[randomroyalty]

Google, Apple and Microsoft as well as many other services offer 2 step authentication. BlackBerry still doesn't.

For all their vaunted security, I find this pretty lame and makes me take BlackBerry less seriously when it comes to security.

Posted via CB10

[MobileMadness002]

2 Step Auth for what? Registering your ICCID or MEID on the backend servers when associating your BBID with the device PIN.

And besides, the security is mainly with BES connectivity. Till your on a BES, your device is as as secure as the user.

[randomroyalty]

I disagree...anyone with your BBID and your password can take over your BBM, BBWorld and probably wipe your phone. With 2 step authentication they either need your authenticator or the text message with the auth code.

And not everyone is on BES...

I'm concerned that BlackBerry is lax in protecting my account, and wonder why they haven't implemented a beefier authentication option.

Posted via the CrackBerry App for Android

[peter0328]

Agreed. They need to add 2 factor authentication.

Posted via CB10

[Superdupont 2_0]

I respectfully disagree.

Google, Apple and Microsoft IDs are associated with cloud services which (potentially) backup all content of your device.

The BlackBerry ID however is not linked to any such service.
Even if my BlackBerry ID + password would be leaked, the attacker would not have access to any private communication, files, contacts or calendar .

The attacker could only remotely wipe my device, and I am tempted to say that I would deserve this little treatment when I leaked a password.

I like to make things secure, but I use my limited resources for the critical vulnerabilities.


Posted via CB10

[keithhackneysmullet]

There is no excuse for weak security from a company who sells it's self as the standard in mobile security.

Posted via CB10

[Prem WatsApp]

Maybe it's already in the pipeline as we speak?

:-)



�   Chendroid or not? - QNoX powered ftw...?   �

[LazyEvul]

The attacker could only remotely wipe my device, and I am tempted to say that I would deserve this little treatment when I leaked a password.

I like to make things secure, but I use my limited resources for the critical vulnerabilities.


Posted via CB10

What if it isn't you? What if BlackBerry's password database is broken into? This is the entire point of two-factor authentication - an extra layer of protection if other security measures fail. Any company that takes security seriously should be prepared for the worst-case scenario.

As such, it's pretty laughable that BlackBerry, a supposedly security-conscious company, doesn't offer 2FA - this has been considered Security 101 for some time now.

[bobshine]

Security is about cost / benefit.

You don't spend millions on a bank vault to protect 8 rolls of toilet paper you just bought right?

I don't see the point of spending millions on a two factors authentication just to prevent someone from logging in to your account.

There is nothing much they can access. They can't see your previous conversations, your contacts, your personal information.

And as for BBM, it's associated to 1 PIN only so you'll know if your account is compromised.

So again, security is about a good balance between cost and benefits. It's not about getting the best most secure protection and just basically creating an empty, unbreakable shell

Posted via CB10

[Witmen]

There is no excuse for weak security from a company who sells it's self as the standard in mobile security.

Posted via CB10

Yet this thread is already starting to fill up with people making excuses!

I've always thought BlackBerry should offer two step verification. I use it on all of my accounts that have the option.

[Superdupont 2_0]

What if it isn't you? What if BlackBerry's password database is broken into? This is the entire point of two-factor authentication - an extra layer of protection if other security measures fail. Any company that takes security seriously should be prepared for the worst-case scenario.

As such, it's pretty laughable that BlackBerry, a supposedly security-conscious company, doesn't offer 2FA - this has been considered Security 101 for some time now.

Nope, the entire point of two-factor authentication is securing an asset.
The BlackBerry ID is NOT an asset, because it is not linked to any cloud service.

This was my main point and interestingly your response didn't address it.

The OP is comparing BlackBerry with Google, Apple and Microsoft, however, since BB 10 BlackBerry doesn't store any of your data on their servers anymore.
No data = no asset = no need for higher security level.


I don't like it when my boss, co-workers or business partners come up with unreasonable requests based on false information, which waste my time and money for no benefit.
And I think this request belongs to this category.

However, just to avoid any misunderstanding, you may tell me which of my data will be stolen with my BlackBerry ID in the wrong hands?

[KermEd]

However, just to avoid any misunderstanding, you may tell me which of my data will be stolen with my BlackBerry ID in the wrong hands?

Offhand my concerns around BBID would be...

BlackBerry protect in of itself grants them the ability to track you, lock your phone or remotely destroy data on your device including contact information.

Couple that with BBM doing a contact cloud sync, allowing them to kick you out of BBM and hijack your contacts on your behalf (i.e. Spam or fraud potential).

One end case, if your a developer, access to your entire app catalogue including sales information and full access to modify or delete your apps... Potentially allowing an intruder to damage your digital assets in such a way as they are unrecoverable (due entirely to the appworld vendor portal submission system).

But that's everything I can think of... I imagine the bigger problem might be how to do you do two factor when the second factor comes back to the device anyway?

Posted to CB via my Passport | Lloyd Summers | FileArchiveHaven

[itzJustMeh]

Now tell me, how could I use two-step to log in my phone, where all my two-steps I have require my phone?

