I got “Australian government tells citizens to turn off two-factor authentication” forwarded to me because of my two-factor posts on this blog. The theory is that travellers will not be able to receive text messages while abroad. I was surprised to see such a thing, but lo and behold, their Twitter account does in fact say exactly that, including:
Going out of mobile range? Turn off myGov Security Codes so you can still sign in! Go to ‘settings’ in your account
If you turn off security codes, you’ll still need to securely sign in with secret questions & answers.
My gut reaction
This sounds like a horrible idea: while traveling, make your access LESS secure? I find it hard to believe their “secret” questions are actually secure. Most sites use answers that lots of people know or can look up, or answers that you have no way of remembering yourself. Either way, a secret question is just a second, weaker password: it is something you know, not something you have, so the account is back to a single factor.
How Australia could fix this without compromising security
Australia could update their website. They could add support for any or all of the following:
- Email a secondary auth code for verification. If you have access to the website, you presumably have access to email. (This is only as strong as the email account, so that account should itself be protected with two-factor.)
- Google Authenticator support. This app doesn’t even require internet access: the code is computed from a shared secret and the phone’s clock, so it works with the SIM removed or in flight mode.
- Predefined codes. Gmail provides a set of one-time backup codes that are generated in advance, to be used if the other methods fail.
- Support a temporary alternate number. This one is less convenient, but the site could provide a way to register a secondary phone number that is valid only during a pre-defined window. That way SMS could still be used.
All of these are still two-factor solutions, unlike secret questions.
What users could do if a website doesn’t have an option other than SMS
This part isn’t specific to Australia. It applies to any site that offers only SMS for two-factor.
- First, decide whether you will actually need the site while traveling. If not, problem solved.
- Check whether the site remembers trusted devices. If so, sign in from the phone or laptop you will carry while you still have your main phone/SIM, so you won’t be challenged for a second factor while traveling.
- If there are predefined codes, bring them with you.
- If you must turn off two-factor, do so, but also:
  - Complain to the website so they know this is a problem.
  - Leave a post-it note on your home computer reminding you to turn two-factor back on.
  - If the website shows a “last login” time, check that it was you.
  - If the website emails you when someone logs in from a different device, watch for those emails.