To Electrum 2FA wallet users and other bitcoin 2FA wallet users

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Wend on May 03, 2023, 10:43:37 AM

I wonder one thing, these open source applications do not collect any user data, which means they will not have the funds to maintain and develop the application in the long run. At some point, if it stops working, will our data still be safe?

There are thousands of completely free pieces of software with no steady income stream out there which survive just fine. There is also a donation link on the Aegis website if anyone is so inclined.

Still, even if development stops tomorrow, nothing changes with the app you have already downloaded and are running. And of course, you should utilize Aegis' ability to create encrypted exports of your database, so even if you can't install Aegis on a new device you can still import your 2FA codes in to a different app.

Wend

sr. member

Activity: 1386

Merit: 283

Quote from: o_e_l_e_o on May 02, 2023, 11:25:17 AM

I'm not a fan of 2FAS because it harvests way more data than it needs to. (And actually, for a 2FA app, the amount of data it requires about you or your device is exactly zero. All it needs to do is scan QR codes and then combine them with the time and hash them. Zero data required.)

Take a look at its Privacy Policy here: https://2fas.com/privacy-policy/

They collect a lot of information about your device, your email address, records of your usage, drop cookies on you, share your data with Google Analytics, etc. Completely unnecessary and unwanted.

Compare this to the best in class privacy policy from Aegis: https://getaegis.app/aegis/privacy.html

5000 words for 2FAS, versus 10 for Aegis. "Aegis Authenticator does not collect any data from your device."

What you said is true, I have spent some time researching, and as far as I know, 2FAS is a closed source application, and they just switched to open source in the last 2 months. So it's unsurprising that they collect user data like Google or Authy. I didn't know this for a long time, I just installed Aegis and will moved all the data over the weekend.

I wonder one thing, these open source applications do not collect any user data, which means they will not have the funds to maintain and develop the application in the long run. At some point, if it stops working, will our data still be safe?

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

I'm not a fan of 2FAS because it harvests way more data than it needs to. (And actually, for a 2FA app, the amount of data it requires about you or your device is exactly zero. All it needs to do is scan QR codes and then combine them with the time and hash them. Zero data required.)

Take a look at its Privacy Policy here: https://2fas.com/privacy-policy/

They collect a lot of information about your device, your email address, records of your usage, drop cookies on you, share your data with Google Analytics, etc. Completely unnecessary and unwanted.

Compare this to the best in class privacy policy from Aegis: https://getaegis.app/aegis/privacy.html

5000 words for 2FAS, versus 10 for Aegis. "Aegis Authenticator does not collect any data from your device."

Wend

sr. member

Activity: 1386

Merit: 283

Quote from: o_e_l_e_o on May 02, 2023, 01:53:21 AM

Quote from: Smack That Ace on May 01, 2023, 04:09:46 AM

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Quote from: Crypt0Gore on May 01, 2023, 09:06:04 AM

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this

The fact remains that Google's 2FA app is closed source, difficult to actually back up locally, and since it is ran by Google will 100% be harvesting your data.

Currently, I am using 2FAS, and as far as I know, it is also an open-source application like Aegis, Tofu, or Raivo. The advantage I find superior to other applications is that they are available in 2 versions for both Android and IOS operating systems. The rest of the features are not too different. Do you know about it, and is it safe to use? I'm using it, but I don't know if it's safe for long-term use.
https://2fas.com/
https://github.com/twofas

BTCGalaxyA12

member

Activity: 111

Merit: 17

Quote from: _act_ on April 30, 2023, 05:50:07 PM

Let me tell you the negative effect.

Do you have chrome on your Android phone? Click on the dots at the upper right corner and click on settings. You will see password manager.

Assuming you have your 2FA on another device because you think it is safe like that. Some people that are using online accounts like custodial wallet, exchanges or anything that has to do with 2FA like Electrum 2FA wallet can be affected because what is called two factor authenticator is no more two factor authenticator if it is linked to the email on the phone. By just downloadimg the app on the device and use the email with it, you will see the OTPs generating. Some people can be very careless and synchronize their username, password and 2FA. What else do hackers need to hack successfully? Nothing. Those three are enough to steal from people.

Do not save your username, password and 2FA codes on Google cloud, it is very dangerous.

Luckily I don't save my passwords in the Google cloud even though a prompt appears above the right side of the android.
Coin theft can be done by hackers through the process you convey.
I was surprised and thought that couldn't be the case with Electrum because Electrum is a very good wallet that has been proven.

Thanks OP.
Users who choose to allow passwords, usernames are stored automatically via synchronization with email, assuming that this makes it easier the next time they replace a new Android or iPhone. Though it is very risky.

_act_

hero member

Activity: 868

Merit: 1094

Quote from: Smack That Ace on May 02, 2023, 06:01:05 AM

Yesterday, I also spent the whole evening looking for an alternative to my 2FA app, and I also found this Raivo app. I see Raivo's developers being more active and constantly releasing updated versions to make the application more and more complete. Since I'm not tech-savvy, I spent some time watching people on Reddit review these 2 apps(tofu and raivo). In the end, I will follow the majority and choose Raivo to replace GG authenticator. Thank you for suggesting me.

