Steve really put a fright in me with his latest podcast end segment where he basically said your mobile number security hangs by a thin thread of a four-digit PIN. He transferred his mobile number to a new phone with nothing more than this PIN. You can also lose your phone physically, you can accidentally destroy it, or you might lose it in a SIM-swapping attack. Is a mobile phone number sufficiently secure for use for 2FA? Is Google Voice better?
Use an authenticator app on your phone if the web site supports it. Because Google Authenticator has no backup or second device option and doesn't provide any password protection on the app when running, I prefer Authy. I have Authy on my Android phone with a backup vault on my Debian-based laptop. If I lose my phone, even unlocked, no bad guy can access Authy without my four-digit PIN and I have access to Authy on my laptop until I get a new phone. I think this is the best option.
But if your sensitive web site doesn't support Authy or GAuth, you need to use texting or calling to a phone number. What about Google Voice? Google Voice runs on your phone or your laptop via a web browser. Google has strong security and backup codes.
I think it might work if I set up a new Google account on an alternate browser (Chromium instead of my main Firefox browser). I only use Google on this Chromium browser and never log on to my main Google account there. Of course, Google can link this second account to my first account using my mobile number or my IP address or my location derived from their location technology using GPS and Wi-Fi. This is a privacy issue, not a security issue, so long as this account is only used for 2FA.
One thing to take note of is that web sites require "mobile" numbers, not "landline" numbers, but I have found that if you put the landline-based Google Voice number in and identify it as a mobile number, most web sites will send texts to GV for 2FA.
I know there has been a lot of criticism of GV as a 2FA number, and Jason Howell of TWIT famously bricked a Google account, but I think Google security is superior to cellular carrier security and their recovery process is secure and flexible. You don't risk losing your number if you log in to your sensitive sites on a regular basis.
Would you use a virgin Google account with GV as a 2FA number for your sensitive web sites?