back to article Australian government urges holidaymakers to kill two-factor auth

The Australian government is urging its citizens to turn off two-factor authentication while abroad. The official Twitter account for myGov – a portal for accessing government services online – told Aussies this week: "Going overseas this summer? If you're registered for myGov security codes make sure you turn them off before …

  1. Anonymous Coward
    Anonymous Coward

    Is it 1st April already?

    1. Adam 1

      No. Anyone who has had the, er, pleasure of using the my gov website would not be in the least part surprised. I am fortunate to have only rarely required to sign into that portal of hate, but my last memory of it was having to find a password simple enough for it. Then once it was happy with the credentials it basically pushed you back to the service it was supposed to be streamlining.

      1. frank ly

        @Adam1

        "...portal of hate ..."

        I first read that as '... portal of late' , which makes sense. I'm sure your choice of word makes sense too :)

  2. Anonymous Coward
    Anonymous Coward

    Arrh an old friend

    My My Gov account is fatally broken. Despite changing all my details, it still texts my old work phone and this cannot be changed or stopped apparently.

    My My Gov isn't mine anymore :-(

    1. Anonymous Coward
      Anonymous Coward

      Re: Arrh an old friend

      Surely that's not legal? I'd assume the law there would be similar in that the information they hold has to be accurate, if you're changing it and the system doesn't update to reflect this within a reasonable time frame then I'd be looking to file a complaint.

      If it happened in the UK the ICO would be the first port of call.

    2. Captain Scarlet
      Holmes

      Re: Arrh an old friend

      So basically this is to reduce the cost of having to text a mobile device whilst you are out of the country.

      1. Soruk

        Re: Arrh an old friend

        If that's really what they were thinking, they are missing the point in that it costs the same to text (or call) a mobile irrespective of whether or not it is roaming. The only difference is the owner of the phone may be liable to incoming call or text charges when roaming.

  3. Roq D. Kasba

    2FA is so poorly supported

    Not just here, but even PayPal actually told me to turn off 2FA if I wanted to pay for anything from my phone. We need a big old cultural shift to make it the norm, and widely supported, even if it means by federation.

    Much like we should eliminate the term 'password' and encourage 'passphrase' in its place. It's up to us to help the non-savvy towards better solutions...

    1. elDog

      Re: 2FA is so poorly supported

      I believe there is a free service offered by 5eyes.gov which will securely connect you to your cloudy services needing only a simple 1 or 2 character hack.

      It's ok if you forget your hack, they'll remind you of what it is - on your primary device in plain text. No need to have another two-factor device available. They trust you!

      Seriously, anyone else believe that this is just another way for injections to be made? Trust your carrier much? Probably the same one doing all your ins-and-outs and also sleeping with the other boys.

    2. Killing Time

      Re: 2FA is so poorly supported

      I understood PayPal to be member of the FIDO alliance so why they should object to your 2FA is strange. Been using 2FA on my cloud account for a year or so now and no problems, admittedly though, generally via trusted devices.

    3. Anonymous Coward
      Anonymous Coward

      Re: 2FA is so poorly supported

      I guess you have to use a service designed and operated in a technically competent country by people with a clue.

      I sometimes pay my bills for my summer house in Bulgaria using epay.bg - a local equivalent of paypal (nearly as old as it too). The service over the years has integrated everything - phone bills and pay as you go topups, utilities, taxes, people to people and even paying for tickets with the local airline.

      It uses phone based 2 factor auth and it is flawless. So is the mobile version of the website so you can pay from a mobile using 2 factor same as from a PC.

      Rather unsurprisingly it is still holding its ground against PayPal which has totally failed to gain market share locally and against various competing services regularly launched by banks.

      I am not surprised PayPal is flaky. Originally it was also tech driven, but it has long degenerated into a Bank/Credit card processor which goes along with the accompanying rot.

    4. NikNakk

      Re: 2FA is so poorly supported

      PayPal make it difficult, but it is possible to use 2FA on mobile.

      Firstly, you have to use device-based 2FA rather than SMS. You can get a physical key, but I use the VIP Access mobile app on iOS. There are details (with slightly out-of-date screenshots) at https://www.paypal-community.com/t5/Tips-from-Moderators/PayPal-Security-Key/td-p/433633 .

      Then, when using it on mobile, you have to enter your password and then the 6 digit code from the device or app **appended** onto the end of the password.

      So if your password was 'fasd91"kfasP' and the 6 digit code was '913763' you'd type 'fasd91"kfasP913763' as your password.

