Pages:
Author

Topic: What is the most secure Two-Factor Authentication Solution? (Read 2409 times)

member
Activity: 75
Merit: 10
yubikey neo with yubico authenticator

2fa codes are stored on the token

I wonder how that works. Is the neo the one with bluetooth and is it communicating with the authenticator app on your smartphone? Is it time-based?

The NEO has both USB and NFC interface.
You can use Yubico Authenticator desktop version (Windows/Mac/Linux) or the Android app.
Both time-based (TOTP) and event-based (HOTP) are supported, but since all Yubikeys including NEO has no clock on it,
Yubico Authenticator has to send time data to the Yubikey in order to get TOTP back.
legendary
Activity: 924
Merit: 1000
yubikey neo with yubico authenticator

2fa codes are stored on the token

I wonder how that works. Is the neo the one with bluetooth and is it communicating with the authenticator app on your smartphone? Is it time-based?
sr. member
Activity: 463
Merit: 252
yubikey neo with yubico authenticator

2fa codes are stored on the token
full member
Activity: 153
Merit: 101
I got Authy with me, idk but it's good for me Grin
It can store many 2FA Accounts Grin
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
I've had plenty of trouble with phone-based 2FA. If it's offered I go with printed one time codes. An oldie but a goldie.
newbie
Activity: 5
Merit: 0
CoinDaddy looks awesome Jdog
newbie
Activity: 7
Merit: 50
I actually just finished integrating Clef (https://getclef.com/) into one of my sites (https://CoinDaddy.io) to handle 2-factor authentications and it works great!

Previously I was using gauthify.com and paying like $25/mo for the service. The Clef service is 100% free for companies to use for login authentication... I think you only pay if you want some premium features. Also the fact that your able to register on a site, or login to a site simply by scanning the screen with your phone is way faster than typing out registration/login details. Not to mention the wave login page looks wicked cool... no more boring qrcodes or typing google authenticator codes.

The staff was also really friendly. I signed up as a developer and within a few minutes I had an email from a company staff member offering help with the integration, which only took a few minutes. They helped test the integration and have been nothing but highly professional.

If anyone is looking for some good/cheap/secure 2FA authentication for their website, I would highly suggest getclef.com

And no... this is not a paid shill account.. I just created this account a few minutes ago because I don't use this forum very often and can't remember the password to my old account. Smiley

J-Dog
member
Activity: 101
Merit: 10
Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.

It seems we all agree here. We just need to know what exactly OP meant with this question, otherwise we're interpreting it differently.


Polling the community to see what people prefer to use for 2fa, I've been curious as to what the community thinks is their preferred solution, while there is no best persey, each situation is different just gauging what others think.
legendary
Activity: 1876
Merit: 1475
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing everytime you want to login.
This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).

I didn't know about this. I will definitely check it. Thanks for sharing.
I know Namecoin makes sense because of the name part but probably it'd be worth implementing it with bitcoin so it's more popular.
legendary
Activity: 1135
Merit: 1166
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing everytime you want to login.
This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).
hero member
Activity: 644
Merit: 500
It's impossible to say what the "best" TFA is.... It's a part of a system where if one part breaks, the whole thing is for nothing... To label one "the best" without looking at the other pieces is impossible... Moreso because we only see closed solutions (closed source apps, closed source hardware, etc), so we can only guess as to how good the RNG's involved are...
legendary
Activity: 1876
Merit: 1475
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing everytime you want to login.

Yes that was my first suggestion. It's a hassle as things are now. But it could work with some changes. For example:

- User has the private key stored on the mobile on an app with QR Code scanning capabilities
- The website shows a QR Code with the user's username and date, plus a base URL (https://example.com/2fa/?session=sessionID&signature=)
- The user scans that QR Code with the app.
- The app signs the message (optionally asks for the password if the private key is encrypted) and calls the provided URL (https://example.com/2fa/?session=sessionID&signature=abcSignatureHere[/b])
- The website detects username posted his signature and let's the user log in

This is just a basic idea. But this way there would be no typing required, would be very fast and the actual private key would never be sent anywhere.
sr. member
Activity: 420
Merit: 250
Ever wanted to run your own casino? PM me for info
Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing everytime you want to login.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
It would be nice if there was an open source equivelent for the mobile app.  Maybe one exists?  I am not sure.

FreeOTP (which is OSS) is available for both Android and iOS: https://fedorahosted.org/freeotp/. I've been using it for a little less than a year now with no problems.

It is maintained by a Red Hat employee (I'm not clear if it's actually sponsored by Red Hat, not that it matters to me).
sr. member
Activity: 384
Merit: 258
At the moment I use Google Authenticator. I think it's good enough.

However I would like to see a non-centralized solution.
For example having a BTC private key on the mobile, have the website or site generate a random text and signing it with the mobile.
Of course a modification would be required to keep the final signature short.
You may be interested by this demo.
It's a PoC for 2FA implemented with BitId as a second factor (login/password as first factor).

Note that we could also have a schema in which all credentials are Bitid (and get rid of the login/password)
legendary
Activity: 1876
Merit: 1475
Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.

It seems we all agree here. We just need to know what exactly OP meant with this question, otherwise we're interpreting it differently.
legendary
Activity: 924
Merit: 1000
It depends on what you mean by 'decentralized'.  There is no need for an 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivelent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.

We're talking about 2FA to log-in to a server, right? And that same server is the one verifying whether our 2FA code is OK.
How could that be prevented? How can the server know if the code is OK without verifying it itself?


Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.
legendary
Activity: 1876
Merit: 1475
It depends on what you mean by 'decentralized'.  There is no need for an 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivelent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.

We're talking about 2FA to log-in to a server, right? And that same server is the one verifying whether our 2FA code is OK.
How could that be prevented? How can the server know if the code is OK without verifying it itself?
legendary
Activity: 924
Merit: 1000
It depends on what you mean by 'decentralized'.  There is no need for an 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivelent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.
donator
Activity: 1218
Merit: 1079
Gerald Davis
It depends on what you mean by 'decentralized'.  There is no need for an 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivelent for the mobile app.  Maybe one exists?  I am not sure.
Pages:
Jump to: