Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com)
An anonymous reader writes with this news from Ars Technica: The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA) at its main digital government portal, myGov. The portal's Twitter account has recently been updated several times with cute pictures encouraging holidaymakers to "turn off your myGov security codes" so that "you can spend more time doing the important things."
The portal is the place where Australian citizens can use and manage a number of governmental services, including health insurance, tax payments, and child support. In case of myGov, two-factor authentication is implemented by sending users text messages that contain one-time codes to complement their usual passwords.
Begs the question (Score:2, Interesting)
Re: Begs the question (Score:2, Interesting)
The Australian government is just plain stupid (and undemocratic, too).
Re: Begs the question (Score:1)
Re: (Score:1)
Re: Begs the question (Score:5, Funny)
Ozzies don't drink Foster's. That stuff is 'roo piss.
"Foster's. It's Australian for 'Pabst Blue Ribbon'."
Re: (Score:2)
Re: (Score:2)
I've seen it for sale but never actually bought it. Plenty of good beers to choose from instead!
Re: (Score:2)
Re: Fosters was prominent in The World's End movie (Score:4, Informative)
Simon Pegg is English.
Re: (Score:2, Interesting)
Was it hacked or has someone been drinking too much fosters?
Nobody here drinks fosters. Stop perpetuating this tired meme.
Re: (Score:2)
i had a frien from there. his name was bruce. do you know him?
Re: (Score:2)
s/frien/friend
Re: Begs the question (Score:1)
Re: (Score:1)
Re: (Score:2)
Well it's just like Canada, where everyone thinks all we do is eat maple syrup and live in igloos. Don't worry, you get used to it after 150 years or so.... the living in igloos bit, we don't really have cities, they're just really amazing holographic projections.
Re: (Score:2)
Re: (Score:2)
I... I thought Canadians lived in maple syrup and ate igloos. My mind is blown.
Re: (Score:2)
At a gov level all contracts and bids have to be open to US contractors and brands under free trade deals.
So it's the perfect alignment of for-profit interests, big gov and encryption, but not too much good local encryption that would break Five Eyes collect-it-all.
The international issue is really the change of sim card
Re: (Score:2)
Nonsense. The whole identity check thing is theoretical only. Often it's ignored, and if you've got reason to not be checked, you'd just steal the SIM off the shelf, because there is little security over them. The security check is just the government fooling themselves.
Re: (Score:2)
It was hacked - there is no such thing as too much Fosters.
Re: (Score:2)
You're too kind :-) About the troll part - is it trolling, nowadays, when somebody makes a (very slightly provocative) joke?
Re: (Score:1)
I'm not going to visit your shitty website because 'begs the question' is a perfectly acceptable, well known and often used idiom in these parts.
Be pedantic all you like, it's part of the language and you can fuck off if you don't like it.
Re: (Score:2)
And you can fuck off if you don’t like people correcting your misusage. You are wrong. Just because a lot of other people are wrong along with you doesn’t make you less wrong, it just makes you less uniquely wrong.
There are plenty of phrases meaning “brings up the question,” “asks the question,” “leads me to ask,” etc. There are not many for “making an unspoken assumption,” so by appropriating a phrase that means one thing to mean another (for whic
Re: (Score:2)
If the general usage means one thing then the dictionary definition and cunts that stick to it can fuck off.
Welcome to a language that evolves, updates and changes. Something you seem to be incapable of.
Re: (Score:2)
The forces pushing the “evolution” (another word you’re misusing) of language one way or another are all human. I am a human, and I am pushing in the direction I see fit. If your best argument is “but everyone’s sayin it!” then I shouldn’t have to push too hard.
Re: (Score:2)
Your problem is that you don't have to push me, you have to push several million people that live near me.
Still, I'm sure you're up to the task. Enjoy.
Re: (Score:1)
Somewhat sadly, Cederic is correct in his reply: the language does evolve, and the meaning of words and phrases change. 'Begging the question' is a tricky one, because it is difficult to even explain the original meaning. OTOH, using it to define a situation in which one would naturally ask such a question is grammatically correct. The fact that the same phrase refers to a logical fallacy is immaterial - indeed, it is the 'correct' (that is, original) meaning that is arcane.
The same applies to the use of
Re: (Score:1)
That's fine, go for it. Get it into common parlance and I'll be terribly impressed.
I've heard of Jennifer Lawrence, can confirm I haven't had sex with her or passed on any specific conditions. Doesn't mean I wouldn't like the chance.
You can trust us... (Score:5, Funny)
PATCH#101: You have to trust us... (Score:1)
we're the government!
the reason why (Score:5, Insightful)
The reasoning behind myGov's suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won't be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle.
It seems to me this is probably the result of many support calls/emails because people don't realize when they switch their card that they can't authenticate. Perhaps instead of turning off two-factor authentication in a situation when it's needed most, they should add a "vacation mode" that lets you temporarily pick a new destination for the text messages.
Re:the reason why (Score:4, Insightful)
Re: (Score:2)
Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.
Wait, I missed something here. Exactly what does Google provide that doesn't require a phone or internet access at all?
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
No you can't.
Authenticator runs on a phone or tablet. Without internet you can't even set it up. Without perfect clock sync the codes generated by authenticator stop working.
The codes generated by authenticator have a very short shelf life, measured in seconds.
Re: the reason why (Score:2)
And what would you use them for without an internet connection?
Re: (Score:2)
Re: (Score:2)
That would be a stupid thing to do, as the code remains in the machine.
The codes are meant to be used as passwords for apps.
Re: (Score:2)
Re:the reason why (Score:4, Informative)
> No you can't.
Wrong. You absolutely can use pre-generated keys for google's authentication services. They call them backup codes.
> Authenticator runs on a phone or tablet. Without internet you can't even set it up.
Wrong again. You can absolutely set up accounts in Google Authenticator (and most other similar apps) without network access. You can even install the app itself without access in many cases, if you want to side-load from a PC or something.
> Without perfect clock sync the codes generated by authenticator stop working.
Sorta wrong. The clocks don't have to be perfect, they just have to be close. Pretty much every service has the ability to deal with a certain amount of clock skew. Smartphones these days are pretty good at keeping time, even when not connected to the network, so this usually isn't an issue. But this is also dependent on if the service is using TOTP or HOTP. (Time based or Counter based codes)
> The codes generated by authenticator have a very short shelf life, measured in seconds.
Here you got one right, every code has a 60 second lifespan. (:
But to the point of the original post (GGGP?) that brought up the authenticator... They should at least have HOTP/TOTP as an option for those with smartphones in this case. They probably can't drop SMS altogether because of the users that *don't* have smartphones, but there's no reason not to support both.
Re: (Score:3)
Re: (Score:2)
> Here you got one right, every code has a 60 second lifespan. (:
Google also provides OTPs that are not time-limited. They're called backup codes; you get them from the Google account web site, print them out and keep them in a safe place. It's good to keep a few in your wallet when traveling, in case your phone is lost or broken.
Re: the reason why (Score:1)
Re: (Score:2)
Google provides a standard (as in open source and standard usable by all comers) TOTP/RFC 6238 app.
This really should be an option. For example, a user can opt to have their code texted, type in their six digit second authentication, or perhaps have a scratch-off card with one time use codes on it as the last resort. On iOS, maybe make a deal with Apple, so the code can appear using Apple's protocol that works regardless of SIM card used.
This should not be too difficult... the RFC is open source, easily u
Re: (Score:3)
smartcard readers or wtf?
fyi, google two factor authentication uses sms...
probably australian government buys the sms sending with a shitty deal with either expensive or nonfunctional international sms's - and just expensive for them for domestic.
they probably bought it from telstra or some other shit company for ten cents a piece or something and thought they were getting a great deal because they had not checked the market in 15 years...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No, likely it's that the user forgets to update his account with a new phone number.
I mean, if you're traveling and you're using a local SIM, it
Re: (Score:2)
> fyi, google two factor authentication uses sms...
Google two-factor uses any and all of:
1. Security key (any FIDO U2F-compliant device will work). This is a small device that plugs into a USB port. Some of them also have NFC capability so you can use them on your phone by tapping the key against the back of your phone. If you have multiple Google accounts you can use the same security key for all of them.
2. Google Authenticator app, or compatible (it's an open standard). The app also supports multiple accounts, and does both time-based and counter-based
Re: (Score:2)
So Google's method involves locking everyone out who travels. You can keep that.
Re: (Score:2)
"I went overseas and google locked me out because it thought someone else was using my account (because no-one ever travels right?)."
No need to travel, I get locked out regularly when I check my mail on with my VPN active.
Re: the reason why (Score:2)
I bet you were not using 2 factor authentication. Lock out only happens to users using only password.
Re: (Score:2)
Indeed, the Google authenticator app actually implements a standard that anyone is free to use. I use it with Microsoft services. You can use other apps too, if you don't like the Google one.
Re: (Score:2)
Re: (Score:1)
That's one possible solution.
Alternatively do what other multi-factor systems do: create backup options. Don't have the phone/app/dongle? Use the printed out one time codes. Send a code to the associated email address or the backup email address. Set up authentication questions (no free text.) Require a backup phone number to be set up at the same time.
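The "printed out one time codes" in the list above (the same thing an earlier comment calls Google's backup codes) are easy to get subtly wrong on the server side. The following is an added example, not code from the thread or from any of the services mentioned, showing how such codes are generated, stored hashed like passwords, and consumed exactly once. The code length and count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not myGov or Google code): single-use printed backup codes.
# Assumptions: 10 codes of 40 random bits each, stored only as SHA-256 hashes.


def generate_backup_codes(count: int = 10, bytes_per_code: int = 5):
    """Return (plaintext_codes, stored_hashes).

    The plaintext list is shown to the user exactly once (to print and keep
    offline); only the hash set is persisted, so a database leak does not
    hand out working second factors."""
    codes = [secrets.token_hex(bytes_per_code) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set, candidate: str) -> bool:
    """Consume one code. Normalises user input, compares hashes in constant
    time, and removes the hash on success so the code cannot be replayed."""
    digest = hashlib.sha256(candidate.strip().lower().encode()).hexdigest()
    for stored_hash in list(stored):
        if hmac.compare_digest(stored_hash, digest):
            stored.discard(stored_hash)   # single use: burn it
            return True
    return False


if __name__ == "__main__":
    plaintext, vault = generate_backup_codes()
    print("give these to the user once:", plaintext)
    print("first use:", redeem_backup_code(vault, plaintext[0]))
    print("replay:", redeem_backup_code(vault, plaintext[0]))
    print("codes remaining:", len(vault))
```

Because the codes are high-entropy random strings rather than user-chosen passwords, a plain salted-or-unsalted SHA-256 is adequate; what matters is that they are deleted on use and that redemption attempts are rate-limited like any other login path.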
Re: (Score:2)
So it's a fuckup to try to make up for the fuckup of not having enough support staff.
Email (Score:2)
So the problem is that people swap their Australian SIMs when they go abroad, and don't get alerts. Okay, well why not just send an email saying "you have an alert, log in to see it or replace your Australian SIM and pay $$$ to get the text message"?
That's what the lottery in the UK does. You get a message saying you have good news, log in to see it. Then you find out you won £2.37 and it was barely worth the effort.
Re: (Score:2)
> So the problem is that people swap their Australian SIMs when they go abroad, and don't get alerts. Okay, well why not just send an email saying "you have an alert, log in to see it or replace your Australian SIM and pay $$$ to get the text message"?
> That's what the lottery in the UK does. You get a message saying you have good news, log in to see it. Then you find out you won £2.37 and it was barely worth the effort.
The problem is that carriers gouge people who are traveling abroad if they have the temerity to turn on their phone with the home SIM installed.
I quote from the text message to my phone when I landed in Canada on a flight from Hong Kong, on my way to the US..
"AT&T Free Msg:
Welcome abroad! Please note your current international rates are: data $2.05/MB, talk $1.00/min, text $0.50/msg sent; $1.30/photo or video msg sent. Reply YES to learn how to get lower rates. For questions, or to block data, call +1.2
Re: (Score:2)
Yes over 2 dollars per megabyte. I shit you not.
Using Sosh (a sub-brand of French Orange, whose client I have been since 1997, even though the monthly price is substantially higher than that of competitor Free), I got two different SMSs when arriving in the US. The voice price was substantially different between the two, but the data price was over USD 13 per megabyte. My fellow travelers use Free, the newest big French mobile phone company. They got an SMS saying that all their voice and data were counted like at home: unlimited with no surcharge, restr
you are the answer (Score:2)
> For less that 2 MB using the Sosh price, I could have bought a month with Free just to visit the US. I'm wondering why my carrier still has clients.
You ARE the client who still keeps them. Why tf are you still with them?
Re: (Score:1)
Re: (Score:2)
The main thing 2FA protects against is keyboard loggers and a compromised machine. Even if the password is emailed, it still is a lot more difficult for an attacker to get in. Mainly because hacking someone's E-mail and constantly looking at it is more difficult than just passively retrieving a stream of a user's keyboard output from a keylogger.
Of course, the ideal is an application on a separate connection that isn't connected in any way to the computer, but even an emailed password is better than nothi
Re: (Score:1)
Not sure why logging into email account is any harder; once we accept a keyboard logger, he basically sees everything you do on the computer (basically he is looking over your shoulder all the time). And it's very reasonable to expect the hacker had seen and obtained your email login/password [as it's reasonable people use their email account often]. Yes, sure, two independent channels of communication is good - or hard-token
myGov is a nightmare. (Score:5, Interesting)
myGov has to be one of the worst executions of a good idea I've come across. Basically it's a single sign-on portal to other government services that appears to be designed by a committee of very user-unfriendly elderly people. You don't get to have a username, you get a user number. The system insists on a *very* strict password, and if you get it wrong three times, your account is locked for the day, even if you're on a welfare payment that requires you to log in that day by law. It also asks you to answer various questions ("What is your mother's maiden name" type things), and it's anal about input to the point of paranoia. Capitals wrong? One day account lock! I get that they are worried about security, but how about letting us have a user name we can remember, and setting that auth question to case insensitive!
Re: (Score:2)
> Basically it's a single sign-on portal to other government services that appears to be designed by a committee of very user-unfriendly elderly people.
The problem with public service is that process takes priority over outcomes, and it has to be that way since it is public money at stake.
You never get greatness with this model, but you hopefully never get Enron-style failures either (i.e. bankrupt government). So you have to take the good with the bad.
Re: (Score:2)
Very cynical to say it has to be that way. I think it is that way because they appoint ladder climbing bureaucrats to run these things rather than domain experts, and thus they always get rubbish results. But I don't think it has to be this way.
Re: (Score:2)
Govt can't work like Apple or Google.
Re: (Score:1)
Re: (Score:3)
Wow - keywords really set you off don't they? How do you know one way or another that a "welfare state" applies? You don't seem to understand that Australia is currently run by people with politics either similar or identical to your own.
Hilarious.
Re: (Score:2)
fuck off you nazi cunt and take your privatised corporate-owned state with you.
Re: (Score:2)
America to start with out of the "Western" countries; the US was conquered decades ago. Others as their program advances - the TPP, for example, was a huge win for corporate overlordship.
Re: (Score:2)
Oh, so you have a job for him? That's wonderful!
New Phone Number (Score:5, Insightful)
If you get a new phone number they have to completely delete your account and you have to link everything again from scratch. Takes a couple of months. Well designed portal...
Re: (Score:2)
Yup. The rules that govern myGov are rubbish, and if you make a mistake, it is unrecoverable, and you have to start again.
But it says (Score:1)
Every time I log in, I get a nag screen demanding I turn two-factor authentication on; every time. This is precisely the reason I won't: no phone, no access.
I would love to. (Score:4, Informative)
But in order to turn it off I need to log in. I can't log in because I'm living abroad without my Australian number. I can't change the system to use my new number because I can't log in.
I hope they implement a sensible workaround before tax time.
Re: (Score:2)
You're supposed to do a lot of things. Changing a 2-factor authenticator on a portal that I use at most once a year (which at the moment equates to once in its life so far) doesn't rank really high on the things-to-remember list.
Unless you're on welfare the Australian government is actually quite hands off and I need to interact with them at most at tax time... and some people use tax agents to sort that out for them.
Australian Gov tells citizens to turn off 2FA (Score:2)
Re:Australian Gov tells citizens to turn off 2FA (Score:4, Insightful)
That doesn't even begin to make sense.
How would that enable the Aussie feds to spy on you any better? We're talking about a government page for crying out loud, if they want to spy on you, they already own one end of the communication.
Look, I'm usually not the one defending governments when it comes to sniffing in things they have no business in, but this is ridiculous.
Re: (Score:2)
I would go one step further. Spy ON WHAT?
The portal is an access for citizens TO the government, not the other way around. Not only do they already own one end of the communication they actually already own all the content too.
I can't get it to stop trying to make me use 2FA (Score:2, Interesting)
I'm an Australian with a MyGov account, and I refuse to give them my phone number. Every time I log in it asks for one, and tells me how much more secure I would be if I used 2FA. You can decline each time, but there's no way to tell the system "no, not now, not ever, don't ask me again". I even sent feedback to the webmaster asking how I could tell it that I DO NOT HAVE A MOBILE PHONE so it will stop asking me, and got no response.
And now they're urging people to turn it off!
Bizarre.
(I always knew that the
Re: (Score:2)
You don't have a phone, but you have an Internet connection and are geek enough to access Slashdot? Lol.
WGAF (Score:2)
2-factor auth by mobile phone (or tablet) is fucking cretinous. mobile phones aren't in the least bit secure, they're even worse than Microsoft Windows - and that includes both Android and Apple.
Anyone who trusts their phone for anything where security is important - like banking, or as a credit card substitute or other payment system, or even just to login to a web site - is a fucking moron.
they are inherently compromised by spyware and malware - even if you're extremely careful about the apps you install
Re: (Score:2)
Is it perfect? No. Web security is inherently imperfect. Is it better than not having 2FA?
Re: (Score:2)
it's you who doesn't understand - if the 2nd factor (e.g. the thing you have rather than the thing you know) is inherently compromised and insecure then it's worse than useless.
and no, you have to be a fucking moron to trust something inherently untrustworthy like a mobile phone for 2FA.
this is doubly true if you are stupid enough to also use a browser on your phone to perform the login - actual compromise is more difficult without that, but locking someone out of their account is trivial with phone-based
Re: (Score:2)
Well, if the 2nd factor is on a different device then you just significantly raised the stakes of anyone wanting to compromise you.
Or, you could ... (Score:2)
Why is the security they designed SIM dependent? (Score:1)
What confidence ... (Score:2)
Or maybe it means that the .AU government know that their security is fatally flawed, and this message comes from the thieves.