Security for 2FA

I got a new mobile device recently and despite the restore from backup, I still had to perform quite a few setup chores. Reconnecting various apps to services by logging in was time consuming, but simple. A password manager was useful here, since I have different passwords everywhere. I set that application up first and then proceeded from there.

The only trouble I really had was with Outlook and mail. I have an IMAP provider for one account and Outlook doesn’t make it easy to figure out where to change the settings for this. The second issue was with my corporate mail, which is secured with a 2FA connection through Duo.

This is a technology that doesn’t use text messages, but instead has an application on devices and pushes a notification to them. I get a push when I log onto corporate assets from my PC, and I have to approve the login from my mobile. This prevents some of the SIM hijacking that can occur, where someone might gain access to my SMS messages. It also prevents a lazy guy with Google Messages from getting a code on the same device rather than walking to the other room to get my phone and ensure I actually have it.

I had to get help from our admins with the new device, despite having the old device connected and able to approve the connection. I had thought this would work, but there was some issue with Duo. On one hand, maybe this is good that it isn’t simple and I can’t quickly approve a new device, in that it prevents someone from stealing my identity on a cloned device. On the other, in an organization of any size, where mobiles might change constantly, this feels like a time sink.

This might not be an attack vector to be worried about, but I think it’s better to be safer here than we might need to be. I do think that good security is worth some hassle. I don’t really complain about having to periodically re-authenticate or about the requirement for strong passwords, and I love having 2FA enabled on many services. I hope we continue to find more and stronger methods of protecting individual and corporate data, along with more respect for the rights of the humans whose data is being captured and used by most organizations. I also hope that we continue to improve the security options in SQL Server, including adding 2FA.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.

About way0utwest

Editor, SQLServerCentral