Google 2FA decentralised alternative ?

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote

News from Microsoft:
Users with multi-factor authentication blocks 99.9% of account hacks

https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless
https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/

Bold statement to say.
You can read full Whitepaper here:
Password-less protection
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2KEup

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: naska21 on July 31, 2019, 01:25:55 AM

Quote from: Decimation on July 25, 2019, 10:25:25 AM

What exactly do you mean by "decentralized 2fa"? Just because something has the word "Google" in front of it, doesn't mean it isn't decentralized. You own your keys, and you are completely responsible for them. However I would argue that decentralized 2fa is unnecessary for the average person, as the chance of losing keys is much higher. Authy is tied to your phone number rather than your phone, making it much easier to restore lost data, without having to worry too much.

"My 2 cents" in regard of "decentralized 2fa":

Quote from: https://www.hydrogenplatform.com/2fa-app

Hydrogen 2FA uses cutting-edge cryptography and the blockchain to secure your accounts, transactions, and payments.

that said, relevant services should adopt Hydro Raindrop so you could use that "decentralized 2fa alternative".

Interesting, thank you.
First time I heard about that, but I will check it out.
Cheers!

naska21

hero member

Activity: 1358

Merit: 635

Quote from: Decimation on July 25, 2019, 10:25:25 AM

What exactly do you mean by "decentralized 2fa"? Just because something has the word "Google" in front of it, doesn't mean it isn't decentralized. You own your keys, and you are completely responsible for them. However I would argue that decentralized 2fa is unnecessary for the average person, as the chance of losing keys is much higher. Authy is tied to your phone number rather than your phone, making it much easier to restore lost data, without having to worry too much.

"My 2 cents" in regard of "decentralized 2fa":

Quote from: https://www.hydrogenplatform.com/2fa-app

Hydrogen 2FA uses cutting-edge cryptography and the blockchain to secure your accounts, transactions, and payments.

that said, relevant services should adopt Hydro Raindrop so you could use that "decentralized 2fa alternative".

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: stomachgrowls on July 30, 2019, 01:26:00 PM

Quote from: dkbit98 on July 30, 2019, 03:08:36 AM

There is a way hackers can compromise your 2FA with a virus.
One example for Android phones is Anubis Trojan Virus.
Virus Anubis renders 2FA void via a man-in-the-middle-atack.
It is targeting crypto exchanges

Read more in this articles:
https://blog.zerononcense.com/2019/07/27/anubis-virus-major-android-virus-attacking-bitfinex-binance-exchange-apps-and-others-pt-1/
https://www.zdnet.com/article/anubis-android-banking-malware-returns-with-a-bang/

Adding up some links about that Anubis Trojan.

https://www.bleepingcomputer.com/news/security/anubis-android-trojan-spotted-with-almost-functional-ransomware-module/

Android system cant be affected with Virus but only with malware and even application permission.

Article you posted is older date from April.
I found more recent info from Trend Micro
https://blog.trendmicro.com/trendlabs-security-intelligence/anubis-android-malware-returns-with-over-17000-samples/

Faebook was also using 2FA for serving us ads:
https://www.eff.org/deeplinks/2019/07/fixed-ftc-orders-facebook-stop-using-your-2fa-number-ads

stomachgrowls

hero member

Activity: 3010

Merit: 794

Quote from: dkbit98 on July 30, 2019, 03:08:36 AM

There is a way hackers can compromise your 2FA with a virus.
One example for Android phones is Anubis Trojan Virus.
Virus Anubis renders 2FA void via a man-in-the-middle-atack.
It is targeting crypto exchanges

Read more in this articles:
https://blog.zerononcense.com/2019/07/27/anubis-virus-major-android-virus-attacking-bitfinex-binance-exchange-apps-and-others-pt-1/
https://www.zdnet.com/article/anubis-android-banking-malware-returns-with-a-bang/

Adding up some links about that Anubis Trojan.

https://www.bleepingcomputer.com/news/security/anubis-android-trojan-spotted-with-almost-functional-ransomware-module/

Android system cant be affected with Virus but only with malware and even application permission.

leea-1334

hero member

Activity: 2296

Merit: 953

Temporary forum vacation

Looked good until the moment I saw that it costs you something to broadcast the transaction. So a crypto based plainly on 2FA? I think it is fine. There are other simple scripts out there you can use that just work fine for 2FA, you do not need to have another crypto just to do this.

royalfestus

hero member

Activity: 2436

Merit: 516

In the past 2 weeks I have had series of error from this google authentication from 2 of the exchanges I use, What have not seen until recently. I am afraid there is possibility of compromise if such error persist. Anything is possible with hacking in this space and we may not know the possibility until it happen. The google authenticator don't see much upgrade like other app, it might not be necessary if we are well protected .

