
2FA on Outdated Phone?

Hi guys.

 

So, lately I've been trying to update all of my passwords and better secure my various online accounts, and I was looking into using 2FA on my phone, but my phone is old and no longer getting security updates. I don't have the money to upgrade right now, and I was wondering if setting up Two Factor Authentication on it would be a good thing or bad.


The effort to exploit your old phone's vulnerability to compromise 2FA is much higher than exploiting your passwords. So regardless, you'd be safer using it than not.

MacBook Pro 16 i9-9980HK - Radeon Pro 5500m 8GB - 32GB DDR4 - 2TB NVME

iPhone 12 Mini / Sony WH-1000XM4 / Bose Companion 20


3 hours ago, cmm093 said:

Hi guys.

 

So, lately I've been trying to update all of my passwords and better secure my various online accounts, and I was looking into using 2FA on my phone, but my phone is old and no longer getting security updates. I don't have the money to upgrade right now, and I was wondering if setting up Two Factor Authentication on it would be a good thing or bad.

 

It depends. If it's 2FA via text message (which is bad, to be honest), your old phone can receive text messages, and that won't change for the near future. But the SIM-swap attack is directed at that form of 2FA.

 

The kind of 2FA you want is "thing you know + thing you have". So usually "thing you have" is a biometric like a face, finger, voice print, or even another physical key (e.g. one of those keys that display 6-digit numbers). Then the thing you know is an easier-to-remember PIN or passphrase.

 

The app-based 2FA is, at best, "a physical key" in this regard. So the phone manufacturer can also screw you over should they make the app no longer work (such as Apple and Android's forced 64-bit upgrades). Unfortunately a lot of "app"-based 2FA is only as good as the primary authentication mechanism of the device (e.g. FaceID, Touch, PIN), so if you have an app push 2FA, but your phone is just a PIN, pretty much anyone who has the device at the time and knows your PIN can defeat the 2FA request.

 

If I'm being totally honest, we've all f*cked ourselves when 2FA is enabled since companies like Google and Apple want you to use their devices, but store the credentials to everything in the cloud. All it takes is being hospitalized and your family will have no idea what happened to you and if you can pay for it. Let's say you lose the ability to use the biometric/PIN, now you're locked out of everything.

 

To which I'm going to make the obvious suggestion of only turning on 2FA for services that you

a) store/pay money to (bank, PayPal, etc.)

and

b) can make changes to the service that add costs (e.g. Steam, Apple Store, Google Play, and your wireless ISP's store/service plans)

 

If you only pay money to it (e.g. Netflix, Crunchyroll, Disney+, etc.), and you can't make any change to the account from within it, then don't even bother with 2FA, create a password and put it on a sticky note and share it with your parents. 2FA'ing these services is only asking you to get locked out of them and paying for them while being unable to use them.

 

Like PayPal is probably one of those accounts where you could be screwed big time, but same with Amazon, if someone gets into your account. But you also make it incredibly inconvenient and unusable to use if you turn 2FA on.

 

With that said, OTP is probably the preferable mechanism if done via a physical token, and should be reserved for only your most valuable logins, because losing the physical key generator is just as good as losing the account.