      1. Phil Kingston

        Re: 2FA is so poorly supported

        You can use SMS for PayPal 2FA.

        But, IIRC, only long as you don't also want to do anything crazy like make an eBay/PayPal purchase on your phone. SMSes from them take way too long to come through. Meaning you have to view PayPal's desktop site on your mobile browser to deactivate 2FA, make your purchase, then reactivate 2FA.

        I raised it as an issue with PayPal through various channels. Their universal response was along the lines of "yeah, we know it's rubbish, but what can you do, eh?".

        I closed my account.

      2. Roq D. Kasba

        Re: 2FA is so poorly supported

        PayPal 2FA on mobile - yes, you *can* get a device from them, perhaps, maybe - but they push you towards using SMS to a trusted number for the second factor. Great! Get a code sent to the very cellphone you're trying to use to pay for something - what could be simpler?

        Except the mobile interface will not give a link to the 'send key via sms' functionality. And the server refuses to honour 'please let me use the desktop version of the site instead of this ancient pile of crap you call a mobile interface, you bunch of twunts' browser functionality.

        So they refuse to send an SMS to the very device you are trying to use to use their site. Utter shit. Very lazy.

    5. Wzrd1 Silver badge

      Re: 2FA is so poorly supported

      Why, there is nothing any more or less wrong with turning 2FA off than leaving your front door of your home open, so that you don't have to search for your keys when you get home.

      Why, you'll get free housecleaning as well!

      As for passphrase, most of the public wouldn't have a clue. Indeed, how many use either "PassWord123" or "LetMeIn123"?

    6. Mark Simon

      Re: 2FA is so poorly supported

      “passcode” would be even better to encourage non-apha characters. Hmm, I think I’ll start using that myself.

  4. Anonymous Coward
    Windows

    "the advice was produced as a matter of policy"

    Idiocy, more likely. "Hey, when you go overseas and connect back to your essential services at home through unfamiliar networks, go ahead and turn off this important security feature! After all, what's the worst that could happen?"

    (Coincidentally, icon of man reduced to begging represents the worst that could happen.)

  5. ma1010
    Joke

    REALLY?

    Wow, imagine THAT! A government doing the exact opposite of what it should.

    Never happen here in the good ol' US of A.

    Right? I said RIGHT? (Cue crickets.)

    1. Anonymous Coward
      Joke

      Re: REALLY?

      In the USA, soon "two factor authentication" will simply means that both you and the NSA can authenticate to any of your accounts...

  6. Someone Else Silver badge
    Coat

    This comes from the Australian **government**?!?

    Ahh, well, that explains it, then....

  7. This post has been deleted by its author

  8. Old Handle
    Meh

    Seems logical to me. If you're going to be unable to receive texts for a while (and still plan to use the website) of course you have to turn 2FA off. The only thing I can think of that they should do better is provide a feature to disable it for preset length of time so people don't forget to turn it back on when they return.

    1. Phil Kingston

      There's usually some "backup" questions or codes that can be used for sites that provide 2FA.

      To be honest, I can't imagine the number of folks who, at any given moment, think "a-ha, I really must log in to MyGov but I'm abroad with no mobile signal and yet still have internet access" is more than 4.

      I'd suggest the inconvenience to the miniscule number of people to whom not being able to access MyGov in the normal way whilst on their jollies is massively outweighed by the effort expended by whichever teams in MyGov thought publicizing such nonsense was a good idea whilst high-fiving around the office. They must be *really* short of work (and brain cells).

      1. relmasian

        Backup questions in the same channel can be almost as good as two factor using a second channel (e.g. cell phone), especially if the site you are accessing pretends the correct password you first enter is bad and if there are several backup questions the site can randomly pick. Moreover, the site can even pretend a bad password is good while providing garbage information. Normal users just have to be informed they might have to log in again if they get garbage. The underlying idea of both tactics above is to make a hacked entry hard to repeat and to make hacked information untrustworthy.

  9. Anonymous Coward
    Anonymous Coward

    Blimey

    Fuck me: Aus really is weirder than I thought (not really - it's odder than that).

    Here in Blighty we are generally discouraged from using anything naughtier than ROT13 (not really) but down there you are being encouraged to disable 2F because ROAMING FEES. What kind of pencil pushing knob end came up with that gem? Damn: mentioned in the article.

    I suggest you don't (step down your protection) and accept that a SMS might be pricey but worth it.

