william_a (New Poster, 2 Messages) - Tue, Feb 18, 2020 7:00 AM

Support for 2FA with non-Xfinity Authenticator App

I tried to set up 2FA on my Xfinity account today, only to realize that I was being forced into installing an Xfinity app. If you know what 2FA is... you probably already have another authenticator app.

 

Why on earth would you want to install a 2FA app for each and every service you use? Why not allow users to consolidate and use any 2FA app? It really highlights Xfinity's ignorance, as does your webchat bot.

Responses

jav6joev (Gold Problem Solver, 2.2K Messages) - 2 y ago

Appears the Xfinity Authentication App has a few more features included specific to Comcast/Xfinity accounts:

Multi-Factor Authentication for Signing in and Xfinity Authenticator Setup

Comcast offers Multi-Factor Authentication using the Xfinity Authenticator app to provide extra layers of security for logging in and accessing most of your Xfinity services. The Xfinity Authenticator app is available for download on Apple and Android (phones only).

Xfinity Authenticator alerts you when someone attempts to use your Xfinity ID and password to sign in to your account. You can approve or deny the login attempt with a traditional verification code, yes/no button push, one-touch fingerprint ID or facial recognition.

Visitor (1 Message)

@jav6joev

You did not answer the question as posed. 

Again (Expert, 26.4K Messages)

@user_f533f2

You responded to a 16 month old post.

If you're having issues, please start a new thread describing your problem.

This one is now closed.

I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
william_a (New Poster, 2 Messages) - 2 y ago

It's actually more secure. If you're interested, you can read about it here:

https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm

 

Generally, an app/service will display a QR code or give you the corresponding secret key phrase, which you then plug into any app (or develop your own). You could then manage it all with one app.

 

I'd wager that Xfinity's app uses the same authentication mechanism. They should just display the stinking QR code. I'm not installing that app.

jav6joev (Gold Problem Solver, 2.2K Messages) - 2 y ago

Wouldn't any 2FA be unique to whatever service is implementing it? Why would they use a generic 2FA scheme not under their control and susceptible to possible hacking?

jfederline (Contributor, 50 Messages) - 2 y ago

I have to agree that it is silly to have a "special" 2FA app just to access one vendor's online customer service account. The veteran 2FA app user won't use it; they have a soft 2FA token app from Google, Microsoft, Authy or LastPass already, and Xfinity should support them. And it is disingenuous to allow the uninitiated to believe such a one-off app is necessary, not to mention non-supportive of industry interoperability. It's energy that could have garnered them some respect; instead it is off-putting.

New Poster (1 Message) - 1 y ago

It's worse than just a different unique app. Their app supports standard 2FA QR codes, which means their 2FA implementation is probably backed by the same. So really all they're doing is refusing to give us access to the code that would allow us to use any standard 2FA key provider. I'm sure it's all done in the name of gathering even more data on their users, as if they don't know enough about me already.

New Poster (1 Message) - 1 y ago

Yet another inconvenienced user here, and I agree wholeheartedly with OP. This is brain dead.

 

Here's my dilemma:

 

I'm on the Apple Upgrade Plan and at least once a year, I restore the backup of my previous phone to my new phone. The Xfinity authenticator app does not offer a mechanism to backup the 2FA seed, and so every year, I'm compelled to go through the cumbersome process of reinstalling and reconfiguring the Xfinity Authenticator app. I have dozens of other 2FA seeds encrypted and securely backed up in iCloud with my generic authenticator app that are higher value than my Comcast account. 

 

This is a major inconvenience, but to make matters worse, Comcast still allows SMS as a backup 2FA mechanism that cannot be removed. I work in infosec, and this is not how to implement 2FA securely. In 2020, it's trivial for a motivated attacker to social engineer wireless carriers to port a mobile number and defeat 2FA by retrieving the SMS code. This is so common that NIST issued a public guideline in June 2017 recommending that POTS and SMS not be used for out-of-band 2FA mechanisms: https://pages.nist.gov/800-63-3/sp800-63b.html

 

Comcast Product Team: Let us use generic 2FA apps. The insignificant number of customers using generic authenticator apps do not appreciate the value add and will not disrupt your metrics. Implementation and recurring cost (testing) wise, it's no extra work. You're already using an open protocol. Give us a two week sprint and reveal the seed in the authenticator app.

 

For those of you who can't wait for Comcast, install the app on a jailbroken iPhone and you can extract the seed using a debugger. The seed works with Authy.