dkbit98

legendary

Activity: 2212

Merit: 7064

There is a way hackers can compromise your 2FA with a virus.
One example for Android phones is Anubis Trojan Virus.
Virus Anubis renders 2FA void via a man-in-the-middle-atack.
It is targeting crypto exchanges

Read more in this articles:
https://blog.zerononcense.com/2019/07/27/anubis-virus-major-android-virus-attacking-bitfinex-binance-exchange-apps-and-others-pt-1/
https://www.zdnet.com/article/anubis-android-banking-malware-returns-with-a-bang/

xamxam

full member

Activity: 409

Merit: 100

2FA is very important to prevent hacker, in this way we can be more comfortable about our account. If you are using android authy is much better rather than google aunthenticator. But Authy was proven and tested to me already for every exchange that I used most often here in this field of crypto business industry.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: Red-Apple on July 28, 2019, 06:45:48 AM

Quote from: dkbit98 on July 24, 2019, 05:29:26 AM

Do we need alternative for 2FA?

I am 100% sure we need it!
We are becoming to attached to Google and services they offer, like Gmail, Youtube, Google 2FA, Google search.
They truck every single thing people are doing, and only way we can keep a bit off our privacy
is by slowly reducing usage of this services and gradually transition to alternative options we have.

you first need to prove there is actually something wrong with the current tools then argue about alternatives. i am personally not convinced with your argument here.

lets first look at how Google Authenticator works.
it is a very simple application that works offline and without needing Google servers or sending anything to them. it works based on your device's time and the password/key that you and the other party share. using that key you generate a number which acts as your 2FA.

now explain to me how are we relying on Google for any of it? it is not like Gmail that you need their server! everything happens inside your device and stored in your device.

besides if we assume we need an alternative, we definitely don't need a "cryptocurrency" for that! it doesn't even make sense to create one!!!

If you are talking about 2FA, and in specific TOTP
It has many flaws, and that is why they created better version U2F.
2FA Backup codes are sent online, they are probably not even encrypted,
and hackers can take control of password or backup.
You are trusting other party to save keep your secret code.

U2F is better because there is nothing shared over internet.

Hackers can not hack in to d2FA as there is no single point server that is keeping your secret.,
or maybe they can but in Quantum future.

haufranco

newbie

Activity: 82

Merit: 0

Quote from: naska21 on July 25, 2019, 02:26:17 AM

Quote from: dkbit98 on July 24, 2019, 05:29:26 AM

snip

Always use U2F if you can as private key is never sent over the internet at any time, and it is much easier to use.
You may find U2F on some well known hardware wallets as Trezor and Ledger.

snip

Can't comment on Trezor but the loss of security keys in Ledger after firmware update is the weak spot of that device:

Quote from: https://support.ledger.com/hc/en-us/articles/115005198545-FIDO-U2F

After a firmware update, all apps have to be reinstalled. Unfortunately, this means that the counter is reset and you will not be able to login using the FIDO U2F app on your device before reconfiguring the services you use it on

IMO, the dedicated usb tokens like Yubikey by Yubico are best suited to address U2F authorization.

Thanks for noticing. Got stuck with no option of signing-in back

Red-Apple

hero member

Activity: 1470

Merit: 655

Quote from: dkbit98 on July 24, 2019, 05:29:26 AM

Do we need alternative for 2FA?

I am 100% sure we need it!
We are becoming to attached to Google and services they offer, like Gmail, Youtube, Google 2FA, Google search.
They truck every single thing people are doing, and only way we can keep a bit off our privacy
is by slowly reducing usage of this services and gradually transition to alternative options we have.

you first need to prove there is actually something wrong with the current tools then argue about alternatives. i am personally not convinced with your argument here.

lets first look at how Google Authenticator works.
it is a very simple application that works offline and without needing Google servers or sending anything to them. it works based on your device's time and the password/key that you and the other party share. using that key you generate a number which acts as your 2FA.

now explain to me how are we relying on Google for any of it? it is not like Gmail that you need their server! everything happens inside your device and stored in your device.

besides if we assume we need an alternative, we definitely don't need a "cryptocurrency" for that! it doesn't even make sense to create one!!!

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: bitmover on July 25, 2019, 10:20:28 AM

Quote from: dkbit98 on July 25, 2019, 03:56:38 AM

Not to mention the 'lack of space' thing on Ledger Nano S and removal of option to sign a message,
it will not be even possible to install FIDO U2F if you have 2 or 3 coins in portfolio.

Scary stuff

There is a lot of misinformation here.

First of all, ledger nano S can sign messages. I really don't know what you are talking about.
I signed messages using Electrum, Mycrypto, Myetherwallet...

And you can use more than 20 coins in your portfolio. Just uninstall your App inside the ledger device and install again when you need to use again.

Yes, I did the unistall.
And having only Bitcoin, and Etherium filled up all the space,
so I cant install anything else...
And I need to install PGP app for that to work.

I am talking about Ledger Nano S,
and I can prove it, and I am not the only one with this issue

shoreno

full member

Activity: 1750

Merit: 118

i have tried using apps for 2fa's that i found on the google playstore , take note they arent related to google but after i tried those it seems that they didn work as i recieve a wrong otp message . but after i tried using back the google authenticator it worked again like a charm . i think the exchange that im using only supports google authenticator at the moment .

Decimation

member

Activity: 244

Merit: 43

What exactly do you mean by "decentralized 2fa"? Just because something has the word "Google" in front of it, doesn't mean it isn't decentralized. You own your keys, and you are completely responsible for them. However I would argue that decentralized 2fa is unnecessary for the average person, as the chance of losing keys is much higher. Authy is tied to your phone number rather than your phone, making it much easier to restore lost data, without having to worry too much.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

Quote from: dkbit98 on July 25, 2019, 03:56:38 AM

Not to mention the 'lack of space' thing on Ledger Nano S and removal of option to sign a message,
it will not be even possible to install FIDO U2F if you have 2 or 3 coins in portfolio.

Scary stuff

There is a lot of misinformation here.

First of all, ledger nano S can sign messages. I really don't know what you are talking about.
I signed messages using Electrum, Mycrypto, Myetherwallet...

And you can use more than 20 coins in your portfolio. Just uninstall your App inside the ledger device and install again when you need to use again.

poodle63

hero member

Activity: 2702

Merit: 510

Leading Crypto Sports Betting & Casino Platform

Quote from: bitmover on July 24, 2019, 10:54:25 AM

Quote from: dkbit98 on July 24, 2019, 09:21:33 AM

Are they using centralized servers or not?

If the answer is YES, then I think we do need them.

btw did you mean Bitcoin should be DEcentralized Grin

or centralized like you wrote ?

PS
I tried Authy.
For desktop I am using WinAuth at the moment

Thanks for the correction lol decentralized ofc.

Authy is better than winauthy imo. Give it a try.
They use centralized services, ofc. This is not a problem to security imo.

authy is more than enough for me, i don't need any service even like bitwings or this one. Centralized server means nothing when it was developed by the trusted company and authy is a reputable app with so many users.
anything must not be decentralized.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: naska21 on July 25, 2019, 02:26:17 AM

Quote from: dkbit98 on July 24, 2019, 05:29:26 AM

snip

Always use U2F if you can as private key is never sent over the internet at any time, and it is much easier to use.
You may find U2F on some well known hardware wallets as Trezor and Ledger.

snip

Can't comment on Trezor but the loss of security keys in Ledger after firmware update is the weak spot of that device:

Quote from: https://support.ledger.com/hc/en-us/articles/115005198545-FIDO-U2F

After a firmware update, all apps have to be reinstalled. Unfortunately, this means that the counter is reset and you will not be able to login using the FIDO U2F app on your device before reconfiguring the services you use it on

IMO, the dedicated usb tokens like Yubikey by Yubico are best suited to address U2F authorization.

Not to mention the 'lack of space' thing on Ledger Nano S and removal of option to sign a message,
it will not be even possible to install FIDO U2F if you have 2 or 3 coins in portfolio.

Scary stuff

naska21

hero member

Activity: 1358

Merit: 635

Quote from: dkbit98 on July 24, 2019, 05:29:26 AM

snip

Always use U2F if you can as private key is never sent over the internet at any time, and it is much easier to use.
You may find U2F on some well known hardware wallets as Trezor and Ledger.

snip

Can't comment on Trezor but the loss of security keys in Ledger after firmware update is the weak spot of that device:

Quote from: https://support.ledger.com/hc/en-us/articles/115005198545-FIDO-U2F

After a firmware update, all apps have to be reinstalled. Unfortunately, this means that the counter is reset and you will not be able to login using the FIDO U2F app on your device before reconfiguring the services you use it on

IMO, the dedicated usb tokens like Yubikey by Yubico are best suited to address U2F authorization.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

Quote from: dkbit98 on July 24, 2019, 09:21:33 AM

Are they using centralized servers or not?

If the answer is YES, then I think we do need them.

btw did you mean Bitcoin should be DEcentralized Grin

or centralized like you wrote ?

PS
I tried Authy.
For desktop I am using WinAuth at the moment

Thanks for the correction lol decentralized ofc.

Authy is better than winauthy imo. Give it a try.
They use centralized services, ofc. This is not a problem to security imo.

Topic: Google 2FA decentralised alternative ? (Read 359 times)