Saturday, February 24, 2018

UK Government Gateway 2FA/2SV

The UK Government Gateway now requires two factor authentication, which they call two step verification (2SV), when you login. This is a very good thing. You can download the HMRC app, receive SMS text messages (very insecure) or receive an automated phone call (quite insecure). They push you to download the HMRC app for your phone. However, I've discovered they are using industry standard Time-Based One-Time Password (TOTP) passwords (another very good thing). As a result you can use the standard Google Authenticator or Microsoft Authenticator on your iPhone instead of the HMRC app.
Simply select "Mobile App" as your authentication method in the HMRC web site to display a QR code. Scan the QR code from your mobile authenticator app and you will be up and running in seconds. No need to download the HMRC app. Generally TOTP mobile phone authentication is much more secure than text messages or phone calls. Two factor authentication by SMS text message, used by many banks, should be banned as it's highly insecure due to serious vulnerabilities with the SS7 protocol used between mobile networks. It's so insecure that NIST (US Standards body) are no longer recommending SMS text messages a part of a two factor authentication scheme. For more details see It's a shame the UK Government even offer SMS based authentication as it lends credibility to an insecure authentication method.

No comments: