Author Topic: 2FA Weakness  (Read 852 times)

ukgimp

rcjordan

Re: 2FA Weakness
« Reply #1 on: August 01, 2018, 09:49:49 PM »

Drastic

Re: 2FA Weakness
« Reply #2 on: August 04, 2018, 12:05:12 AM »
Best alternatives?

ukgimp

Re: 2FA Weakness
« Reply #3 on: August 04, 2018, 02:44:51 AM »
2FA is better than nothing.

However, I don’t have SMS enabled on my Google account.

Then I use Google Authenticator. Be advised, though, that if you back up, your syncs are NOT backed up / restored.

To mitigate this I have screenshotted and printed each QR code and have them in an off-site location.

1. Turn off 2FA
2. Turn it back on
3. Print the QR code
4. Also scan it with Google Authenticator on a second (old) phone

So now you need quite a bit to get in.

Drastic

Re: 2FA Weakness
« Reply #4 on: August 04, 2018, 03:28:18 PM »
Do most sites allow/use GA?

ukgimp

Re: 2FA Weakness
« Reply #5 on: August 04, 2018, 04:51:17 PM »
Most do.

Obviously, if there is only SMS 2FA, it's better than nothing.

You can lock your phone number down too.

I looked at Authy, and felt that was not good enough, BTW.

ergophobe

Re: 2FA Weakness
« Reply #6 on: August 04, 2018, 08:33:22 PM »
Google Authenticator, Lastpass Authenticator, Duo, etc are all essentially the same.

I think the hardest to defeat is probably something like Yubikey.

One tip for Google Auth - you might want to have multiple devices function for this. To do so, take a screenshot of the QR code and save it. You can use this to add a new device anytime. Just don't save it in the same place as your passwords :-)
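Both ukgimp's print-and-rescan steps and ergophobe's screenshot tip work for the same reason: a TOTP enrolment QR code is just an otpauth:// URI carrying a static shared secret, and every device that holds that secret computes identical codes. That is also why the screenshot has to be protected like a password and why a backup of the secrets is all that is needed to restore an authenticator. The following is an added example, not code from this thread or from any authenticator app: it parses such a URI, derives codes per RFC 4226/6238, re-serialises the entry for a backup, and shows the server-side check with the usual clock-skew window. The account name and issuer in the sample URI are made up; the secret is the RFC 6238 reference seed so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample: the text an authenticator enrolment QR code encodes. The secret
# is the RFC 6238 reference seed "12345678901234567890" in base32; account and issuer
# are invented for the example.
SAMPLE_URI = ("otpauth://totp/Example%3Aalice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its parameters, decoding the base32 secret."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = query["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": base64.b32decode(secret),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def to_otpauth_uri(params):
    """Inverse of parse_otpauth: re-serialise a parsed entry, e.g. for an export or printed backup."""
    query = {
        "secret": base64.b32encode(params["secret"]).decode().rstrip("="),
        "digits": params["digits"],
        "period": params["period"],
        "algorithm": params["algorithm"].upper(),
    }
    if params.get("issuer"):
        query["issuer"] = params["issuer"]
    return "otpauth://totp/%s?%s" % (quote(params["label"]), urlencode(query))


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def totp_from_uri(uri, at=None):
    """The code any device that scanned this QR code (or a screenshot of it) shows at time `at`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


def verify_totp(secret, candidate, at=None, window=1, period=30, digits=6, algorithm="sha1"):
    """Server-side check: accept the current step and +/- `window` adjacent steps to absorb
    clock skew, comparing each candidate in constant time."""
    if at is None:
        at = time.time()
    step = int(at) // period
    ok = False
    for c in range(step - window, step + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate)
    return ok


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print("account:", entry["label"], "issuer:", entry["issuer"])
    print("code at T=59:", totp_from_uri(SAMPLE_URI, at=59))  # 287082 per RFC 6238
    print("export URI:", to_otpauth_uri(entry))
```

Because `totp_from_uri` depends only on the URI and the clock, a second phone enrolled from the same printout is indistinguishable from the first; the printout therefore belongs in the same protection class as a password, not beside one.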

bill

Re: 2FA Weakness
« Reply #7 on: August 17, 2018, 08:34:34 AM »
Although I've looked for better open source alternatives, I've been using Authy for years. With GA if you lose your phone you lose all of your 2FA...unless you take Ergo's advice and screenshot all the QR codes. I did do that for a while, but there are just so many now that maintaining my screenshots was difficult.

rcjordan

Re: 2FA Weakness
« Reply #8 on: August 17, 2018, 12:46:02 PM »
"U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, and Keepass. Duo Security also can be set up to work with U2F."

Google: Security Keys Neutralized Employee Phishing

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

ergophobe

bill

Re: 2FA Weakness
« Reply #10 on: August 18, 2018, 02:24:49 AM »
I've been using Authy for years

https://www.reddit.com/r/Bitcoin/comments/6f0hhb/coinbase_recommendation_migrate_from_authy_to/

The old SMS text vulnerability... That is a downside.
Hard for me to migrate from Authy just due to the time involved. I used to religiously screenshot the QR codes and save them, but I was using multiple devices and maintaining my OTPs among them was a PITA. Authy made all that go away. Things like wiping my phone and restoring then meant I had to set up Google Authenticator from scratch with all of the codes.

I guess for things that are critical like a bank or financial account you could still use an alternate OTP app like FreeOTP. I haven't found one yet that will allow me to easily back up and restore an OTP store. That would be ideal.

Might need to look into this YubiKey app mentioned in the thread.

ukgimp

Re: 2FA Weakness
« Reply #11 on: August 18, 2018, 09:31:14 AM »
Chose not to go with Authy due to its weakness.

Yubikey looks like a good one. One bloke in the office uses one.

bill

Re: 2FA Weakness
« Reply #12 on: August 19, 2018, 02:55:44 AM »
Yubikey looks like a good one. One bloke in the office uses one.

I've had YubiKeys for years. Problem with them for me is that most of the FIDO alliance sites only work with Chrome. So it's still not optimal in terms of browser support.

ergophobe

Re: 2FA Weakness
« Reply #13 on: August 21, 2018, 05:54:26 PM »
What about Duo?

It allows you to add users. I am forced to use it for a corporate Lastpass account, but I have not looked into whether it is good or bad, since how I feel about it will have no impact on whether or not I have to use it!

bill

Re: 2FA Weakness
« Reply #14 on: August 22, 2018, 02:58:19 AM »
What about Duo?
I have to use Duo for one account, but that seems to be more for enterprise rather than consumer. I do like the interface and functionality. Seems more polished and stable than others. Do they even have a free version?