2FA Needs Work.

Sending 2FA via text only is insecure. Please permit users to use an app for 2FA codes.

Also please allow users to store a device for up to 30 days so as to not require repeated 2FA auth on a computer for example.

I’m glad 2FA is now permitted but this is one of the worst implementations I’ve seen in several years of companies permitting this feature.

14 Likes

Agreed. In the age of SIM Jacking, texting codes is a miserably poor attempt at 2FA.
Better is tokens like the YubiKey Security Key, FIDO2, U2F, or even Google Authenticator.

1 Like

Constantly having to log in to the communities page every few hours with 2 factor is painful.

2 Likes

Not on my phone. I hit post, sign in screen pops up filled out. Then text arrives, copy by simple tap, and paste code done. Rather have the added protection. Takes a few seconds more.

NIST.gov deprecated SMS based 2-factor back in 2016 – see https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

1 Like

But why are you logging into the community pages every few hours?

One prob is delayed text messages, common on TMO. I just tried to enroll in 2FA and didn’t get a code for a couple of minutes.

Both Google and Microsoft have authentication apps that are easy to use (produce same codes) and produce instant codes that don’t rely on text messages.

1 Like

I have TMobile and I get a text in less than 5 seconds all the time.

Much of the time I do also receive text notifications from credit cards when I use them. But others occasionally get delayed unpredictably.

It started a couple of years ago and there are threads on TMO’s support site about this and a worse problem of calls being sent directly to voicemail with no ring. It happens with various phones: Apple, Android and even some sold by TMO. They changed their network during a big expansion and my guess is it was inadvertently introduced into some network setting then. They have never really acknowledged it other than the lower level support people apologizing but not actually solving the problem.

I cured mine almost completely by resetting my phone’s SMS network settings by trial and error. That cured the problem almost completely, but it still happens sometimes.

I agree with the above poster that we need to be able to use security keys such as the YubiKey. Plus, like the OP said, 2FA by SMS is woefully inadequate.

If Ring really “cares” about security and privacy they wouldn’t hesitate to implement more secure 2FA options. And to give us complete control over our privacy and security options.

Agreed. Not only that, it requires surrendering more personal information to Ring… your cell phone number. This implementation is known to be hackable and yet Amazon/Ring seems to think it’s a good idea. Maybe fine for people with dumb cell phones and no fears. Using an authenticator app to generate one-time passwords is really not that hard.

Provide a better 2FA option. ASAP.

1 Like

You don’t have to give your phone number anymore. You can go old school and have them send you an email instead now.

Try to get a text message on time when you are out of the country. Always delayed, many do not make it. Why I use other messaging apps that are more secure anyway.