Two factor authentication on tablets

we are trying to implement 2FA on our server and I have a question about 2FA on tablets.
Is 2FA focused only on login in browser? Shouldnt 2FA be also enabled on tablets?
Maybe only once on first login on tablet could be fine.

Thank you.

Hello @martinb,

often the same device (phone or tablet) is used to install both the Interviewer App and the Authenticator App. If such device is lost, the person that finds it gets both and 2FA will not be an additional security. Thus the device must have a lock screen enabled, which will provide a second factor of authentication known to the legitimate user.

Best, Sergiy

Thanks for quick reply. Yes, I understand. Of course, device must have a lock screen enabled. And we will preffer to install the Authenticator App on different device (phone) than Interviewer App is installed if it is possible.
However, if an attacker knows server address and the interviewers credentials, attacker cant login by browser but if he will install app on some other android device, he can login to server easily without 2FA.

  1. Interviewer will lose all non-synced data.
  2. If the server has Enabled partial synchronization, an attaker can see new and started interviews. (Also new interviews can obtain some prefilled sensitive data)

Maybe I’m too worried about losing data, I don’t want to burden you with that. Just, I was expecting 2FA on Android tablets too.

@martinb, this is a very strong assumption to begin with. But given that we are discussing the 2FA, it makes sense, to discuss what are the risks when the first factor has been compromised and both the login and password become known to the attacker.

I think that your suggestion would necessitate to use the 2FA device for every synchronization session, otherwise the attacker can create a fake interviewer App and tell the server “Hey, Server, I have already authenticated Martin locally using the 2FA, here are his credentials, give me his interviews”. Interviewers will not appreciate having to pull out another device, login there etc. to restart the interviewer App.

Perhaps, more advantageous would be to have the interviewer confirm his own device switch (relinking of the tablet) online from a page which is 2FA-protected. Until such a confirmation the server should not talk to this account being accessed from any other device. In order to break through the attacker then would need to know the original device ID (and be able to fake it either by writing a custom app, or intercepting and substituting it in the traffic) or to have access to the original device (in which case he can even login to the app offline). The device ID (or some scramble of it) becomes then the second factor in play. What do you think? Do you see any vulnerability in this scenario?

As a side-benefit I see that this may also prevent some accidental re-links due to occasional unintended sign-ins on secondary devices.

And this can then be developed further to allow relinks only if approved by the supervisor, or only to a device that has been whitelisted by the server administrator, and other similar enhancements.

The device ID (or some scramble of it) becomes then the second factor in play. What do you think? Do you see any vulnerability in this scenario?

This option looks great. I have no more comments. As you said, there are also some useless side benefits, what is great.