The developers claimed that the source code is reproducible. If that is true, it would be a good authentication app. I will still prefer Aegis for Android. Tofu for iOS is good too. The authenticators that I can tell people not to use are the close source authentications and those that are having online backups which makes it not safe to use. Google and Authy fall into this category that should be avoided.

Smack That Ace

legendary

Activity: 1750

Merit: 1094

Assalamu Alekum

Quote from: o_e_l_e_o on May 02, 2023, 01:53:21 AM

Quote from: Smack That Ace on May 01, 2023, 04:09:46 AM

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Yesterday, I also spent the whole evening looking for an alternative to my 2FA app, and I also found this Raivo app. I see Raivo's developers being more active and constantly releasing updated versions to make the application more and more complete. Since I'm not tech-savvy, I spent some time watching people on Reddit review these 2 apps(tofu and raivo). In the end, I will follow the majority and choose Raivo to replace GG authenticator. Thank you for suggesting me.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Outhue on May 02, 2023, 02:06:52 AM

I don't get it, maybe someone should enlighten me more? 2FA works on paid-for services so it's not present in the blockchain, it makes sense to see such on centralized exchanges, but it doesn't make sense for a crypto wallet to have 2FA unless the wallet is an online crypto wallet or centralized wallet like Freewallet.

Electrum offers a 2FA wallet. It is a 2-of-3 multi-sig wallet, where a third party known as TrustedCoin holds one of your private keys, your wallet contains one private key, and the third is recoverable from your seed phrase back up. When you want to make a transaction, you enter your 2FA code which TrustedCoin use to confirm you are the real owner of the wallet before co-signing your transaction.

A better solution as I explained above is to just set up your own multi-sig wallet and not rely on a third party at all.

Outhue

sr. member

Activity: 686

Merit: 403

I don't get it, maybe someone should enlighten me more? 2FA works on paid-for services so it's not present in the blockchain, it makes sense to see such on centralized exchanges, but it doesn't make sense for a crypto wallet to have 2FA unless the wallet is an online crypto wallet or centralized wallet like Freewallet.

I will think twice before using any crypto wallet that has 2FA security of them, they are always centralized wallets.

I do have a ledger wallet and some coins on it, this wallet won't let me send out coins without confirming the correct codes, very simple to use and set up, a hardware wallet is very satisfying and I am glad I listened to some advice on here.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Smack That Ace on May 01, 2023, 04:09:46 AM

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Quote from: Crypt0Gore on May 01, 2023, 09:06:04 AM

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this

The fact remains that Google's 2FA app is closed source, difficult to actually back up locally, and since it is ran by Google will 100% be harvesting your data.

Crypt0Gore

sr. member

Activity: 812

Merit: 260

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this, and by the way who are those using 2fa for their Bitcoin wallet? I will never do such.

If your smartphone already have pin code and fingerprint lock then there is no need to activate the 2FA code on your Bitcoin wallet, unless you like giving people your phone to operate, which is stupid to do if you are a true Bitcoiner, I use Google 2FA for exchange trades only and I am satisfied with the cloud storage sync with Gmail account.

Many people still don't know that you can deactivate auto sync with Gmail under settings, Google isn't forcing anyone to sync with Gmail, a friend already go online to find the old Google 2FA update because he don't like the Gmail sync until I told him to deactive under settings.

Smack That Ace

legendary

Activity: 1750

Merit: 1094

Assalamu Alekum

Quote from: BitMaxz on April 30, 2023, 08:36:20 AM

Google 2FA is just an extra security layer for securing the wallet if it requires syncing online and I think it won't be a problem if you can able to disable the cloud service to sync 2FA backups.

There is option called "Use without an account" where you can use the Google authenticator offline.

And this is not the only authenticator app that we can use.

I also just updated my 2FA app, they don't force us to link with a Gmail account and sync online, this is just an option, and we can still use it without a connection with Gmail. We can still use it normally without any problems.

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: dzungmobile on April 30, 2023, 10:36:59 PM

Nothing negatively, except that you will have to pay additional fee by using 2FA provided by Trustedcoin.

The negative effect here is that his 2FA code is now stored on dozens of Google servers around the world, with unknown physical and digital security, transferred there by unknown methods, and which an unknown number of people can access. By having access to his 2FA codes, these people by proxy now have access to one set of private keys for his multi-sig wallet.

I agree with your suggestion about why he needs TrustedCoin at all, though. In my opinion, if you want the safety of a 2FA wallet, then it is cheaper and more secure to run your own multi-sig rather than rely on a third party. But if he wants to keep using a 2FA wallet, then he should create a new one where the 2FA comes from an open source app which doesn't send his shared secrets across the internet to other people's computers for storage.

dzungmobile

sr. member

Activity: 658

Merit: 354

I stand with Ukraine!

