2FA: Is Google Voice really a good second form of Authentication?
Inspired and motivated by some excellent posts on BH, I have started to adopt better online security practices such as using a password manager (Bitwarden), 2FA, and using YubiKey wherever possible. Since many financial institutions don't allow YubiKey as a second form of authentication, I am still forced to use a phone as a second factor. So, I want to eliminate the possibility of SIM swapping (especially because I use a very cheap phone service and I am sure it’s a relatively easy target for hackers). I have read that Google Voice (GV) is a good tool to protect against SIM swap but I am struggling to understand how? I have obtained a GV number, which Google issued to me only after I linked my SIM-based number. Now I see two options under GV settings:
1. Forward messages to the linked phone number. If I choose this option and later the linked number is SIM-swapped, the hacker will have access to my GV messages. We are back to the problem I intended to eliminate.
2. Forward messages to my Gmail. This will eliminate SIM-swapping but now it is no more an “independent” form of authentication i.e., it is effectively asking FI to use my email as a form of authentication, which they will be using anyways if and when needed (for example to reset my password).
Am I missing something? Is there a third option you are using with GV? Thanks in advance for your help!
Diversification is protection against ignorance - WB.
Re: 2FA: Is Google Voice really a good second form of Authentication?
I’m not as concerned about sim swapping (although I probably should be), I’m more concerned with losing my phone. So I have Google Voice as a text number for financial services that only support phone as second auth method. For google itself, I use their authenticator as primary second auth, then backup codes in 1Password cloud + hard copy.
I keep the gvoice app on my phone as a device and not a linked number, so it isn’t tied to my sim. I assume/hope that if my phone is physically stolen, I have enough time to disable the gvoice link to my device (there’s a setting for that) and/or wipe my phone before they break into anything.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Samosa22 wrote:
> 2. Forward messages to my Gmail. This will eliminate SIM-swapping but now it is no more an “independent” form of authentication i.e., it is effectively asking FI to use my email as a form of authentication, which they will be using anyways if and when needed (for example to reset my password).

If a financial services provider will allow 2FA to a google voice number, and you set it up, forwarding the GV text traffic to email is the correct approach. The email would be mapped to your phone email client, and the same email address would be with the financial services if they did a password reset or 2FA by email.
That google account would be protected with a hard token 2FA and not used for any other email traffic nor for other google service.
The phone should be encrypted and a minimum 16-character phone password used. Additionally a fingerprint would be used so that you don't have to type in a long password to use the phone.
The phone encryption and long password protects you if your phone is lost or stolen. Getting the 2FA from GV by email protects you from a SIM/phone# swap because the new phone won't have your email.
Ideally, you would not type in a password on the same device where you get 2FA, which means not logging in with a phone app. This is so there is not a single point of compromise (in this case your phone) that compromises your account(s).
There is one major issue I can see, which is getting locked out of your google account. This should not stop the plumbing from working which means you can likely move it all to a new account.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Northern Flicker wrote: ↑Mon Oct 12, 2020 7:37 pm
> If a financial services provider will allow 2FA to a google voice number, and you set it up, forwarding the GV text traffic to email is the correct approach. The email would be mapped to your phone email client, and the same email address would be with the financial services if they did a password reset or 2FA by email.
> That google account would be protected with a hard token 2FA and not used for any other email traffic nor for other google service.
> The phone should be encrypted and a minimum 16-character phone password used. Additionally a fingerprint would be used so that you don't have to type in a long password to use the phone.
> The phone encryption and long password protects you if your phone is lost or stolen. Getting the 2FA from GV by email protects you from a SIM/phone# swap because the new phone won't have your email.
> Ideally, you would not type in a password on the same device where you get 2FA, which means not logging in with a phone app. This is so there is not a single point of compromise (in this case your phone) that compromises your account(s).
> There is one major issue I can see, which is getting locked out of your google account. This should not stop the plumbing from working which means you can likely move it all to a new account.

