Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com)
An anonymous reader writes with this news from Ars Technica: The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA) at its main digital government portal, myGov. The portal's Twitter account has recently been updated several times with cute pictures encouraging holidaymakers to "turn off your myGov security codes" so that "you can spend more time doing the important things."
The portal is the place where Australian citizens can use and manage a number of governmental services, including health insurance, tax payments, and child support. In case of myGov, two-factor authentication is implemented by sending users text messages that contain one-time codes to complement their usual passwords.
No you can't.
Wrong. You absolutely can use pre-generated keys for Google's authentication services. They call them backup codes.
Authenticator runs on a phone or tablet. Without internet you can't even set it up.
Wrong again. You can absolutely set up accounts in Google Authenticator (and most other similar apps) without network access. You can even install the app itself without access in many cases, if you want to side-load from a PC or something.
Without perfect clock sync the codes generated by authenticator stop working.
Sorta wrong. The clocks don't have to be perfect, they just have to be close. Pretty much every service has the ability to deal with a certain amount of clock skew. Smartphones these days are pretty good at keeping time, even when not connected to the network, so this usually isn't an issue. But this is also dependent on if the service is using TOTP or HOTP. (Time based or Counter based codes)
The codes generated by authenticator have a very short shelf life, measured in seconds.
Here you got one right, every code has a 60 second lifespan. (:
But to the point of the original post (GGGP?) that brought up the authenticator... They should at least have HOTP/TOTP as an option for those with smartphones in this case. They probably can't drop SMS altogether because of the users that *don't* have smart phones, but no reason not to support both.
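The clock-skew tolerance and the TOTP/HOTP distinction discussed in the comment above, as an added example that is not part of the thread and not myGov's or Google's code: a server-side verifier that accepts codes from neighbouring time steps and refuses replays. The function names, the 30-second step (the RFC 6238 default) and the one-step window are assumptions; the secret is the published RFC 4226/6238 test key.

```python
import hashlib
import hmac
import struct

# Test secret from the RFC 4226 / RFC 6238 appendices (sample data, not a real key).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP where the counter is the time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, server_time, step=30, window=1,
                last_step=None, digits=6):
    """Return the matched time step, or None if the code is rejected.

    window    -- steps of client clock skew tolerated on either side
    last_step -- last step already accepted for this user; that step and
                 anything older is refused so a captured code cannot be reused
    """
    current = int(server_time) // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if candidate < 0:
            continue
        if last_step is not None and candidate <= last_step:
            continue
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)                       # client clock reads t=59
    print(code, verify_totp(RFC_SECRET, code, 89))    # server is 30 s ahead
    print(verify_totp(RFC_SECRET, code, 149))         # 90 s ahead: rejected
```

A service would store the returned step as `last_step` for the account after each successful login; widening `window` tolerates more drift at the cost of a longer period in which an intercepted code stays valid.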
But in order to turn it off I need to log in. I can't log in because I'm living abroad without my Australian number. I can't change the system to use my new number because I can't log in.
I hope they implement a sensible workaround before tax time.
Simon Pegg is English.