Pages:
Author

Topic: 2FA added (Read 1879 times)

legendary
Activity: 1722
Merit: 4711
**In BTC since 2013**
March 26, 2024, 02:36:19 PM
Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.

It is true that perhaps they create these difficulties, so that the person does not easily leave their services.
But we also have to be realistic, that if it were easy to obtain this information, security levels would lower, making it even easier for criminals to obtain this data.
legendary
Activity: 1148
Merit: 3117
March 26, 2024, 12:55:12 PM
As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.
This is the case with Google Authenticator. The application only provides the scanning of a QR code as the way to import the details into another device. The most probable scenario is that a user wants to import the codes into another application using the same smartphone, so they are forced to take a picture of the QR code (ideally with a non internet connected device such as a digital camera) and then scan that picture with their smartphone.

Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
March 25, 2024, 02:45:55 PM
One question: Is it easy to migrate from one service to another?

As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.

Therefore I developed the habit to make a physical backup on paper of the 2FA shared secret when I setup a new 2FA account. If I can get only a QR code for 2FA setup, I scan it with a designated privacy friendly QR code scan app that I have on my phone which allows me to decode the QR 2FA setup code and doesn't share this with any other app or cloud storage.

I don't make a digital photo of the 2FA setup QR code because usually pictures are uploaded to some cloud. If the QR code is displayed on a computer, printing it safely is another option. I make some effort to not leave any digital traces of 2FA setup codes on online digital devices.

Backup and migration is far from user friendly if you're concerned of security, unfortunately.


Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

If you can't migrate a 2FA account or have no physical backup, that's unfortunately the only option to go for setup on a new device or 2FA app. I'd rather go the route to temporarily disable 2FA if that is possible and re-enable it for setup newly. But you have to be careful not to loose access and having to perform some painful recovery with service desk hell.
legendary
Activity: 1148
Merit: 3117
March 25, 2024, 04:39:59 AM
For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?
Aegis supports importing your 2FA codes, so you don't need to add them individually into the application (or, worse, remove them first and add them on Aegis). If you use Google Authenticator you can try any of the methods explained here[1]. Aegis also supports backing up the file so that you can keep it in a safe place in the event that you loose your phone (for example).

[1]https://www.theverge.com/21410260/google-authenticator-2fa-how-to-phone-security-iphone-android
legendary
Activity: 1722
Merit: 4711
**In BTC since 2013**
March 25, 2024, 02:48:42 AM
For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?
legendary
Activity: 1148
Merit: 3117
March 24, 2024, 07:35:54 PM
Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).

[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis
Small update to my previous entry: Aegis has now reached v3.0 (~8 hours ago)[1] with a couple of neat features which deserves our attention:
Quote
Material 3 (and Material You)
Automatic assignment of icons to entries
Ability to select all entries in one go
Support for importing 2FAS schema v4 backups
Sort entries based on the last time they were used
Some clarifications related to importing and backup permission errors
Preparations for the ability to assign a single entry to multiple groups
Performance improvements when scrolling through an entry list with lots of icons
A new look for the third-party licenses list
For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

[1]https://github.com/beemdevelopment/Aegis/releases/tag/v3.0
[2]https://security.googleblog.com/2023/04/google-authenticator-now-supports.html
legendary
Activity: 3416
Merit: 1225
Enjoy 500% bonus + 70 FS
January 24, 2024, 08:06:29 PM
(...) Am I the only one any help will be appreciated.
I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved. Wink



Yes, I did, I mistyped it  Cheesy sorry too for not updating my post, I'm now using it and glad that we have this, and thank you for adding this feature here on Bitcointalk.
hero member
Activity: 510
Merit: 4005
January 24, 2024, 07:56:49 PM
(...) is it safe to assume that this authentication process cannot be made to synchronize with just one device?.. cus scanning out the code on the app would definitely need two devices..
You can do everything from a single device if you want (for example, most of the testing I did during development took place by ignoring the QR code and just copy-pasting the shared secret into KeePassXC).

I mean, single-device 2FA will make some people wag their finger at you, but I'd personally feel pretty comfortable keeping my shared secret in something like KeePassXC on the same device that I log in from. I'm a little biased though, because I hate using my phone (if I could yeet the contemptible thing into the fuggin' sun, I would; if it wasn't for my wife calmly preaching pragmatism, and trying to keep me on the reservation, so to speak, I probably wouldn't even own one).

(...) Am I the only one any help will be appreciated.
I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved. Wink

There's a URL on the icon in the 2FA - it leads to a parked domain advertisement.  Is this deliberate, or a blunder?
You mean the QR code? The QR code contains a specially-crafted URI that's meant for convenient importing of your 2FA secret/settings into a TOTP-compatible authenticator application. It's not meant to be navigated to.

It's worth pointing out that scanning the QR code is optional: all of the info you need to manually import your 2FA secret (and related settings) into any TOTP-compatible application can be obtained from the account settings page. (More detailed settings, which are rarely needed because they correspond to widely-compatible default values, are visible when hovering over the "Shared secret (Base32)" field label.)

legendary
Activity: 1148
Merit: 3117
January 21, 2024, 11:34:25 AM
#99
It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.
Like I previously said, Ente Auth was created due the developers of Ente Photos having a "(...) had a hard time finding a place to preserve our two-factor secrets.". The main focus of the Ente team seems to be their main application so I do not know if Ente Auth will get the same amount of development that their main application has. They did released a version 2.0 within a year after the first version was released[2], so who knows if this will develop in one full fledged project. Note the note at the end though:
Quote
Our source of revenue is our Photos app, and Auth continues to be a labor of love. So we hope you'll enjoy these goodies 💚
Do note, however, that they also talk about the possibility of this becoming a paid service[1]. For now it remains free to use.

