Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Australia Government Security

Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com) 146

An anonymous reader writes with this news from Ars Technica: The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA) at its main digital government portal, myGov. The portal's Twitter account has recently been updated several times with cute pictures encouraging holidaymakers to "turn off your myGov security codes" so that "you can spend more time doing the important things."

The portal is the place where Australian citizens can use and manage a number of governmental services, including health insurance, tax payments, and child support. In case of myGov, two-factor authentication is implemented by sending users text messages that contain one-time codes to complement their usual passwords.

This discussion has been archived. No new comments can be posted.

Australian Government Tells Citizens To Turn Off Two-factor Authentication

Comments Filter:
  • Begs the question (Score:2, Interesting)

    by liqu1d ( 4349325 )
    Was it hacked or has someone been drinking too much fosters?
    • by Anonymous Coward

      The Australian government is just plain stupid (and undemocratic, too).

    • Note to self: RTFA. Must be the latter then :).
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Was it hacked or has someone been drinking too much fosters?

      Nobody here drinks fosters. Stop perpetuating this tired meme.

    • by AHuxley ( 892839 )
      As a 5 eye nation every packet in and out falls under "collect it all". US and UK collection is also no problem as Australian encryption is kept tame or as NSA ready US branded "standards" .
      At a gov level all contracts and bids have to be open to US contractors and brands under free trade deals.
      So its the perfect alignment of for profit interests, big gov and encryption but not too much good local encryption that would break 5 eye collect it all.
      The international issue is really the change of sim card
      • Nonsense. The whole identity check thing is theoretical only. Often it's ignored, and if you've got reason to not be checked, you'd just steal the SIM off the shelf, because there is little security over them. The security check is just the government fooling themselves.

    • It was hacked - there is no such thing as too much Fosters.

  • by fredgiblet ( 1063752 ) on Friday December 25, 2015 @01:13AM (#51181179)
    ...we're the government!
  • the reason why (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Friday December 25, 2015 @01:26AM (#51181201)

    The reasoning behind myGov's suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won't be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle.

    it seems to me this is probably the result of many support calls/emails because people don't realize when they switched their card that they couldn't authenticate. perhaps instead of turning off two factor authentication in a situation when it's needed most, that they should add a "vacation mode" that let's you temporarily pick a new destination for the text messages.

    • Re:the reason why (Score:4, Insightful)

      by The MAZZTer ( 911996 ) <megazzt AT gmail DOT com> on Friday December 25, 2015 @01:29AM (#51181207) Homepage
      Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.
      • by icebike ( 68054 )

        Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.

        Wait, I missed something here. Exactly what does Google provide that doesn't require a phone or internet access at all?

        • Time-based one time password. For example, see FreeOTP [fedorahosted.org] (sponsored / published by Red Hat, compatible with the Google Authenticator)
          • by fennec ( 936844 )
            Added to the Google Authenticator app, you can also generate authentication codes in advance and keep them as a text file.
            • by icebike ( 68054 )

              No you can't.

              Authenticator runs on a phone or tablet. Without internet you can't even set it up. Without perfect clock sync the codes generated by authenticator stop working.

              The codes generated by authenticator have a very short shelf life, measured in seconds.

              • Re:the reason why (Score:4, Informative)

                by Rhyas ( 100444 ) on Friday December 25, 2015 @03:51AM (#51181373) Journal

                No you can't.

                Wrong. You absolutely can use pre-generated keys for google's authentication services. They call them backup codes.

                Authenticator runs on a phone or tablet. Without internet you can't even set it up.

                Wrong again. You can absolutely setup accounts in Google Authenticator (And most other similar apps) without network access. You can even install the app itself without access in many cases, if you want to side-load from a PC or something.

                Without perfect clock sync the codes generated by authenticator stop working.

                Sorta wrong. The clocks don't have to be perfect, they just have to be close. Pretty much every service has the ability to deal with a certain amount of clock skew. Smartphones these days are pretty good at keeping time, even when not connected to the network, so this usually isn't an issue. But this is also dependent on if the service is using TOTP or HOTP. (Time based or Counter based codes)

                The codes generated by authenticator have a very short shelf life, measured in seconds.

                Here you got one right, every code has a 60 second lifespan. (:

                But to the point of the original post (GGGP?) that brought up the autheticator... They should at least have HOTP/TOTP as an option for those with smartphones in this case. They probably can't drop SMS altogether because of the users that *don't* have smart phones, but no reason not to support both.

