Slashdot Mirror


Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com)

An anonymous reader writes with this news from Ars Technica: The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA) at its main digital government portal, myGov. The portal's Twitter account has recently been updated several times with cute pictures encouraging holidaymakers to "turn off your myGov security codes" so that "you can spend more time doing the important things."

The portal is the place where Australian citizens can use and manage a number of governmental services, including health insurance, tax payments, and child support. In case of myGov, two-factor authentication is implemented by sending users text messages that contain one-time codes to complement their usual passwords.


  1. Begs the question by liqu1d · · Score: 2, Interesting

    Was it hacked or has someone been drinking too much fosters?

    1. Re: Begs the question by Anonymous Coward · · Score: 2, Interesting

      The Australian government is just plain stupid (and undemocratic, too).

    2. Re:Begs the question by Anonymous Coward · · Score: 2, Interesting

      Was it hacked or has someone been drinking too much fosters?

      Nobody here drinks fosters. Stop perpetuating this tired meme.

    3. Re: Begs the question by mbadolato · · Score: 4, Funny

      Ozzies don't drink Foster's. That stuff is 'roo piss.

      "Foster's. It's Australian for 'Pabst Blue Ribbon'."

  2. You can trust us... by fredgiblet · · Score: 4, Funny

    ...we're the government!

  3. the reason why by Gravis Zero · · Score: 4, Insightful

    The reasoning behind myGov's suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won't be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle.

    It seems to me this is probably the result of many support calls/emails because people don't realize that when they switch their card, they can't authenticate. Perhaps instead of turning off two-factor authentication in the situation when it's needed most, they should add a "vacation mode" that lets you temporarily pick a new destination for the text messages.

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:the reason why by The MAZZTer · · Score: 3, Insightful

      Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.

    2. Re:the reason why by gl4ss · · Score: 2

      smartcard readers or wtf?

      fyi, google two factor authentication uses sms...

      Probably the Australian government buys the SMS sending with a shitty deal that is either expensive or non-functional for international SMSs, and just expensive for them domestically.

      They probably bought it from Telstra or some other shit company for ten cents a piece or something and thought they were getting a great deal because they had not checked the market in 15 years...

      --
      world was created 5 seconds before this post as it is.

    3. Re:the reason why by Ja'Achan · · Score: 2

      Time-based one time password. For example, see FreeOTP (sponsored / published by Red Hat, compatible with the Google Authenticator)

    4. Re:the reason why by Rhyas · · Score: 3, Informative

      No you can't.

      Wrong. You absolutely can use pre-generated keys for google's authentication services. They call them backup codes.

      Authenticator runs on a phone or tablet. Without internet you can't even set it up.

      Wrong again. You can absolutely setup accounts in Google Authenticator (And most other similar apps) without network access. You can even install the app itself without access in many cases, if you want to side-load from a PC or something.

      Without perfect clock sync the codes generated by authenticator stop working.

      Sorta wrong. The clocks don't have to be perfect, they just have to be close. Pretty much every service has the ability to deal with a certain amount of clock skew. Smartphones these days are pretty good at keeping time, even when not connected to the network, so this usually isn't an issue. But this is also dependent on if the service is using TOTP or HOTP. (Time based or Counter based codes)

      The codes generated by authenticator have a very short shelf life, measured in seconds.

      Here you got one right, every code has a 60 second lifespan. (:

      But to the point of the original post (GGGP?) that brought up the authenticator... They should at least have HOTP/TOTP as an option for those with smartphones in this case. They probably can't drop SMS altogether because of the users that *don't* have smart phones, but there's no reason not to support both.

    5. Re:the reason why by Ja'Achan · · Score: 2

      30 second lifespan, but implementations are encouraged to check the previous and next code as well, giving you a 90 second window. Which is more than enough for most smartphones, unless you travel without ever accessing wifi for months.

  4. myGov is a nightmare. by sg_oneill · · Score: 5, Interesting

    myGov has to be one of the worst executions of a good idea I've come across. Basically it's a single sign-on portal to other government services that appears to be designed by a committee of very user-unfriendly elderly people. You don't get to have a username, you get a user number. The system insists on a *very* strict password, and if you get it wrong three times, your account is locked for the day, even if you're on a welfare payment that requires you to log in that day by law. It also asks you to answer various questions ("What is your mother's maiden name" type things), and it's anal about input to the point of paranoia. Capitals wrong? One day account lock! I get that they are worried about security, but how about letting us have a user name we can remember, and setting that auth question to case insensitive!

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.

    1. Re:myGov is a nightmare. by dbIII · · Score: 2

      welfare ... I have an idea how to terminate the horrendous practice of a welfare state

      Wow - keywords really set you off don't they? How do you know one way or another that a "welfare state" applies? You don't seem to understand that Australia is currently run by people with politics either similar or identical to your own.
      Hilarious.

  5. New Phone Number by Anonymous Coward · · Score: 5, Insightful

    If you get a new phone number they have to completely delete your account and you have to link everything again from scratch. Takes a couple of months. Well designed portal...

  6. I would love to. by thegarbz · · Score: 3, Informative

    But in order to turn it off I need to log in. I can't log in because I'm living abroad without my Australian number. I can't change the system to use my new number because I can't log in.

    I hope they implement a sensible workaround before tax time.

  7. I can't get it to stop trying to make me use 2FA by Anonymous Coward · · Score: 2, Interesting

    I'm an Australian with a MyGov account, and I refuse to give them my phone number. Every time I log in it asks for one, and tells me how much more secure I would be if I used 2FA. You can decline each time, but there's no way to tell the system "no, not now, not ever, don't ask me again". I even sent feedback to the webmaster asking how I could tell it that I DO NOT HAVE A MOBILE PHONE so it will stop asking me, and got no response.

    And now they're urging people to turn it off!
    Bizarre.
    (I always knew that the reason they wanted a phone number had nothing to do with protecting my security.)

  8. Re:Australian Gov tells citizens to turn off 2FA by Opportunist · · Score: 3, Insightful

    That doesn't even begin to make sense.

    How would that enable the Aussie feds to spy on you any better? We're talking about a government page for crying out loud, if they want to spy on you, they already own one end of the communication.

    Look, I'm usually not the one defending governments when it comes to sniffing in things they have no business in, but this is ridiculous.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  9. Re: Fosters was prominent in The World's End movie by cyber-vandal · · Score: 3, Informative

    Simon Pegg is English.