To Electrum 2FA wallet users and other bitcoin 2FA wallet users

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Wend on May 03, 2023, 09:43:37 AM

I wonder one thing, these open source applications do not collect any user data, which means they will not have the funds to maintain and develop the application in the long run. At some point, if it stops working, will our data still be safe?

There are thousands of completely free pieces of software with no steady income stream out there which survive just fine. There is also a donation link on the Aegis website if anyone is so inclined.

Still, even if development stops tomorrow, nothing changes with the app you have already downloaded and are running. And of course, you should utilize Aegis' ability to create encrypted exports of your database, so even if you can't install Aegis on a new device you can still import your 2FA codes in to a different app.

Wend

sr. member

Activity: 1400

Merit: 283

DGbet.fun - Crypto Sportsbook

Quote from: o_e_l_e_o on May 02, 2023, 10:25:17 AM

I'm not a fan of 2FAS because it harvests way more data than it needs to. (And actually, for a 2FA app, the amount of data it requires about you or your device is exactly zero. All it needs to do is scan QR codes and then combine them with the time and hash them. Zero data required.)

Take a look at its Privacy Policy here: https://2fas.com/privacy-policy/

They collect a lot of information about your device, your email address, records of your usage, drop cookies on you, share your data with Google Analytics, etc. Completely unnecessary and unwanted.

Compare this to the best in class privacy policy from Aegis: https://getaegis.app/aegis/privacy.html

5000 words for 2FAS, versus 10 for Aegis. "Aegis Authenticator does not collect any data from your device."

What you said is true, I have spent some time researching, and as far as I know, 2FAS is a closed source application, and they just switched to open source in the last 2 months. So it's unsurprising that they collect user data like Google or Authy. I didn't know this for a long time, I just installed Aegis and will moved all the data over the weekend.

I wonder one thing, these open source applications do not collect any user data, which means they will not have the funds to maintain and develop the application in the long run. At some point, if it stops working, will our data still be safe?

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

I'm not a fan of 2FAS because it harvests way more data than it needs to. (And actually, for a 2FA app, the amount of data it requires about you or your device is exactly zero. All it needs to do is scan QR codes and then combine them with the time and hash them. Zero data required.)

Take a look at its Privacy Policy here: https://2fas.com/privacy-policy/

They collect a lot of information about your device, your email address, records of your usage, drop cookies on you, share your data with Google Analytics, etc. Completely unnecessary and unwanted.

Compare this to the best in class privacy policy from Aegis: https://getaegis.app/aegis/privacy.html

5000 words for 2FAS, versus 10 for Aegis. "Aegis Authenticator does not collect any data from your device."

Wend

sr. member

Activity: 1400

Merit: 283

DGbet.fun - Crypto Sportsbook

Quote from: o_e_l_e_o on May 02, 2023, 12:53:21 AM

Quote from: Smack That Ace on May 01, 2023, 03:09:46 AM

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Quote from: Crypt0Gore on May 01, 2023, 08:06:04 AM

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this

The fact remains that Google's 2FA app is closed source, difficult to actually back up locally, and since it is ran by Google will 100% be harvesting your data.

Currently, I am using 2FAS, and as far as I know, it is also an open-source application like Aegis, Tofu, or Raivo. The advantage I find superior to other applications is that they are available in 2 versions for both Android and IOS operating systems. The rest of the features are not too different. Do you know about it, and is it safe to use? I'm using it, but I don't know if it's safe for long-term use.
https://2fas.com/
https://github.com/twofas

BTCGalaxyA12

member

Activity: 111

Merit: 17

Quote from: _act_ on April 30, 2023, 04:50:07 PM

Let me tell you the negative effect.

Do you have chrome on your Android phone? Click on the dots at the upper right corner and click on settings. You will see password manager.

