The Core

Why We Are Here => Hardware & Technology => Topic started by: ukgimp on July 31, 2018, 09:51:29 AM

Title: 2FA Weakness
Post by: ukgimp on July 31, 2018, 09:51:29 AM
Remove your cell from the process.

https://motherboard.vice.com/en_us/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping
Title: Re: 2FA Weakness
Post by: rcjordan on August 01, 2018, 09:49:49 PM
Password breach teaches Reddit that, yes, phone-based 2FA is that bad

https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/
Title: Re: 2FA Weakness
Post by: Drastic on August 04, 2018, 12:05:12 AM
Best alternatives?
Title: Re: 2FA Weakness
Post by: ukgimp on August 04, 2018, 02:44:51 AM
2fa better than nothing.

However I don’t have SMS enabled on my Google account.

Then I use Google Authenticator. Be advised though that if you back up, your syncs are NOT backed up / restored.

To mitigate this I have screenshotted and printed each QR code and have them in an off-site location.

1. Turn off 2fa
2. Turn back on
3. Print QR
4. Also scan with Google Authenticator on second (old) phone

So now you need quite a bit to get in.
Title: Re: 2FA Weakness
Post by: Drastic on August 04, 2018, 03:28:18 PM
Do most sites allow/use GA?
Title: Re: 2FA Weakness
Post by: ukgimp on August 04, 2018, 04:51:17 PM
Most do.

Obviously, if there is only SMS 2FA, it's better than nothing.

You can lock your phone number down too.

I looked at Authy, and felt that was not good enough BTW. 
Title: Re: 2FA Weakness
Post by: ergophobe on August 04, 2018, 08:33:22 PM
Google Authenticator, Lastpass Authenticator, Duo, etc are all essentially the same.

I think the hardest to defeat is probably something like Yubikey.

One tip for Google Auth - you might want to have multiple devices function for this. To do so, take a screenshot of the QR code and save it. You can use this to add a new device anytime. Just don't save it in the same place as your passwords :-)
Title: Re: 2FA Weakness
Post by: bill on August 17, 2018, 08:34:34 AM
Although I've looked for better open source alternatives, I've been using Authy for years. With GA if you lose your phone you lose all of your 2FA...unless you take Ergo's advice and screenshot all the QR codes. I did do that for a while, but there are just so many now that maintaining my screenshots was difficult.
Title: Re: 2FA Weakness
Post by: rcjordan on August 17, 2018, 12:46:02 PM
"U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, and Keepass. Duo Security also can be set up to work with U2F."


Google: Security Keys Neutralized Employee Phishing

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

Title: Re: 2FA Weakness
Post by: ergophobe on August 17, 2018, 07:11:21 PM
I've been using Authy for years

https://www.reddit.com/r/Bitcoin/comments/6f0hhb/coinbase_recommendation_migrate_from_authy_to/
Title: Re: 2FA Weakness
Post by: bill on August 18, 2018, 02:24:49 AM
I've been using Authy for years

https://www.reddit.com/r/Bitcoin/comments/6f0hhb/coinbase_recommendation_migrate_from_authy_to/

The old SMS text vulnerability... That is a downside.
Hard for me to migrate from Authy just due to the time involved. I used to religiously screenshot the QR codes and save them, but I was using multiple devices and maintaining my OTPs among them was a PITA. Authy made all that go away. Things like wiping my phone and restoring then meant I had to set up Google Authenticator from scratch with all of the codes.

I guess for things that are critical like a bank or financial account you could still use an alternate OTP app like FreeOTP. I haven't found one yet that will allow me to easily backup and restore a OTP store. That would be ideal.

Might need to look into this YubiKey app mentioned in the thread.
Title: Re: 2FA Weakness
Post by: ukgimp on August 18, 2018, 09:31:14 AM
Chose not to go with Authy due to its weakness.

Yubikey looks like a good one. One bloke in office uses one.
Title: Re: 2FA Weakness
Post by: bill on August 19, 2018, 02:55:44 AM
Yubikey looks like a good one. One bloke in office uses one.

I've had YubiKeys for years. Problem with them for me is that most of the FIDO alliance sites only work with Chrome. So it's still not optimal in terms of browser support.
Title: Re: 2FA Weakness
Post by: ergophobe on August 21, 2018, 05:54:26 PM
What about Duo?

It allows you to add users. I am forced to use it for a corporate Lastpass account, but I have not looked into whether it is good or bad, since how I feel about it will have no impact on whether or not I have to use it!
Title: Re: 2FA Weakness
Post by: bill on August 22, 2018, 02:58:19 AM
What about Duo?
I have to use Duo for one account, but that seems to be more for enterprise rather than consumer. I do like the interface and functionality. Seems more polished and stable than others. Do they even have a free version?
Title: Re: 2FA Weakness
Post by: ergophobe on August 22, 2018, 03:08:14 PM
Do they even have a free version?

Free for up to 10 users and without advanced features
https://duo.com/pricing
Title: Re: 2FA Weakness
Post by: bill on August 29, 2018, 01:56:50 AM
Hmm. They were acquired by Cisco, and to get the 'free' version you have to provide them with a ton of private information so that you can run thru the 30-day trial of the more advanced feature set...before it will revert to the simpler free version.

Might look into OpenOTP or other open source alternatives before I would go with Duo as there's no syncing feature on any of them that I can see.
Title: Re: 2FA Weakness
Post by: ukgimp on August 29, 2018, 08:55:22 AM
Surely the syncing is where the risk comes in.
Title: Re: 2FA Weakness
Post by: bill on August 30, 2018, 12:50:56 AM
Yeah. That's probably the best feature and its Achilles heel.

Not being able to transfer 2FA tokens between devices certainly improves security, but setting up 100 or so accounts on multiple devices is unwieldy. Probably best to separate critical 2FA from my Authy profile and return to the more secure clients for those.
Title: Re: 2FA Weakness
Post by: rcjordan on August 31, 2018, 01:06:43 AM
Big G pushing these:

Protect your online accounts with Titan Security Keys

https://www.blog.google/technology/safety-security/protect-your-online-accounts-titan-security-keys/
Title: Re: 2FA Weakness
Post by: gm66 on October 01, 2018, 05:02:23 PM
Don't trust anything invented by Kim Dotcom ;+}

Strong passwords for the win!
Title: Re: 2FA Weakness
Post by: ergophobe on October 01, 2018, 06:05:44 PM
Big G pushing these:
Protect your online accounts with Titan Security Keys

Did we already mention here that Google now requires these of their employees? All work computers require a physical fob and they say it has brought the number of compromised accounts close to zero.

I don't doubt it. With every security measure, it's a convenience/security tradeoff. Everyone has to find their comfort level.
Title: Re: 2FA Weakness
Post by: rcjordan on January 11, 2019, 04:25:18 PM
Worth a read about how the exploit works

2FA codes can be phished by new pentest tool – Naked Security

https://nakedsecurity.sophos.com/2019/01/11/2fa-codes-can-be-phished-by-new-pentest-tool/
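The contrast the thread circles around (codes that can be phished by a relaying proxy versus the security keys Krebs reported as neutralising phishing at Google) comes down to one check: a U2F/WebAuthn authenticator signs the origin the browser is actually on, and the relying party refuses any assertion whose origin is not its own. A typed TOTP code carries no origin at all. The following added example models that verification; it is not code from the thread, from the linked article or from any FIDO library. The per-credential ECDSA signature is stood in for by an HMAC over a shared key so the origin and challenge logic is visible with only the standard library; the origins and challenges are constructed.

```python
"""Origin-bound assertion check, U2F/WebAuthn style. Added example; HMAC
stands in for the real ECDSA credential signature, and all origins are
constructed sample values."""
import hashlib
import hmac
import json
import os


class Authenticator:
    """Stand-in for the security key. It signs whatever origin the browser
    reports, and never sees the user's intent, so the binding must be
    enforced by the relying party."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)  # constructed; real keys are per-RP ECDSA

    def sign(self, challenge, origin):
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        return client_data, sig


class RelyingParty:
    """The site being logged into. Remembers the challenges it issued and
    the origin it expects."""

    def __init__(self, origin, credential_key):
        self.origin = origin
        self.key = credential_key
        self.outstanding = set()

    def new_challenge(self):
        c = os.urandom(16).hex()
        self.outstanding.add(c)
        return c

    def verify(self, client_data, sig):
        data = json.loads(client_data)
        if data["challenge"] not in self.outstanding:
            return False, "unknown or replayed challenge"
        if data["origin"] != self.origin:
            return False, "origin mismatch"
        expected = hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.outstanding.discard(data["challenge"])  # single use
        return True, "ok"


def login_attempt(rp, auth, browser_origin):
    """One login: RP issues a challenge, the browser at `browser_origin`
    hands it to the key, the RP checks the result. Returns (ok, reason)."""
    challenge = rp.new_challenge()
    client_data, sig = auth.sign(challenge, browser_origin)
    return rp.verify(client_data, sig)


def demo():
    key = os.urandom(32)
    auth = Authenticator(key)
    rp = RelyingParty("https://bank.example", key)
    results = {
        "genuine origin": login_attempt(rp, auth, "https://bank.example"),
        "lookalike origin": login_attempt(rp, auth, "https://bank-example.net"),
    }
    # Replaying a valid assertion after it has been consumed also fails.
    c = rp.new_challenge()
    cd, sig = auth.sign(c, "https://bank.example")
    rp.verify(cd, sig)
    results["replay"] = rp.verify(cd, sig)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

The "lookalike origin" case is the whole defensive argument: the key still signs, but what it signs names the wrong site, so the assertion is worthless to anyone forwarding it. Compare `verify_totp` in a TOTP server, which has nothing to compare an origin against.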