                • 30 second lifespan, but implementations are encouraged to check the previous and next code as well, giving you a 90 second window. Which is more than enough for most smartphones, unless you travel without ever accessing wifi for months.
                • Here you got one right, every code has a 60 second lifespan. (:

                  Google also provides OTPs that are not time-limited. They're called backup codes; you get them from the Google account web site, print them out and keep them in a safe place. It's good to keep a few in your wallet when traveling, in case your phone is lost or broken.

                • Funny, I just installed OTP Authenticator on my phone. Sounds like the aussies need to get a clue. Euther that or never come back from vacation. https://github.com/0xbb/otp-au... [github.com]
        • by mlts ( 1038732 )

          Google provides a standard (as in open source and standard usable by all comers) TOTP/RFC 6238 app.

          This really should be an option. For example, a user can opt to have their code texted, type in their six digit second authentication, or perhaps have a scratch-off card with one time use codes on it as the last resort. On iOS, maybe make a deal with Apple, so the code can appear using Apple's protocol that works regardless of SIM card used.

          This should not be too difficult... the RFC is open source, easily u

      • by gl4ss ( 559668 )

        smartcard readers or wtf?

        fyi, google two factor authentication uses sms...

        probably australian governent buys the sms sending with a shitty deal with either expensive or nonfunctional internationl sms's - and just expensive for them for domestic.

        they probably bought it from telstra or some other shit company for ten cents a piece or something and thought they were getting a great deal because they had not checked the market in 15 years...

        • Nope. Google 2-Factor can use the authenticator app installed on your phone and independent of the phone number.
        • by tlhIngan ( 30335 )

          probably australian governent buys the sms sending with a shitty deal with either expensive or nonfunctional internationl sms's - and just expensive for them for domestic.

          they probably bought it from telstra or some other shit company for ten cents a piece or something and thought they were getting a great deal because they had not checked the market in 15 years...

          No, likely it's that the user forgets to update his account with a new phone number.

          I mean, if you're traveling and you're using a local SIM, it

        • fyi, google two factor authentication uses sms...

          Google two-factor uses any and all of:

          1. Security key (any FIDO U2F-compliant device will work). This is a small device that plugs into a USB port. Some of them also have NFC capability so you can use them on your phone by tapping the key against the back of your phone. If you have multiple Google accounts you can use the same security key for all of them.
          2. Google Authenticator app, or compatible (it's an open standard). The app also supports multiple accounts, and does both time-based and counter-based

      • I went overseas and google locked me out because it thought someone else was using my account (because no-one ever travels right?). And because I was travelling, I disable roaming to avoid exorbitant fees and buy a sim in the country I'm in (which a lot of people do) so can't verify my account.
        So Google's method involves locking everyone out who travels. You can keep that.
        • "I went overseas and google locked me out because it thought someone else was using my account (because no-one ever travels right?)."

          No need to travel, I get locked out regularly when I check my mail on with my VPN active.

        • I bet you were not using 2 factor authentication. Lock out only happens to users using only password.

      • by AmiMoJo ( 196126 )

        Indeed, the Google authenticator app actually implements a standard that anyone is free to use. I use it with Microsoft services. You can use other apps too, if you don't like the Google one.

      • I'd recommend Authy [authy.com] instead of Google Authenticator. Authy requires you to enter a 4-digit PIN to use it. Anyone who has access to your phone (if it's lost, stolen, or borrowed without a passcode) can use Authenticator. Authy also allows you to sync it with multiple devices on multiple platforms, not just your phone/tablet.
    • That's one possible solution.

      Alternatively do what other multi-factor systems do: create backup options. Don't have the phone/app/dongle? Use the printed out one time codes. Send a code to the associated email address or the backup email address. Set up authentication questions (no free text.) Require a backup phone number to be set up at the same time.

    • by dbIII ( 701233 )
      But that would mean employing more staff instead of the sort of cuts that led to something like this making it out into the wild instead of staying as a brain fart expressed by a political advisor that has never had a different job.
      So it's a fuckup to try to make up for the fuckup of not having enough support staff.
  • So the problem is that people swap their Australian SIMs when they go abroad, and don't get alerts. Okay, well why not just send an email saying "you have an alert, log in to see it out replace your Australian SIM and pay $$$ to get the text message"?

