Topic: What is the most secure Two-Factor Authentication Solution?

member
Activity: 75
Merit: 10
yubikey neo with yubico authenticator

2fa codes are stored on the token

I wonder how that works. Is the neo the one with bluetooth and is it communicating with the authenticator app on your smartphone? Is it time-based?

The NEO has both USB and NFC interface.
You can use Yubico Authenticator desktop version (Windows/Mac/Linux) or the Android app.
Both time-based (TOTP) and event-based (HOTP) are supported, but since all YubiKeys, including the NEO, have no clock on them,
Yubico Authenticator has to send time data to the YubiKey in order to get a TOTP back.
legendary
Activity: 924
Merit: 1000
yubikey neo with yubico authenticator

2fa codes are stored on the token

I wonder how that works. Is the neo the one with bluetooth and is it communicating with the authenticator app on your smartphone? Is it time-based?
sr. member
Activity: 463
Merit: 252
yubikey neo with yubico authenticator

2fa codes are stored on the token
full member
Activity: 153
Merit: 101
I got Authy with me, idk but it's good for me
It can store many 2FA accounts
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
I've had plenty of trouble with phone-based 2FA. If it's offered I go with printed one time codes. An oldie but a goldie.
newbie
Activity: 5
Merit: 0
CoinDaddy looks awesome Jdog
newbie
Activity: 7
Merit: 50
I actually just finished integrating Clef (https://getclef.com/) into one of my sites (https://CoinDaddy.io) to handle 2-factor authentications and it works great!

Previously I was using gauthify.com and paying like $25/mo for the service. The Clef service is 100% free for companies to use for login authentication... I think you only pay if you want some premium features. Also the fact that you're able to register on a site, or log in to a site simply by scanning the screen with your phone is way faster than typing out registration/login details. Not to mention the wave login page looks wicked cool... no more boring QR codes or typing Google Authenticator codes.

The staff was also really friendly. I signed up as a developer and within a few minutes I had an email from a company staff member offering help with the integration, which only took a few minutes. They helped test the integration and have been nothing but highly professional.

If anyone is looking for some good/cheap/secure 2FA authentication for their website, I would highly suggest getclef.com

And no... this is not a paid shill account.. I just created this account a few minutes ago because I don't use this forum very often and can't remember the password to my old account.

J-Dog
member
Activity: 101
Merit: 10
Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.

It seems we all agree here. We just need to know what exactly OP meant with this question, otherwise we're interpreting it differently.


Polling the community to see what people prefer to use for 2FA. I've been curious as to what the community thinks is their preferred solution; while there is no best per se, since each situation is different, I'm just gauging what others think.
legendary
Activity: 1876
Merit: 1475
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to login.
This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).

I didn't know about this. I will definitely check it. Thanks for sharing.
I know Namecoin makes sense because of the name part but probably it'd be worth implementing it with bitcoin so it's more popular.
legendary
Activity: 1135
Merit: 1166
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to login.
This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).
hero member
Activity: 644
Merit: 500
It's impossible to say what the "best" TFA is.... It's a part of a system where if one part breaks, the whole thing is for nothing... To label one "the best" without looking at the other pieces is impossible... More so because we only see closed solutions (closed source apps, closed source hardware, etc), so we can only guess as to how good the RNGs involved are...
legendary
Activity: 1876
Merit: 1475
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to login.

Yes that was my first suggestion. It's a hassle as things are now. But it could work with some changes. For example:

- User has the private key stored on the mobile on an app with QR Code scanning capabilities
- The website shows a QR Code with the user's username and date, plus a base URL (https://example.com/2fa/?session=sessionID&signature=)
- The user scans that QR Code with the app.
- The app signs the message (optionally asks for the password if the private key is encrypted) and calls the provided URL (https://example.com/2fa/?session=sessionID&signature=abcSignatureHere)
- The website detects that the user posted his signature and lets the user log in

This is just a basic idea. But this way there would be no typing required, it would be very fast and the actual private key would never be sent anywhere.
sr. member
Activity: 420
Merit: 250
Ever wanted to run your own casino? PM me for info
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to login.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
It would be nice if there was an open source equivalent for the mobile app.  Maybe one exists?  I am not sure.

FreeOTP (which is OSS) is available for both Android and iOS: https://fedorahosted.org/freeotp/. I've been using it for a little less than a year now with no problems.

It is maintained by a Red Hat employee (I'm not clear if it's actually sponsored by Red Hat, not that it matters to me).
sr. member
Activity: 384
Merit: 258
At the moment I use Google Authenticator. I think it's good enough.

However I would like to see a non-centralized solution.
For example having a BTC private key on the mobile, have the website or site generate a random text and sign it with the mobile.
Of course a modification would be required to keep the final signature short.
You may be interested in this demo.
It's a PoC for 2FA implemented with BitID as a second factor (login/password as first factor).

Note that we could also have a schema in which all credentials are BitID (and get rid of the login/password)
legendary
Activity: 1876
Merit: 1475
Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.

It seems we all agree here. We just need to know what exactly OP meant with this question, otherwise we're interpreting it differently.
legendary
Activity: 924
Merit: 1000
It depends on what you mean by 'decentralized'.  There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivalent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.

We're talking about 2FA to log in to a server, right? And that same server is the one verifying whether our 2FA code is OK.
How could that be prevented? How can the server know if the code is OK without verifying it itself?


Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.
legendary
Activity: 1876
Merit: 1475
It depends on what you mean by 'decentralized'.  There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivalent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.

We're talking about 2FA to log in to a server, right? And that same server is the one verifying whether our 2FA code is OK.
How could that be prevented? How can the server know if the code is OK without verifying it itself?
legendary
Activity: 924
Merit: 1000
It depends on what you mean by 'decentralized'.  There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivalent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.
donator
Activity: 1218
Merit: 1079
Gerald Davis
It depends on what you mean by 'decentralized'.  There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivalent for the mobile app.  Maybe one exists?  I am not sure.
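The "same seed, same open algorithm, no third party" description in the post above and the earlier point that a clockless YubiKey NEO needs the host to send it time data are both the RFC 4226 (HOTP) / RFC 6238 (TOTP) scheme. The block below is an added Python example, not code from any poster or from Yubico or Google: it separates the clock-dependent counter from the OTP calculation (the part a token without a clock can do) and shows the server-side check with a small drift window and a replay guard. The seed is the RFC test-vector key, a constructed value and not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector key "12345678901234567890",
# base32-encoded the way authenticator apps receive it from a QR code. Not a real credential.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the 'OTP calculator'. Needs only the shared seed and a
    counter, so it can run on a token that has no clock of its own."""
    key = base64.b32decode(seed_b32, casefold=True)
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(now: float, step: int = 30) -> int:
    """The only clock-dependent step. The host (phone app, or Yubico Authenticator
    for a clockless NEO) computes this and hands it to the OTP calculator."""
    return int(now) // step


def totp(seed_b32: str, now: float) -> str:
    """RFC 6238 TOTP is just HOTP over the time-derived counter."""
    return hotp(seed_b32, time_counter(now))


def verify_totp(seed_b32: str, submitted: str, now: float,
                window: int = 1, last_counter: int = -1) -> tuple:
    """Server side: same seed, same algorithm, no third party. Accepts up to
    `window` steps of clock drift and refuses any counter at or below the last
    one accepted, so a code cannot be replayed inside its validity period.
    Returns (ok, counter_to_store_for_this_user)."""
    base = time_counter(now)
    for delta in range(-window, window + 1):
        candidate = base + delta
        if candidate <= last_counter:
            continue                                    # already consumed
        if hmac.compare_digest(hotp(seed_b32, candidate), submitted):
            return True, candidate
    return False, last_counter
```

The server stores the returned counter per user and passes it back as `last_counter` on the next login, which is what turns a "valid for 30 seconds" code into a "valid once" code.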