Is It Weird That My Retirement Plan Folks Ask For My Authenticator Code?
August 21, 2024 6:48 AM

I have a 401K with Principal. I have my account set up for 2FA using Google Authenticator, so when I log in to the site, I get asked for the Authenticator code. But when I call them, they also ask for my Authenticator code. For all my other online accounts using an authenticator app, those numbers are only requested and entered online: no other vendor asks me for the code over the phone so that they can look at my account, so it feels weird when Principal do - is it?
posted by my log does not judge to Technology (14 answers total)
It's slightly weird, but not alarmingly weird. I have to call 401k companies on the regular, and most of them will send a text with the 2FA code to the account owner's phone, and ask to be read off that code while on the call. It's important to note that this is not so that they (Principal, or whoever holds the 401k) can get into your account, it's so that they can reasonably verify that you are who you say you are, before divulging details of your account. I could absolutely see if you chose Authenticator as your 2FA method of choice, or don't have your cell phone linked to your account, that they would need the Authenticator code instead. If you're uncomfortable with that, you could ask them if there's any other means of verification that you could use instead.
posted by csox at 7:00 AM on August 21


A super paranoid security expert might say that it's possible that someone is intercepting your calls to Principal and pretending to be a customer service agent while using your authentication token to get into the public website and continue the spoof.

I'm with csox: I've seen verification codes pushed to your phone to verify your identity while on the call, but asking for a TFA token? I've never seen that.

I'd complain to Principal and say they need to get their systems up to date with modern practices. Sending authentication codes over unencrypted channels is a risk.
posted by JoeZydeco at 7:05 AM on August 21


Counterpoint: if I've cloned your SIM card, then I can make calls and get 2FA text messages as you. But I won't have your TOTP seed so I won't be able to provide you a TOTP code. (So, I am not a security engineer but this seems like a better plan than texting you a code or something. A cursory look indicates that it's non-trivial to reverse a TOTP code into the original hash and timestamp, which you'd need to generate new ones.) Pushing a code via the app is better, though, I think, for reasons of noted man-in-the-middle attacks or a fake phone number or something.
posted by mrg at 7:12 AM on August 21


I have left banks that do this. It's not 100% abnormal but it's a terrible practice. It trains you to give those codes over the phone, which is exactly what a scammer would want you to do.
posted by mskyle at 7:16 AM on August 21


JoeZydeco, doesn't that apply equally to literally any thing you say over the phone to authenticate yourself? They're all equally vulnerable to a "phone mitm" attack, but we just rely on that being super difficult and basically never happening. (Well, it happens whenever someone can be tricked into calling the wrong number or answering a call that they can't authenticate themselves. But calling the right number is safe enough as far as I know.)

The insecurity is not in sending TOTP (authenticator app) codes, it's in using the phone. If we're choosing to use the phone, then asking for a TOTP code is no less secure than asking for a pushed code, and I'd argue it's actually better (theoretically) due to potential insecurities in any push channel.
posted by whatnotever at 7:19 AM on August 21


I can confirm that American Express does this too, which I found out (aghast) while having a financial safety in the 21st century conversation with my parents. I was shocked too.
posted by phunniemee at 7:23 AM on August 21


whatnotever, of course and you're right. It's not much better than the old standard "what's your mother's maiden name?" as the gold standard of voice authentication. It could just be security theatre for all we know.
posted by JoeZydeco at 7:26 AM on August 21


If they only ask for the code when you call them, using their official number, this is ok. If they call you asking for the code, this is not.
posted by funkaspuck at 7:32 AM on August 21


I would prefer if everyone switched over to this approach, as many American based companies are not set up to handle international phone numbers. In fact, my largest reason for keeping a phone number in the United States is to accommodate sites that demand them.

Effectively, you’re just proving that you have control of your Google account instead of proving that you have control of your cell phone number. Works for me.
posted by Tell Me No Lies at 7:34 AM on August 21


Actually seems like a good security tool.
posted by theora55 at 7:50 AM on August 21


There are a lot of mixed and conflicting opinions here, so maybe it will be helpful to lay things out clearly.

When you contact your bank by phone, they have to verify that you are who you are claiming to be. This is absolutely necessary, but it is difficult to accomplish because the channel (the phone call) doesn't provide any secure mechanism to identify who is calling.

Typically, this is accomplished by you saying something to them that presumably only you could say. Sometimes, that has been information about yourself like your date of birth, mother's maiden name, last four digits of your social security number, etc. Those are all quasi-public now, though, so they are very insecure.

Another option is to register some hopefully-unique secret in advance, sort of like a password. For example, I've used a bank that had me set up a challenge question that they would ask me when I called and which hopefully only I could answer correctly. This is decent, but it depends on the customer choosing a secure question and answer that cannot be guessed or gleaned from public sources (including data breaches).

A TOTP code from your authenticator app is generated from a secret number that the bank shares with you when you register the bank in the application. This secret number is stored only at the bank and in your application. You can generate a code based on that secret and the current time, the bank can do the same, and then either party can verify that the other has access to that shared secret by comparing the generated codes.

In terms of anything you might say over the phone to securely verify to the bank that you are the customer you are claiming to be, saying a code generated by your authenticator app that you have previously securely registered with the bank is about as good as it gets.

[Theoretically, you could also ask the bank to tell you a generated code and compare it to what appears in your app to verify them. I've never heard of this being implemented however.]

Unfortunately, you have to be very careful that you do not ever share a generated code with anyone who is not the bank. If you do, then they can contact the bank, claim to be you, use the code, and gain access to your account. The generated codes are time-limited (only valid for a brief period of time), so the attacker would have to be contacting the bank at the moment you shared the code, but this is not difficult. The main way this attack might occur is by the attacker calling you, claiming to be the bank, and then asking you to authenticate yourself with your generated code or with any other method the bank uses. In this attack, it doesn't matter whether the bank is using authenticator codes, asking you what your favorite pizza topping is, or really anything else. All of the methods are equally insecure in that scenario. So the moral there is: always be absolutely certain that you are calling the bank, not the other way around, and that you are using the correct phone number to do so. This is not trivial, and there are lots of ways to be tricked and mix things up!

Many institutions try to educate their customers by regularly repeating that they should not share security codes outside of the "correct" channels. Often, the only correct channel is their website (after you have carefully verified that it is in fact the institution's website, which again is not trivial...). Although sharing security codes over the phone is secure, as described above, it could blur and confuse the lines around when sharing the codes is okay and when it is not.

So you're absolutely right to be cautious about this, since it seems to go against a lot of common advice. It is secure, however, with the large caveat that you have to be sure you initiated the phone call and that you called the right number.

[Side note: there are authentication mechanisms that are more secure than TOTP codes. The math and algorithms used by physical security keys and, more recently, passkeys are pretty much the best thing we have going, currently. But they can't be implemented over a phone call, unfortunately. For one, they rely on sharing relatively large numbers that would be tedious and very error prone to dictate. Also, they rely on checking the domain name of the site you are visiting in your browser, which has no analog in a phone conversation.]
posted by whatnotever at 10:08 AM on August 21
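The two posts above (mrg's point that a spoken code cannot be turned back into the seed, and whatnotever's description of both sides computing a code from a shared secret plus the current time) describe standard TOTP (RFC 6238 over RFC 4226 HOTP). The following is an added example written for this page, not code from Principal, Google Authenticator or any commenter; it uses the published RFC test seed "12345678901234567890" as a constructed demo secret so the outputs can be checked against the RFC vectors, and the names `verify` and `phone_call_demo` are this example's own. It shows the customer side generating a code, the bank side recomputing and comparing it within a small clock-skew window, and the same code being rejected once its time window has passed.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test seed (20 ASCII bytes).
# In a real enrolment the institution generates a random secret and shows it
# once as a QR code; after that it lives only in the app and at the institution.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # Google Authenticator default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since
    the Unix epoch, so app and institution agree without ever sending the
    secret. The code reveals only an HMAC truncation, not the secret itself."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, spoken_code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Institution side (hypothetical helper): recompute the code for the
    current step and its neighbours, tolerating clock drift and the seconds it
    takes to read a code aloud, and compare in constant time."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), spoken_code):
            return True
    return False


def phone_call_demo(now: int):
    """Walk through the exchange from the thread: the caller reads the code
    their app shows, the institution checks it, and the same code is no
    longer accepted a few minutes later (the time-limit whatnotever describes)."""
    spoken = totp(DEMO_SECRET, now)
    accepted_now = verify(DEMO_SECRET, spoken, now)
    accepted_later = verify(DEMO_SECRET, spoken, now + 5 * STEP_SECONDS)
    return spoken, accepted_now, accepted_later


if __name__ == "__main__":
    code, ok_now, ok_later = phone_call_demo(1234567890)
    print(f"code read over the phone: {code}")
    print(f"accepted during its window: {ok_now}, accepted 150 s later: {ok_later}")
```

The skew window is the only tunable that matters for the phone use case: a window of one step either side gives the agent roughly 30 to 90 seconds to hear and type the code, while keeping the replay window for an overheard code to the same short span. Nothing in `verify` derives the secret from the spoken code, which is why a single disclosed code does not let a listener generate future ones, but it does let anyone holding it authenticate during that window, which is the reason the thread's advice to only ever read a code to a call you initiated still applies.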


How about a process like this, to make sure you're giving your code only to the "real" Principal?
1) Log in to your account to view account balances
2) Call Principal on their published phone number
3) When asked for the Authenticator code, ask them to first give you (for example) the cents portion of the current balance in your account, or the date of your most recent transaction, or something else that only a person already signed into your account could know?
posted by Snerd at 5:32 PM on August 21


I had a slightly odd thing happen to me yesterday that's related. I needed a signature guarantee for a thing I was doing with Fidelity. Misunderstanding that they needed a copy of my driver's license, I made the copy then left the DL in my printer/copier. Got to the Fidelity Investor Center...no DL. But they had ways of doing it anyway. The customer service guy disappeared into the back for a while, then had me log into my account on my phone and read him the SMS code that appeared (he was right there, sitting next to me), which obviously matched what he had on his screen. That was sufficient proof to them that I was who I said I was. I think this was OK because I've been a Fidelity customer for years, and it fell within whatever their rules are for a signature guarantee for a transaction within their own system.
posted by lhauser at 7:01 PM on August 21


Unfortunately, even though you would think banks would be at the forefront of cybersecurity, that really isn't the case. My former national bank would send emails about updating account information that were practically indistinguishable from phishing attempts. Poor password policies, weak two-factor authentication, you name it. So, no, it's absolutely not OK for them to be asking you for codes. Now, your particular company has decided that the risk of doing so is acceptable. Comcast does the same thing, but the consequences of compromise for a cable Internet account are a lot less than your whole retirement savings.

To be cynical, if your account gets cleaned out by crooks due to your giving a code over the phone, the company is going to say it wasn't their fault. After all, you were the one that gave out the code and allowed them to log in, right? Personally I would argue that the company is conditioning you to ignore security red flags, and bears at least as much responsibility.
posted by wnissen at 10:44 AM on August 26