
Taking this off list.
On 2024-01-15 18:15, o1bigtenor via talk wrote:
On Mon, Jan 15, 2024 at 2:46 PM Alvin Starr via talk <talk@gtalug.org> wrote:
On 2024-01-15 13:53, o1bigtenor via talk wrote:
[snip]
FWIW, much of my most important supplemental authentication -- including a number of government accounts -- is done through an authenticator app which does not rely on SMS.
Well some authenticator apps may only run on phones but not all of them. A number have standalone workstation versions.
Had not heard of such to date - - - thank you.
Google Authenticator has a Chrome extension you can use. I use a package called Authy that has a desktop version. It may not be the most secure because it communicates new authentication keys with the other Authy clients you have installed.
So there is no need for a cell phone at all.
Of course if you have lost control of your workstation or your phone then your authenticator app is compromised.
Of course!
Hmmmmmm - - - you're still using a stupid phone - - - - - let's say your stupid phone service died and you would not be able to replace said service for 60 days - - - what would you do then?
Use your workstation.
It doesn't seem like you're getting the extent of the issue - - - you're offering solutions that just don't work if one doesn't have access to cellphone service.
The solutions work but it may require a slight compromise on your end.
Compromise being?
I have clients who use MS and I hate MS products and services. But I use them because it just makes my life a lot easier than constantly trying to explain why I will not use the shit office stuff. Authy's Linux client comes as a Snap and I hate Snaps and Flatpaks but it works so I put up with it. It's either that or build my own version from their sources.
I have one - - - use it when I go into town - - - - otherwise - - - imo - - - - it's a stupidly expensive (and quite useless here) communication device - - - - and not much else.
Where do you live that the service is so bad?
In rural Canada (more accurately in rural Manitoba) - - - that this is surprising is actually quite astounding to me. Service is this bad in significant amounts of rural Canada. So bad in fact that emergency responders (flooding/forest fires) have refused to assist in certain areas. "The safety of their personnel would be compromised was the response." Not much concern for those living there. Lived in one area where you had to drive some 30 odd km to get to the closest point where you just might get a cell phone signal - - - that's when it's really bad. Here I could walk north of the yard a couple hundred meters and I would get a poor signal - - - still tough to use with my desktop - - - yes?
I had no obviously easy way to know where you're posting from. I guess the thing is that you're posting to a Greater Toronto Area LUG from away. There is no reason why you should not do that, it's just the assumption that you're likely local. I know a lot of people on this list and they are all pretty well local but for one guy in Africa.
We have a cottage and I like to work from there but it is in rural Ontario and I could provide you with days of complaints about the quality of service and how I dislike Bell. Because the area where we are is gently rolling hills we have 0 cell phone coverage in the bowl that our lake sits in. There is DSL but the link speeds can be measured in bits/second. Last year I got Starlink and cut my Bell connections but for the party line that we keep just for emergencies. Starlink works very well but is not cheap ($160/month) but now I can work from the cottage.
P.S. I looked at the PDFs you sent and I get where the person is coming from and they are suggesting that they use RSA SecurID hardware keys. The trouble is that you would have a hard time to get customers to buy hardware keys for a few hundred dollars apiece. Secure keys work for enterprises who are investing thousands of dollars in an employee but not so much for the guy who wants to have an Outlook email account. And even at that the RSA keys have been hacked.
The phone hacks mentioned are real but for someone to steal your phone service or set up a bogus cell tower next to you. It can be done but is fairly low risk. You have to keep the relative risks and benefits in mind when you are doing these things. If you want complete security then turn your computer off because there are demonstrations of people getting the crypto keys by monitoring the power LEDs or power supplies' AC usage. People have done demonstrations of reading a screen from the EM that it emits and others have gone so far as to use telescopes to read the screen from your eye reflections.
--
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||