[1]https://ente.io/blog/auth/
[2]https://ente.io/blog/auth-v2/
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 21, 2024, 09:29:37 AM
#98
It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth

I heard more recommendations for Aegis than for Ente and code inspection of Ente Auth would take me too much time and I certainly lack also expertise to check the code properly and with confidence. But it's better to have more good options than fewer. I'll give both Aegis and Ente Auth a closer look and try after a quick scan over their codebase (I'm not too happy with the options that FreeOTP gives me. Yes, I can save backups, but I'd want to export individual OTP accounts on occasion.)
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
January 21, 2024, 04:13:09 AM
#97
Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.
ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:

--snip--

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth
hero member
Activity: 1386
Merit: 599
January 21, 2024, 01:09:03 AM
#96
After all the discussions about 2FA and now it's finally implemented in the forum. I can't imagine the pressure it is for theymos when deciding on adding the 2FA or not because of previous discussion of the same topic. Before reading the OP, I checked the title and it says 2FA added then it came to my mind that there might be someone who is behind it. It's still new and there could be bugs and etc. Considering it is added on the forum recently then having someoneo complaining about it already been noticed y many and then fixed later and also it's improvement.

I guess the sqeaky wheel gets the grease! Lmao. Great job with this Theymos it's definitely a huge security development and one that we all needed to batton down the hatches of our forum account. We'll done!!!
legendary
Activity: 1148
Merit: 3117
January 20, 2024, 07:59:17 PM
#95
Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.
ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:



  • 1. Click on the hamburger menu
  • 2. Data -> Export codes
  • 3. Choose if you would like to apply an encryption to the file (recommended) or just let it be plain text (don't do this)
  • 4. Enter the desired password and export the file to a custom location

The initial screen of the application may lead you to create an account but you do not need to do that, you can simply click on "Use without backups" when the application first launches to skip that option.

[1]https://github.com/ente-io
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
January 20, 2024, 04:53:49 AM
#94
I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.
It does allow that but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can I would still recommend that you opt for open sourced application (I have mentioned them[2] in my previous post).

[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalksearch.org/topic/m.63470636

And it seems the Authy encrypted backup must be stored on their server[1]. Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

[1] https://authy.com/blog/how-the-authy-two-factor-backups-work/
legendary
Activity: 1148
Merit: 3117
January 19, 2024, 02:27:13 PM
#93
I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.
It does allow that but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can I would still recommend that you opt for open sourced application (I have mentioned them[2] in my previous post).

[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalksearch.org/topic/m.63470636
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 19, 2024, 01:43:01 AM
#92
Incase of lost otp address is there any backup for this or one address for one time only ? anyway i have attached on authy.

You can write down the secret that is displayed as text and shared to an OTP app via the QR code when you setup or renew the 2FA. Most OTP apps allow a manual setup, that's where you enter the secret text code by typing it.

I advise not to make a screenshot of the QR code, nor save the shared secret text on any digital online device. Why? Pictures very often get synced to some cloud service(s) and you don't have any control who may access or analyse them there. Digital copies may get in wrong hands when an online device gets compromised or lost.

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.
newbie
Activity: 11
Merit: 2
January 18, 2024, 05:29:15 PM
#91
Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like [email protected]; don't use a random nonsense email like [email protected], since somebody might create that domain/email.

Let me know if there are any bugs.


I came on this forum after a several month things changing vastly just tested 2fa, worked fine. Incase of lost otp address is there any backup for this or one address for one time only ? anyway i have attached on authy.

thanks
legendary
Activity: 1148
Merit: 3117
January 09, 2024, 05:43:00 PM
#90
Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).

[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 04, 2024, 07:36:13 PM
#89
when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

Well implemented TOTP 2FA authentication doesn't need the clocks of server and TOTP client app to be strictly in sync. It is recommended that the TOTP code from the current 30-seconds window should not only be accepted on the spot, but also to accept the TOTP code from the previous and the future 30s window. That way you avoid unnecessary authentication fails when clocks drift somewhat apart.

You don't loose security by this, being a bit relaxed clock-wise. Yeah, you can demand that clocks run in sync, but frankly that's not reality and a bit too strict and giving no good user experience.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
January 04, 2024, 05:51:49 PM
#88
Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)
In most cases Phone's clock never gets out of sync even by a second but if that happens then the user can fix the time manually without any issues. Connecting to internet surely exposes the phones to hackers and for that reason it's always better to use a phone with a Linux based distribution.

A phone like Pine-Phone supports many of the open-source operating systems. You can also use a Linux distribution like Ubuntu touch on Google Pixel Phones, Xiaomi phones, and Oneplus phones. The open-source operating systems based on Linux are still safe and hackers would have to do a lot of work to find vulnerabilities in those operating systems. If fact they don't because they don't really care about less than 0.00001% of members who use Linux based open-source operating systems on their phones.
Pages:
Jump to: