
Sony rolling out two-factor authentication: AUS+NZL tomorrow, other regions to follow

People are concerned about SMS because sadly it is not viewed as secure anymore. Read this if you want a detailed report as to why, published by the National Institute of Standards and Technology.

https://pages.nist.gov/800-63-3/sp800-63b.html

This isn't about losing your phone or someone else being able to access it.

It is about cloning your SIM card without you knowing it. It's another step 'hackers' have taken in social engineering over the last 2 years or so. They will call your mobile provider and acquire a SIM card with your phone number, and then you are fucked. T-Mobile recently changed how easy it is to acquire SIM cards after big YouTubers and Twitch streamers got hacked that way.

It's also why pretty much all banks in Europe offer a hardware generator for online banking. Many of them still offer 2 step via phones but it is not recommended anymore.

It's a start for Sony but they should be working on getting Authenticator app support asap.

In fairness, this requires a lot more knowledge of the person and is far more a targeted attack than the typical PSN scam.

There is a pretty big gulf between the typical script kiddie who catches a few passwords via phishing and organised identity theft.
 

Jotaka

Member
People are concerned about SMS because sadly it is not viewed as secure anymore. Read this if you want a detailed report as to why, published by the National Institute of Standards and Technology.

If someone is targeting you at this level... well, you are pretty much fucked. A SIM swap scam is a very focused attack.
 

Kysen

Member
I would have preferred to use Google's authenticator app as that works with several of my accounts (Live, LastPass). I don't know how this will handle a UK phone number on a JP account.
 

Aceofspades

Banned
People are concerned about SMS because sadly it is not viewed as secure anymore. Read this if you want a detailed report as to why, published by the National Institute of Standards and Technology.

https://pages.nist.gov/800-63-3/sp800-63b.html

This isn't about losing your phone or someone else being able to access it.

It is about cloning your SIM card without you knowing it. It's another step 'hackers' have taken in social engineering over the last 2 years or so. They will call your mobile provider and acquire a SIM card with your phone number, and then you are fucked. T-Mobile recently changed how easy it is to acquire SIM cards after big YouTubers and Twitch streamers got hacked that way.

It's also why pretty much all banks in Europe offer a hardware generator for online banking. Many of them still offer 2 step via phones but it is not recommended anymore.

It's a start for Sony but they should be working on getting Authenticator app support asap.

In my country SMS issuance requires your ID and fingerprints. They want to keep fraud and harassment to a minimum.
 

Rellik

Member
Thank God it's not smartphones only. I haven't been able to use the Steam marketplace and other places because of it; good thing Sony is thinking of people who don't have a smartphone.

I didn't even think of that.

I'm guilty sometimes of thinking everyone has a smartphone so I'm glad those who don't are able to use this too.

If someone wants to go through the effort of cloning my sim so they can play some free games that I've already purchased then good luck to them.

Hopefully this is out in the UK today.
 
Quick question: If I do an SMS and then later change my phone number, would I be locked out? Or can I still use my email to bypass it?
 

Bishop89

Member
Can someone explain the device setup password for non-PS4 devices?

Do I have to set up a different password for my PS3 and Vita? Can't it be the same pw?
 

Tainted

Member
Quick question: If I do an SMS and then later change my phone number, would I be locked out? Or can I still use my email to bypass it?

When you log in to the 2FA site, they provide you with 10 single-use backup codes to access your account / devices.

Backup Codes

If you are unable to receive your 2-step verification code for any reason, you can still sign in using a backup code. These are the only backup codes available to you. Each code can only be used once.

Can someone explain the device setup password for non-PS4 devices?

Do I have to set up a different password for my PS3 and Vita? Can't it be the same pw?

When I logged into my PS3 after setting up 2FA, it directed me to the site to retrieve a device code. This code is unique to your account and device. Once you have the code, you enter it into the password field in place of your normal password.
 

Lima

Member
Can someone explain the device setup password for non-PS4 devices?

Do I have to set up a different password for my PS3 and Vita? Can't it be the same pw?

You will have to set up a device code, or app password as some services call it.

It's an option on the site after you enable 2FA. Just hit create and it will create a code and display it to you. You then use this to log in with your email and this generated pw on the PS3. For the Vita you would have to create another device code.

They stay permanently logged in then.
 
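A small model, added here as an example and not Sony's own code, of the account-level controls the two replies above describe: ten single-use backup codes, and per-device setup passwords that are created in the account area, only work on the device they were created for, show as used once that device signs in, and stop working when revoked. The class and method names (Account, create_device_code, and so on) are assumptions; only hashes of the codes are kept, so the store itself never holds a usable secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of the controls the thread describes; not Sony's code.
def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).hexdigest()

@dataclass
class Account:
    backup_hashes: list = field(default_factory=list)  # single-use backup codes
    device_codes: dict = field(default_factory=dict)   # device -> {"hash", "used"}

    def issue_backup_codes(self, count=10):
        # A fresh set replaces any earlier set; 8 hex chars each.
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_hashes = [_digest(c) for c in codes]
        return codes

    def use_backup_code(self, code):
        # Each code works exactly once: it is dropped as soon as it is accepted.
        h = _digest(code)
        for stored in self.backup_hashes:
            if hmac.compare_digest(stored, h):
                self.backup_hashes.remove(stored)
                return True
        return False

    def create_device_code(self, device):
        # One setup password per device; recreating it invalidates the old one.
        code = secrets.token_urlsafe(12)
        self.device_codes[device] = {"hash": _digest(code), "used": False}
        return code

    def device_sign_in(self, device, code):
        # The code is bound to the device it was created for (a PS3 code will
        # not work on a Vita) and stays valid until the account owner revokes it.
        entry = self.device_codes.get(device)
        if entry is None or not hmac.compare_digest(entry["hash"], _digest(code)):
            return False
        entry["used"] = True
        return True

    def device_status(self, device):
        entry = self.device_codes.get(device)
        return None if entry is None else ("used" if entry["used"] else "unused")

    def revoke_device(self, device):
        self.device_codes.pop(device, None)  # device must be set up again
```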

Tainted

Member
I'm trying to get my head wrapped around the PS3 method of 2FA... How is this more secure?

If someone tried to access another PS3 using your account and you have 2FA active, it would force them to get a device code, which is only accessible in your account area on the Sony website, which itself is secured by SMS code. Hence they are unable to access your account.
 
If someone tried to access another PS3 using your account and you have 2FA active, it would force them to get a device code, which is only accessible in your account area on the Sony website, which itself is secured by SMS code. Hence they are unable to access your account.

Ah there's the missing link. Interesting that they had to do this device code.
 

Tainted

Member
Ah there's the missing link. Interesting that they had to do this device code.

Yep, you will see how it works once you enable 2FA; it's pretty straightforward. Once you activate 2FA it's account level across the board... so you cannot log in to any part of the Sony website without an SMS code.
 

Shahed

Member
Quick question: If I do an SMS and then later change my phone number, would I be locked out? Or can I still use my email to bypass it?
Just update your phone number on PSN beforehand. If you do it via a place you've logged in previously you can probably change it as well. Won't be an issue.
 
Most probably

I have now received 40 SMSs from Sony within the space of around 20 mins. I have had to switch my phone to silent as it is bugging the hell out of me.

I'm not sure when these SMSs are going to stop. I may need to block the number until this is sorted out. :(

Typical.
You wait years for one 2FA SMS from Sony and then 40 arrive in the space of 20 mins :)
 
I haven't followed every post but is SMS a problem for some folks? That's how I know most of the 2FA implementations work, several sites I use frequently send text messages to my phone for verification.
 

Bishop89

Member
Really stupid question.

Do I put my FULL number when it prompts me, or do I exclude the country code number?

i.e. if my country code is +61 (which is 0), do I enter 0412 345 678 or do I put 412 345 678?
 

Gradly

Member
What should I do if I don't have a mobile phone? I hope they keep old process available as well.

You just won't be able to enable this feature. It's not mandatory, unless Sony forces it, which is highly unlikely. Or you buy a phone :)
 

Gradly

Member
Really stupid question.

Do I put my FULL number when it prompts me, or do I exclude the country code number?

i.e. if my country code is +61 (which is 0), do I enter 0412 345 678 or do I put 412 345 678?

In general you don't include the 0 when you input the full country code; in your example it will be +61412345678.

Edit: And each service has its own form design choices: some will allow you to choose the country code from a drop-down list, some will make you enter the full mobile number, some will show you an example, but in all cases the final number will be as written before :)
 

Bishop89

Member
In general you don't include the 0 when you input the full country code; in your example it will be +61412345678.

Edit: And each service has its own form design choices: some will allow you to choose the country code from a drop-down list, some will make you enter the full mobile number, some will show you an example, but in all cases the final number will be as written before :)

thanks dude
 

BigEmil

Junior Member
SMS authentication is still safer than without.
If the hacker got your account and then finds out he also has to go through the hassle of the SMS, so now has to clone your SIM etc., they wouldn't bother anymore. Plus they'll need your number and SIM provider details in the first place. This is only an issue for famous people who have their details spread out.
 
Really stupid question.

Do I put my FULL number when it prompts me, or do I exclude the country code number?

i.e. if my country code is +61 (which is 0), do I enter 0412 345 678 or do I put 412 345 678?

I put my full number in (with the 0) and it works fine.

Is anyone else getting an error?

"An error occured during communication with the server"

I did, just try it again and it should work.
 

Bishop89

Member
Yeh, just putting my mobile # as I normally would type it worked.

So this device setup for PS3: I entered the code as per the Sony website, checked 'sign in automatically', now what?

So do I need to remember this random password now?
What happens if I sign out for whatever reason and want to sign back in, will I have to go back to the Sony website to generate another code?


Edit: Wait, so the 'login' password which the Sony website generates is ONLY for signing in; you still use your normal pw for logging into anything else which prompts for it, such as account settings on the consoles?
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
So do I need to remember this random password now?

...No, since you generate a new one every time you log in to a different place/location.

What happens if I sign out for whatever reason and want to sign back in, will I have to go back to the Sony website to generate another code?

No. They'll SMS you the code.

Edit: Wait, so the 'login' password which the Sony website generates is ONLY for signing in; you still use your normal pw for logging into anything else which prompts for it, such as account settings on the consoles?

Yes exactly. Something you know, something you have. AKA: 2-factor.

1. You know (your password)
2. You have (your phone/authenticator).

"2-factor."
 

Bishop89

Member

So it says my 2nd device setup pw is unused, but I just used it for my Vita.

(The first one I used for my PS3; tried to use it for my Vita but it wouldn't work, so I had to generate a new one.)

1. Why isn't it showing as being used?
2. What happens if I revoke it, will I get logged out on my Vita?


Sorry for the billion questions, this is all new to me.




EDIT: NEVER MIND, it's just delayed; it now says it's being used.
 
Most probably

I have now received 40 SMSs from Sony within the space of around 20 mins. I have had to switch my phone to silent as it is bugging the hell out of me.

I'm not sure when these SMSs are going to stop. I may need to block the number until this is sorted out. :(

As others have pointed out, your password was compromised and someone was trying to access your account. Good thing you activated this security option :D
 
Still nothing for the rest of the world? That's kinda weird.
The "AUS+NZL" in the thread title refers to Australia and New Zealand.

The original source on Reddit (since proven to be true) stated that 2FA was being rolled out in AUS+NZL first, and Sony would monitor how it went before expanding the rollout to other regions. I guess we're still in the 'monitoring' stage.
 
Sorry if this was addressed already (I didn't want to read through 400 posts because I'm at work... or lazy) but it's a fucking bummer it seems to be SMS only. What good is 2FA when your only method of authentication is through something that's unencrypted and able to be easily worked around (or intercepted)?

Any and all 2FA should have on-device generator support (Google Authenticator, Duo Security, etc) or push authentication. Any telephone or SMS auth is fucking ridiculous at this point. It's the equivalent of the chip-and-signature cards in the US when everyone else has been using chip-and-pin for years.

Barf. =/

edit: unless it does support authenticators, in which case ignore me. I saw the OP screencaps and it looked like it was SMS only.
 