Topic: Google 2 A Authentication (Read 1229 times)

Looks like they don't have the time sync feature for iOS yet:

https://code.google.com/p/google-authenticator/issues/detail?id=329

Thats pretty annoying, I copied those instructions straight off of the website and there was no mention it was on android only.

Does it not work anyway? it should work so long as both devices have an accurate time set on the clock.

This does not work as when I open the app on iPhone or iPad there is no menu, to the left of the word Authentictor when you open the app, you have a i button, press that and all you get is
Information
Send feedback
Terms of service
Privacy policy
Legal notices

I don't see any settings anywhere.

Ah, I see - I guess it makes a little better sense now... so you're assigned permanent QR codes that's just used to generate a random token. Like I said I don't use that option, can't say that I ever will. I tried scanning a QR code once using my iPad. It only took that once to determine the hell with them, lol. But maybe it was the high glare from my thunderbolt, but my iPad couldn't read that bastard for anything - and I was trying to donate to someone. Oh well, I gave it a shot. I don't even have a QR scanner now.

To set up iToken, an email link was sent to me  and I had to open on my iPad (from computer where app is to be downloaded)... and enter an activation code. That's as far as my tech knowledge goes in that direction. But I can only use that iToken app with that website unless I 'register' additional sites, each with a different token. iToken's made by Quest... and looking at the more info button, it has my device ID captured. Nice... it even tells me the token type, serial number, date, cycle - wow. Anyhoo, this app wouldn't be used by anyone who'd want to remain anon, because it pretty much knows who the device is registered to.

The token generating apps I used be fore and had a version installed on an iPhone and iPad was Coinbase's - actually that may have been during the time I had an android tablet and an iPhone... but even so - I remember testing it, if you will. Each code generated was different is my point, on both devices, even tho they were tied to the same online account.

Thanks once again I will try this.

If someone gets your QR code, you're 2FA is bypassed. Of course passwords etc are additional security. I was referring to the situation where an attacker already has your password which is what 2FA protects you against, if the hacker doesn't have your password having your 2FA is useless.

When setting up the 2FA initially of course you do it somewhere private, yes cameras can pick it up, thats why showing a new code for each login is a bad idea because each time you login you'd have a chance of being filmed or malware on your PC compromising it.


How did you setup iToken with the website? From what I can tell, iToken works similar under the hood as the QRcodes (Google Authenticator). I'm guessing they probably SMS'ed your app the secret key (random string). I'm curious to know how it works

You might want to confirm that... it's possible it could be device based. When I carried an iPhone and iPad - I could hit the 'generate' button at the same time and both would generate a different code. Again - I don't use QR codes so it could work totally different... but with non QR code token generating apps (that's what they are - I use iToken now) after entering my password for the site, I just have to add the code provided by iToken.

Yes, you may need to do this on both devices:

    Go to the main menu on the Google Authenticator app
    Click Settings
    Click Time correction for codes
    Click Sync now

I'm not saying it's the most secure way, no. Nothing is the most secure. However, a hacker would need to know both my password and have access to my cell, iPad and/or email to access the accounts I use 2FA for. I never use any type of auto log on feature like what I think you're describing? I know how the random code generator works for 2FA - I use it on my iPad, but it's conjunction with my account password (if that makes sense). But isn't that method tied to a specific device anyway? Again I don't use QR codes so my 2FA apps are always tied to my device... IDK...maybe it seems that the a new QR code should be generated for each log in?  I'd feel much 'safer' with a random QR codes for each log in. What if I'm sitting at work (I'd never do this), and have the QR code on my screen - with the cameras on today's code, someone 10 feet behind could take a pic of screen and capture my code. That's a little extreme, but what if I lose my phone with the QR pic saved as a pic? Rhetorical question of course.

Wow, if you are right  Forgotten, that would put my mind at rest knowing I at least have a backup without all the hassle, like I said I use strong passwords so would be willing to take the risk.

Oops idiot moment again, I take it both devices will keep ( stay in exact time )  considering that I move around with my mobile

No apology needed, Lucky thanks for the reply, backup to iCloud you say, shit I ran out of my free space long ago. Might have to revalue ate that choice

What if your email account was hacked? SMS/phone call also isn't the most secure way to do it. Phone company can see those, greedy employee's or hackers who've hacked your phone company can get them.

In simple, the QR code method works like this. The website generates a big long random string of letters. They make it into a QR code so you don't have to type it in. You scan it, your phone saves the random letters.

When you open the app on your phone, your phone gets the current date and time and the random string and hashes it. Hashing it basically jumbles it up in a way that can't be easily reversed back, the end result is a six digit code.

You enter that in the website, and the website uses the same random string that they gave you before and the current date + time and does the same thing, hashes it. It should calculate the same six digit code. If the code you gave them matches the same one they calculated it'll let you in, if they don't it won't.

This way is MUCH more secure than SMS/email. You do not need internet access on your phone to do this, all your phone needs is the random letters and the right time (has to be almost to the second accurate or else you'll have a different code to the one the website generates). Someone wanting to hack your account needs the random letters and they are long and random, it'll take a LONG LONG time to guess them like a bitcoin private key. And if someone uses your phone and writes down the six digit code, it'll only be valid for 30 or so seconds.


Lucky Cris was wrong. This will work fine so long as both iPad and phone have the exact right time set. Try it out, I do something similar.

Nope, they'll be different.

well, I feel better that you accepted my apology (yeah, that was my sorry ass version, lol), but at least you own an iTrash device... this coming from someone who owns many iDevices btw. If you worry about data your phone again... take a screenshot of your QR code (press home & power button together), then back that shit up to iCloud.

I wonder if it would work to have it set up on a phone and iPad at the same time, would the 30 seconds code sequence be the same?
I would take the security risk as I use strong passwords that are kept off line.


Shit damn I have to wait for 360 seconds between posts.  I don't have a stutter 

Many thanks for the reply, that would be a fair request to have it returned to sending address.
About 18 months ago my iPhone crashed on me and had to be replaced. I hope it doesn't happen to my new one.

Seems to me no system is perfect.

Thank you kind Sir, that is helpful.

You know... my response had absolutely nothing to do with you or your question - that's my problem. I was where you are before, so I know better. So let's try this again....

Personally I prefer emailed, SMS, or phone call 2FA, but that's only because I'm not familiar with the QR code method. Okay I confess, I prefer to carry a clam shell phone, but I do have my iPad mini but still. If push comes to shove, one would think you'd be able to request that the exchange send the coins back to the originating address. In that situation, it's less likely that you're a person attempting to gain access to someone else's exchange account. It probably won't work, but a shot nonetheless.

When you enable 2FA they ask you to scan a QR code with your phone.

Before you scan it take a picture of the QR code and store it on something other than your phone, like a memory stick and keep it safe (if someone gets it they can login to your account without your phone).

If you lose your phone, you can use another phone to scan the QR code in the picture and you'll have 2FA for that account on that phone. Enter the code to login as normal. Additionally there is software you can download on your computer that can read it if you don't have a phone to do it with.

Wow that was helpful, tell me something I don't know

I want to also set up an account with Coin Jelly a online BTC wallet, where they guarantee every acc up to 20 BTC. They also use 2FA