Here is another topic which could go in two sub sections - one technical (where it perhaps won't be seen by so many) and one more general. I have decided to post to the general area first, as the technical aspects are subsidiary. [Of course if posts could be tagged - see "Smart Thread" idea mentioned earlier elsewhere, this could easily be done in other ways. Indeed this site does support tags - but maybe not so many of us have noticed - yet! Whether the tags could be used in a helpful way in this forum I can't be sure yet.]
Over the last few months I have become more aware of two factor identification, and the benefits, and disadvantages which arise from it. Allegedly the advantages are that it makes some transactions or access to sites more secure, and "verifies" the identity of the person accessing sites or authorising payment. Having said that, there are ways to subvert it - which I won't go into here - but they are documented elsewhere.
My concerns are that this extra security may be obtained at a very high cost in terms of convenience, and also that unexpected behaviour can emerge which is most likely undesirable.
The problems with two factor identification on the Apple store have been discussed in the Tecchie thread.
Problems can arise with banks and credit card companies, as I noted a few days ago. One bank I deal with sometimes uses a second line of verification when dealing with on-line transactions, but it usually manages to give me an online notification of what is going to happen, so it's manageable.
Another bank/credit card company seems to make assumptions, and is rather less helpful. A few days ago I tried to order some software from the USA. This was from two separate companies. The first transaction failed - and partly that was because the web site was unclear about the information it wanted - whether a start or expiry date on the card. I tried again, using the expiry date instead of the start date, but it still failed. After two attempts I used another credit card to do the transaction, which was successful.
I then thought I'd try the second order with the original card, but again that failed, and I had to resort to the other card for the transaction - again successful.
A day later I started to get automated messages from the bank asking me to check for fraud. So much for banks "never phoning you up ..."!!!! However, finally it emerged that the bank has been using two factor identification, apparently based on my mobile phone. As it happened, I had temporarily lost my mobile phone (thankfully now been found) - though that is somewhat irrelevant as (a) the phone was switched off, and (b) we live in an area where mobile phone reception is poor, so many calls don't get through. However, text messages may be OK.
It seems that the particular bank probably does not use two factor authentication on transactions within the UK, or maybe even the EU, but for transactions with US companies such checks are likely. However, without an on screen message telling the user that this process is to be invoked, which might at least alert him/her to turn a mobile phone on, and maybe place it somewhere where there is a chance that a text message can be picked up, this is useless.
At least I know now, though a consequence of this is that I will now try to be more careful about where I put my phone. The particular phone is probably not my smart phone, because that runs down so fast that it's next to useless unless I really want to use it - but an older one which will retain a charge for a long time, and not run down every one or two days.
Technology is supposed to make some things simpler and easier - which it often does - but sometimes it makes for added and puzzling unwanted complications.
Over the last few months I have become more aware of two factor identification, and the benefits, and disadvantages which arise from it. Allegedly the advantages are that it makes some transactions or access to sites more secure, and "verifies" the identity of the person accessing sites or authorising payment. Having said that, there are ways to subvert it - which I won't go into here - but they are documented elsewhere.
My concerns are that this extra security may be obtained at a very high cost in terms of convenience, and also that unexpected behaviour can emerge which is most likely undesirable.
The problems with two factor identification on the Apple store have been discussed in the Tecchie thread.
Problems can arise with banks and credit card companies, as I noted a few days ago. One bank I deal with sometimes uses a second line of verification when dealing with on-line transactions, but it usually manages to give me an online notification of what is going to happen, so it's manageable.
Another bank/credit card company seems to make assumptions, and is rather less helpful. A few days ago I tried to order some software from the USA. This was from two separate companies. The first transaction failed - and partly that was because the web site was unclear about the information it wanted - whether a start or expiry date on the card. I tried again, using the expiry date instead of the start date, but it still failed. After two attempts I used another credit card to do the transaction, which was successful.
I then thought I'd try the second order with the original card, but again that failed, and I had to resort to the other card for the transaction - again successful.
A day later I started to get automated messages from the bank asking me to check for fraud. So much for banks "never phoning you up ..."!!!! However, finally it emerged that the bank has been using two factor identification, apparently based on my mobile phone. As it happened, I had temporarily lost my mobile phone (thankfully now been found) - though that is somewhat irrelevant as (a) the phone was switched off, and (b) we live in an area where mobile phone reception is poor, so many calls don't get through. However, text messages may be OK.
It seems that the particular bank probably does not use two factor authentication on transactions within the UK, or maybe even the EU, but for transactions with US companies such checks are likely. However, without an on screen message telling the user that this process is to be invoked, which might at least alert him/her to turn a mobile phone on, and maybe place it somewhere where there is a chance that a text message can be picked up, this is useless.
At least I know now, though a consequence of this is that I will now try to be more careful about where I put my phone. The particular phone is probably not my smart phone, because that runs down so fast that it's next to useless unless I really want to use it - but an older one which will retain a charge for a long time, and not run down every one or two days.
Technology is supposed to make some things simpler and easier - which it often does - but sometimes it makes for added and puzzling unwanted complications.