Topic: Authentication: Types, Risks/ Attacks, Advice - page 2. (Read 1007 times)

Some exchanges combine email and 2fa. My experience when logging in to bittrex or indodax I have to confirm the email, after that enter the 2fa code. Make it longer but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately this is done when the IP address changes, if every time log in must be confirm email and 2fa, I think that's good.

Except it isn't open source and it doesn't allow you to make secure, encrypted back ups. Not to mention it's owned and operated by Google, the worst company on the planet when it comes to respecting users' privacy.

Choose one of the free and open source alternatives I listed above.

I relate to type 3 (being too lazy lmao), anyway I used to use Google authenticator but the access of codes on app open, no encryption and hassle of backup made me switch to Aegis. It's much better.

Most of these are not open source and do not allow proper encrypted back ups. Google Authenticator in particular is awful from the regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis or AndOTP
iOS - Tofu or Authenticator

Cloud storage is frequently hacked, and should not be used for sensitive data or back ups. A better option is to use one of the apps I listed to make an encrypted back up locally.

You still do not give valid reason why QR code is not good for 2FA backup.

This method is not good enough, you can  write it down on a papar like you have ones said, you can laminate it for more safety.

When backing up QR code, the secret code is included.

When the map is broken, you have nothing to recover your 2FA but with secret key, if one of characters is blurred or broken, you still can guess it from the leftover of broken character.

---

They are different things here: backup and transaction. What I meant is backup, not for transactions. For transactions, you should check a few first and last charaters. Checking a few in middle or whole characters if you want to do so.
How to lose your Bitcoins with CTRL-C CTRL-V

Correct me if I am wrong (I could be wrong). Thanks.

It is true. I never ever use qr code when storing 2FA secret codes. I'd rather use the code itself and write on a paper for example or store it on a flash drives then you can keep it safe from leaking. It seems you are using google authenticator. Is it because where you can sync your account from the current device to other device which in my opinion is good but it also have disadvantage where the company that create that platform may have access to your credentials which is bad. I have been using google auth and Authy for 2 years.

Im using it as back up for my some of my crypto asset wallet. How can you say QR code has likely more potential than in character type? When you use it for transaction, simply the confirmation would be guaranteed unlike character that you will used a copy paste method that have malware changing the address when you paste it.

I would be interested if you can expound the reason for this.

QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.

It's highly recommended that you put the safest and proven authentication on your emails and wallets, it's part of your education to understand how hackers attacks and what are the vulnerable point, in your online ventures, always get updates about security and the tools you are using and you are good to go and you can sleep soundly.

I am not sure about the difference but I saw mk4 commented with this post and I think he makes a point that storing private things yourself is better. It is not only about 2FA backups but generally also about synchronisation over devices. I don't want to sychronise everything I do over devices. If one of my devices is compromised, my data will be leaked. That's not good.

For the first time, I tried to use Two-Factor-Authentications (2FA) I tried Google 2FA in my android phone and after few months I switched to Authy since Authy you can input your email address or phone number there.
Did anyone get ideas which is much better of these two? Or the difference between them? Google 2FA and Authy. I still didn't explore so much about Authy 2FA.

Another most important point is that the Authentication software or authentication should totally be on a separate device from the one you use to log into your accounts or APPs. Keeping the Authentication software in the same device you use to log into your accounts kills the purpose authentication
For example. If you usually use your computer to log into your accounts, your Authentication software/app should be in a separate device like your tab or mobile phone that you don't use for logging into your accounts.

Some people screen shot the 2FA backup QR codes including the backup words and characters, some also store the back up on their phones note, this is a poor and a non recommended way to back up 2FA, instead, you should do the paper printing, laminate it and put it in a place safe from damage and intruders(hackers)

We need to also be careful of hackers. Any device our wallets or our 2FA apps are installed, we need to make it safe from malware, trojan horse is able to reveal the 2FA code, also are some malware like rootkit that can reveal detail informations stored on your device, in this way, it can steal the 2 FA backup screen shot.

Make sure your device is free from malware, and do a paper printed 2 FA backup.

There is one also I will like you to include, andOTP 2 factor authenticator, it is also good and open source.

People usually care about increasing their funds, their capital but do neither care about losses nor pay attention to protect their funds/ capital. There are some reasons why they don’t care about it.
-   Don’t aware of risks if they don’t protect their accounts.
-   Don’t have knowledge.
-   Being too lazy (aware of risks, have knowledge, but they don’t do anything to secure accounts).

How many types of authenticators?
-   SMS-based/ Email-based/ Voice-based/  Biometric-based authenticator
-   2-factor authenticators (2FA)
-   FIDO U2F hardware authenticators

Which one is recommended to use and should be your first priorities?
2-factor authenticator softwares. They are free and more secured. Try to use Yubikey if you actually want to secure better with some funds.
Don't use SMS-based authentication if you can do it. Unfortunately sometimes you don't have choice because service providers (like banks) don't only give you that type of authentication. As being said, whenever you can avoid this type, avoid it.

The first type is less secured and more risky because there are SIM swapping attacks (for SMS, voice code) and if you rely on email, your account will be compromised if hackers have access to your email.
[BEWARE] Sim Port Attack and SIM swapping protection
With SMS-based authenticator, you can secure it better by set up PIN code for your SIM card, deactivate lock-screen notifcations. More details in the guide from Kaspersky.

Biometric-based authenticator is risksy because if you pass away, your family members can not get access to your account.



The second type is more secured and is the one should be used. Most of them use the OATH TOTP (Time-based One-Time Password) algorithm.
There are some softwares for you. More details

Google Authenticator: Android, iOS
Duo Mobile: Android, iOS
Microsoft Authenticator: Android, iOS
Free OTP: Android, iOS
Authy: Android, iOS, Windows, macOS, Chrome
Yandex.key: Android, iOS
Aegis: Android
When using those apps, there are mandatory steps to do: backup 2FA codes (to recover later if your phones / devices broken and can not be prepaired), and test the validity of those backup codes (make sure that you make good backups and they can be used to recover).

Some people don't know these two important and vital steps. They activate 2FA on their accounts, enter 2FA codes to apps, but don't back those codes and don't test backup's validity. If their devices are stolen or broken, they get troubles.

Some advice for 2FA
- Make backups of 2FA codes before activating it
- Activating it by manually entering 2FA codes, don't scan QR code.
        Because when you entering 2FA code manually, you also check the validity of your code backup.
        If your code backup is not correct, you can not activate the code for your account.
- Retest code backup on another device if possible.
- Don't take a photo and store code backup on your device. There are risks that your devices can be compromised and photo or backup will be leaked.
- Install 2FA app on your another device, and it should mostly be offline. Don't store all eggs in one bag.

Remember that there are two layers of backup: backup codes, and 2FA secrect key (or bar code). I advise you to do backup for both of them, or if you choose only one to backup, it should be 2FA secret key, not barcode. With secret key, you will be easier to guess if character, figure are blurred a little bit but with bar code, it is almost nothing to do. Of course, saving 2FA secret key backups as best as possible is the must thing to do.

Store them offline.

Backup codes

2FA secret keys


FIDO U2F hardware authenticators: YubiKey and others