    That's what the lottery in the UK does. You get a message saying you have good news, log in to see it. Then you find out you won £2.37 and it was barely worth the effort.

    • So the problem is that people swap their Australian SIMs when they go abroad, and don't get alerts. Okay, well why not just send an email saying "you have an alert, log in to see it out replace your Australian SIM and pay $$$ to get the text message"?

      That's what the lottery in the UK does. You get a message saying you have good news, log in to see it. Then you find out you won £2.37 and it was barely worth the effort.

      The problem is that carriers gouge people who are traveling abroad if they have the temerity to turn on their phone with the home SIM installed.
      I quote from the text message to my phone when I landed in Canada on a flight from Hong Kong, on my way to the US..
      "AT&T Free Msg:
      Welcome abroad! Please note your current international rates are: data $2.05/MB, talk $1.00/min, text $0.50/msg sent; $1.30/photo or video msg sent. Reply YES to learn how to get lower rates. For questions, or to block data, call +1.2

      • by Lorens ( 597774 )

        Yes over 2 dollars per megabyte. I shit you not.

        Using Sosh (a sub-brand of French Orange, whose client I have been since 1997, even though the monthly price is substantially higher than that of competitor Free), I got two different SMSs when arriving in the US. The voice price was substantially different between the two, but the data price was over USD 13 per megabyte. My fellow travelers use Free, the newest big French mobile phone company. They got an SMS saying that all their voice and data were counted like at home: unlimited with no surcharge, restr

        • > For less that 2 MB using the Sosh price, I could have bought a month with Free just to visit the US. I'm wondering why my carrier still has clients.

          You ARE the client who still keeps them. Why tf are you still with them?

    • Yes, email can be used as a backup; it's not as robust as SMS because the communication channel is independent; that is to use email you use the internet; but SMS arrives thru' the cell-phone network. So if a hacker has complete access to your computer and internet, in 2FA with SMS, he still can't login into your network. But with email, he can login into your mail (gmail say) and grab the code. Of course this is lot better than locking out the service or using only 1 factor; There should be a way a user c
      • by mlts ( 1038732 )

        The main thing 2FA protects against is keyboard loggers and a compromised machine. Even if the password is emailed, it still is a lot more difficult for an attacker to get in. Mainly because hacking someone's E-mail and constantly looking at it is more difficult than just passively retrieving a stream of a user's keyboard output from a keylogger.

        Of course, the ideal is an application on a separate connection that isn't connected in any way to the computer, but even an emailed password is better than nothi

        • [Edit: I meant to say '..he still can't login into your account (not network)']

          Not sure why logging into email account is any harder; once we accept a keyboard logger, he basically sees everything you do on the computer (basically he is looking over your shoulder all the time). And it's very reasonable to expect the hacker had seen and obtained your email login/password [as it's reasonable people use their email account often]. Yes, sure, two independent channels of communication is good - or hard-token
  • by sg_oneill ( 159032 ) on Friday December 25, 2015 @01:32AM (#51181211)

    myGov has to be one of the worst executions of a good idea I've come across. Basicallly its a single sign on portal to other government services that appears to be designed by a committee of very user unfriendly elderly people. You dont get to have a username, you get a user number. The system insists on a *very* strict password, and if you get it wrong three times, your account is locked for the day, even if your on a welfare payment that requires you to log in that day by law. It also asks you to answer various questions ("What is your mothers maiden name" type things, and its anal about input to the point of paranoia. Capitals wrong? One day account lock!). I get that they are worried about security , but how about letting us have a user name we can remember, and setting that auth question to case insensitive!

    • Basicallly its a single sign on portal to other government services that appears to be designed by a committee of very user unfriendly elderly people.

      The problem with public service is that process takes priority over outcomes, and it has to be that way since it is public money at stake.
      You never get greatness with this model, but you hopefully never get Enron style failures either (ie bankrupt government). So you have to take the good with the bad.

      • Very cynical to say it has to be that way. I think it is that way because they appoint ladder climbing bureaucrats to run these things rather than domain experts, and thus they always get rubbish results. But I don't think it has to be this way.

        • I've done work for govt depts and even the smart people are limited on what they can do because of accountability. And the bigger the project, the more accountable you have to be. The other problem is that domain experts don't want to work in an environment like that. If you're the best, you're not going to last long stuck knee deep in bureaucracy
          Govt can't work like Apple or Google.
    • That's ridiculous. So anyone with a small amount of knowledge could write a script to lock out thousands of users by attempting to login but deliberately using the wrong password.
  • New Phone Number (Score:5, Insightful)

    by Anonymous Coward on Friday December 25, 2015 @02:07AM (#51181243)

    If you get a new phone number they have to completely delete your account and you have to link everything again from scratch. Takes a couple of months. Well designed portal...

    • Yup. The rules that govern myGov are rubbish, and if you make a mistake, it is unrecoverable, and you have to start again.

  • by Anonymous Coward

    ... called for citizens to turn off two-factor authentication ...

    Every-time I log-in, I get a nag screen demanding I turn two-factor authentication on; every time. This is precisely the reason I won't: no phone, no access.

  • I would love to. (Score:4, Informative)

    by thegarbz ( 1787294 ) on Friday December 25, 2015 @04:28AM (#51181421)

    But in order to turn it off I need to log in. I can't log in because I'm living abroad without my Australian number. I can't change the system to use my new number because I can't log in.

    I hope implement a sensible workaround before tax time.

  • "The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA)" .. so as they can more easily spy on you.
    • by Opportunist ( 166417 ) on Friday December 25, 2015 @05:21AM (#51181491)

      That doesn't even begin to make sense.

      How would that enable the Aussie feds to spy on you any better? We're talking about a government page for crying out loud, if they want to spy on you, they already own one end of the communication.

      Look, I'm usually not the one defending governments when it comes to sniffing in things they have no business in, but this is ridiculous.

      • I would go one step further. Spy ON WHAT?

        The portal is an access for citizens TO the government, not the other way around. Not only do they already own one end of the communication they actually already own all the content too.

  • by Anonymous Coward

    I'm an Australian with a MyGov account, and I refuse to give them my phone number. Every time I log in it asks for one, and tells me how much more secure I would be if I used 2FA. You can decline each time, but there's no way to tell the system "no, not now, not ever, don't ask me again". I even sent feedback to the webmaster asking how I could tell it that I DO NOT HAVE A MOBILE PHONE so it will stop asking me, and got no response.

    And now they're urging people to turn it off!
    Bizarre.
    (I always knew that the

    • You don't have a phone, but you have an Internet connection and are geek enough to access slash dot? Lol.

  • 2-factor auth by mobile phone (or tablet) is fucking cretinous. mobile phones aren't in the least bit secure, they're even worse than Microsoft Windows - and that includes both Android and Apple.

    Anyone who trusts their phone for anything where security is important - like banking, or as a credit card substitute or other payment system, or even just to login to a web site - is a fucking moron.

    they are inherently compromised by spyware and malware - even if you're extremely careful about the apps you install

    • by Nemyst ( 1383049 )
      It seems you have absolutely no understanding of 2 factor authentication then. The entire point of 2FA is that neither the phone nor the password are sufficient on their own to login. Compromising the phone gives you fuck all, a string of numbers that do not give you any information about the account. Getting the password means you still can't login without also compromising the phone that matches with that account.

      Is it perfect? No. Web security is inherently imperfect. Is it better than not having 2FA?
      • by cas2000 ( 148703 )

        it's you who doesn't understand - if the 2nd factor (e.g. the thing you have rather than the thing you know) is inherently compromised and insecure then it's worse than useless.

        and no, you have to be a fucking moron to trust something inherently untrustworthy like a mobile phone for 2FA.

        this is doubly true if you are stupid enough to also use a browser on your phone to perform the login - actual compromise is more difficult without that, but locking someone out of their account is trivial with phone-based

        • Well, if the 2nd factor is on a different device then you just significantly raised the stakes of anyone wanting to compromise you.

  • ... just not check in with your government websites while on holiday.

  • From the article: "The reasoning behind myGov's suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won't be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle." Why aren't they using a Yubikey or an authenticator app, such as Google Authenticator, Authy or one of the many others that are available? If the argument is that "SIM dependent" authentication is more secure that
  • .. .AU people must have in their government.

    Or maybe it means that the .AU government know that their security is fatally flawed, and this message comes from the thieves.

One good suit is worth a thousand resumes.

Working...