It is more secure to use the Google Voice app on a phone and not forward texts to an email client. That along with protecting the Google account with a hardware key like a YubiKey.
Re: 2FA: Is Google Voice really a good second form of Authentication?
I just went through this transition. If you go Google voice route, I would not forward texts and calls to your cell phone number. That would defeat the purpose. I would keep GV separate and use it via app. Downside to this is if your Google account is hacked, then you have too many eggs in same basket. Also not all institutions let you use VoIP for 2FA texts. So depending on what institutions you do business with, you may still have to use your cellular phone number for receiving some texts.
What I have done is, I am using Gmail to get the codes via email and I have secured my Google account with yubikey, back up codes and via 2FA using Authy. Hopefully it makes it harder to hack my Google account and I also will not lock myself out of my account if I were to lose my phone. The back up codes are sitting in my safe and Authy is backed up to cloud with a copy on my desktop.
Mr. Market is Bipolar.
Re: 2FA: Is Google Voice really a good second form of Authentication?
tommy85 wrote: ↑Mon Oct 12, 2020 7:45 pm
> I just went through this transition. If you go Google voice route, I would not forward texts and calls to your cell phone number. That would defeat the purpose. I would keep GV separate and use it via app. Downside to this is if your Google account is hacked, then you have too many eggs in same basket. Also not all institutions let you use VoIP for 2FA texts. So depending on what institutions you do business with, you may still have to use your cellular phone number for receiving some texts.
> What I have done is, I am using Gmail to get the codes via email and I have secured my Google account with yubikey, back up codes and via 2FA using Authy. Hopefully it makes it harder to hack my Google account and I also will not lock myself out of my account if I were to lose my phone. The back up codes are sitting in my safe and Authy is backed up to cloud with a copy on my desktop.

You will not lock yourself out of your Google account if you were to lose your phone. All you would need to do is log in on your computer and get GV texts that way. You are making things less secure by using a YubiKey, back up codes and Authy. All you are doing is increasing the attack surface.
Re: 2FA: Is Google Voice really a good second form of Authentication?
palanzo wrote: ↑Mon Oct 12, 2020 7:52 pm
> You will not lock yourself out of your Google account if you were to lose your phone. All you would need to do is log in on your computer and get GV texts that way. You are making things less secure by using a YubiKey, back up codes and Authy. All you are doing is increasing the attack surface.

You do have a point. Maybe I will disable the back up codes and Authy and just keep yubikey.
Mr. Market is Bipolar.
Re: 2FA: Is Google Voice really a good second form of Authentication?
tommy85 wrote: ↑Mon Oct 12, 2020 8:04 pm
> You do have a point. Maybe I will disable the back up codes and Authy and just keep yubikey.

For Google accounts you need two YubiKeys. I think that is the best way to go.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Two yubikeys should work, maybe rotating which you use on a quarterly basis, so if the backup one fails you identify that before the other one fails as well.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Northern Flicker wrote: ↑Mon Oct 12, 2020 10:39 pm
> Two yubikeys should work, maybe rotating which you use on a quarterly basis, so if the backup one fails you identify that before the other one fails as well.

Why would you think a YubiKey would fail? It's a passive device. Nothing wrong with rotating.
Re: 2FA: Is Google Voice really a good second form of Authentication?
palanzo wrote:
> It is more secure to use the Google Voice app on a phone and not forward texts to an email client.

Possibly, but many service providers offer the person trying to login the choice to receive 2FA by email instead of voice, whence the email client is already part of the attack surface. The GV app is a black box to me from a security perspective, and with software, it is usually best to assume it is "guilty until proven innocent."
Re: 2FA: Is Google Voice really a good second form of Authentication?
palanzo wrote: ↑Mon Oct 12, 2020 10:51 pm
> Why would you think a YubiKey would fail? It's a passive device. Nothing wrong with rotating.

All hardware can fail.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Northern Flicker wrote: ↑Mon Oct 12, 2020 10:57 pm
> Possibly, but many service providers offer the person trying to login the choice to receive 2FA by email instead of voice, whence the email client is already part of the attack surface. The GV app is a black box to me from a security perspective, and with software, it is usually best to assume it is "guilty until proven innocent."

In that case you use the Gmail app for the locked down Google account. Same account as for the GV for text or voice. The attack surface is the same because it is the same Google account.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Sure. But I'm not sure whether it matters if you forward the text codes to the email account associated with GV account and map that to a mail client on the phone or use both the GV app and a mail client. The latter does have a larger app footprint on the phone, however.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Samosa22 wrote: ↑Mon Oct 12, 2020 6:55 pm
> So, I want to eliminate the possibility of SIM swapping (especially because I use a very cheap phone service and I am sure it’s a relatively easy target for hackers). I have read that Google Voice (GV) is a good tool to protect against SIM swap but I am struggling to understand how?