Assuming you have your 2FA on another device because you think it is safe like that. Some people that are using online accounts like custodial wallet, exchanges or anything that has to do with 2FA like Electrum 2FA wallet can be affected because what is called two factor authenticator is no more two factor authenticator if it is linked to the email on the phone. By just downloadimg the app on the device and use the email with it, you will see the OTPs generating. Some people can be very careless and synchronize their username, password and 2FA. What else do hackers need to hack successfully? Nothing. Those three are enough to steal from people.

Do not save your username, password and 2FA codes on Google cloud, it is very dangerous.

Luckily I don't save my passwords in the Google cloud even though a prompt appears above the right side of the android.
Coin theft can be done by hackers through the process you convey.
I was surprised and thought that couldn't be the case with Electrum because Electrum is a very good wallet that has been proven.

Thanks OP.
Users who choose to allow passwords, usernames are stored automatically via synchronization with email, assuming that this makes it easier the next time they replace a new Android or iPhone. Though it is very risky.

_act_

legendary

Activity: 1064

Merit: 1298

Lightning network is good with small amount of BTC

Quote from: Smack That Ace on May 02, 2023, 05:01:05 AM

Yesterday, I also spent the whole evening looking for an alternative to my 2FA app, and I also found this Raivo app. I see Raivo's developers being more active and constantly releasing updated versions to make the application more and more complete. Since I'm not tech-savvy, I spent some time watching people on Reddit review these 2 apps(tofu and raivo). In the end, I will follow the majority and choose Raivo to replace GG authenticator. Thank you for suggesting me.

The developers claimed that the source code is reproducible. If that is true, it would be a good authentication app. I will still prefer Aegis for Android. Tofu for iOS is good too. The authenticators that I can tell people not to use are the close source authentications and those that are having online backups which makes it not safe to use. Google and Authy fall into this category that should be avoided.

Smack That Ace

legendary

Activity: 1974

Merit: 1108

Free Free Palestine

Quote from: o_e_l_e_o on May 02, 2023, 12:53:21 AM

Quote from: Smack That Ace on May 01, 2023, 03:09:46 AM

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Yesterday, I also spent the whole evening looking for an alternative to my 2FA app, and I also found this Raivo app. I see Raivo's developers being more active and constantly releasing updated versions to make the application more and more complete. Since I'm not tech-savvy, I spent some time watching people on Reddit review these 2 apps(tofu and raivo). In the end, I will follow the majority and choose Raivo to replace GG authenticator. Thank you for suggesting me.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Outhue on May 02, 2023, 01:06:52 AM

I don't get it, maybe someone should enlighten me more? 2FA works on paid-for services so it's not present in the blockchain, it makes sense to see such on centralized exchanges, but it doesn't make sense for a crypto wallet to have 2FA unless the wallet is an online crypto wallet or centralized wallet like Freewallet.

Electrum offers a 2FA wallet. It is a 2-of-3 multi-sig wallet, where a third party known as TrustedCoin holds one of your private keys, your wallet contains one private key, and the third is recoverable from your seed phrase back up. When you want to make a transaction, you enter your 2FA code which TrustedCoin use to confirm you are the real owner of the wallet before co-signing your transaction.

A better solution as I explained above is to just set up your own multi-sig wallet and not rely on a third party at all.

Outhue

sr. member

Activity: 686

Merit: 403

I don't get it, maybe someone should enlighten me more? 2FA works on paid-for services so it's not present in the blockchain, it makes sense to see such on centralized exchanges, but it doesn't make sense for a crypto wallet to have 2FA unless the wallet is an online crypto wallet or centralized wallet like Freewallet.

I will think twice before using any crypto wallet that has 2FA security of them, they are always centralized wallets.

I do have a ledger wallet and some coins on it, this wallet won't let me send out coins without confirming the correct codes, very simple to use and set up, a hardware wallet is very satisfying and I am glad I listened to some advice on here.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Smack That Ace on May 01, 2023, 03:09:46 AM

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Quote from: Crypt0Gore on May 01, 2023, 08:06:04 AM

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this

The fact remains that Google's 2FA app is closed source, difficult to actually back up locally, and since it is ran by Google will 100% be harvesting your data.

Crypt0Gore

sr. member

Activity: 952

Merit: 275

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this, and by the way who are those using 2fa for their Bitcoin wallet? I will never do such.

If your smartphone already have pin code and fingerprint lock then there is no need to activate the 2FA code on your Bitcoin wallet, unless you like giving people your phone to operate, which is stupid to do if you are a true Bitcoiner, I use Google 2FA for exchange trades only and I am satisfied with the cloud storage sync with Gmail account.

Many people still don't know that you can deactivate auto sync with Gmail under settings, Google isn't forcing anyone to sync with Gmail, a friend already go online to find the old Google 2FA update because he don't like the Gmail sync until I told him to deactive under settings.

Smack That Ace

legendary

Activity: 1974

Merit: 1108

Free Free Palestine

Quote from: BitMaxz on April 30, 2023, 07:36:20 AM

Google 2FA is just an extra security layer for securing the wallet if it requires syncing online and I think it won't be a problem if you can able to disable the cloud service to sync 2FA backups.

There is option called "Use without an account" where you can use the Google authenticator offline.

And this is not the only authenticator app that we can use.

I also just updated my 2FA app, they don't force us to link with a Gmail account and sync online, this is just an option, and we can still use it without a connection with Gmail. We can still use it normally without any problems.

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: dzungmobile on April 30, 2023, 09:36:59 PM

Nothing negatively, except that you will have to pay additional fee by using 2FA provided by Trustedcoin.

The negative effect here is that his 2FA code is now stored on dozens of Google servers around the world, with unknown physical and digital security, transferred there by unknown methods, and which an unknown number of people can access. By having access to his 2FA codes, these people by proxy now have access to one set of private keys for his multi-sig wallet.

I agree with your suggestion about why he needs TrustedCoin at all, though. In my opinion, if you want the safety of a 2FA wallet, then it is cheaper and more secure to run your own multi-sig rather than rely on a third party. But if he wants to keep using a 2FA wallet, then he should create a new one where the 2FA comes from an open source app which doesn't send his shared secrets across the internet to other people's computers for storage.

dzungmobile

sr. member

Activity: 854

Merit: 424

I stand with Ukraine!

Quote from: BTCGalaxyA12 on April 30, 2023, 02:05:40 PM

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me.

If you use the same seed to import your two wallets: with 2FA and without 2FA, you will have a same wallet. Only the 2FA wallet will require 2FA code to sign your transaction. However, you won't lose your coins if you lose 2FA backup code or that device is broken, as said you can get a same wallet by importing from seed, without 2FA.

Quote

Can it have a negative effect on me like this case?

Nothing negatively, except that you will have to pay additional fee by using 2FA provided by Trustedcoin.

Why do you need Trustedcoin with paid fee when you can have your multi-sign wallet without such fee?

_act_

legendary

Activity: 1064

Merit: 1298

Lightning network is good with small amount of BTC

Quote from: Potato Chips on April 30, 2023, 10:06:49 AM

I would lean towards the safe side and regenerate another secret key for each account involved since I doubt your data will be deleted on their servers.

It will be better for people to change their secret codes entirely just as you said. It is a good advice.

Quote from: hugeblack on April 30, 2023, 10:41:12 AM

That's bad news, I have a lot of accounts and trading platforms that connect to the google 2FA app, why did they decide that? Or what is the wisdom of that, given that you can extract the private key and save it yourself, why do they need to keep it in a server or cloud.

You mean to extract the secret code? That is true. Also that on every site or wallet like Electrum, before you can use the OTP, the secret code would first be generated and you can do the manual backup.

Quote from: BTCGalaxyA12 on April 30, 2023, 02:05:40 PM

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me. Can it have a negative effect on me like this case?

Let me tell you the negative effect.

Do you have chrome on your Android phone? Click on the dots at the upper right corner and click on settings. You will see password manager.

