History of multi-factor authentication

This may look a bit strange, but I could not find any reference online regarding the first multi-factor authentication in history. I know FFIEC has published a requirement for ebanking systems in 2005, but could not find what systems existed at that time or before that. RFC for HOTP (which is now a de-facto standard for 2FA) is dated 2005. As of right now, the oldest two-factor system I can find is mOTP, its news section has dates in 2003. Does anyone have more reliable info on this? Thanks in advance...

two factor authentication - Google Authenticator

I have a question about Google Authenticator or the general point of two-factor authentication. I have a website where a user can log in with username + password. So when I add TFA, all users get an individual secret key to generate a QR code, but when a hacker already knows the username + password, all he has to do is scan the QR code and enter the 6 digits. So what is the point of TFA?...

Apple developer Enroll with Two-Factor Authentication

This week I tried to enroll in the Apple developer program. Without that I can't publish an app to the store. When I entered the Enroll program (https://developer.apple.com/programs/enroll), it asked me to turn on two-factor authentication. I did that, inserted my phone number, and now every time I log in I have to insert my password and the 4-digit code sent to the phone. After I entered the Enroll program again, a disclaimer appeared again to set up two-factor authentication. Anyone with the same problem?...

Adding two factor authentication on to COTS?

I know, in general, what two factor authentication (2FA) is and how it works. I also know it's coded into the application that needs access. What I'm wondering is: has anyone ever come across or devised a method of using 2FA for a COTS (commercial, off-the-shelf) program? Here's a scenario: I've got product X, and to work, X needs a port on a firewall to be open so that it can access a server inside the firewall. X does not have 2FA. But I want to put 2FA into effect so that only after the authentication is deemed valid by the 2FA process,...

one time password - Two Factor Authentication (2FA) Detect Timestep from TOTP Token/Passcode

Is it possible to detect the timestep length of a TOTP token/passcode (e.g. 30 seconds vs 60 seconds) when validating that token against the secret key? In other words, is the step time programmed into the token? I'm trying to validate a TOTP token using speakeasy but my tokens have 60 second time steps vs the default 30 second time steps that the validator expects. So the tokens don't validate unless I specify that the time step is 60 seconds. When turning this into a REST API would I need to require the timestep of the token in question as p...

Is there a way to enable Two-factor authentication for my apple id without any physical device?

Apple has stopped publishing my apps in the App Store, because my Apple ID has to be enabled with "Two-factor authentication" first. Now I have no Mac nor any iOS phone / tablet anymore. How can I enable "Two-factor authentication" without being bound to any physical device? I can still manage the disabled apps in "Apple Store Connect", but I am forced to enable "Two-factor authentication"....

two factor authentication - App for setting up 2FA for the same account on different mobile phones?

At work I manage several online accounts together with my colleague. 2FA set up on a mobile is useful as security but causes issues for us because we cannot access the same accounts without 'helping' each other with a code - we work in different cities. Is there an app that would allow installing the Google 2FA on both our mobiles for the same accounts? Is that even technically possible?...

two factor authentication - How to backup 2FA Google Authenticator

I'm using Google Authenticator for 2FA (2-factor-authentication) on several sites. Now what if I lose my iPhone? Then they're gone. Is there a safe way to back up 2FA? I read about Authy but it seems to me you lose the point of 2FA when you use it? + what if it's hacked? Another option I thought about was to disable 2FA, and reenable it. Take a real picture of the QR code and scan it afterwards to reenable. But I'm not sure if that way will work?...

two factor authentication - U2F Application ID (Facet ID) for a web site

The U2F dev guide leaves this part unspecified: will a single-facet AppId without the www prefix work for a visitor who accesses the site with the www-prefix? Will browsers consider them a match? If not, I believe there are two alternatives for U2F deployments, neither very pleasant IMO - I explain below why so: Redirect all web users from www.example.com to example.com then use "example.com" facet. Provide a JSON resource which describes at least two facets: www.example.com, example.com. Now, I said that having to deal with the "www." explicitly is...