
How to Enable Two-Factor Authentication on Amazon - maxt
https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-amazon
======
azinman2
I had MFA in my AWS account using a hardware device. Just last night the
battery finally wore out and I wasn't able to login. So I clicked the link
saying I'm not able to login... and within 15 minutes amazon called me back to
remove the MFA on the account. They asked for the email on the account, and to
repeat back a code they emailed me.

So in the end, after thinking I was all secure with this special hardware one
time token generating device, it falls back to email + phone, both of which
can get taken over easily.

~~~
vollmond
> it falls back to email + phone, both of which can get taken over easily.

How easy is it really for someone to intercept a phone call Amazon makes to
your number?

(edit: I'm not arguing, I really don't know)

~~~
ohyeshedid
Attackers can social engineer the carrier to provision service onto a new sim
card, which means they then have access to calling and sms.

~~~
Ajedi32
Specific example of this, for reference: [https://medium.com/internet-creators-guild/getting-hacked-as...](https://medium.com/internet-creators-guild/getting-hacked-as-an-internet-creator-982d03637e86)

------
jjnoakes
Did Amazon recently merge the retail 2FA TOTP setup and the AWS 2FA TOTP
setup? My normal retail 2FA TOTP code failed, but my AWS code worked for
getting me into the retail 2FA settings (and also into the AWS settings).

Which seems really odd to me. Because I know I had two separate 2FA TOTP
seeds, one for AWS, one for retail.

Anyone else notice anything like this?

~~~
grapehut
That's odd indeed. I have a different 2FA seed for my retail and AWS account,
but I've never tried using the wrong one. It's conceivable they allow you to
use either.

~~~
jjnoakes
I wasn't able to use either though, as I said above. My retail 2FA TOTP failed
for my retail account, but my AWS 2FA TOTP worked for my retail account (and
for my AWS account).

So something shady is going on.

------
stuff4ben
Anyone know if you can use the authenticator app on more than one device? My
wife and I share the same Amazon account and it would suck if I had to
generate a token for her whenever she wanted to buy something. I don't want to
have separate accounts because I don't want to pay for Prime more than once.

~~~
michaelt

      Anyone know if you can use the authenticator
      app on more than one device?
    

Not only can you do that, you can scan the QR code in the image in the article
and get the author's TOTP credentials in 'Google Authenticator'.

The normal way to do phone-based 2FA is a QR code with data of the format
"otpauth://totp/yourusername?secret=1F56D7AFLONGBASE64&issuer=Amazon" where
the secret is the secret needed for TOTP [2] one-time code generation.

As such, you can write down the secret (or print out the QR code) and scan it
into other phones (or use it with tools like oathtool on linux) and they'll
then generate identical codes to your main phone.

Obviously, if you store your TOTP secret alongside your password or keep a
copy somewhere that isn't safe, there's no point in using 2FA. And if people
fuck this up too often 2FA users will start insisting we install twenty shit
proprietary apps (one for steam, one for salesforce, one for symantec vip
access....) and nobody wants that. So use your new powers with care!

[1]
[https://www.eff.org/files/styles/large/public/2016/12/19/ama...](https://www.eff.org/files/styles/large/public/2016/12/19/amazon_6.png?itok=vlg3tjCh)
[2] [https://en.wikipedia.org/wiki/Time-based_One-time_Password_A...](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
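
The otpauth URI parsing and code generation described in the comment above, as an added example that is not part of the original thread or of any Amazon tooling. It parses a provisioning URI of the `otpauth://totp/...?secret=...&issuer=...` form, base32-decodes the secret, and computes RFC 4226 HOTP / RFC 6238 TOTP codes from it, plus the windowed, constant-time check a verifier would do. The label, issuer and key material in the demo are constructed test values (the key is the RFC 6238 reference secret), not anyone's real credentials.

```python
"""Parse an otpauth://totp URI from a 2FA QR code and generate TOTP codes.

Added example (not from the original thread). Uses only the standard library;
defaults (SHA1, 6 digits, 30-second period) follow the common key-URI format
that authenticator apps expect when the URI omits those parameters.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse


def build_otpauth_uri(label: str, issuer: str, key: bytes,
                      digits: int = 6, period: int = 30,
                      algorithm: str = "SHA1") -> str:
    """Build the URI an enrolment QR code would carry (secret is base32)."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer, safe='')}:{quote(label, safe='')}"
            f"?secret={secret}&issuer={quote(issuer, safe='')}"
            f"&digits={digits}&period={period}&algorithm={algorithm}")


def parse_otpauth(uri: str) -> dict:
    """Extract key and parameters from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params["secret"].replace(" ", "").upper()
    # QR codes often omit base32 padding; restore it before decoding.
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(key: bytes, counter: int, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params: dict, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    counter = int(now // params["period"])
    return hotp(params["key"], counter, params["digits"], params["algorithm"])


def verify(params: dict, code: str, at: Optional[float] = None,
           window: int = 1) -> bool:
    """Server-side check: accept codes from the current step +/- `window`
    steps (clock skew), comparing in constant time."""
    now = time.time() if at is None else at
    counter = int(now // params["period"])
    for step in range(counter - window, counter + window + 1):
        expected = hotp(params["key"], step, params["digits"],
                        params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 reference key, a made-up label.
    demo_uri = build_otpauth_uri("alice@example.com", "Amazon",
                                 b"12345678901234567890")
    p = parse_otpauth(demo_uri)
    print("URI:", demo_uri)
    print("code at T=59:", totp(p, 59))   # same as HOTP counter 1
    print("code now:", totp(p))
```

Any second phone, password manager or CLI that gets the same URI will produce the same codes; for comparison, `oathtool --totp -b <base32-secret>` on Linux should agree with `totp(p)` for the SHA1/6-digit/30-second defaults. That is exactly why a printed or photographed QR code has to be protected like the password it is meant to back up.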

~~~
ckcheng
Printing out or otherwise saving the QR code (somewhere safe) is also the only
way to have a backup code in case the device is lost or broken, because they
don't provide one-time backup codes (unlike pretty much everyone else).

Then again, it sounds like it's really easy to disable 2FA with just a simple
phone call, so...

------
dbg31415
And for Gmail

* Google 2-Step Verification || [https://www.google.com/landing/2step/](https://www.google.com/landing/2step/)

And for everything else...

* Turn On 2FA | Turn It On || [https://www.turnon2fa.com/](https://www.turnon2fa.com/)

