Topic: I dont like 2FA ...so ? (Read 1757 times)

1. Not all 2FA requires your phone number.

2. Any service that is storing money for you probably has already required to know far more identifying information about you than your phone number.

If you don't want to use 2FA that's fine; hackers will love you the first time they crack your email account, take a look, find emails from bitcoin services, tell those services to do an email password reset, log in, empty your account.

1BTC probably goes a long way in Elbonia.

Some services, like a Google Account, allow you to use several phone numbers (in case one of them is not available).

Correct.

I have all my 2FA bar codes tucked away just in case I lose my phone

Currently using 7 bitcoin related sites with 2FA enabled.

.. inconvenient to secure $450, aren't we privileged.

attacks can take place anywhere. a non-2FA online wallet is not an exception

Here is a story of the person using 2FA...

https://bitcointalksearch.org/topic/m.6475008

Well. don't use SMS-based 2FA then.

2 reasons :-

i. Inconvenience caused to secure less than 1 BTC.

ii. The moment I'm providing my phone no., the moment I'm surrendering my anonymity.

I believe your question has been answered by many people now, but I am curious about the reason why you don't like 2FA.

Security is always a balance between convenience and security. 2FA is more inconvenient, but of course- more secure. So its up to you, really.

2 factor authentication tries to mitigate remote control of your computer by asking for something you have rather than something you know. To do this remotely, you essentially need one-time passwords.

SMS based 2FA is not secure against corporations installing software on you phone: such as your carrier, Google, Apple, or Facebook. Almost by extension, it is not secure against governments either.

For example, the facebook app now asks for permission to read all of your SMS messages. If facebook was able to obtain your other login credentials (do you reuse you user-name/password? Did you let them log into your master e-mail account to download your address book (the same one used for resetting passwords)?

I suggested that my bank implement Paper-Based 2FA, rather than rely on "security questions" for "untrusted" computers.

You can add backup phones incase you lose one of your phones, that way you'd always be able to get on your account.

If you lose all your backup phones..then...call Google. , plus there are a ton of other ways to retrieve your account, security questions, linked accounts, etc etc.

Google 2FA works by computing the hash of the current time and the secret code used to set up the 2FA. Every user will have a different secret, so the list of codes will be different from user to user. An attacker can try to gain access by either guessing the secret or guessing a one-time-code. The secret is long enough that it is infeasible to guess/bruteforce. Guessing the one-time-code is a one in a million chance, since it's 6 digits. A good website will limit the number of attempts you're allowed to make with logging in, so guessing that is infeasible too.

The algorithm used by Google 2FA is open. There are alternative implementations to the app by Google. And the algorithm is simple enough that you could develop your own implementation of it. So it becomes a matter of which app-developer you trust the most, or if you don't trust any, you make the app yourself.

When you set up 2FA, you're provided with your secret code (an alphanumeric string and/or a QR code). With this code, you can at any time restore access with any 2FA app. So if you keep a backup of the secret code (preferably printed or written down, not stored digitally), you can use another device to regain access if you lose your phone.

Why would you not like 2 factor? Having a text sent to your phone makes your account very safe.

I think this argument does not stand, because phone based 2FA is connected to your no., not the set. So, even if u lose the phone, u can get back uR no. from the service provider through identity verification. Moreover, just by gaining access to your phone, an attacker cant get into your wallet, as he/she does not have access to the password.

I've never used a Phone call for 2FA... only Autheticator/YubiKey...

yeah, its quite ironic that to make something more secure you need to secure something else that is statistically more vulnerable to loss and theft.

What if I lose my 2FA phone, or it just stops to work?
If you can get acess to your account by others means, you are still vulnerable.
If you can't, you are adding another risk while decreasing other.

Thank u for all your response. But I have read sometimes blockchain.info 2FA users have been unable to authenticate themselves and the service provider cant do anything with that !!! This is scary...

The 2FA Joshuar uses may require a phone call.

The 2FA I have is called "Google 2-step Verification". It is an app which I have on my phone. It does not require me to accept a phone call. Rather the app cycles thru a list of 6 digit numbers. This number is asked for by the website. The app on my phone provides the correct 6 digit number.

The 6 digit number itself changes every 20 seconds. How does the app always have the right number for the website??

The two use the same long list of 6 digit numbers and they scroll through them in syncronistic lock step with each other. They stay in sync because when you first set up 2FA, the two start moving down the list at the same time.

The military uses a similar tool to secure communications although they use it for anti-jamming radio purposes. Pilots and soldiers on the ground will talk over radios. Both the radio in the plane and the radio on the ground rapidly change the frequency they're communicating over, again the change is made in sync. This way if any single frequency is jammed, they will only be talking over that frequency for fractions of a second and comms wont be interrupted significantly.

The ideas are similar though.  Two parties use a pre-agreed upon list. They cycle thru the list. They do this  in sync because they both started the list at the same time and change to the next item on the list at a pre-determined time increment. 20-30 seconds for 2FA.  Multiple times a second for military "Have Quick".


What are the weakness of this approach? Just some speculating here however...
Is every Google2FA using the exact same list or is every list different?
A broken clock is right twice daily. Perhaps someone could (small chance here in my mind) break into your account etc if they had your login and password credentials from wherever and then "broken clocked" the 2FA.
Is the provider of Google 2-SV trustworthy? Is there an open source alternative?


In information security there are three items used to provide identity verification and then secure access to info.
Who you are.
What you know.
What you have.

Passwords are a single facet. What you know. The password. This is a single layer of security.
2FA adds a second layer of security by also creating a "what you have" requirement for access. The current technology is 2FA (Google 2-SV) on a device which most people carry, their phone.

So 2FA will add a second layer of protection anytime you believe a password alone isn't sufficient to secure something. Like internet money.
And hopefully your phone is in your possession. You can lock yourself out (although there are secure workarounds) if you lose your phone without backing up your 2FA key.

How do people break passwords on a non-2FA?? How do they find your password? Are you using a password instead of a pass-phrase?? The resources to educate yourself already exist in abundance all over the web.

Wanna really beef up your security?  Add the third layer; Who you are, in addition to the other two.

Use a phone with a finger print sensor (who you are). On which you have 2FA(what you have). Only with those two layers of security satisfied can you finally use your pass-phrase (what you know) on a website to access your account.
If someone gets thru that then.....