Quote from: BTCGalaxyA12 on April 30, 2023, 03:05:40 PM

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me.

If you use the same seed to import your two wallets: with 2FA and without 2FA, you will have a same wallet. Only the 2FA wallet will require 2FA code to sign your transaction. However, you won't lose your coins if you lose 2FA backup code or that device is broken, as said you can get a same wallet by importing from seed, without 2FA.

Quote

Can it have a negative effect on me like this case?

Nothing negatively, except that you will have to pay additional fee by using 2FA provided by Trustedcoin.

Why do you need Trustedcoin with paid fee when you can have your multi-sign wallet without such fee?

_act_

hero member

Activity: 868

Merit: 1094

Quote from: Potato Chips on April 30, 2023, 11:06:49 AM

I would lean towards the safe side and regenerate another secret key for each account involved since I doubt your data will be deleted on their servers.

It will be better for people to change their secret codes entirely just as you said. It is a good advice.

Quote from: hugeblack on April 30, 2023, 11:41:12 AM

That's bad news, I have a lot of accounts and trading platforms that connect to the google 2FA app, why did they decide that? Or what is the wisdom of that, given that you can extract the private key and save it yourself, why do they need to keep it in a server or cloud.

You mean to extract the secret code? That is true. Also that on every site or wallet like Electrum, before you can use the OTP, the secret code would first be generated and you can do the manual backup.

Quote from: BTCGalaxyA12 on April 30, 2023, 03:05:40 PM

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me. Can it have a negative effect on me like this case?

Let me tell you the negative effect.

Do you have chrome on your Android phone? Click on the dots at the upper right corner and click on settings. You will see password manager.

Assuming you have your 2FA on another device because you think it is safe like that. Some people that are using online accounts like custodial wallet, exchanges or anything that has to do with 2FA like Electrum 2FA wallet can be affected because what is called two factor authenticator is no more two factor authenticator if it is linked to the email on the phone. By just downloadimg the app on the device and use the email with it, you will see the OTPs generating. Some people can be very careless and synchronize their username, password and 2FA. What else do hackers need to hack successfully? Nothing. Those three are enough to steal from people.

Do not save your username, password and 2FA codes on Google cloud, it is very dangerous.

BTCGalaxyA12

member

Activity: 111

Merit: 17

Quote from: _act_ on April 30, 2023, 09:12:00 AM

Quote from: dzungmobile on April 30, 2023, 08:16:17 AM

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

This is what I am talking about, they should stop using google authenticator. Better ones like Aegis can be used.

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me. Can it have a negative effect on me like this case?

tranthidung

legendary

Activity: 2170

Merit: 3858

Farewell o_e_l_e_o

Quote from: _act_ on April 30, 2023, 09:12:00 AM

they should stop using google authenticator. Better ones like Aegis can be used.

Correct! Aegis is an open source 2FA application.

hugeblack

legendary

Activity: 2506

Merit: 3645

Buy/Sell crypto at BestChange

That's bad news, I have a lot of accounts and trading platforms that connect to the google 2FA app, why did they decide that? Or what is the wisdom of that, given that you can extract the private key and save it yourself, why do they need to keep it in a server or cloud.

If your wallet is linked in one way or another to Google, it is better to stop using it, if the reason is not security, then privacy will be the reason. Google has a bad record of handling user data.

Potato Chips

hero member

Activity: 2674

Merit: 865

yesssir! 🫡

Quote from: Aikidoka on April 30, 2023, 09:16:47 AM

I noticed a few days ago that after updating my Google Authenticator, it began to synchronize with my Google cloud account, so it's no longer offline. I am considering deleting the app soon and switching to an open-source 2FA app, as o_e_l_e_o suggested. Honestly I was thinking about that a while ago but I didn't find the good alternative/or more likely I was making decision to which one should I try next.

Sadly, once it has finished syncing, you're now sharing your secret keys with google and potentially to loads of people if a data breach happens.

Quote from: https://www.bleepingcomputer.com/news/google/google-will-add-end-to-end-encryption-to-google-authenticator/

"We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," reads a tweet from Mysk.

"As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

I would lean towards the safe side and regenerate another secret key for each account involved since I doubt your data will be deleted on their servers.

Aikidoka

sr. member

Activity: 1078

Merit: 342

Sinbad Mixer: Mix Your BTC Quickly

I noticed a few days ago that after updating my Google Authenticator, it began to synchronize with my Google cloud account, so it's no longer offline. I am considering deleting the app soon and switching to an open-source 2FA app, as o_e_l_e_o suggested. Honestly I was thinking about that a while ago but I didn't find the good alternative/or more likely I was making decision to which one should I try next.

Anyway, since most of the time I use an Apple device, I plan to try Tofu and link it to my accounts for an extra layer of security. It's an open source 2FA as well as it doesn't require being online, so you can use it on an airplane mode.

Topic: To Electrum 2FA wallet users and other bitcoin 2FA wallet users (Read 310 times)