Support for 2FA with non-Xfinity Authenticator App

New Poster

Support for 2FA with non-Xfinity Authenticator App

I tried to set up 2FA on my Xfinity account today, only to realize that I was being forced into installing an Xfinity app. If you know what 2FA is...you probably already have another authenticator app.


Why on earth would you want to install a 2FA app for each and every service you use??? Why not allow users to consolidate and use any 2FA app??? It really highlights Xfinity's ignorance, as does your webchat bot.

Problem Solver

Re: Support for 2FA with non-Xfinity Authenticator App

Wouldn't any 2FA be unique to whatever service is implementing it? Why would they use a generic 2FA scheme not under their control and susceptible to possible hacking?

Joe V
(not a Comcast employee, just another paying customer)
New Poster

Re: Support for 2FA with non-Xfinity Authenticator App

It's actually more secure. If you're interested, you can read about it here:

https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm


Generally, an app/service will display a qr code or give you the corresponding secret key phrase, which you then plug into any app (or develop your own). You could then manage it all with 1 app.


I'd wager that Xfinity's app uses the same authentication mechanism. They should just display the stinking qr code. I'm not installing that app.

Problem Solver

Re: Support for 2FA with non-Xfinity Authenticator App

Appears the Xfinity Authentication App has a few more features included specific to Comcast/Xfinity accounts:

Multi-Factor Authentication for Signing in and Xfinity Authenticator Setup

Comcast offers Multi-Factor Authentication using the Xfinity Authenticator app to provide extra layers of security for logging in and accessing most of your Xfinity services. The Xfinity Authenticator app is available for download on Apple and Android (phones only).

Xfinity Authenticator alerts you when someone attempts to use your Xfinity ID and password to sign in to your account. You can approve or deny the login attempt with a traditional verification code, yes/no button push, one-touch fingerprint ID or facial recognition.
Joe V
(not a Comcast employee, just another paying customer)
Contributor

Re: Support for 2FA with non-Xfinity Authenticator App

I have to agree that it is silly to have a "special" 2FA app just to access one vendor's online customer service account. The veteran 2FA app user won't use it; they have a soft 2FA token app from Google, Microsoft, Authy or LastPass already, and Xfinity should support them. And it is disingenuous to allow the uninitiated to believe such a one-off app is necessary, not to mention non-supportive of industry interoperability. It's energy that could have garnered them some respect; instead it is off-putting.

New Poster

Re: Support for 2FA with non-Xfinity Authenticator App

It's worse than just a different unique app. Their app supports standard 2FA QR codes, which means their 2FA implementation is probably backed by the same. So really all they're doing is refusing to give us access to the code that would allow us to use any standard 2FA key provider. I'm sure it's all done in the name of gathering even more data on their users, as if they don't know enough about me already.

New Poster

Re: Support for 2FA with non-Xfinity Authenticator App

Yet another inconvenienced user here, and I agree wholeheartedly with OP. This is brain dead.


Here's my dilemma:


I'm on the Apple Upgrade Plan and at least once a year, I restore the backup of my previous phone to my new phone. The Xfinity Authenticator app does not offer a mechanism to back up the 2FA seed, and so every year I'm compelled to go through the cumbersome process of reinstalling and reconfiguring the Xfinity Authenticator app. I have dozens of other 2FA seeds encrypted and securely backed up in iCloud with my generic authenticator app that are higher value than my Comcast account.


This is a major inconvenience, but to make matters worse, Comcast still allows SMS as a backup 2FA mechanism that cannot be removed. I work in infosec and this is not how to implement 2FA securely. In 2020, it's trivial for a motivated attacker to social engineer wireless carriers to port a mobile number and defeat 2FA by retrieving the SMS code. This is so common that NIST issued a public guideline in June 2017, recommending POTS and SMS not be used for out-of-band 2FA mechanisms: https://pages.nist.gov/800-63-3/sp800-63b.html


Comcast Product Team: Let us use generic 2FA apps. The insignificant number of customers using generic authenticator apps do not appreciate the value add and will not disrupt your metrics. Implementation and recurring cost (testing) wise, it's no extra work. You're already using an open protocol. Give us a two week sprint and reveal the seed in the authenticator app.


For those of you who can't wait for Comcast, install the app on a jailbroken iPhone and you can extract the seed using a debugger. The seed works with Authy.