Two-factor authentication: is it worth it?

Yeah, I knew that and that’s why I was looking for something that would give me the peace of mind that if my phone breaks I can still log into my accounts from another device. But I think it’s better to redo all the 2FA tokens now rather than when something happens and I have to run around using one-time keys to recover all my things.
One question: 1password has 2FA tokens built in for the free version or only for the paid one?

1password isn’t actually free. You’ve got just the 1-month free trial if you use the subscription, AFAIK.
I would suggest you have a look at their support forums and google a few things.
Things like vault syncing have always only been available for paid versions.
You’ll have to download the app and have a look yourself.

1 Like

I use 2fa. And for some time I have been thinking about a sensible alternative to the phone. Something like a very small compact device with linux only for 2fa, something like RSA SecurID to carry with keys.
Currently, I just have the keys on my laptop and I log in from a PC, and I don’t have an Android phone.
But this method is not particularly mobile or convenient for 99.99% of people. :wink:

I have all 2fa tokens exported as a plain, unencrypted text file added to the keepass database. Same with backup codes for accounts. The keepass database is protected by a password that I only have in my head and a key kept on the usb.
Account passwords are generated randomly, example of one of the passwords: ±¨.Üì{ÌâGÁ°þô8Ø)ôÓ®¬¿´ãíîõµ³±õò/ÄB,i=^e÷¦L?(/\vr6¨~ÌÙpo½»#ìrw)ýøéíì×òðOBòƱÏ39¹Á'ô£þ=^ÁG¶1Ýù°³Faë¾¾èînïêýOTµF6VæmoK&PSa<Á3µ@½IJ¬ã¬]©#¼ì¸ò^&K~:â·j£Ò%uÝCR\xS³[BþY;/,/},Sì²aÖwW¥qõmkÓItñr*I¢ÈÅÿDS¾øn)µ<¸ÇI¤ÑÈfRØc±)Á·Ç1zÒN-³@!ͧì2êÛ+´!o¤.$]Øÿs:¤îÉÞ´ÔË<ù×m

Comfortable? Probably not for everyone. The risk of losing 2fa tokens or backup codes in the event of machine loss is insignificant.
I will still have a copy of this data that can be opened on any other machine on request.
Stealing a keepass database? Without taking over the password and key file, only the brute force method will get to the content.

The next step would be to purchase hardware u2f.

1 Like

Your solution sounds really elaborate and maybe a bit too much for me. I wanted to find the happy medium between being secure online and not being worried that, at any moment, I could lose everything I have. I considered Keepass but it’s a bit too complicated to manage, I wanted something a bit easier to juggle around. So your comment summarizes the fact that 2FA is a good thing to have, just in case something happens right?

Yeah, I saw that it isn’t a free service. I would like to use a free service because, for now, I can’t really afford to also pay for something like that. Saving up for other things right now.

Of course my approach to this is strongly twisted. But it is me and 99.99% of people would not do that. :slight_smile:
Yes, having an additional authorization vector is always a step in the right direction.
Whether these will be codes from the application based on 2fa or the hardware key u2f is always something more than just a password.
Passwords, after all, would be good to keep in some password manager. This allows you to generate a different password for each account. Something that the human mind just won’t remember. And to protect such a database with passwords, one central password and possibly a key file.

Use 2fa but think over the entire procedure in case of an apocalypse! What do you do if the phone is damaged? What do you do when the phone is stolen? Because using 2fa and hoping that you will always have a phone with codes available is a bit of a risky approach. If the loss of access to the phone causes permanent loss of access to your accounts then absolutely re-think the whole system using 2fa. Because in such a situation it’s just a big no!
It will be like building a house of cards. You protect yourself against losing your account to a third party, but you can also deprive yourself if something happens to 2fa.
Well implemented 2fa allows you to generate backup codes, usually up to 10 codes. If you have these codes in a safe place then you can sleep peacefully. I also keep a copy of otpauth.

In short, YES for 2fa. But make sure you have the option to regain access to your accounts in the event of the main device being lost. So you need backup codes and / or otpauth copies. With the phone and this GA it’s not all that easy …
https://forum.level1techs.com/t/google-authenticator-backup-for-new-phone/146496

If you have $ you can think about buying yubikey.
https://www.yubico.com

1 Like

Thanks for the in-depth answer to my questions/concerns.

I have already stored in a safe place all the passwords and the one-time codes to recover accounts in case of a catastrophic failure of one of my devices. But I surely have room to improve this mechanism to make it a bit more convenient to use without sacrificing much of the security that 2FA gives me.

Also there are some sites that don’t give recovery keys for accounts when you set up 2FA so in that case what would you suggest? Turn it off or keep a photo of the original QR code so that it can be scanned again? I really don’t get the meaning of this policy.

Places that do not give backup codes are imho garbage. :wink:
Personally, I don’t use QR, I always want txt and I will generate / add it myself. But I guess there are places that have no other option but QR. In this case, the ghetto-type method: keep the QR image. Or QR to text: generate it from the image and save it, to generate codes on a PC in case of emergency in the future.

otpauth://totp/Level1Techs?secret=***************************************Auth

PS
Do you really need to have 2fa on your phone? If you don’t need a 2fa mobile version, always have it with you … maybe an additional device only for 2fa at home / work. Maybe even some sbc + lcd touch or second pc / laptop / tablet.

1 Like

I see a lot of people on my Facebook that get hacked. And it’s clear they were hacked because they send spam messages and make insanely outlandish posts. Hasn’t happened to me, because I have 2FA turned on. I have, I think, a dozen or so accounts with 2FA enabled. Granted, it is in Google Authenticator, so as others have said, when you get a new phone it’s a royal PITA to migrate. Also makes my phone VERY important because without it I lose access to a lot of accounts. I actually should get into all my 2FA accounts and get my recovery codes downloaded.

1 Like

So they are victims of phishing? Or were they hit with malware?
One could argue to what extent 2fa protects the average user against phishing … Some say that it does not protect against this.

If the user gives the attacker their login details or enters fake websites in such a case … 2fa will not theoretically defend him. The average user will not pay attention to where and what he does and, as in the case of login / password, will enter the 2fa code. A much better security solution here would be a hardware u2f key like yubikey.
The weakest link in the chain is between the chair and the keyboard.

1 Like

2FA would still work if the phishing site was bad, meaning it wasn’t able to capture a 2FA code to then get in and remove the 2FA settings. Plus even if they did capture a 2FA code, they would have to use it instantly since they expire after a few seconds or whatever. I think Google Authenticator is 30 seconds or so. Ideally, for 2FA to be turned off, the service would require a fresh 2FA code.

But yes, most likely victims of phishing since many of them don’t have regular laptops and desktops anymore. Not saying malware can’t exist on mobile, just a little less likely.

1 Like

Demanding a firm approach but feasible. The world has already seen greater miracles. :wink:

The phishing attack reported by the FT worked through bogus Swiss domains that replicated ProtonMail’s interface and then accessed the real site in the background in real-time to “trick users into giving up their two-factor authentication codes.” Linking ProtonMail’s anonymized accounts to targeted individuals suggests a leak from a trusted source. “It seems clear that it is linked to our GRU investigations,” Bellingcat researcher Christo Grozev told the FT. “They have been trying to get into our regular email accounts for a long time now. But with ProtonMail, it was very odd and unexpected.”

https://www.forbes.com/sites/zakdoffman/2019/07/26/russian-intelligence-cyberattacked-journalists-hacking-encrypted-email-accounts/

2 Likes
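The posts above contrast a TOTP code, which a real-time relay can simply forward, with a hardware U2F key. This added toy model (not code from the thread or from any U2F/WebAuthn library) shows the property that makes the difference: the key signs the origin the browser reports, and the site rejects an assertion whose signed origin is not its own. HMAC stands in for the key’s asymmetric signature, and the origins and rp_id are constructed.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://mail.example"  # constructed relying-party origin

class Authenticator:
    """Stands in for the hardware key. Toy model: HMAC replaces the key's asymmetric signature."""
    def __init__(self):
        self._keys = {}
    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # toy stand-in for the public key handed to the site
    def sign(self, rp_id, origin, challenge):
        # The browser, not the user, supplies `origin`; it is bound into the signed data.
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
        return client_data, hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, origin, key):
        self.origin, self.key, self.pending = origin, key, set()
    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge
    def verify(self, client_data, sig):
        data = json.loads(client_data)
        if data["origin"] != self.origin:      # signed origin must be ours: a look-alike's assertion fails here
            return False
        if data["challenge"] not in self.pending:  # server-issued and single-use
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(data["challenge"])
        return True

def login(rp, authenticator, page_origin):
    """One login attempt; page_origin is what the browser actually shows in the address bar."""
    challenge = rp.new_challenge()
    return rp.verify(*authenticator.sign("mail.example", page_origin, challenge))

def demo():
    key = Authenticator()
    rp = RelyingParty(RP_ORIGIN, key.register("mail.example"))
    # Same key, same fresh challenge; only the origin the browser reports differs.
    return {"genuine": login(rp, key, RP_ORIGIN),
            "relayed_from_lookalike": login(rp, key, "https://mai1.example")}
```

A TOTP code carries no origin at all, which is why the relay described in the quoted article works against it and not against an origin-bound key.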

Oh wow, I’ve never thought of that! I guess you could generate codes with a synced clock. But what kind of program do you use to do that on your own?

Yeah, I know but I can’t do anything about it unfortunately. Hard to swallow pill for sure if you’re looking for security.

Dude get all your recovery keys asap! But yeah, social media and emails are the most attractive targets for a hacker. I agree with you.

This attack has a specific name, I’ve read about it. Do you think there’s a way to spot if someone is redirecting your traffic? Like a browser extension or a program on PC?

I just skimmed this thread, so it might already have been recommended:
For 2FA I personally use Authy. It’s compatible with Google Authenticator and most other tbt systems. It backs up the tokens, syncs them across devices and restores them. Pretty good.

Keep in mind that every convenience you add subtracts security in some way. I personally am now moving from LastPass to KeePass as it’s more flexible in management of passwords. I need to worry about sync myself though. Other than that, I make sure to use proper 16-30 character random passwords, and enable 2FA where possible. If at all possible I also disable SMS as a fallback option.
All of this might not be necessary, as I doubt I’m a valuable target, but it at least keeps my accounts from being hijacked by some script kiddy when another company screws up with storing passwords.
Ideally, I’d like to switch out most time-based tokens for a YubiKey, but I haven’t gotten one yet. It’s on my shopping list.
Also, I’m closely watching where SQRL goes, as this can potentially replace passwords for good on certain sites.

2 Likes

The general consensus is that 2FA is good. But still my worry is to lose everything if something goes wrong. I almost got f**** by Arenanet that, for whatever reason, took more than 24h to register on their site that 2FA was enabled and doesn’t have any way to recover your account other than going through them, which is insanity if you ask me. That’s what’s making me doubt about using it or, at least, is pushing me to find a solution that would allow me to recover my data in case of a catastrophic failure.

Well, as I said: security <-> convenience. The fact that YOU can recover your account means that there is SOME way for an attacker to do so too. Phone companies are known for not properly checking your identity on the phone and handing out secondary SIMs, SMS is interceptable, recovery questions can be guessed etc.

You already have to manage your passwords somehow. If you lose those, you’re in similar trouble.

My personal approach is making screenshots of the QR code that I get when setting up the 2FA. Those get saved on disk. That way, I always have a local backup of what I need to restore the second factor. But as said, Authy does what a password manager does for 2FA.

For recovery you can either do backups or weaken your security. Pick your poison. You alone can decide if the added “hassle” in terms of access and management is worth the added security for you. For me, it is on most sites I regularly use.

2 Likes

Well I’ve never seen here any carrier handing out secondary SIMs or data to anyone. Also, as I said, some sites don’t even give recovery codes so I won’t enable 2FA on those.
I don’t mind some complexity, but it shouldn’t completely ruin my online experience. If I wanted an insane amount of security I wouldn’t be on the internet or even have a phone haha

I personally handle it based on site:

  • Password manager: 2FA, no backup, geoblocking
  • Anything that I can pay with: 2FA, no backup if possible, no saved sessions or such
  • Any stores that process payment information: 2FA if possible and no SMS backup
  • Sites that hold a lot of data from me (mail, Google, forums I use often etc.): 2FA if possible, SMS backup only if no other option is available
  • Everything else gets a secure password. 2FA only if I use them more than once a week.

That way, I protect most really important stuff, keep management to a minimum and only have one instance that’s a real hassle to recover. But I WANT my password manager to be a hassle to recover. It holds all the information to every site I use. Making it easy to access when I lose data to it would also make that information easy to get to by someone who wanted it.
But those are only my personal trade-offs. I can see why someone else wouldn’t want to deal with that. It takes a bit of management and setup for sure.

1 Like