I had MFA in my AWAS account using a hardware device. Just last night he battery finally wore out and I wasn't able to login. So I clicked the link saying I'm not able to login... and within 15 minutes amazon called me back to remove the MFA on the account. They asked for the email on the account, and to repeat back a code they emailed me.
So in the end, after thinking I was all secure with this special hardware one time token generating device, it falls back to email + phone, both of which can get taken over easily.
Did Amazon recently merge the retail 2FA TOTP setup and the AWS 2FA TOTP setup? My normal retail 2FA TOTP code failed, but my AWS code worked for getting me into the retail 2FA settings (and also into the AWS settings).
Which seems really odd to me. Because I know I had two separate 2FA TOTP seeds, one for AWS, one for retail.
I've read horror stories about people who's personal and seller Amazon accounts were conflated. As such, I recommend keeping AWS and retail usage completely separate. Different email, different card, different name too if possible.
That's odd indeed. I have a different 2FA seed for my retail and AWS account, but I've never tried using the wrong one but it's conceivably they allow you to use either
Anyone know if you can use the authenticator app on more than one device? My wife and I share the same Amazon account and it would suck if I had to generate a token for her whenever she wanted to buy something. I don't want to have separate accounts because I don't want to pay for Prime more than once.
Anyone know if you can use the authenticator
app on more than one device?
Not only can you do that, you can scan the QR code in the image in the article and get the author's TOTP credentials in 'Google Authenticator'.
The normal way to do phone-based 2FA is a QR code with data of the format "otpauth://totp/yourusername?secret=1F56D7AFLONGBASE64&issuer=Amazon" where the secret is the secret needed for TOTP [2] one-time code generation.
As such, you can write down the secret (or print out the QR code) and scan it into other phones (or use it with tools like oathtool on linux) and they'll then generate identical codes to your main phone.
Obviously, if you store your TOTP secret alongside your password or keep a copy somewhere that isn't safe, there's no point in using 2FA. And if people fuck this up too often 2FA users will start insisting we install twenty shit proprietary apps (one for steam, one for salesforce, one for symantec vip access....) and nobody wants that. So use your new powers with care!
The simple way to do this is to use the authenticator app on each of your phones and scan the QR code at the same time, when you setup 2FA. Since it's time-based, your apps will always be in sync and showing the same code.
Yes, there is oathtool that you can use on Linux (well, that's how it's called in Debian). I use the same, just type:
oathtool --totp -b "key value"
where your "key value" is your secret (same thing you would get if you scan QR
code). And then you just need to keep the secret safe, and you can run it on as
many devices you need.
EDIT: just realized that michaelt had much more substantial comment.
[+] [-] azinman2|9 years ago|reply
So in the end, after thinking I was all secure with this special hardware one time token generating device, it falls back to email + phone, both of which can get taken over easily.
[+] [-] vollmond|9 years ago|reply
How easy is it really for someone to intercept a phone call Amazon makes to your number?
(edit: I'm not arguing, I really don't know)
[+] [-] riffraff|9 years ago|reply
[+] [-] gozur88|9 years ago|reply
[+] [-] jjnoakes|9 years ago|reply
Which seems really odd to me. Because I know I had two separate 2FA TOTP seeds, one for AWS, one for retail.
Anyone else notice anything like this?
[+] [-] koolba|9 years ago|reply
[+] [-] grapehut|9 years ago|reply
[+] [-] taylorwc|9 years ago|reply
[+] [-] stuff4ben|9 years ago|reply
[+] [-] michaelt|9 years ago|reply
The normal way to do phone-based 2FA is a QR code with data of the format "otpauth://totp/yourusername?secret=1F56D7AFLONGBASE64&issuer=Amazon" where the secret is the secret needed for TOTP [2] one-time code generation.
As such, you can write down the secret (or print out the QR code) and scan it into other phones (or use it with tools like oathtool on linux) and they'll then generate identical codes to your main phone.
Obviously, if you store your TOTP secret alongside your password or keep a copy somewhere that isn't safe, there's no point in using 2FA. And if people fuck this up too often 2FA users will start insisting we install twenty shit proprietary apps (one for steam, one for salesforce, one for symantec vip access....) and nobody wants that. So use your new powers with care!
[1] https://www.eff.org/files/styles/large/public/2016/12/19/ama... [2] https://en.wikipedia.org/wiki/Time-based_One-time_Password_A...
[+] [-] fooey|9 years ago|reply
https://www.amazon.com/gp/help/customer/display.html?nodeId=...
https://www.amazon.com/myh/households
[+] [-] taylorwc|9 years ago|reply
[+] [-] avens19|9 years ago|reply
[+] [-] ust|9 years ago|reply
oathtool --totp -b "key value"
where your "key value" is your secret (same thing you would get if you scan QR code). And then you just need to keep the secret safe, and you can run it on as many devices you need.
EDIT: just realized that michaelt had much more substantial comment.
[+] [-] tedd4u|9 years ago|reply
[0] https://1password.com/
[+] [-] dbg31415|9 years ago|reply
* Google 2-Step Verification || https://www.google.com/landing/2step/
And for everything else...
* Turn On 2FA | Turn It On || https://www.turnon2fa.com/