Return to Level1Techs.com

Two factor authentication: is it worth?

#1

Hello everyone! So I decided to take my safety online more seriously and enabled 2FA on every possible account I have. Now comes the question that’s in the title: is it worth it? I’m using Google Authenticator and if my phone breaks or I lose it it’s going to be a big hassle going through every single account and re-do all the 2FA codes. I’m not gonna lie about the fact that, even if I obtained all the recovery keys for my accounts and stored them safely, I’m kinda scared of losing all my accounts on the internet.
What lightened even more my worries is the fact that, for whatever reason, I can get into my GW2 account without any problem with the 2FA but I can’t log into the site because it’s asking me for a 5 digit code.
What’s your take on the matter?

1 Like

#2

Life is easier if you let the big G into your life.
As it wraps you in it’s warm embrace, let it gently enter all online parts of you.
It will remember for you, help you up, hold you tight and not let you forget.
As you let it enter you, remember to ask for a reach around while it’s at it too…

/s/s/s/s/s

No seriously, would you rather a faceless corporation look after you, or be vulnerable to smart people that might at any time violate your accounts and take your stuff?

I would just say to remember the google passwords carefully so you can set up a new phone when the current one dies (all phones die) as it might be a pain to convince them that you are you.
With good reason. If it was easy, it wouldn;t be doing it’s job…

4 Likes

#3

Alternatively, passwords manager like 1password can store your 2FA tokens. You can then use them from the desktop app.

2 Likes

#4

Well moving the Google Authenticator from one phone to the other is not really that useful if it doesen’t back up any tokens. But still I have all my passwords stored safely “the old fashion way” so it shouldn’t be a problem if something happens (?).
What would you use instead of Google Authenticator? I looked at Authy but it looks kinda sketchy to me.

1 Like

#5

Lastpass is the current best and also has 2 factor to login to it as a whole. I use 2FA on everything along with 24 character unique passwords

Peace of mind is a priceless value

2 Likes

#6

1password requires a monthly (or yearly) fee to have access to 2FA backups? Also it should be able to interface with the same tokens Google uses which are really common.

0 Likes

#7

I’m still choosing a password manager and Last Pass is not on my list since it has been breached in the past and their policy on prices can vary at any time. I don’t think it’s for me, maybe I’m thinking too much about it.

0 Likes

#8

I looked into that breach. Nobody was compromised. They only took locally salted blobs which cant be hacked into to our knowledge. I just run the free variant

1 Like

#9

The free version can run on one device only, right? That would also solve all my worries about losing the 2FA keys I guess.

0 Likes

#10

No Ive got it running on my laptop my desktop and my android. Your other option is to use google :slight_smile:

1 Like

#11

I’ve been using 1password for a while. I’m storing my 2FA tokens in it without any Issue (except for twitch but that’s another story).
If you are just on Mac or Windows it should (according to their forums) be possible to get a standalone license but I haven’t found it.
For Linux, you would need the subscription.

1 Like

#12

So then I guess Last Pass it is since it’s the most recommended and widely compatible with every device. Thanks for the suggestion.
P.S. does it do the magic of importing tokens from the Google Authenticator? haha

0 Likes

#13

No worries and the breach did not get any of the local salts used to salt someones individual passwords so without those its useless to guess them

0 Likes

#14

I’ll wieght out which one is the best between 1password and Last Pass. Thanks a lot for the suggestion!

0 Likes

#15

BTW if you want to move your 2FA tokens, it won’t be as easy as you think, you will need the initial QR code or token to put it on your password manager.
You will have to deactivate and reactivate 2FA on each site.

1 Like

#16

Yeah, I knew that and that’s why I was looking for something that would give me the peace of mind that if my phone breaks I can still log into my accounts from another device. But I think it’s better to redo all the 2FA tokens now rather then when something happens and I have to run around using one time keys to recover all my things.
One question: 1password has 2FA tokens built in for the free version or only for the paid one?

0 Likes

#17

1password isn’t actually free. You’ve got just the 1 month free trial if you use the subscription AFAIK.
I would suggest you have a look at their support forums and google a few things.
Things like vault syncing have always only been available for paid versions.
You’ll have to download the app and have a look yourself.

1 Like

#18

I use 2fa. And for some time I have been thinking about a sensible alternative to the phone. Something like a very small compact device with linux only for 2fa, something like RSA SecurID to carry with keys.
Currently, I just have the keys on my laptop and I log in from a PC, and I don’t have an Android phone.
But this method is not particularly mobile or convenient for 99.99% of people. :wink:

I have all 2fa tokens exported as a plain, unencrypted text file added to the keepass database. Same with backup codes for accounts. The keepass database is protected by a password that I only have in my head and a key kept on the usb.
Account passwords are generated randomly, example of one of the passwords: ±¨.Üì{ÌâGÁ°þô8Ø)ôÓ®¬¿´ãíîõµ³±õò/ÄB,i=^e÷¦L?(/\vr6¨~ÌÙpo½»#ìrw)ýøéíì×òðOBòƱÏ39¹Á'ô£þ=^ÁG¶1Ýù°³Faë¾¾èînïêýOTµF6VæmoK&PSa<Á3µ@½IJ¬ã¬]©#¼ì¸ò^&K~:â·j£Ò%uÝCR\xS³[BþY;/,/},Sì²aÖwW¥qõmkÓItñr*I¢ÈÅÿDS¾øn)µ<¸ÇI¤ÑÈfRØc±)Á·Ç1zÒN-³@!ͧì2êÛ+´!o¤.$]Øÿs:¤îÉÞ´ÔË<ù×m

Comfortable? Probably not for everyone. The risk of losing 2fa tokens or backup codes in the event of machine loss is insignificant.
I will still have a copy of this data that can be opened on any other machine on request.
Stealing a keepass database? Without taking over the password and key file, only the brute force method will get to the content.

The next step would be to purchase hardware u2f.

1 Like

#19

Your solution sounds really elaborate and maybe a bit too much for me. I wanted to find the happy medium between being secure online and not being worried that, at any moment, I could lose everything I have. I considered Keepass but it’s a bit too complicated to manage, I wanted something a bit easier to juggle around. So your comment summarizes the fact that 2FA is a good thing to have, just in case something happens right?

0 Likes

#20

Yeah, I saw that isn’t a free service. I would like to use a free service because, for now, I can’t really afford to also pay for something like that. Saving up for other things right now.

0 Likes