2FA Weakness

Started by ukgimp, July 31, 2018, 09:51:29 AM


rcjordan


Drastic


ukgimp

2FA is better than nothing.

However I don't have SMS enabled on my Google account.

Then I use Google Authenticator. Be advised, though, that if you back up, the codes are NOT backed up / restored.

To mitigate this I have screenshotted and printed each QR code and have them in an off-site location.

1. Turn off 2FA
2. Turn it back on
3. Print the QR code
4. Also scan it with Google Authenticator on a second (old) phone

So now you need quite a bit to get in.

Drastic

Do most sites allow/use GA?

ukgimp

Most do.

Obviously, if there is only SMS 2FA, it's better than nothing.

You can lock your phone number down too.

I looked at Authy and felt that was not good enough, BTW.

ergophobe

Google Authenticator, LastPass Authenticator, Duo, etc. are all essentially the same.

I think the hardest to defeat is probably something like a YubiKey.

One tip for Google Auth - you might want to have multiple devices function for this. To do so, take a screenshot of the QR code and save it. You can use this to add a new device anytime. Just don't save it in the same place as your passwords :-)
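What the two tips above (ukgimp's re-enrol-and-print procedure and ergophobe's saved screenshot) rely on is that the QR code is nothing more than an otpauth:// URI carrying the base32 TOTP seed; any device that decodes that URI derives the same six-digit codes. The following is an added example, not code from the thread: it parses a constructed otpauth URI (the secret is the RFC 6238 test key, so the outputs match the RFC's published vectors) and implements RFC 4226/6238 with the standard library only. Everything here is illustrative; it is not Google Authenticator's own code.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the URI a Google Authenticator QR code encodes.
# The secret is base32 of the RFC 6238 test key (ASCII "12345678901234567890"),
# so the codes produced below match the RFC's test vectors.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return the enrolment parameters stored in an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    secret = params["secret"][0].upper()
    # URIs usually omit base32 padding; the decoder wants it.
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "key": base64.b32decode(secret, casefold=True),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    hash_fn = getattr(hashlib, algorithm.lower())
    digest = hmac.new(key, struct.pack(">Q", counter), hash_fn).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // period, digits, algorithm)


def code_from_uri(uri, at_time=None):
    """Decode the QR payload and produce the code a device enrolled from it would show."""
    p = parse_otpauth(uri)
    return totp(p["key"], at_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    # Two "devices" that scanned the same QR code hold the same key and agree,
    # which is exactly why a saved screenshot of the QR code is as sensitive
    # as the seed itself and must be stored apart from the passwords.
    device_a = parse_otpauth(EXAMPLE_URI)
    device_b = parse_otpauth(EXAMPLE_URI)
    now = time.time()
    print(totp(device_a["key"], now), totp(device_b["key"], now))
```

Because the seed is fully recoverable from the screenshot, the same image that lets you enrol a second phone lets anyone who obtains it generate your codes indefinitely; treat it like a password-manager export, not like a photo.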

bill

Although I've looked for better open source alternatives, I've been using Authy for years. With GA, if you lose your phone you lose all of your 2FA... unless you take Ergo's advice and screenshot all the QR codes. I did do that for a while, but there are just so many now that maintaining my screenshots was difficult.

rcjordan

"U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, GitHub (and of course Google's various services). Most major password managers also now support U2F, including Dashlane and KeePass. Duo Security also can be set up to work with U2F."


Google: Security Keys Neutralized Employee Phishing

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/



bill

Quote from: ergophobe on August 17, 2018, 07:11:21 PM
Quote from: bill on August 17, 2018, 08:34:34 AM
I've been using Authy for years

https://www.reddit.com/r/Bitcoin/comments/6f0hhb/coinbase_recommendation_migrate_from_authy_to/

The old SMS text vulnerability... That is a downside.
Hard for me to migrate from Authy just due to the time involved. I used to religiously screenshot the QR codes and save them, but I was using multiple devices and maintaining my OTPs among them was a PITA. Authy made all that go away. Things like wiping my phone and restoring then meant I had to set up Google Authenticator from scratch with all of the codes.

I guess for things that are critical like a bank or financial account you could still use an alternate OTP app like FreeOTP. I haven't found one yet that will allow me to easily back up and restore an OTP store. That would be ideal.

Might need to look into this YubiKey app mentioned in the thread.

ukgimp

Chose not to go with Authy due to its weakness.

YubiKey looks like a good one. One bloke in the office uses one.

bill

Quote from: ukgimp on August 18, 2018, 09:31:14 AM
YubiKey looks like a good one. One bloke in the office uses one.

I've had YubiKeys for years. The problem with them for me is that most of the FIDO Alliance sites only work with Chrome. So it's still not optimal in terms of browser support.

ergophobe

What about Duo?

It allows you to add users. I am forced to use it for a corporate LastPass account, but I have not looked into whether it is good or bad, since how I feel about it will have no impact on whether or not I have to use it!

bill

Quote from: ergophobe on August 21, 2018, 05:54:26 PM
What about Duo?
I have to use Duo for one account, but that seems to be more for enterprise rather than consumer. I do like the interface and functionality. Seems more polished and stable than others. Do they even have a free version?