Results 1 to 10 of 10
  1. #1
    Star Lounger
    Join Date
    Oct 2002
    Posts
    64
    Thanks
    5
    Thanked 0 Times in 0 Posts

    2-stage authentication with trusted devices and virtual private networks

    2-stage authentication has obvious security advantages.
    I have used it only when necessary, such as establishing a new account.
    I have avoided it because of the inconvenience of constantly running to my telephone, recording a code, returning to my computer, and entering the code (essentially logging on twice).
    Recently, I learned that both MiniSquashed and Google have improved the process so that I may designate my home computer as a "trusted device" which will not be subject to the 2-stage log-on.
    I wish to reconsider 2-stage authentication as a means to protect me from unauthorized log-on from elsewhere.
    However, if my home computer is to be "trusted", the network must know that is my computer attempting log-on.
    I use a virtual private network, so the network server should not know my IP address, and I clear cookies frequently.
    So ...? Can designating my home computer as trusted give me both the protection and convenience that I seek with essentially no cookies and a VPN?

    Jim AuBuchon

  2. #2
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    If you clear cookies, it is most likely that your device will require authentication again.

    From a quick search, it is not totally clear how the device is identified: How does google recognize a trusted device with 2 step verification

    In theory, all needed information would likely be readily accessible through your browser, but it is likely that some information is kept locally, so cookies would be the most obvious way, though modern browsers, supporting HTML5 could allow other means to do it.
    Rui
    -------
    R4

  3. The Following User Says Thank You to ruirib For This Useful Post:

    AuBuchon (2016-07-19)

  4. #3
    Silver Lounger lumpy95's Avatar
    Join Date
    Feb 2013
    Location
    Mojave Desert CA
    Posts
    1,841
    Thanks
    258
    Thanked 174 Times in 147 Posts
    If you clear cookies, it is most likely that your device will require authentication again.
    That's exactly what happens with Google 2 step. My Android phone and tablet doesn't have to be re-authorized but when I clean out the cookies on any of my desktops or my laptop, I have to go through the new number again by receiving a text and putting in the numbers.

  5. The Following User Says Thank You to lumpy95 For This Useful Post:

    ruirib (2016-07-18)

  6. #4
    Star Lounger
    Join Date
    Oct 2002
    Posts
    64
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by lumpy95 View Post
    That's exactly what happens with Google 2 step. My Android phone and tablet doesn't have to be re-authorized but when I clean out the cookies on any of my desktops or my laptop, I have to go through the new number again by receiving a text and putting in the numbers.
    I think that you said:
    If you clear cookies on your android tablet, reauthorization is not required, but
    if you clear cookies on your desktop or laptop, reauthorization is required.
    This seems odd. If cookies are necessary as the only source of the device identity, no device could work without them.

    Either I misunderstood, or there is more to the story (another source of the information).

    Also, does anyone know a convenient way to delete all cookies except the one required to identify the device to a particular network?

    And, does anyone know the effect of a virtual private network on all of this?

    Jim AuBuchon

  7. #5
    Star Lounger
    Join Date
    Oct 2002
    Posts
    64
    Thanks
    5
    Thanked 0 Times in 0 Posts
    I read the link provided by ruirib. In the last (at the time I read it) reply to a post at that site, there was a link to https://panopticlick.eff.org/. It had a good discussion of browser fingerprinting. It would appear that my browser can be uniquely identified by information accessible to any website that I visit -- even without cookies, and the VPN probably is irrelevant.

    Browsers that are more generic than mine (have fewer distinguishing features) might require cookies to make them unique. This could explain the difference in behavior between lumpy95's tablet and desktop devices.

    The focus of the panopticlick site was susceptibility to tracking, not possible use of 2-factor authentication, but the discussion still applies.

    Thanks to everyone who replied to my post. It has been most helpful.

    Jim AuBuchon

  8. #6
    Silver Lounger RolandJS's Avatar
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,722
    Thanks
    95
    Thanked 126 Times in 123 Posts
    There are cookie managers that will let you pick any/all cookies you want to delete. I do not know of any cookie manager that will delete all cookies except the one[s] clicked.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  9. #7
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Quote Originally Posted by AuBuchon View Post
    I think that you said:
    If you clear cookies on your android tablet, reauthorization is not required, but
    if you clear cookies on your desktop or laptop, reauthorization is required.
    This seems odd. If cookies are necessary as the only source of the device identity, no device could work without them.

    Either I misunderstood, or there is more to the story (another source of the information).
    Not really. Obviously with access to the OS you can identify a device without any difficulties and with no need for cookies. At least iOS and Windows Phone devices can even be locked or cleaned, which means having OS access makes it really easy to identify and control a device.

    And, does anyone know the effect of a virtual private network on all of this?
    i don't think a VPN would make any difference. It will only affect that external IP. Using your browser to access the internet while on the VPN will make no difference to accessing the internet when not connected to it. The IP can obviously not be used to identify a device.
    Rui
    -------
    R4

  10. #8
    Silver Lounger lumpy95's Avatar
    Join Date
    Feb 2013
    Location
    Mojave Desert CA
    Posts
    1,841
    Thanks
    258
    Thanked 174 Times in 147 Posts
    If you clear cookies on your android tablet, reauthorization is not required, but
    if you clear cookies on your desktop or laptop, reauthorization is required.
    This seems odd. If cookies are necessary as the only source of the device identity, no device could work without them.
    With an Android phone/tablet, you are always signed in ( you activate that device by signing in to your google account when you first start it ). With a desktop/laptop, you sign in every time you want to use anything Google ( Gmail, account, etc. ). When you clean out the cookies, that identifier is removed, hence, you need to re-verify your identity the next time you want to access your Google account.
    Last edited by lumpy95; 2016-07-19 at 10:24.

  11. #9
    New Lounger
    Join Date
    Sep 2016
    Posts
    16
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by RolandJS View Post
    There are cookie managers that will let you pick any/all cookies you want to delete. I do not know of any cookie manager that will delete all cookies except the one[s] clicked.
    Do you think CCleaner's Intelligent cookie thing would work for AuBuchon?

  12. #10
    Silver Lounger RolandJS's Avatar
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,722
    Thanks
    95
    Thanked 126 Times in 123 Posts
    Quote Originally Posted by AtSea View Post
    Do you think CCleaner's Intelligent cookie thing would work for AuBuchon?
    Dunno know, haven't tried to do that yet
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •