major desktop operating systems provide reasonably easy ways to create, mount, and dismount such volumes. Whether you use one file per code or all codes in one file, the file or files can live on an encrypted volume that you only mount when you are saving a new code or recovering an old code.

The advantage of that is that there is no need to use any arcane commands or install any extra software.
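The reference-file idea from the comment above (prove the passphrase by decrypting a known file before encrypting anything new with it) is easy to script around the openssl commands quoted earlier. The following is an added example, not code from the thread; it assumes an `openssl` binary on PATH that supports `-pbkdf2` (OpenSSL 1.1.1 or later), and all paths, passphrases and the sample secret are constructed for the demo.

```python
"""Passphrase-checked backup of TOTP secrets, wrapping `openssl enc`.

Added example, not code from the thread. The reference file is encrypted once
with the backup passphrase; every later encryption first decrypts it, so a
mistyped passphrase is caught immediately instead of at recovery time.
"""
import os
import subprocess
import tempfile

# Same cipher and KDF settings as the commands quoted in the thread.
OPENSSL = ["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-iter", "1024"]
REFERENCE_PLAINTEXT = b"backup passphrase check OK\n"  # constructed sentinel contents


def _openssl(extra, passphrase, src, dst):
    """Run openssl enc; the passphrase goes in on stdin so it never appears in argv or shell history."""
    proc = subprocess.run(
        OPENSSL + extra + ["-pass", "stdin", "-in", src, "-out", dst],
        input=passphrase.encode() + b"\n",
        capture_output=True,
    )
    return proc.returncode == 0


def encrypt_file(src, dst, passphrase):
    return _openssl([], passphrase, src, dst)


def decrypt_file(src, dst, passphrase):
    return _openssl(["-d"], passphrase, src, dst)


def create_reference(ref_path, passphrase):
    """Encrypt the known sentinel once; later passphrase checks decrypt this file."""
    fd, tmp = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(REFERENCE_PLAINTEXT)
    try:
        return encrypt_file(tmp, ref_path, passphrase)
    finally:
        os.unlink(tmp)


def passphrase_matches(ref_path, passphrase):
    """True only if the passphrase decrypts the reference file to the expected bytes.

    The byte comparison matters: with a wrong key, CBC padding occasionally happens to
    look valid, so openssl's exit status alone is not a reliable verdict.
    """
    fd, out = tempfile.mkstemp()
    os.close(fd)
    try:
        if not decrypt_file(ref_path, out, passphrase):
            return False
        with open(out, "rb") as f:
            return f.read() == REFERENCE_PLAINTEXT
    finally:
        os.unlink(out)


def backup_secret(plain_path, enc_path, ref_path, passphrase):
    """Refuse to encrypt a new secret unless the passphrase is proven against the reference file."""
    if not passphrase_matches(ref_path, passphrase):
        raise ValueError("passphrase does not decrypt the reference file; refusing to encrypt")
    return encrypt_file(plain_path, enc_path, passphrase)


def demo():
    """Full round trip in a temporary directory; returns each check's result as a tuple."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "reference.dat")
        plain = os.path.join(d, "example-account-totp.txt")
        enc = os.path.join(d, "example-account-totp.dat")
        restored = os.path.join(d, "restored.txt")
        secret = b"JBSWY3DPEHPK3PXP\n"  # constructed sample seed, not a real account
        with open(plain, "wb") as f:
            f.write(secret)
        created = create_reference(ref, "correct horse battery")
        right = passphrase_matches(ref, "correct horse battery")
        wrong = passphrase_matches(ref, "correct hoarse battery")
        try:
            backup_secret(plain, enc, ref, "correct hoarse battery")
            refused = False
        except ValueError:
            refused = True
        saved = backup_secret(plain, enc, ref, "correct horse battery")
        roundtrip = decrypt_file(enc, restored, "correct horse battery")
        if roundtrip:
            with open(restored, "rb") as f:
                roundtrip = f.read() == secret
        return created, right, wrong, refused, saved, roundtrip


if __name__ == "__main__":
    print(demo())  # expect (True, True, False, True, True, True)
```

Because the reference file is encrypted with the same passphrase as the backups, it carries no extra secret and can be synced alongside them; the only thing it adds is the guarantee that every backup you write was made with the passphrase you think it was.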


Having a simple encrypted file means you can stuff it on an online backup though. The point is to have the keys stashed in several places so the loss of any one or two devices doesn't lock you out of your life.

I prefer keeping it as simple as possible since the consequences of screwing it up are a whole lot of hassle and possibly being locked out of some accounts forever. One downside is when you add or change a code you have to update all of your backups. A second script that syncs all of the backup files is also helpful to have.


I could see Apple offering 2FA as a core feature, at least on iOS.

In fact, Apple should redesign Keychain into a user friendly, 1Password-lite product with 2FA built-in (1Password offers this too) or as a separate app that works with Keychain.


iCloud Keychain is already a better-than-1Password 1Password-lite and 2FA itself for your Apple id is built into iOS and macOS. I think the limiting thing there is desktop Safari - you don't really notice the full integration unless you're using Safari on macOS as well.


Apple has had mandatory device-based 2FA for a while now, but it only works for iCloud logins.


Yes, super annoying. Now I can no longer get into my Apple Developer account without walking to my development mac I use to run xcode builds (for a react native app), since for some bizarre reason the only 2FA they support is their own which requires Apple hardware.

It's bad enough their development toolchain requires you to buy their hardware, now to log into their websites you also have to buy their expensive hardware.


Apple continues to support SMS as 2FA. It is a bit hidden when signing in.


I just want TOTP.


Isn't iMessage just as vulnerable to SIM swapping and number portability fraud as SMS?

Once you have control over a phone number, you can register iMessage as that number on a device you control.


It depends. If your iMessage account is tied to an Apple ID used on multiple devices with 2FA enabled then the code is sent to one of those other devices to validate the login on the new device. So if you are fully in the Apple ecosystem and have 2FA enabled then I believe it would be secure. I know I get alerts on my other devices any time I have had to re-add my phone number to an Apple ID. It tells me my phone number is now being used on another device. So at the very least you would probably be notified.


When you get the prompt to input the code, just choose "Did not get a verification code" and it will fall back to SMS.

See: https://blog.elcomsoft.com/wp-content/uploads/2016/03/apple_...


Interesting, I did not realize that.


This is a great find too


iMessage is only tied to an Apple ID for the e-mail part (where they can send iMessage to your e-mail). The phone number part is independent of that and you can take it over provided you prove ownership of the phone number (by inserting the SIM into an iPhone, it'll send an invisible SMS to Apple and back and that then activates iMessage on that number on that new device).


Apple accounts in general also have mandatory SMS 2FA if 2FA is enabled.


Isn't there a registration step for new SIMs with iMessage?


I think there’s an SMS sent without any visual indication and without asking for explicit permission (or I missed it if there was a tiny text warning). I noticed it when I saw an SMS, in my bill, sent to a Singapore number which, as an international SMS, was chargeable (SMS is mostly free here).


Why the downvoting? iMessage is a hundred times more secure than SMS. It’s got E2E encryption and a published security paper.

https://techcrunch.com/2014/02/27/apple-explains-exactly-how...


Unclear.


iMessage still depends on verifying your ownership of a phone number and can be taken over with a SIM swap attack.