Correct. GV is safer than regular mobile phone number against SIM swap. But it also has its own faults. For example, if your gmail account is hacked then your GV is also hacked (not really 2FA).
Re: 2FA: Is Google Voice really a good second form of Authentication?
True, but. I personally recommend YubiKeys as they are completely designed and manufactured in Sweden or the USA. I would look at supply chain issues for other hardware keys. I don't work for Yubico or have any financial interest. I do have a strong security interest.
Re: 2FA: Is Google Voice really a good second form of Authentication?
One other point is that many financial institutions only have a provision for 1 mobile number. You may need to be able to take voice calls at the GV number for it to work as the phone number on file with an institution. If the number is mapped to a mobile phone number, essentially being in the role of a phone number alias, then a sim swap or phone number port would capture that traffic. The Google supplied GV app may (likely will?) address this issue adequately, which could be a reason the app is mandatory for this solution to remediate the security risk adequately.
Re: 2FA: Is Google Voice really a good second form of Authentication?
From what I understand, if you use a Yubikey, Google access is locked to your device, and some cookie that is hijacked isn't going to work. Maybe someone else can confirm, would like to know if this is not a valid assumption.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Protecting email with 2FA is probably a good idea. Being careful with browser extensions is probably a good idea. I created a separate Google account for a 2FA Google Voice number. I don’t use that account for anything else.
Last edited by TravelGeek on Sat Jan 16, 2021 12:47 pm, edited 2 times in total.
Re: 2FA: Is Google Voice really a good second form of Authentication?
No, it's not. I personally know of people who have been permanently locked out of their Google accounts. There is no recourse, no support and no phone number to call. That's it.
Not to mention once Vanguard gets around to blacklisting Google Voice they will not provide advance notice.
Today's high is tomorrow's low.
- Dan-in-Virginia
Re: 2FA: Is Google Voice really a good second form of Authentication?
I use my GV # as an additional factor for some services. I run the app on my phone with messages to email. I have MFA in-place to access my Google Account, with backed up one-time authentication codes.
Re: 2FA: Is Google Voice really a good second form of Authentication?
Nummerkins wrote: ↑Sat Jan 16, 2021 12:46 pm
> No, it's not. I personally know of people who have been permanently locked out of their Google accounts. There is no recourse, no support and no phone number to call. That's it.
> Not to mention once Vanguard gets around to blacklisting Google Voice they will not provide advance notice.

As for the last bit of your post... that is doomsaying and I find that HIGHLY unlikely given the preponderance of VOIP in this age and its likely growth in the future. The first part of your post is addressed below by the other poster.
Yes, to lose complete access to your account requires extreme carelessness. You are given 10 one-time-use codes to unlock your account if your hardware token is lost. Ten!
To be completely and permanently locked out that means:
- You lost your hardware token
- You lost your backup hardware token
- You lost your 10 one time use backup codes
Re: 2FA: Is Google Voice really a good second form of Authentication?
Northern Flicker wrote: ↑Thu Oct 15, 2020 1:44 am
> One other point is that many financial institutions only have a provision for 1 mobile number. You may need to be able to take voice calls at the GV number for it to work as the phone number on file with an institution. If the number is mapped to a mobile phone number, essentially being in the role of a phone number alias, then a sim swap or phone number port would capture that traffic. The Google supplied GV app may (likely will?) address this issue adequately, which could be a reason the app is mandatory for this solution to remediate the security risk adequately.

Thanks for pointing this out. Just thinking this through - besides reliance on Google, and needing to use Google Voice to call customer service, is there a downside to using a Google Voice number as the only phone number on file at the financial institution? I'm considering doing this for all of my investment accounts (along with using Yubikeys).
Withdrawal Phase Plan: Equities <= 50% | TIPS, I Bonds | VPW Worksheet | TPAW | Social Security @70
Re: 2FA: Is Google Voice really a good second form of Authentication?
Zardoz wrote: ↑Mon Sep 06, 2021 1:34 pm
> Thanks for pointing this out. Just thinking this through - besides reliance on Google, and needing to use Google Voice to call customer service, is there a downside to using a Google Voice number as the only phone number on file at the financial institution? I'm considering doing this for all of my investment accounts (along with using Yubikeys).

Other than providing more data to Google, I don’t see any major downsides. In fact with Google voice you can call from anywhere, even if you are out of country.