    1. LaeMing

      Re: Blimey

      I imagine if you can afford to holiday off-shore, you can afford a couple of international SMSes.

      1. Dan 55 Silver badge

        Re: Blimey

        Do Oz carriers charge for incoming SMSs or incoming SMSs while abroad? If they do, do they charge more than the average amount you lose with identity theft?

      2. P. Lee

        Re: Blimey

        >I imagine if you can afford to holiday off-shore, you can afford a couple of international SMSes.

        That isn't the point. Most people swap out their sim cards for a local one so they don't receive anything at all. I had a similar issue in Europe with Australian banking codes sent by phone. I had no roaming and couldn't do anything.

        Upshot: perhaps using a particular SIM for 2FA is the wrong way to do it. I have an electronic doodad from NatWest which does challange-response type stuff for the bank when used with a card. I wonder if these could be made generically so you can use them for all banking, government (with an issued card) etc.

        1. Trixr

          Re: Blimey

          I travel all the time, and use local SIMs, and if have a single SIM phone and I'm expecting something from home - or I feel a compelling need to logon to My Gov (hah) or other services using 2FA - I can spend the 2 minutes putting in my home SIM and waiting for the text.

          In reality, because I do travel so much, I have a dual SIM phone. Problem solved.

          It's not rocket science, and I can't believe this money was spent - cute illustrations aren't free - on something that is bad advice, hardly a common use-case, and one that can be worked-around easily.

  10. Number6

    Sounds like the Aussies need a bit of two-finger auth to express their opinion to the Oz government.

  11. Winkypop Silver badge
    Unhappy

    MyGov account

    Cruel and unusual punishment.

  12. Anonymous Coward
    Anonymous Coward

    Can't be arsed with security?

    Heck, just turn it off.

  13. DanielR

    If Mygov is one massive outsourced security hole full of sql injection exploits I wouldn't expect anything less.

  14. Phil Kingston

    I thought I'd send MyGov some feedback that their advice is rubbish.

    Sadly, their online feedback page heads off to a CentreLink feedback page. Which kind of says it all really.

    Even if I sent them something, the chances of CentreLink actually understanding anything are quite slim.

    Edit: I sent them something anyway. I *really* shouldn't have been surprised at the response:

    "Service not available.

    This service is temporarily unavailable. Please try again later."

    Sums up MyGov really.

  15. xybyrgy

    Paper auth

    Facebook offers paper auths when a phone is not available. Print them out ahead of time, carry along, easy as pie...

  16. russsh

    It's HOLIDAY season

    To you - put those tax files down NOW!

    To the govt - stop sending useless messages to taxpayers on days of rest.

    1. AmenFromMars

      Re: It's HOLIDAY season

      No it's not, it's (nearly) Christmas.

  17. James Ashton

    Bean Counting?

    Could this be some kind of attack of the bean counters? Maybe their SMS gateway costs them more to send messages overseas. Also, they (and other sites that do 2FA via SMS) seem to have some kind of priority deal since the SMSes always arrive very promptly. I wouldn't be surprised if message validity expires before they are delivered overseas in some cases. Still, it's a stupid move to rate convenience over security.

    1. allthecoolshortnamesweretaken
      Pint

      Re: Bean Counting?

      Upvote for the "Attack of the Bean Counters" and the mental (yes, that's a perfectly cromulent word) images it triggered.

      1. Roadcrew
        Happy

        Re: Bean Counting?

        Beans, beans, food for the heart, the more you eat the more you....

  18. Jason Hindle

    Two points to bear in mind....

    Firstly, the risk of not getting the SMS is real. I've been there and done that. I couldn't access free WiFi, in a Mall in Oman, because a text message never arrived. It happened to a South African colleague who couldn't access his bank account, while a long way from South Africa. He nearly ended up having to go home, just to pay his daughter's university fees.

    Second.... Don't Google usefully allow you to generate a set of numbers, in advance, before you travel? Surely this is the best approach. A simple set of handwritten numbers, stored separately (on a separate person, if travelling with friends/colleagues/family).

    1. Phil Kingston

      Re: Two points to bear in mind....

      I'm gonna say that not being able to receive an SMS whilst shopping in a foreign country isn't as important as stopping someone else raiding my MyGov account.

      And your colleague didn't nearly end up going home to pay his daughter's university fees. He could have rung the bank and sorted something out. Or, failing that, rung the university and explained the situation.

