Author Topic: 2FA Weakness  (Read 165 times)

ukgimp


rcjordan

Re: 2FA Weakness
« Reply #1 on: August 01, 2018, 09:49:49 PM »

Drastic

Re: 2FA Weakness
« Reply #2 on: August 04, 2018, 12:05:12 AM »
Best alternatives?

ukgimp

Re: 2FA Weakness
« Reply #3 on: August 04, 2018, 02:44:51 AM »
2FA is better than nothing.

However, I don't have SMS enabled on my Google account.

Then I use Google Authenticator. Be advised though that if you back up, your syncs are NOT backed up / restored.

To mitigate this I have screenshotted and printed each QR code and have them in an off-site location.

1. Turn off 2FA
2. Turn back on
3. Print QR
4. Also scan with Google Authenticator on a second (old) phone

So now you need quite a bit to get in.

Drastic

Re: 2FA Weakness
« Reply #4 on: August 04, 2018, 03:28:18 PM »
Do most sites allow/use GA?

ukgimp

Re: 2FA Weakness
« Reply #5 on: August 04, 2018, 04:51:17 PM »
Most do.

Obviously, if there is only SMS 2FA, it's better than nothing.

You can lock your phone number down too.

I looked at Authy, and felt that was not good enough BTW. 

ergophobe

Re: 2FA Weakness
« Reply #6 on: August 04, 2018, 08:33:22 PM »
Google Authenticator, LastPass Authenticator, Duo, etc. are all essentially the same.

I think the hardest to defeat is probably something like Yubikey.

One tip for Google Auth - you might want to have multiple devices function for this. To do so, take a screenshot of the QR code and save it. You can use this to add a new device anytime. Just don't save it in the same place as your passwords :-)