Fairphone + Easy 2FA


#1

Hey there,

Let me preface my topic by saying that I write it on the notion that 2FA is an important step forward in day-to-day authentication, be it mobile devices, PCs, and whatnot. I assume the reader is familiar with that material, and agrees with me on the matter. If not, read https://en.wikipedia.org/wiki/2FA and consider that using password-only authentication in public rooms is not feasible, nor is it feasible to have memorable, strong passwords in use for every service. So you’d need an integration such as LastPass or Password Safe. Due to Safe Harbor, I wouldn’t be able to recommend LastPass to non-US citizens. I recommend Password Safe (+ ownCloud). Anyway…

I’ve been following the Fairphone project for a while now and I am interested in it. The phone I currently use also has dual SIM, and this is important for me. It’s a budget phone (brand etc. doesn’t matter), but it isn’t made in a fair manner, and the Fairphone has a few important advantages over my current phone both hardware- and software-wise.

The Fairphone (both versions) specifically lacks NFC, and I wouldn’t care for that normally. However, a recent product I saw changed my mind: Yubikey, more specifically the Neo version: https://www.yubico.com/products/yubikey-hardware/

It would allow one to easily use 2FA with their phone and a password (with integration of LastPass or Password Safe). NFC is the only way to get Yubikey to work with a phone since USB wouldn’t work, and if you don’t have Yubikey on your phone it seriously hinders the speed of 2FA to a slow authentication, i.e. practically useless.

Now of course, I could make a topic where “I demand feature X in Fairphone 2!”, but I know first of all the world doesn’t work like that and second I know in what stage of development you are. So instead, I ask you to consider NFC for Fairphone 3. On top of that, I ask the community if they know an alternative to my idea involving 2FA.


#2

2-factor authentication also works without additional hardware. I use it e.g. for my Dropbox and Google accounts. Have a look at Google Authenticator. There are also alternatives for it.

However, this is only as a second channel when logging in on a computer. Unfortunately I don’t know of a way to use 2-factor authentication on a phone without NFC. There are some banks that send you a text message with a second PIN. However, that seems ridiculously insecure because your phone is still a single point of failure.


#3

It was worded more subtly than that:


And NFC was on it. I remember some discussion about lack of NFC for FP1 on other forums as well. Currently NFC is on the modules wishlist, and I’m sure it will be on the FP3 wishlist.

I’m no expert on NFC, but if I recall correctly most consumers who want NFC think about using it for making payments. In this case, I believe there needs to be a secure connection to a trusted element. I’m not sure whether this can be incorporated into an FP2 module, or that you run into issues like those outlined in the fingerprint scanner module discussion:

Also, I’ve not had time to check whether it is useful, but Keepass2Android (also available without network permissions) offers integration with InputStick; if there’s an easy way to also use the latter with an authenticator app, that would make things easier. I’m just not sure about the security of it all, but I see multiple usage scenarios for such a device.

At least that Nigerian (or other country) scammer who managed to remotely install a keylogger on the computer that I foolishly used to log onto my bank doesn’t have my phone in Nigeria, and won’t be able to do anything with that account! (Okay, didn’t actually happen, but still).


#4

Well I have to say I feel very comfortable with PasswordMaker, which is very easy to use (you have to remember only one master password), very safe (it doesn’t need to store anything) and you can configure it to generate passwords with different degrees of complexity.
If you don’t want to install it you can also use a simple HTML file with a pair of JavaScript functions, which runs locally in your browser (I use it on Palemoon on the Fairphone because the Firefox extension doesn’t install) and copy it everywhere on your devices.


#5

This is not true: the FP2 has an internal USB Port (Expansion Port) which you could make a Yubikey module for, perhaps with a button on the back of the phone to signal the key-generation. Or just have a Yubikey Nano integrated into your phone.


#6

I moved this topic to the Software category since it is a general discussion and not about a specific problem of yours.


#7

Hi. Have just found this short article on a recent NFC alternative that requires no new in-device tech; indeed it could work on ‘very legacy’ devices too…

What do you reckon?


closed #8