This week we’ll talk about some sad news from the makers of my beloved Clarify, then I’ll do a crazy deep dive into the National Institute of Standards and Technology about two-factor authentication. I do this to help you understand what your bank needs to know about using SMS or email or a phone call for authentication (spoiler, they shouldn’t). Then I’ll tell you about how much fun Sandy Foster and I had figuring out how to rip a (non-copy-protected) DVD in a modern version of macOS. In the last segment we’ll have fun with geometry as I try to figure out which screen is physically bigger, iPhone X or iPhone 8 Plus.
One of the best things about being retired is having the time to talk to companies on the phone. When I was working, I would simply let things go that were irritating me because there just wasn’t the time.
This week my mission became talking to every bank I deal with about their security model. For reasons that are irrelevant to the discussion (and highly annoying to me), I’m associated with four different financial institutions, and each of them got some messaging from me this week.
Their current service varied: two of them have no two-factor authentication, and two have SMS, email and phone call verification. None of them use a software authenticator method like Google Authenticator or the one built into 1Password.
Before I spoke to them, I decided it would sound a bit weak to say, “My friend Bart is real smart on this stuff and HE says…” So I started to do my research. I wanted to make sure I had a crisp explanation of why using SMS is a bad idea for two-factor authentication.