      1. Jason Hindle

        Re: Two points to bear in mind....

        It was fun watching my colleague on the phone, pleading with his bank. Then I watched him to the same, with the university. They were having none of it. When it comes to banking, and fraud prevention, Africa might as well be another planet (and you might as well call it Planet Kafka). To put things into perspective, it was easier for my colleague to escalate to Vodacom South Africa's core network. Anyone who works in the telecoms business will tell you that should be hard.

        Now, the shopping mall. I needed internet access. It was either free access, or pay EE £60 for another bundle of 50 Megabytes. I ended up paying EE.

        1. Martin
          WTF?

          Re: Two points to bear in mind....

          Well, I guess the fact you paid EE £60 indicates you needed internet access in a shopping mall, but I'm still at a loss to understand what could be so important on the internet when you were shopping that it couldn't wait till later.

          1. Jason Hindle

            Re: Two points to bear in mind....

            "Well, I guess the fact you paid EE £60 indicates you needed internet access in a shopping mall, but I'm still at a loss to understand what could be so important on the internet when you were shopping that it couldn't wait till later."

            I'm at a loss as to why bother to reply based on incomplete information. Obviously, there's a lot I left out due to it being off point and off topic. That I needed internet access, at a give point in time and space, is a fact. Why I needed it is none of your bloody business.

  19. BurnT'offering

    Have they been listening to advice from ...

    ... the UK Gov's Digital Service?

  20. WatAWorld

    What the Aus gov't is saying sometimes makes total sense

    What the Aus gov't is saying sometimes makes total sense.

    There are huge tracts of Canada and ocean where there is no cell service, period.

    I expect there are also huge tracts of Australia where there is absolutely no cell service.

    What they should have said is something like:

    1. Do you use your cell phone as part of two factor identification for logon to ....

    2. Will your vacation take you to an area out of cell range?

    3. Will you possible want to access .... on your vacation?

    4. If the answers to 1, 2 and 3 are all 'yes', then be certain to disable two factor authentication before you leave.

    Also, even if you can get cell phone service, if you changed your SIM card to a local one you're not going to be able to get your two factor ID codes.

    But if your two factor ID relies on something like a Yubi key none of these concerns exist.

  21. Joeman

    On Holiday FFS!

    Who does government tax return stuff on holiday anyway??

    I'd rather pay a fine when i got back than interrupt my drinking time with boring accounts!!!

  22. OffBeatMammal

    Why rely on an SMS when there are well established rolling code, time based authentication solutions available?

  23. Anonymous Coward
    Anonymous Coward

    How mucg security does 2FA via SMS / Text message add anyway?

    Frankly, if the 2FA is via SMS, it does not add much protection anyway. At least, research suggests that Google (and Apple) have pretty much killed 2FA via SMS. Google "bandroid vulnerability" for a detailed explanation. The researchers are presenting a paper on this at the Financial Crypto conference in February.

    Snippet from the webpage:

    "In broad strokes, the scenario is as follows. If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user's Android devices, and activate it - allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen). For short, we refer to the vulnerability as the BAndroid (Browser-to-Android) vulnerability and to attacks that abuse it as BAndroid attacks."

    In other words: own the browser and you can push (and activate) an SMS stealing app to the phone. Back to 1FA.

    1. Phil Kingston

      Re: How mucg security does 2FA via SMS / Text message add anyway?

      Whilst not perfect, some 2FA is better than no 2FA.

      The example vulnerability you mentions is interesting, but I'd still rather have 2FA than not. And hope any bad guy targets lower-hanging fruit.

  24. Mark Quesnell

    Of course it was on purpose. If the government (not just Australia either) can convince it's citizens that security and privacy needs to be forfeited in the name of convenience then they may be able to get them to use a lower level of such security and expect less privacy. Of course that makes them more vulnerable to the bad guys - but the point as far as the government is concerned is that it makes it easier for them to access your information with less complaining on your part. It's just another take on the governments mantra that personal security and privacy needs to be sacrificed on the alter of government surveillance.

  25. David Roberts

    Full use case?

    Nobody seems to have worked this through fully.

    (1) Abroad and want to use email, web, Google Maps on my mobile device. Also wish to make in country phone calls. Also need to be able to access bank/credit card site at home. So buy local SIM with reasonable data allowance.

    (2) Need to access site using 2FA.

