====== Authentication ======

[[American Expat Retiree Financials | contents]]

Authentication is necessary in four situations.
  - login
  - telephone call-in
  - in person
  - signature

Authentication methods
  * email address
  * phone number - SIM card, land line, VOIP numbers not always allowed
  * push notification to an app - a feature available on most phones
  * phone app

=== Factor Categories ===

Categories of authentication factors:
  * Knowledge Factors - things you know:
    * username
    * ID
    * password
    * PIN
    * challenge question and response
    * OTP - one-time passcode
  * Possession Factors - things you have:
    * OTP token, hardware or software that generates an OTP
    * key fobs
    * smartphones with OTP apps
    * employee ID cards
    * SIM cards
  * Inherence Factors - things you are, biometrics:
    * fingerprint scans
    * facial recognition
    * voice recognition
    * retina scans
    * iris scans
    * hand geometry
    * earlobe geometry
  * Time
  * Location

Single Factor Authentication (SFA) - use factors from only one category\\
Two Factor Authentication (2FA) - use at least one factor from each of two categories\\
Three Factor Authentication (3FA) - use at least one factor from each of three categories\\
Multi Factor Authentication (MFA)

=== Strength and weakness ===

Username/password is SFA because it uses only one category: knowledge factors. SFA = weak.

Email address is a knowledge factor.\\
If you receive an OTP via email, this can imply possession of a secured device and access method to receive the OTP.

Phone number is a knowledge factor.\\
SIM card is a possession factor.\\
Land line is a possession factor but is weak because it might be shared.\\
VOIP number associated with a device is a possession factor, but is weak because it might be accessed from multiple devices, i.e. computer and phone.

Phone app, makes possible:\\
push notification - available on most modern phones\\
PIN\\
Code generation

Vulnerabilities
  * SIM swapping
  * email interception

Strengths
  * independence from networks, like email and SIM

=== Authenticator Apps ===

Google Authenticator - app available at Google Play Store\\
[[http://ID.me|ID.me]] Authenticator app\\
IBKR Authenticator app\\
SDFCU mobile app, push notification

=== How critical vendors authenticate: ===

[[http://ID.me|ID.me]] (SSA, IRS) - text message to phone/SIM, Authenticator\\
SDFCU - push notification to SDFCU mobile app, plus text message to phone/SIM\\
IBKR - push notification to IBKR App, plus PIN entered into App

[[http://ID.me|ID.me]]\\
text message to phone/SIM\\
push notification to [[http://ID.me|ID.me]] Authenticator App\\
Code Generator via [[http://ID.me|ID.me]] Authenticator App

SDFCU\\
text message to phone/SIM\\
voice message to phone/SIM\\
WhatsApp\\
From Call Center\\
push notification to SDFCU mobile app

IBKR\\
push notification to IBKR App

=== Risk and recovery ===

Email\\
Email server company fails.

SIM card\\
get a new SIM card\\
roaming fails\\
out of cellular coverage

Phone\\
new phone\\
lost, stolen, damaged phone

Recovery\\
get a new phone, install apps from play store\\
get a new SIM card\\
use alternate email address

Be prepared.\\
Have multiple authentication methods in place.\\
Alternate email address.

In each app, how do we reset authentication for new phone, new SIM, new email?

=== July 2025 ===

If authentication is based on a SIM, and the user travels, the SIM card must do roaming.\\
AIS SIM card does roaming by default.\\
User can also buy a roaming package through the MyAIS app, before or during travel.

The IB authentication works via push notification on my phone.\\
So as long as my phone is on the internet, the authentication will work.\\
It does not need to be the same SIM card. It could be Wi-Fi.\\
This could be tested here by removing the SIM card.

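Added example, not part of the original notes: a small Python model of the "Risk and recovery" question, showing which accounts are left with no working sign-in method when a SIM, phone, coverage or email provider is lost. The enrolled methods follow this page's notes; the dependency sets, scenario names and function names are assumptions made for illustration, not vendor documentation.

```python
# Added example: which accounts lock out when one dependency is lost?
# Dependency sets below are assumptions drawn from this page's notes.

# Each enrolled method maps to the set of things that must ALL be working.
ENROLLED = {
    "ID.me": {"text message": {"phone", "sim", "cell_coverage"}},
    "SDFCU": {
        "push to mobile app": {"phone", "internet"},
        "text message": {"phone", "sim", "cell_coverage"},
        "email code": {"email", "internet"},
    },
    "IBKR": {"push to IBKR app + PIN": {"phone", "internet"}},
}

# Loss scenarios from "Risk and recovery": what stops working in each.
SCENARIOS = {
    "SIM lost or swapped": {"sim"},
    "roaming fails / no coverage": {"cell_coverage"},
    "phone lost, stolen, damaged": {"phone", "sim"},  # the SIM goes with the phone
    "email provider fails": {"email"},
}

def usable_methods(methods, lost):
    """Names of methods whose dependencies are all still available."""
    return sorted(name for name, deps in methods.items() if not (deps & lost))

def lockouts(enrolled, scenarios):
    """Map each scenario to the vendors left with no usable method."""
    return {
        scenario: sorted(v for v, m in enrolled.items() if not usable_methods(m, lost))
        for scenario, lost in scenarios.items()
    }

def single_points_of_failure(methods):
    """Dependencies shared by every enrolled method of one vendor."""
    dep_sets = list(methods.values())
    return set.intersection(*dep_sets) if dep_sets else set()

if __name__ == "__main__":
    for scenario, locked in lockouts(ENROLLED, SCENARIOS).items():
        print(f"{scenario:30} locked out: {locked or 'none'}")
    # Enrolling the code generator adds a method that needs only the phone.
    with_codegen = dict(ENROLLED["ID.me"], **{"code generator": {"phone"}})
    print("ID.me SPOF before:", sorted(single_points_of_failure(ENROLLED["ID.me"])))
    print("ID.me SPOF after: ", sorted(single_points_of_failure(with_codegen)))
```

An empty result from `single_points_of_failure` means no single loss can lock that account; a non-empty one names what to back up with another method.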
The credit union authentication uses an email code. That does not depend on the SIM card but does require an internet connection.

How could I lose access to my email address?

What are my goals? Well, ideally, to be prepared for the future, I want to be able to travel anywhere, including America or South America and Europe and Asia. So I need to figure out if my current systems support that or if I need to add or maintain some systems.

for ID.me\\
now only one authentication method - SIM card

Text Message or Phone Call - fair\\
we could add a text message sent to 847 number

Push Notification - moderate\\
Approve sign-ins via Push Notifications sent to the ID.me Authenticator mobile app.

Code Generator - Strong\\
Generate verification codes via code generator apps like ID.me Authenticator to sign in.

ID.me authenticator app available on play store

authenticate with IBKR\\
will my phone work in USA (roaming)\\
will push notifications work on the app while roaming in USA\\
push notifications are based on HTTP, correct?

====== Signature ======

=== How to sign digitally ===

There are systems available to digitally certify a valid signature, used on contracts.

There are supposedly several software products that can be used to add a signature to a PDF.
  * Adobe Acrobat - Fill and sign
  * Libre Office Draw

Adobe Acrobat
  * Desktop Windows or Mac but not Linux
  * Online at [[http://adobe.com|adobe.com]] - Fill and Sign requires monthly subscription
  * Android Fill and Sign is free

===== Medallion Signature Guarantee =====

Per wikipedia:\\
In the United States, a medallion signature guarantee is a special signature guarantee used primarily when a client transfers or sells US securities. It is an assurance by the financial institution granting the guarantee that the signature on the transaction is genuine and that the guarantor accepts liability for any forgery.
When United States citizens are outside the United States, they are typically unable to obtain a medallion signature guarantee stamp.

Per Grok:

Where to Get One: Available from institutions participating in one of three Medallion programs:
  * STAMP (Securities Transfer Agents Medallion Program): Over 7,000 U.S. and Canadian banks, credit unions, and brokers.
  * SEMP (Stock Exchange Medallion Program): Regional stock exchange firms and clearing companies.
  * MSP (New York Stock Exchange Medallion Signature Program): NYSE member firms.
  * Typically, you must be an existing customer (often for at least 6 months) at a participating bank, credit union, or brokerage, like Bank of America or Visions Federal Credit Union.

Requirements:
  * Valid government-issued photo ID.
  * Documents related to the securities (e.g., stock certificate or account statement).
  * Additional documentation for special cases (e.g., Power of Attorney or estate transfers).
  * All signers must be present in person.

Process: Contact your financial institution, schedule an appointment, and bring required documents. The stamp, often with a unique barcode and green security ink, can be issued same-day if all requirements are met, or it may take 2–5 days.

Limitations:
  * Not available from non-participating institutions or notaries public.
  * Overseas investors may face challenges; some U.S./Canadian bank branches abroad or firms like Fraser and Fraser in the UK can help.
  * Stamps have value limits (e.g., a "D" prefix stamp covers up to $250,000; a "C" prefix up to $500,000).