Topic: I don't like 2FA ...so ? (Read 1815 times)

full member
Activity: 154
Merit: 100
May 03, 2014, 09:04:57 PM
#24
1. Not all 2FA requires your phone number.

2. Any service that is storing money for you probably has already required to know far more identifying information about you than your phone number.

If you don't want to use 2FA that's fine; hackers will love you the first time they crack your email account, take a look, find emails from bitcoin services, tell those services to do an email password reset, log in, empty your account.

1 BTC probably goes a long way in Elbonia.
sr. member
Activity: 490
Merit: 250
April 30, 2014, 04:48:28 PM
#23
What if I lose my 2FA phone, or it just stops working?
If you can get access to your account by other means, you are still vulnerable.
If you can't, you are adding another risk while decreasing another.
Some services, like a Google Account, allow you to use several phone numbers (in case one of them is not available).
full member
Activity: 126
Merit: 100
April 30, 2014, 03:54:57 PM
#22
When you set up 2FA, you're provided with your secret code (an alphanumeric string and/or a QR code). With this code, you can at any time restore access with any 2FA app. So if you keep a backup of the secret code (preferably printed or written down, not stored digitally), you can use another device to regain access if you lose your phone.
Correct.

I have all my 2FA bar codes tucked away just in case I lose my phone

Currently using 7 bitcoin related sites with 2FA enabled.
legendary
Activity: 1310
Merit: 1000
April 30, 2014, 12:46:45 PM
#21
I would like to know how an attack takes place on a non-2FA online wallet that is not possible on a 2FA online wallet ?

I believe your question has been answered by many people now, but I am curious about the reason why you don't like 2FA.

2 reasons :-

i. Inconvenience caused to secure less than 1 BTC.

ii. The moment I'm providing my phone no., the moment I'm surrendering my anonymity.


.. inconvenient to secure $450, aren't we privileged.
member
Activity: 98
Merit: 10
April 30, 2014, 12:43:51 PM
#20
Attacks can take place anywhere. A non-2FA online wallet is not an exception.
legendary
Activity: 2394
Merit: 1216
The revolution will be digital
April 30, 2014, 12:23:07 PM
#19
Here is a story of the person using 2FA...

https://bitcointalksearch.org/topic/m.6475008
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
April 28, 2014, 11:01:48 AM
#18
Well, don't use SMS-based 2FA then.
legendary
Activity: 2394
Merit: 1216
The revolution will be digital
April 28, 2014, 10:55:50 AM
#17
I would like to know how an attack takes place on a non-2FA online wallet that is not possible on a 2FA online wallet ?

I believe your question has been answered by many people now, but I am curious about the reason why you don't like 2FA.

2 reasons :-

i. Inconvenience caused to secure less than 1 BTC.

ii. The moment I'm providing my phone no., the moment I'm surrendering my anonymity.
hero member
Activity: 896
Merit: 1000
April 28, 2014, 10:31:10 AM
#16
I would like to know how an attack takes place on a non-2FA online wallet that is not possible on a 2FA online wallet ?

I believe your question has been answered by many people now, but I am curious about the reason why you don't like 2FA.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
April 28, 2014, 10:22:10 AM
#15
I would like to know how an attack takes place on a non-2FA online wallet that is not possible on a 2FA online wallet ?

Security is always a balance between convenience and security. 2FA is more inconvenient, but of course, more secure. So it's up to you, really.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
April 28, 2014, 10:17:29 AM
#14
2 factor authentication tries to mitigate remote control of your computer by asking for something you have rather than something you know. To do this remotely, you essentially need one-time passwords.

SMS based 2FA is not secure against corporations installing software on your phone: such as your carrier, Google, Apple, or Facebook. Almost by extension, it is not secure against governments either.

For example, the Facebook app now asks for permission to read all of your SMS messages. If Facebook was able to obtain your other login credentials (do you reuse your user-name/password? Did you let them log into your master e-mail account to download your address book (the same one used for resetting passwords)?)

I suggested that my bank implement Paper-Based 2FA, rather than rely on "security questions" for "untrusted" computers.
hero member
Activity: 504
Merit: 500
eidoo wallet
April 28, 2014, 08:46:13 AM
#13
What if I lose my 2FA phone, or it just stops working?
If you can get access to your account by other means, you are still vulnerable.
If you can't, you are adding another risk while decreasing another.

yeah, it's quite ironic that to make something more secure you need to secure something else that is statistically more vulnerable to loss and theft.

You can add backup phones in case you lose one of your phones, that way you'd always be able to get on your account.

If you lose all your backup phones..then...call Google :), plus there are a ton of other ways to retrieve your account, security questions, linked accounts, etc etc.
hero member
Activity: 728
Merit: 500
April 28, 2014, 04:56:00 AM
#12
What are the weaknesses of this approach? Just some speculating here however...
Is every Google2FA using the exact same list or is every list different?
A broken clock is right twice daily. Perhaps someone could (small chance here in my mind) break into your account etc if they had your login and password credentials from wherever and then "broken clocked" the 2FA.
Is the provider of Google 2-SV trustworthy? Is there an open source alternative?

Google 2FA works by computing the hash of the current time and the secret code used to set up the 2FA. Every user will have a different secret, so the list of codes will be different from user to user. An attacker can try to gain access by either guessing the secret or guessing a one-time-code. The secret is long enough that it is infeasible to guess/brute-force. Guessing the one-time-code is a one in a million chance, since it's 6 digits. A good website will limit the number of attempts you're allowed to make when logging in, so guessing that is infeasible too.

The algorithm used by Google 2FA is open. There are alternative implementations to the app by Google. And the algorithm is simple enough that you could develop your own implementation of it. So it becomes a matter of which app-developer you trust the most, or if you don't trust any, you make the app yourself.

What if I lose my 2FA phone, or it just stops working?
If you can get access to your account by other means, you are still vulnerable.
If you can't, you are adding another risk while decreasing another.
When you set up 2FA, you're provided with your secret code (an alphanumeric string and/or a QR code). With this code, you can at any time restore access with any 2FA app. So if you keep a backup of the secret code (preferably printed or written down, not stored digitally), you can use another device to regain access if you lose your phone.
newbie
Activity: 42
Merit: 0
April 28, 2014, 04:55:31 AM
#11
Why would you not like 2 factor? Having a text sent to your phone makes your account very safe.
legendary
Activity: 2394
Merit: 1216
The revolution will be digital
April 28, 2014, 04:40:24 AM
#10
What if I lose my 2FA phone, or it just stops working?
If you can get access to your account by other means, you are still vulnerable.
If you can't, you are adding another risk while decreasing another.

yeah, it's quite ironic that to make something more secure you need to secure something else that is statistically more vulnerable to loss and theft.

I think this argument does not stand, because phone based 2FA is connected to your no., not the set. So, even if you lose the phone, you can get back your no. from the service provider through identity verification. Moreover, just by gaining access to your phone, an attacker can't get into your wallet, as he/she does not have access to the password.
full member
Activity: 379
Merit: 100
April 27, 2014, 10:05:18 PM
#9
2FA requires a phone call to your phone to login. Thereby making it harder/pretty impossible for a hacker/attacker to login on your account without also having your phone.

I recommend 2FA for your email as well as for any exchange you use.

I've never used a phone call for 2FA... only Authenticator/YubiKey...
sr. member
Activity: 266
Merit: 250
April 27, 2014, 09:40:28 PM
#8
What if I lose my 2FA phone, or it just stops working?
If you can get access to your account by other means, you are still vulnerable.
If you can't, you are adding another risk while decreasing another.

yeah, it's quite ironic that to make something more secure you need to secure something else that is statistically more vulnerable to loss and theft.
hero member
Activity: 616
Merit: 500
April 27, 2014, 08:05:42 PM
#7
What if I lose my 2FA phone, or it just stops working?
If you can get access to your account by other means, you are still vulnerable.
If you can't, you are adding another risk while decreasing another.
legendary
Activity: 2394
Merit: 1216
The revolution will be digital
April 27, 2014, 06:12:46 PM
#6
Thank you for all your responses. But I have read that sometimes blockchain.info 2FA users have been unable to authenticate themselves and the service provider can't do anything about that !!! This is scary...
full member
Activity: 180
Merit: 100
April 27, 2014, 03:13:06 PM
#5
2FA requires a phone call to your phone to login. Thereby making it harder/pretty impossible for a hacker/attacker to login on your account without also having your phone.

I recommend 2FA for your email as well as for any exchange you use.

The 2FA Joshuar uses may require a phone call.

The 2FA I have is called "Google 2-step Verification". It is an app which I have on my phone. It does not require me to accept a phone call. Rather the app cycles thru a list of 6 digit numbers. This number is asked for by the website. The app on my phone provides the correct 6 digit number.

The 6 digit number itself changes every 20 seconds. How does the app always have the right number for the website??

The two use the same long list of 6 digit numbers and they scroll through them in synchronistic lock step with each other. They stay in sync because when you first set up 2FA, the two start moving down the list at the same time.

The military uses a similar tool to secure communications although they use it for anti-jamming radio purposes. Pilots and soldiers on the ground will talk over radios. Both the radio in the plane and the radio on the ground rapidly change the frequency they're communicating over, again the change is made in sync. This way if any single frequency is jammed, they will only be talking over that frequency for fractions of a second and comms won't be interrupted significantly.

The ideas are similar though. Two parties use a pre-agreed upon list. They cycle thru the list. They do this in sync because they both started the list at the same time and change to the next item on the list at a pre-determined time increment. 20-30 seconds for 2FA. Multiple times a second for military "Have Quick".


What are the weaknesses of this approach? Just some speculating here however...
Is every Google2FA using the exact same list or is every list different?
A broken clock is right twice daily. Perhaps someone could (small chance here in my mind) break into your account etc if they had your login and password credentials from wherever and then "broken clocked" the 2FA.
Is the provider of Google 2-SV trustworthy? Is there an open source alternative?


In information security there are three items used to provide identity verification and then secure access to info.
Who you are.
What you know.
What you have.

Passwords are a single facet. What you know. The password. This is a single layer of security.
2FA adds a second layer of security by also creating a "what you have" requirement for access. The current technology is 2FA (Google 2-SV) on a device which most people carry, their phone.

So 2FA will add a second layer of protection anytime you believe a password alone isn't sufficient to secure something. Like internet money.
And hopefully your phone is in your possession. You can lock yourself out (although there are secure workarounds) if you lose your phone without backing up your 2FA key.

How do people break passwords on a non-2FA?? How do they find your password? Are you using a password instead of a pass-phrase?? The resources to educate yourself already exist in abundance all over the web.

Wanna really beef up your security? Add the third layer; Who you are, in addition to the other two.

Use a phone with a finger print sensor (who you are). On which you have 2FA (what you have). Only with those two layers of security satisfied can you finally use your pass-phrase (what you know) on a website to access your account.
If someone gets thru that then.....
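The one-time-code mechanism described in posts #12 and #5 above (a shared secret plus the current time, phone and site staying in lock step, and the site limiting login attempts), as an added example that is not from any poster: a minimal RFC 4226/6238 HOTP/TOTP generator and a server-side verifier in Python. The demo secret is the RFC test-vector key, constructed for illustration only; the 5-attempt lockout and the one-step clock tolerance are assumed policies, not any site's actual settings.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector key, not any real account's secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # RFC 6238 default time step (the posts say "20-30 seconds")
DIGITS = 6         # 10^6 possible codes, hence "one in a million" per guess

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the step count since the epoch. Phone and
    site agree because they share the secret and the clock, not because codes travel."""
    return hotp(secret, unix_time // step)

class TotpVerifier:
    """Server side (assumed policy): +/-1 step of clock drift, lock after max_attempts failures."""

    def __init__(self, secret: bytes, max_attempts: int = 5):
        self.secret = secret
        self.max_attempts = max_attempts
        self.failures = 0

    def verify(self, submitted: str, unix_time: int) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked out: the 6-digit space cannot be brute-forced
        counter = unix_time // STEP_SECONDS
        for delta in (-1, 0, 1):
            # constant-time compare so the check itself leaks nothing about the code
            if hmac.compare_digest(hotp(self.secret, counter + delta), submitted):
                self.failures = 0
                return True
        self.failures += 1
        return False

def phone_and_server_agree(unix_time: int) -> bool:
    """The 'same list, same position' idea from post #5: both sides derive the same code."""
    phone_code = totp(DEMO_SECRET, unix_time)
    return TotpVerifier(DEMO_SECRET).verify(phone_code, unix_time)
```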