[Mansoor2]

The lack of two step verification is the least of your worries if you use BBM: the messages aren't even end to end encrypted, something that even whatsapp(owned by Facebook of all companies) offers. I started using BBM when I got into bb10 but it's time to jump ship. Download telegram and enjoy the peace of mind of a secure, open source messenger.

Posted via CB10

[Superdupont 2_0]

Offhand my concerns around BBID would be...

BlackBerry protect in of itself grants them the ability to track you, lock your phone or remotely destroy data on your device including contact information.

Since I backup my data (and everyone else should do this), I do see only little damage and practically no data loss.
Tracking my location could work until I find out the breach, assuming location service is always on.

Couple that with BBM doing a contact cloud sync, allowing them to kick you out of BBM and hijack your contacts on your behalf (i.e. Spam or fraud potential).

You remember the episode of How I Met Your Mother, when the teenager is using Marshall's phone for sexting with Lily, requesting her to send some pics of her boobs?
Yes, something like this could happen here, but no classical data loss.

One end case, if your a developer, access to your entire app catalogue including sales information and full access to modify or delete your apps... Potentially allowing an intruder to damage your digital assets in such a way as they are unrecoverable (due entirely to the appworld vendor portal submission system).

Okay, that is indeed significant.
For me this would be reason enough to offer a two factor auth.

But that's everything I can think of... I imagine the bigger problem might be how to do you do two factor when the second factor comes back to the device anyway?

I think for the above threats the attacker doesn't need your device, but another BlackBerry (which in turn makes the attracker somewhat traceable for LEA)?

[Superdupont 2_0]

The lack of two step verification is the least of your worries if you use BBM: the messages aren't even end to end encrypted, something that even whatsapp(owned by Facebook of all companies) offers. I started using BBM when I got into bb10 but it's time to jump ship. Download telegram and enjoy the peace of mind of a secure, open source messenger.

Posted via CB10

WhatsApp offers end to end encryption only for Android.
And typically the app asks you to upload all your contacts informations, which is afaik at least for most Android version unavoidable.

[erwinfr]

Now tell me, how could I use two-step to log in my phone, where all my two-steps I have require my phone?

True and even on iPhone en i think Android, when you log in with your ID on first setup of your phone, there is no 2 step verification.

[Warlack]

There are several ways how strong authentication could be implemented and it would make sense.

Furthermore I have not been able to use strong authentication for the enterprise store, allowing me access to the whole BES12 cloud.

This is something I believe is a bigger omission...
RSA is a security company and all resources which might be remotely worth securing are secured with strong authentication.

Secure passwords are secure as long as they are just available to the right person. Keylogger and many other attacks are posing a high risk that even a 100 character password of an admin from a large organisation is leaked obtained by a hacker.

All information that could be gathered from the BES is not too sensitive, but can be used in a more elaborate attack.


Posted via CB10

[Prem WatsApp]

There are several ways how strong authentication could be implemented and it would make sense.

Furthermore I have not been able to use strong authentication for the enterprise store, allowing me access to the whole BES12 cloud.

This is something I believe is a bigger omission...
RSA is a security company and all resources which might be remotely worth securing are secured with strong authentication.

Secure passwords are secure as long as they are just available to the right person. Keylogger and many other attacks are posing a high risk that even a 100 character password of an admin from a large organisation is leaked obtained by a hacker.

All information that could be gathered from the BES is not too sensitive, but can be used in a more elaborate attack.


Posted via CB10

Not as big as omitting a lock-out after X retries... see iCloud hacks!

:-)

�   Chendroid or not? - That is the question...   �

[randomroyalty]

Whether or not 2 factor authentication is necessary (and valid arguments have been made) is not the point. If Blackberry's only real competitive advantage is security, it must at least give the impression that relatively simple to implement measures are in place.

And since BlackBerry has complete access to your phone via the ID, I would not assume that private data is not sitting on their servers.

Posted via the CrackBerry App for Android

[mutigbeere]

BBM Money is already used in some countries. That in itself should warrant 2-step authentication. I don't think that BBM Money could go global without it.

[Superdupont 2_0]

And since BlackBerry has complete access to your phone via the ID, I would not assume that private data is not sitting on their servers.

Nope, they don't have complete access to you phone and if a security researcher would find a any prove for your claim, BlackBerry as a company would be history the next day.

Actually BB 10 devices have a hidden monitoring tool for admins (disabled by default), which is normally used for trouble shooting, but I would imagine one could use it to detect suspicious traffic.
Unfortunately I have forgotten the name of this tool...

[KermEd]

Since I backup my data (and everyone else should do this), I do see only little damage and practically no data loss.
...

I agree, for me, it's more that it would be a nice to have for edge cases like me. But certainly not too scary - no vendor portal supports two stage auth today anyway.

Posted to CB via my Passport | Lloyd Summers | FileArchiveHaven

[jdesignz]

They need to implement alphanumeric+special characters on BBID password. No need for 2SA.

Cheers!

Pasaporte Pilipinas | SQW100-1/10.3.2.2339

[mad_mdx]

What's the point if it just goes back to your phone.