    So I am connecting over a data connection using my in-country SIM. Is the suggestion that when asked for 2FA I quit the browser session, power down my phone, change SIM, power up the phone, wait for roaming to register, wait for the SMS to arrive, note the one time code, power down the phone, change SIM, power up the phone, navigate back to the login screen (will it even accept a previous 2FA code when you have quit the session ) and then submit the 2FA code all within the limited time window the code is valid?

    Or am I expected to undertake any security based action using my native SIM and paying roaming data charges (assuming roaming data is included in my package and supported in the foreign country)? Not quite the same as "the cost of a couple of SMS messages".

    Of course, in the right country and with the right carrier in your home country {cough} 3 UK {cough} you roaming agreement includes bundled voice, data and SMS back to the home country so you can connect to your web site and use 2FA just as you would at home. However calls/texts to people in your holiday location can be a lot more expensive.

    You can work around the scenario with two devices, one local and one roaming, or use local WiFi (assuming you can establish a secure VPN back to home base before you start establishing "secure" HTTPS sessions through a 3rd party gateway) but this isn't quite as simple as some posters seem to think.

    So 2FA is often a good thing (not just an excuse from Google to harvest another phone number) but more work needs to be done to make it secure and reliable and above all easy when you are away from home. Make it hard and people won't use it.

    1. Phil Kingston

      Re: Full use case?

      Your points are valid.

      But still, exactly how many people when travelling abroad who don't have the registered SIM on a reliable network suddenly feel the need to check their MyGov account? I'll bet it's not many,

      And for those very few people, they can still access the site by following the instructions to contact the helpdesk and presumably perform some sort of verification. Although, in a further example of how badly thought out the whole thing is, the helpdesk number is only given in local Australian format - no international number.

      The whole set-up is clearly not run by anyone with common sense. And gives me great concern for how they're actually handling what is extremely important data.

      1. David Roberts

        Re: Full use case?

        @Phil

        I was really replying to the broader discussion, for example where someone wanted to transfer money to pay University fees. The comments seemed to be pushing the view that somehow it was this poor guy 's problem that he couldn't use his bank without 2FA. My point being that 2FA isn't always practical when you are abroad.

        I assume some (at least) of the dismissive comments were from people who rarely if ever travel outside their home country for more than a couple of weeks a year.

  26. Spotswood

    Support Reduction

    My take: overseas SMS's may not always be delivered and this would generate an influx of support queries during a time when only skeleton staff are on deck. Turning the 2FA off would result in more people successfully logging in and therefore generate less support calls.

  27. robshmob

    Here's some advice: NEVER USE SMS BASED 2FA. It is weak by design and adds very little security (SMS is terrible, and people often leave message codes popping up on the lock screen, so all someone needs is access to your phone) and can actually lead you into trouble overseas.

    I've been travelling two years now and I change SIMs every month or two - I WISH I could find a bank that didn't require SMS codes all the time, I find myself having to ring up the bank via skype, waiting on a call center for an hour, and changing my number to wherever I am just to log in.

    SIMs are a terrible method. Systems like Authy are much better, but no banks or govts seems to use them.

    Pass phrases would be great, but most banks still use PIN numbers and 8-character alphanumeric passwords.

    We are living in a society where the digital properties that need the MOST security are governed by the least educated.

    But in this case, I agree with the PSA, and think the authors mockery just makes himself look foolish.

  28. -tim
    Big Brother

    If you think their 2FA policy is bad, look at the health records

    Take a look at the eHealth record system which is part of the MyGov system. Someone should mention to that predictable Cookie hijacking of login details is so 1990s so why don't they fix that but using someone else's 2FA sure is convenient.

    The terms of service describe a " System Operator" which seems to be doublespeak for "a big brother contractor" . The system is no longer opt-in and the "System Operator" keeps all the info they have collected even after you opt-out so it might be best to sign up and then opt-out before they siphon any personal data.

  29. Mark Simon

    They have no idea about security.

    These are the same morons who implemented a Java-based “AusKey” security that took weeks to apply for and failed every time there was a Java update. Java plus 1FA. What could possibly go wrong?

  30. bep

    actually

    The advice is correct and the article is poor. MyGov is a nightmare to deal with but that's beside the point. When 2f is turned off you are asked security questions instead; you don't just log straight in. I wonder how many of the commenters have travelled outside Europe. Did everyone get their 'Happy New Year' SMSs? What, still arriving? Here's a scenario for you; you've just been robbed in a foreign country and they got your passport, wallet and MOBILE PHONE with your home SIM in it. How does 2f work for you now?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like