Assuming you have your 2FA on another device because you think it is safe like that. Some people that are using online accounts like custodial wallet, exchanges or anything that has to do with 2FA like Electrum 2FA wallet can be affected because what is called two factor authenticator is no more two factor authenticator if it is linked to the email on the phone. By just downloadimg the app on the device and use the email with it, you will see the OTPs generating. Some people can be very careless and synchronize their username, password and 2FA. What else do hackers need to hack successfully? Nothing. Those three are enough to steal from people.

Do not save your username, password and 2FA codes on Google cloud, it is very dangerous.

BTCGalaxyA12

member

Activity: 111

Merit: 17

Quote from: _act_ on April 30, 2023, 08:12:00 AM

Quote from: dzungmobile on April 30, 2023, 07:16:17 AM

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

This is what I am talking about, they should stop using google authenticator. Better ones like Aegis can be used.

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me. Can it have a negative effect on me like this case?

tranthidung

legendary

Activity: 2310

Merit: 4085

Farewell o_e_l_e_o

Quote from: _act_ on April 30, 2023, 08:12:00 AM

they should stop using google authenticator. Better ones like Aegis can be used.

Correct! Aegis is an open source 2FA application.

hugeblack

legendary

Activity: 2702

Merit: 4002

That's bad news, I have a lot of accounts and trading platforms that connect to the google 2FA app, why did they decide that? Or what is the wisdom of that, given that you can extract the private key and save it yourself, why do they need to keep it in a server or cloud.

If your wallet is linked in one way or another to Google, it is better to stop using it, if the reason is not security, then privacy will be the reason. Google has a bad record of handling user data.

Potato Chips

hero member

Activity: 2786

Merit: 902

yesssir! 🫡

Quote from: Aikidoka on April 30, 2023, 08:16:47 AM

I noticed a few days ago that after updating my Google Authenticator, it began to synchronize with my Google cloud account, so it's no longer offline. I am considering deleting the app soon and switching to an open-source 2FA app, as o_e_l_e_o suggested. Honestly I was thinking about that a while ago but I didn't find the good alternative/or more likely I was making decision to which one should I try next.

Sadly, once it has finished syncing, you're now sharing your secret keys with google and potentially to loads of people if a data breach happens.

Quote from: https://www.bleepingcomputer.com/news/google/google-will-add-end-to-end-encryption-to-google-authenticator/

"We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," reads a tweet from Mysk.

"As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

I would lean towards the safe side and regenerate another secret key for each account involved since I doubt your data will be deleted on their servers.

Aikidoka

sr. member

Activity: 1078

Merit: 342

Sinbad Mixer: Mix Your BTC Quickly

I noticed a few days ago that after updating my Google Authenticator, it began to synchronize with my Google cloud account, so it's no longer offline. I am considering deleting the app soon and switching to an open-source 2FA app, as o_e_l_e_o suggested. Honestly I was thinking about that a while ago but I didn't find the good alternative/or more likely I was making decision to which one should I try next.

Anyway, since most of the time I use an Apple device, I plan to try Tofu and link it to my accounts for an extra layer of security. It's an open source 2FA as well as it doesn't require being online, so you can use it on an airplane mode.

_act_

legendary

Activity: 1064

Merit: 1298

Lightning network is good with small amount of BTC

Quote from: dzungmobile on April 30, 2023, 07:16:17 AM

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

This is what I am talking about, they should stop using google authenticator. Better ones like Aegis can be used.

Quote from: o_e_l_e_o on April 30, 2023, 07:30:26 AM

2FA is unnecessary on a wallet like Electrum. If you want the safety of multi-sig, then just set up your own multi-sig. It is safer and cheaper to do so, as well as giving you more redundancy in your back ups.

I like it that you said this for people to know that cold wallet and multisig is better and nothing like third party. But I am just saying that people should know about the present app update of google, that it will synchronize 2FA code to google cloud. This is how I created it before, but it was moved to off-topic. I only just look for ways it will be on a board that more people will visit.

Quote from: o_e_l_e_o on April 30, 2023, 07:30:26 AM

However, 2FA should be mandatory for any and all online accounts which use it. If you can, use a hardware key. If you can't, then use a good open source 2FA app such as Aegis for Android or Tofu for iOS. You should try to avoid any and all Google products under all circumstances - they are notorious for harvesting your data, they are generally closed source, poor security, and just love sending all your sensitive data to random servers around the world of "safe keeping". Google's 2FA app is no different. Avoid it.

This is what I want people to be aware of. Some people will save their username, password, 2FA code on google cloud, what then remain if such people's device are compromised.

2FA may be on another device, but if it synchronized with google and the email used is on the device that has been compromised, all the hacker needs is to download google 2FA app and get access to the OTPs.

BitMaxz

legendary

Activity: 3374

Merit: 3095

Playbet.io - Crypto Casino and Sportsbook

Google 2FA is just an extra security layer for securing the wallet if it requires syncing online and I think it won't be a problem if you can able to disable the cloud service to sync 2FA backups.

There is option called "Use without an account" where you can use the Google authenticator offline.

And this is not the only authenticator app that we can use.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

2FA is unnecessary on a wallet like Electrum. If you want the safety of multi-sig, then just set up your own multi-sig. It is safer and cheaper to do so, as well as giving you more redundancy in your back ups.

However, 2FA should be mandatory for any and all online accounts which use it. If you can, use a hardware key. If you can't, then use a good open source 2FA app such as Aegis for Android or Tofu for iOS. You should try to avoid any and all Google products under all circumstances - they are notorious for harvesting your data, they are generally closed source, poor security, and just love sending all your sensitive data to random servers around the world of "safe keeping". Google's 2FA app is no different. Avoid it.

Nwada001

hero member

Activity: 700

Merit: 673

I noticed this on my Android phone. When I updated my Authenticator app, I received a notification of my account being recently imported. When I checked, it was my 2 marked accounts to 2 exchanges, which I shared weeks ago.

Noticing this, I have to move and change all my 2FAC on the connected device to the one on my iPhone, which has no email connected to it, just a few other apps. I guess it's safer there since I don't have any intention to connect any mail to it, and I barely use the device as well.

dzungmobile

sr. member

Activity: 854

Merit: 424

I stand with Ukraine!

Quote from: _act_ on April 30, 2023, 06:53:20 AM

It is about bitcoin users that are using google 2FA app. If you update to this recent update, your 2FA will synchronized with google cloud and your 2FA codes are no more offline.

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

Example is Electrum wallet which provides 2FA feature but it is from Trustedcoin, not from Google. Electrum 2FA.

Quote

Electrum offers two-factor authenticated wallets, with a remote server acting to co-sign transactions, adding another level of security in the event of your computer being compromised.

The remote server in question is a service offered by TrustedCoin. Here is a guide on how it works.

2FA will cost you more fee for Trusted Coin which is unnecessary in my opinion. You can use either cold wallet or multi-sig wallet with Electrum without additional fee to a third party provider like Trustedcoin.

_act_

legendary

Activity: 1064

Merit: 1298

Lightning network is good with small amount of BTC

Google is making security to become the thing of the past.

This topic was moved to off-topic and no replies and it was left alone because off-topic board is seen as trash board. I do not want to move the topic back to beginners and help because moderator moved it to off-topic.

It is about bitcoin users that are using google 2FA app. If you update to this recent update, your 2FA will synchronized with google cloud and your 2FA codes are no more offline.

We can see how many bitcoin users and other crypto users have lost their money through Google Cloud and iCloud, what is online is not secure like offline.

This is about letting other people that do not want online 2FA to know.

I will lock the old topic. If this topic is moved to off-topic again, I have nothing else to do. I hope you have all seen it.

Topic: To Electrum 2FA wallet users and other bitcoin 2FA wallet users (Read 371 times)