Be careful with notification apps if you use two-factor authentication

23 April 2015 NetFort Blog By: Darragh Delaney
Two-factor authentication (2FA) is a must for most online services in today’s world. 2FA is good because it introduces an extra element (hence the name) into the logon process. To access a service you need your username, your password and a random code. Without the code you cannot log on.

In a lot of cases, an end user runs Google Authenticator on their mobile phone, which generates the code required when you log on to your email or other application. In other cases the application sends a special code via text message to your mobile, and you are then prompted for it.

The main driver behind this is to prevent access to your accounts should someone try to guess or brute-force your passwords. It is something I would recommend that you use where it is available.

Another popular app at the moment is one called Pushbullet. It takes notifications from your mobile and displays them on your desktop. Some people find this handy in environments where their mobile is on silent or in their pockets. You can keep an eye on things without even unlocking your phone.

However, there is a potential security issue that you should be aware of. If you are the type of person who caches passwords on your laptop and you use something like Pushbullet, then you effectively bypass the two-factor authentication system: the saved password and the authentication code both end up on the same device.

Take this scenario. I use my laptop to access email, and I enable two-factor authentication to secure my account and to provide some sort of protection should my laptop be stolen. The problem is that if my laptop is stolen or someone gets access to it, they just need to watch the screen while logging on, and the Pushbullet notification system will display the authentication code on screen. There is no need to have access to my mobile phone, and the attacker gains access to my account.

You can go in and mute certain notifications, but this is not done by default. The lesson is that if you want to use desktop notification services, be careful that you do not compromise your two-factor authentication process.

