
Topic: Authentication: Types, Risks/ Attacks, Advice (Read 1000 times)

hero member
Activity: 1722
Merit: 801
November 30, 2020, 01:11:11 AM
#35
Hi, could you add to the OP this resource https://twofactorauth.org/ which lists plenty of entities (including cryptocurrency) that have implemented 2FA and separates them into realms like Banking, Betting, Finance, Email etc., 32 titles in all. Those realms can even be filtered by region. It can also be run locally: https://github.com/2factorauth/twofactorauth
It is a new website and helpful for authentication on our devices. I would not have known about it if you hadn't told me.

For newbies who use exchanges, merchants and marketplaces, setting up your 2-factor authenticator is important to protect your account and money and prevent potential hacks. SMS codes should not be used after your account registration and email verification if you decide to activate 2FA for your account. Choose a good 2FA app and back up the code for recovery.
hero member
Activity: 491
Merit: 1259
Nihil impunitum
legendary
Activity: 2324
Merit: 1604
hmph..
If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

I understand now, the point is we can scan Google 2FA barcodes with other applications running 2FA. So far, I thought that if the choice of service was only Google 2FA, then we could only use Google 2FA. From your explanation, I tried to scan the 2FA key (on the service that mentioned Google 2FA) using Aegis on my phone and it worked. I just understood this today, and I was wrong all this time thinking that Google's 2FA can only be used with Google. Thank you very much for this knowledge.
legendary
Activity: 2268
Merit: 18711
if most services currently just have Google 2FA on their services? So far, I'm just seeing it on the services I use; no other 2FA options except SMS/email verification.
I'm not entirely sure what you mean here, perhaps because I do not use any Google products so I'm not aware of what their 2FA options are. If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

If the service only offers SMS or email verification for 2FA, then you obviously can't use an app - you can only use what the site offers. Both of these are not great choices, but you can make it slightly better by using a different email address with a different password to the one you use to log in to the account, or by using a burner phone with a number you do not use for anything else and which you never use to access the services in question.

write it down on the paper or save it in password managers like https://keepass.info/ or https://bitwarden.com/
The issue with that is if you store the password to the service in question in the same password manager. If someone can access both your password and your 2FA by compromising a single source - in this case, your password manager - then your 2FA isn't really a second factor at all, it is both factors rolled into one.

I had to check and correct the timer on my devices to help 2FA work again. I don't know the reason why the timer was broken like that. Could you explain it, please?
I can't explain the specifics, but the way that most 2FA apps work is to take the current time, round it down to the nearest 30 seconds, and use that along with the shared secret to generate a code. Therefore, the code will change every 30 seconds as the time updates every 30 seconds. If the clock on your device and the clock on the service are out of sync with each other by 30 seconds, then the code you generate will always be different to the code the service is generating, and so they will never match until you resync your timer.
hero member
Activity: 1722
Merit: 801
Ideally sites will show you both - a QR code you can scan with your app and a string of characters you can write down as a back up.
To back up 2FA for recovery or installation on other devices, I'd prefer to choose the second method: write it down on the paper or save it in password managers like https://keepass.info/ or https://bitwarden.com/

When you need to enter the 2FA code in the future, your app will combine that shared secret with the current time (floored to the nearest 30 seconds), hash it, and use part of the result to generate your 6 digit 2FA code. The website will do the same thing, and check that what you have entered matches what they have calculated.
I got trouble with the timer on my device a few times. 2FA worked smoothly but suddenly one day it was broken. Any time I entered the 2FA code to log in to my account, it failed. I had to check and correct the timer on my devices to help 2FA work again. I don't know the reason why the timer was broken like that. Could you explain it, please?
legendary
Activity: 2324
Merit: 1604
hmph..
Thank you for your explanation of how it works, but the main issue is not about how it works, but how we can use open source 2FA if most services currently just have Google 2FA on their services? So far, I'm just seeing it on the services I use; no other 2FA options except SMS/email verification.
legendary
Activity: 2268
Merit: 18711
About using open source 2FA, unfortunately, most services currently use Google 2FA even though there are no more updates for this service. How can we choose another 2FA if the site still uses Google 2FA? Maybe someone can give more explanation about this, since lots of people say Google 2FA is not safe etc., but exchanges still prefer to use this service, so how can we (as users) move to open source?
There is nothing special about Google 2FA. Any 2FA app should work.

Very simply, when you set up 2FA, the site displays for you a shared secret. This is usually in the form of a QR code, but sometimes it is a string of characters. Ideally sites will show you both - a QR code you can scan with your app and a string of characters you can write down as a back up. When you need to enter the 2FA code in the future, your app will combine that shared secret with the current time (floored to the nearest 30 seconds), hash it, and use part of the result to generate your 6 digit 2FA code. The website will do the same thing, and check that what you have entered matches what they have calculated.

The process for combining the secret with the time and hashing it is standardized, and all 2FA apps and websites do it the same way. (There is more info here if you are interested: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm). Given that, although the website says Google 2FA, any good open source 2FA app should work. See my post on the previous page of this thread for some good open source 2FA apps.
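The two posts above (the "time floored to 30 seconds + shared secret, hashed, part of the result used" description and the earlier clock-drift question) describe RFC 6238 TOTP. The following is an added example, not code from anyone in this thread: it implements the standard algorithm with the RFC 4226/6238 test secret "12345678901234567890" (constructed input, shown in the base32 form a QR code would carry) and shows why a phone whose clock is 45 seconds behind the server produces a code the server rejects unless the server tolerates one step of drift.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6    # code length used by nearly every site

# Same secret as the RFC 6238 test vectors, written as the base32 text a site
# would show beside its QR code (constructed sample, not from a real account).
SAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret from an otpauth QR code or the text shown beside it."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the time floored to the 30-second step."""
    return hotp(secret, unix_time // step, digits)


def server_verify(secret: bytes, submitted: str, server_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, server_time + drift * STEP), submitted):
            return True
    return False


def drift_demo(phone_behind_seconds: int, server_time: int = 59) -> dict:
    """Phone and server compute codes from their own clocks; compare them."""
    secret = secret_from_base32(SAMPLE_BASE32_SECRET)
    phone_code = totp(secret, server_time - phone_behind_seconds)
    return {
        "phone_code": phone_code,
        "server_code": totp(secret, server_time),
        "strict_match": phone_code == totp(secret, server_time),
        "accepted_with_window": server_verify(secret, phone_code, server_time, window=1),
    }
```

A phone 45 s behind sits in the previous 30-second step, so the codes differ; a one-step window rescues that, but 90 s of drift is rejected, which is why the earlier poster had to fix the clock.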
legendary
Activity: 2324
Merit: 1604
hmph..

2FA and email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to 2FA, but also to your E-mail, that will help them get full control of your account.

I have also thought about this a few times before, and I don't have any better option than my current way. So basically I'm using Eset Mobile Security (not promoting them/affiliated with them, just sharing my way), which allows me to lock my phone in case it is lost by pairing it with another phone number. The command is also easy: just send an SMS from the paired number to the number on our lost phone.

I don't know how safe using this third party is, but at least I can lock my phone from another device easily without internet. And using this service I can lock our important applications such as our 2FA. (DWYOR&DYOR)

About using open source 2FA, unfortunately, most services currently use Google 2FA even though there are no more updates for this service. How can we choose another 2FA if the site still uses Google 2FA? Maybe someone can give more explanation about this, since lots of people say Google 2FA is not safe etc., but exchanges still prefer to use this service, so how can we (as users) move to open source?
newbie
Activity: 371
Merit: 0
This is resourceful advice, OP; I can't emphasize enough how much you will be appreciated by many for clearing this out. 2FA is always a better solution than any other digital authentication alternative out there. SMS has its risks, as does biometrics.
hero member
Activity: 1722
Merit: 801
Which two-factor app is the best? Google Authenticator or just Authy?
Try to use better apps, ones that are open-source.

Most of these are not open source and do not allow proper encrypted backups. Google Authenticator in particular is awful in this regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis or AndOTP
iOS - Tofu or Authenticator
full member
Activity: 1750
Merit: 186
Which two-factor app is the best? Google Authenticator or just Authy?
legendary
Activity: 2268
Merit: 1655
To the Moon
I find it easy to use 2FA because it's not stressful and easily understandable; the email and phone number security methods are somehow open to hackers and many users have fallen victim to such attacks. I can remember when unknown users sent withdrawal requests to my email because I hadn't set up an authentication method.

2FA and email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to 2FA, but also to your E-mail, that will help them get full control of your account.
legendary
Activity: 2268
Merit: 18711
This requires direct objects, so it is difficult to get fingerprints online, except for hacking database storage for authentication files.
Sure, but hardly anyone is using a fingerprint scanner directly connected to their home computer to unlock an account on an online website. Almost everyone is using a fingerprint scanner to unlock their phone which contains their 2FA app. If someone steals your phone then they can reconstruct your fingerprint from the fingerprints you have left on the phone itself and then use that to unlock it. Fingerprint scanners on phones are only one step above writing your PIN on a sticky note and attaching it to your bank card. Use passwords.

if forced to be recognized by law and the owner gives it.
"And the owner gives it" is the crucial point here. Law enforcement can physically restrain you and use your fingerprint or face to unlock your phone. They can't do that with passwords.
hero member
Activity: 1400
Merit: 770
First, how easy they are to break. You leave your fingerprints on everything that you touch, including the very device you are using biometrics to unlock. An attacker can print a 3D model of your finger good enough to fool the most advanced fingerprint readers in a matter of minutes.
Yes, you are right, you can get fingerprints from there. But I think this is also difficult and like in Hollywood movies. This requires direct objects, so it is difficult to get fingerprints online, except for hacking database storage for authentication files.

Second, if you are in the US (and some other jurisdictions - check your own), law enforcement can force you to unlock a device using your fingerprint or face. They cannot force you to hand over your passwords.
I think about this coercion carried out by law as a result of illegal actions; other passwords can also be unlocked, if forced to be recognized by law and the owner gives it.

Sorry, this is just my opinion. Correct me if I'm wrong.
legendary
Activity: 2268
Merit: 18711
How can that be? Many articles that discuss biometrics say they are the authentication of the future. Code theft will be difficult, although this can happen.
There are multiple problems with biometrics.

First, how easy they are to break. You leave your fingerprints on everything that you touch, including the very device you are using biometrics to unlock. An attacker can print a 3D model of your finger good enough to fool the most advanced fingerprint readers in a matter of minutes. Have a look at this: https://imgur.com/gallery/8aGqsSu. Face scanning on many phones can be beaten with a simple photo, like one of the ones most people have posted all over the internet and their social media accounts.

Second, if you are in the US (and some other jurisdictions - check your own), law enforcement can force you to unlock a device using your fingerprint or face. They cannot force you to hand over your passwords.

Third, biometrics can never be changed if they are hacked or compromised like a password can.

There is a reason that phones require you to enter your PIN or password after you reboot them before you can use your biometrics again. Biometrics are not secure.
newbie
Activity: 23
Merit: 0
I highly recommend Google authentication for your encryption; you have total control of your account without an intruder gaining access to your account.
The QR code backup can be compromised and your data forever lost.
hero member
Activity: 1400
Merit: 770
... with many fingerprint and facial scanners being fairly easy to fool or bypass. Better to secure your 2FA with a strong password.
How can that be? Many articles that discuss biometrics say they are the authentication of the future. Code theft will be difficult, although this can happen.
sr. member
Activity: 1232
Merit: 379
I find it easy to use 2FA because it's not stressful and easily understandable; the email and phone number security methods are somehow open to hackers and many users have fallen victim to such attacks. I can remember when unknown users sent withdrawal requests to my email because I hadn't set up an authentication method.
legendary
Activity: 2268
Merit: 18711
If someone is scared of Google then Authenticator can be installed on an old smartphone and used with the radio module deactivated.
True, but I still think it's a better option to just avoid Google products altogether. Further, if you use a device with no connectivity, you will have to manually make sure the clock is accurate, as any drift from the real time can result in incorrect codes being generated.

The data it holds can be sealed by biometrics
Biometrics are one of the least secure forms of protecting data, with many fingerprint and facial scanners being fairly easy to fool or bypass. Better to secure your 2FA with a strong password.
hero member
Activity: 1722
Merit: 801
Some exchanges combine email and 2FA. In my experience when logging in to Bittrex or Indodax I have to confirm the email, and after that enter the 2FA code. It makes it longer but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately this is only done when the IP address changes; if every login had to be confirmed by email and 2FA, I think that would be good.
It will be required if you log in to your account on a new device or with a new IP address. Logging in on the same device and same IP address doesn't force you to confirm the login activity by email confirmation.

Binance has a similar requirement too.