Showing posts with label 2fa. Show all posts
Showing posts with label 2fa. Show all posts


Deficiency in Tumblr's two-factor authentication (2FA) implementation

This blog is mirrored, using an IFTTT applet (f.k.a. recipe), to  Two-factor authentication on a Tumblr account supports two methods: an app code generator (e.g. Google Authenticator, Authy, Duo Mobile), and SMS. Notably, it does not generate a list of one-time backup codes like most services do.

Backup codes are necessary in case the device is not accessible, e.g. lost or stolen, particularly if you are abroad without your usual SIM (perhaps it is also stolen) which means that SMS would not reach you.

SMS is not recommended for routine two-factor use because SMS can be hijacked. The National Institute of Standards and Technology (NIST) does not recommend SMS for two-factor authentication. See also: The Verge, and Schneier. As such, I normally do not enable SMS as a second factor.

Getting to the point, I got a new phone yesterday. I spent a couple of hours the night before making sure I had backup codes and/or a secondary method for the 2nd factor. All went well, but I had no Tumblr backup codes. Nor did I set SMS as an auth method.

Tumblr's recovery process requires that you have a photo of your face on your Tumblr account (avatar, etc.). Then, you send a picture of yourself holding a piece of paper with something particular written on it, which you then send to them, together with the URL of the picture already on Tumblr.

So, is now no longer under my control. It will, however, keep getting mirrors of posts here as long as IFTTT remains up.