Pages:
Author

Topic: 2FA Google authentication (Read 467 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 07, 2020, 12:34:45 PM
#30
Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

No, Google should not have your security code.

This is not correct. Authenticator codes are a function of the secret key and the current time, so the only way for Google to make the same code as the one you typed in Authenticator for verification purposes is if they also have the secret key. And they do, for precisely this reason. It's the only way to verify if the code you typed is correct.

That being said, other people should not be able to know the secret key, unless those people saw your screen when the secret key was first shown (because you're supposed to have only one chance to see the secret key to put it in Authenticator - when the login is first created, but then again, a site could violate this important assumption, which would allow any hacker already logged in to the account to get the secret key)

If the site in question is not Google, then of course they don't know your key - the TOTP process doesn't send anything to Google's servers.
legendary
Activity: 1400
Merit: 1001
Undeads.com - P2E Runner Game
December 07, 2020, 11:46:41 AM
#29
Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

Google 2FA work very well to secure access to your private area. Actually we can not know google will have your security code or not, because ethically Google shouldn't have it.

I've forgotten / lost google 2FA on an exchange, and resetting old data is quite difficult. Those exchange can not send me backup my last security code but they can delete my last 2FA configuration. I really sure that every platform have diffrent rules about this.

It's better to have and organize your backup key
legendary
Activity: 1624
Merit: 2481
November 16, 2020, 12:55:34 PM
#28
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually?
That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app.


This exact QR can still be used as a backup.
While the application does not allow screenshots to be taken, other applications which have the permission to add an overlay over other apps, still can save that QR, so it can act as a form of backup.

Then, whenever needed, a scan with GA or other authenticator apps who support the format, will restore the saved seeds.
HCP
legendary
Activity: 2086
Merit: 4361
November 14, 2020, 03:16:28 AM
#27
Is it possible to have authentication codes of the same site across two or more 2FA apps at the same time?
Yes, it is... I have Google Authenticator, Authenticator Plus and Aegis installed and running... I have the codes for several sites in either 2 or all three of the apps without any issues.

NOTE: I mainly use Aegis these days... the other 2 are "leftovers" Wink I stopped using Authenticator Plus because it stopped getting updates (last update Dec 2018).
legendary
Activity: 2730
Merit: 7065
November 14, 2020, 03:00:55 AM
#26
That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app. As far as I can tell, the idea is that you go directly from GA on Device 1 to "authenticator app" on Device 2 etc... Aegis does seem to be able to read and import this single QR Code tho.
Great, thanks for clarifying that. I have never tested their latest "backup" method, I guess I memorized it wrongly. The method you described is safer than having to save a unique unencrypted file that some users would surely end up losing, misplacing, or leaking to third parties. From your and NeuroticFish's answer I can conclude that you are both using multiple 2FA apps. Is it possible to have authentication codes of the same site across two or more 2FA apps at the same time? 
HCP
legendary
Activity: 2086
Merit: 4361
November 13, 2020, 08:11:28 PM
#25
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually?
That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app. As far as I can tell, the idea is that you go directly from GA on Device 1 to "authenticator app" on Device 2 etc... Aegis does seem to be able to read and import this single QR Code tho.


Quote
Also, can Aegis be used all over the place same as Google Authenticator or does it come with some limitations? I am considering using Aegis myself, so it might be good to know. 
I have not found any GA code that is not compatible with Aegis... again, the only issue I've had is the occasional "time sync" error, where it won't accept the code, but doing the sync in GA seems to fix that issue.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
November 13, 2020, 10:46:33 AM
#24
You can now export all your codes but in an unencrypted format if I remember correctly.

Nice, but late. I won't go back  Cheesy

Can you use it on every exchange that accepts Google Authenticator, for example. Or are there certain exchanges where Aegis can't be used, and you have to use an alternative?

I have 29 2FA services in my Aegis, I didn't encounter any issues.
Basically from one seed (text or qr) and current time some calculation is made and a number is shown. It's not rocket science and I see no reason to implement it (slightly) different.
And having so many services supported (OK, I no longer actually use 3/4 of them), I think it's a good test it's fine.
 
Sorry, what is the time sync Huh

I had a couple times in the past this issue. As I wrote, the result is based on the current time. If the time is off (on my phone or on the target web service) the result/number will not be accepted.
It happened to me especially when I traveled abroad and back, I don't know of other things that triggered this. However, Google Auth had (has!) "Time correction for codes", which I think it's some sort of time sync with an atomic clock. After such a sync the codes were accepted again.
Aegis, afaik, doesn't have this.
Of course, one needs it seldom and can sync the phone's time by hand to atomic clock or install Google Auth shortly just for that. (I still have it installed for that sole reason, with only one dummy 2FA in it).
legendary
Activity: 2730
Merit: 7065
November 13, 2020, 06:14:30 AM
#23
I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
You can now export all your codes but in an unencrypted format if I remember correctly.

I am not sure what you mean by limitations for Aegis.
Can you use it on every exchange that accepts Google Authenticator, for example. Or are there certain exchanges where Aegis can't be used, and you have to use an alternative?
 
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.
Sorry, what is the time sync Huh
hero member
Activity: 2800
Merit: 595
https://www.betcoin.ag
November 11, 2020, 07:44:20 AM
#22

About google having our code is just something to also worry but just in case you can't sleep about it, don't store millions to your account. Send them to your personal wallet.

Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place same as Google Authenticator or does it come with some limitations? I am considering using Aegis myself, so it might be good to know. 

I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
I am not sure what you mean by limitations for Aegis. It's an Android (5+) application and I think that's the only platform it was made for (at least until now). So it cannot be used "all over the place". (But that doesn't affect me, really).
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.

I didn't do this 2 years ago and when I lost my phone, I have to submit a ticket to binance and perform the KYC again which they end up wanting me to blink on the camera and the documents needed.  It's better to just have it backed up manually and then whenever you lost your phone, you can just scan the code again.

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
November 11, 2020, 07:31:10 AM
#21
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place same as Google Authenticator or does it come with some limitations? I am considering using Aegis myself, so it might be good to know. 

I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
I am not sure what you mean by limitations for Aegis. It's an Android (5+) application and I think that's the only platform it was made for (at least until now). So it cannot be used "all over the place". (But that doesn't affect me, really).
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.
legendary
Activity: 2730
Merit: 7065
November 11, 2020, 07:11:17 AM
#20
But also during the years I had (1 or 2) weird surprises: no seed was provided so I can save, only the QR code.
I know what you mean. I noticed this on an exchange I was forced to use occasionally many years ago. 

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user  Cheesy
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place same as Google Authenticator or does it come with some limitations? I am considering using Aegis myself, so it might be good to know. 
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
November 11, 2020, 07:04:11 AM
#19
And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error.
I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed with storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died. 

I've done the same during the years. But also during the years I had (1 or 2) weird surprises: no seed was provided so I can save, only the QR code.
And in such cases proper software that can do proper backup it's not "a solution for the lazy", it's actually the better solution.

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user  Cheesy
legendary
Activity: 2730
Merit: 7065
November 11, 2020, 06:56:32 AM
#18
And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error.
I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed with storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died. 
hero member
Activity: 2660
Merit: 651
Want top-notch marketing for your project, Hire me
November 10, 2020, 06:59:57 PM
#17
I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved
That is your fault, smart boy didn't save the backup code on the same phone. Backup code is just number, you can easily write it on paper and keep it far away from your phone. Or if you lazy to write the code, first time set up Google Authenticator, simply make a screenshot of the barcode and print it.
In an occasion where security is top priority, the backup code should only be screenshot and print only through an airgap computer or write it down instead. However, there have been an occasion where attacker are able to bypass google authenticator and I will advise the OP to you use open source and decentralized authenticator like Aegis.
legendary
Activity: 2324
Merit: 1604
hmph..
November 10, 2020, 05:04:50 PM
#16

That is your fault, smart boy didn't save the backup code on the same phone.
Just because someone doing bad or makes a mistake, it doesn't mean he/she not a smart person. thousand people learning new knowledge everyday. From the case, people will learn to be a better person. Now he makes a mistake storing key in the same device, because he is new about this.
legendary
Activity: 2366
Merit: 2054
November 10, 2020, 08:32:45 AM
#15
I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved
That is your fault, smart boy didn't save the backup code on the same phone. Backup code is just number, you can easily write it on paper and keep it far away from your phone. Or if you lazy to write the code, first time set up Google Authenticator, simply make a screenshot of the barcode and print it.
jr. member
Activity: 42
Merit: 2
November 10, 2020, 07:20:35 AM
#14
yes, that's exactly what I'm afraid of and it definitley sucks when it happens, I will be checking the alternatives that many helpful fellows recommended



I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved and i then i realized that i am unable to access my google account even my phone number was registered in gmail . I've lost all my data and trust me It sucks.
jr. member
Activity: 42
Merit: 2
November 10, 2020, 07:17:05 AM
#13
Thank you for your reply, I'll be checking alternatives you mentioned to Google 2FA


Yes I know it now, you can ceck my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so i think if it only works for google 2FA only.
Yeah, it's a common misconception that "Google Authenticator" is a "Google Only" service... you're not the first (and won't be the last) person to get confused by that. I certainly was when I first started using Google Authenticator several years ago. The sites that have implemented the 2FA service are partly to blame by calling it "Google 2FA" etc...

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error. Authy, Aegis and Authenticator (Plus) (and others) have all been able to come up with solutions, I'm not sure why Google can't? Huh
jr. member
Activity: 42
Merit: 2
November 10, 2020, 07:15:12 AM
#12
Yeah, that's what I meant if I don't back up the seed for the authenticator. Thanks for the information, I'll check the alternatives to Google 2FA


Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

No, Google should not have your security code. Actually if you lose your phone and didn't back up properly the seed for the authenticator (when you created/set up the 2FA) you'll probably lose it.
This being said there are better alternatives than Google Authenticator, which do the same job but also allows you keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on timestamp. And if your phone, the auth app or the website where you try to enter don't have the time set well, the code will not be accepted. (Usually a sync of your phone fixes this).

About losing crypto. If you use the 2FA on the same phone as you access the web services, you weaken the security by a great deal and if the phone is lost, stolen or compromised you may lose funds also with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline on a wallet you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of hardware wallet.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
November 10, 2020, 04:45:31 AM
#11
Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

No, Google should not have your security code. Actually if you lose your phone and didn't back up properly the seed for the authenticator (when you created/set up the 2FA) you'll probably lose it.
This being said there are better alternatives than Google Authenticator, which do the same job but also allows you keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on timestamp. And if your phone, the auth app or the website where you try to enter don't have the time set well, the code will not be accepted. (Usually a sync of your phone fixes this).

About losing crypto. If you use the 2FA on the same phone as you access the web services, you weaken the security by a great deal and if the phone is lost, stolen or compromised you may lose funds also with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline on a wallet you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of hardware wallet.
Pages:
Jump to: