Symantec VIP Access register (3/10/2024)

I recently discovered that multiple unrelated websites that use Symantec VIP Access ask you to enter the "Credential ID" at the top of the app. It also seems this value is used to seed the OTP, which I verified by using the same 6-digit code to log in to both websites. Unless I'm missing something, that means if someone is able to steal my credential ID from one of the sites, they can now spoof my MFA codes on any of them. I've thought of a couple of possibilities for why this might be OK. An attacker who can spoof the MFA codes would still need to know your username/password on each of the websites, but it seems like, for relatively low cost, this potential risk could be further mitigated by having the app generate/track multiple credential IDs which would be linked to the device+website instead of just the device. If someone has access to your phone, they can already swipe to your other credential IDs. There's still the other possibility where one of the sites stores your credential ID locally and gets compromised. Am I missing something obvious? How is this not a security disaster waiting to happen?

I'm not really sure that it's that difficult to "spoof". If someone is able to take a picture of your "credential id" on your phone, they can likely just initialize that same Symantec app on their own phone, and then they are able to generate codes just like your phone. But they likely have to allow you to move to a new phone somehow. And for Google Authenticator it's the private key that allows you to move to a new phone. So it seems likely that "confidential id" is how to do it for Symantec. Google Authenticator does NOT work in this same way. It requires you to get a number code or use a QR code (which represents the same number) to initialize a new account for each bank or company. This code is only known to you (I believe it is generated from a code provided by the bank or company you are setting up 2FA with). So that bank or company never gets your "private" key (or in this case "confidential id"). For GA you are required to save the private key off, and it is only ever shown at the time that the 2FA link is created. If you have to move phones and you don't have your private key, you have to manually call and provide proof to that company that you are who you are to disable 2FA, and then you can set it up again on the new phone. If you have the private code saved off, you can use it on your new phone to set up GA again on that new phone (I've had to move phones before and went through this process for all of my accounts).
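The two situations discussed above, a single seed shared by every site versus one seed per enrollment, modelled as an added example. This is not code from the page, from Symantec, or from Google; it uses a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) as a stand-in for whatever VIP Access actually derives the code from, which this page does not establish. The site names bank.example and shop.example, the user name, the RelyingParty class and the three seeds are all constructed for the example (the first seed is the RFC 6238 test secret, so the codes it produces can be checked against the RFC's vectors).

```python
"""Added example: why a seed shared across sites yields one OTP stream.

Not code from the page, from Symantec VIP Access, or from Google
Authenticator. Assumes a standard RFC 6238 TOTP (HMAC-SHA1, 30 s step,
6 digits); site names, user name and seeds are constructed for the example.
"""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // STEP, digits)


class RelyingParty:
    """A website's OTP verifier (hypothetical). It keeps whatever seed it was
    enrolled with, which is exactly what a breach of that site would expose."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.seeds = {}  # username -> seed bytes

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify(self, user: str, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps (clock drift)."""
        seed = self.seeds.get(user)
        if seed is None:
            return False
        return any(
            hmac.compare_digest(totp(seed, unix_time + drift * STEP), code)
            for drift in range(-window, window + 1)
        )


# Constructed seeds. DEVICE_SEED is the RFC 6238 test secret.
DEVICE_SEED = b"12345678901234567890"
BANK_SEED = b"bank-enrollment-seed"
SHOP_SEED = b"shop-enrollment-seed"


def shared_seed_scenario(unix_time: int) -> dict:
    """The question's model: one device-wide seed enrolled at every site.
    A seed taken from one site's store (or read off the phone) then
    produces codes every site accepts."""
    bank = RelyingParty("bank.example")
    shop = RelyingParty("shop.example")
    bank.enroll("alice", DEVICE_SEED)
    shop.enroll("alice", DEVICE_SEED)
    attacker_code = totp(shop.seeds["alice"], unix_time)  # seed lifted from shop
    return {
        "same_code_everywhere": totp(DEVICE_SEED, unix_time) == attacker_code,
        "bank_accepts_code_from_shop_seed": bank.verify("alice", attacker_code, unix_time),
    }


def per_account_seed_scenario(unix_time: int) -> dict:
    """The answer's Google Authenticator model: each enrollment gets its own
    seed, so a seed stolen from one site only yields codes that site accepts."""
    bank = RelyingParty("bank.example")
    shop = RelyingParty("shop.example")
    bank.enroll("alice", BANK_SEED)
    shop.enroll("alice", SHOP_SEED)
    attacker_code = totp(shop.seeds["alice"], unix_time)  # seed lifted from shop
    return {
        "shop_accepts_code_from_shop_seed": shop.verify("alice", attacker_code, unix_time),
        "bank_accepts_code_from_shop_seed": bank.verify("alice", attacker_code, unix_time),
    }


if __name__ == "__main__":
    import time

    now = int(time.time())
    print("shared seed:     ", shared_seed_scenario(now))
    print("per-account seed:", per_account_seed_scenario(now))
```

The point the block makes is that an OTP verifier can only be as independent as its seed: whoever holds the seed, whether a second phone provisioned from a photographed enrollment or an attacker who read it out of a breached site's store, computes the same code stream as the legitimate device, and if every site was enrolled with the same seed that stream opens every one of them. Per-enrollment seeds, the Google Authenticator arrangement the answer describes, confine a stolen seed to the one site it was issued for; the cost is that each site must be re-enrolled (or its saved seed restored) when the phone is replaced.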