MFA Alternative

VisiblyPresent
Intermediate III

‎08-17-2023 06:55 AM - edited ‎02-02-2024 01:27 PM

FWIW, the latest version of the app (at least on Android) now supports an alternative to MFA:

What's new

· Trusted Devices as an alternative to MFA OTP for a faster and more secure login experience
· Promo code text box to apply discounts towards monthly service plan balance
· Bug fixes and performance improvements
 
Install the updated app on an alternate device (no browser support yet it appears). Open the app on that device an sign in, you'll be prompted to enter the code sent to you primary phone via SMS. Enter it and check the box that says "Don't require verification for future logins on this trusted device"
 
P.S. Other sources indicate it's now available with the latest iOS update.
 
Still not the optimal solution but a giant step forward in the right direction. So Kudos to Visible. Once trusted devices are added in this manner they can be managed from the app under Privacy, Account Security.
 
Some others have reported that it was necessary to clear their apps cache and data to get this to work - probably depends on operating system version.
 
P.P.S. As currently implemented with no browser support, this does does require having a second phone so offers little relief to those having only a single phone on Visible. The app (at least on Android) always automatically entered the SMS OTP code on receipt when used with the phone registered with the Visible phone number - effectively your Visible phone is already a "trusted" device with that automatic feature. As has been noted, when SMS isn't working or the phone isn't working folks weren't able to sign into their account. This update does provide relief to those having a second.
 
IMHO, Visible still needs to implement alternate MFA via email, an alternate phone number, or an authenticator app (e.g. Google or Microsoft) to fully address security issues associated with compromised usernames and passwords. Effectively this update actually weakens allowing OTP to be bypassed on an alternate device (it already does that automatically on the primary device)- nothing wrong with that provided users understand the consequences, but novices may not fully comprehend the impact of doing so. Similarly, Visible should move away from using email addresses for the app signin - once a bad actor has your email address and knows you're a Visible user, they're 1/2 way there to getting past the sign-in prompt and can start guessing the password if the device falls into the wrong hands. Disabling OTP doesn't provide a more secure login experience as claimed the What's New but is faster and gets around the issues with signing in when SMS or the device is not functioning. Don't confuse convenience and security - the two often conflict.
Labels:
0 Kudos
2 REPLIES 2

chmedly
Novice II

‎02-02-2024 08:09 AM

I just tried to login to my account without the sim at hand and discovered this terrible problem. I agree that alternative MFAs need to exist. How does a soccer mom handle all of her kids accounts when their devices are spread all over town? 

I want yubikey support for the MFA. 

 

0 Kudos

VisiblyPresent
Intermediate III
In response to chmedly

‎02-02-2024 01:21 PM - edited ‎02-02-2024 01:24 PM

Not much has changed since August with the MFA (nor do I suspect much will). Visible's recommendation is to consider using bio-metrics or establishing trusted devices. In your case, you'd want your device(s) established as a trusted device for your kids' accounts allowing you to manage all of them. See: https://www.visible.com/help/multi-factor-authentication.

Specifically, you'd login to each of your kids' accounts from your device when they are present so that you could check the trusted device checkbox while entering the code their phones receive.

Unfortunately Visible by Verizon isn't real family friendly (not really their market) - if they were, they'd be the same as Total by Verizon for all intents and purposes.

0 Kudos
Copyright © 2024 Khoros, LLC