Two-factor authentication: is it worth it?

Of course my approach to this is strongly twisted. But it is me and 99.99% of people would not do that. :slight_smile:
Yes, having an additional authorization vector is always a step in the right direction.
Whether these are codes from a 2fa application or a u2f hardware key, it is always something more than just a password.
Passwords, after all, would be good to keep in some password manager. This allows you to generate a different password for each account, something that the human mind just won’t remember. And such a password database is protected with one central password and possibly a key file.

Use 2fa but think over the entire procedure in case of an apocalypse! What do you do if the phone is damaged? What do you do when the phone is stolen? Because using 2fa and hoping that you will always have a phone with codes available is a bit of a risky approach. If the loss of access to the phone causes permanent loss of access to your accounts then absolutely re-think the whole system using 2fa. Because in such a situation it’s just a big no!
It will be like building a house of cards. You protect yourself against losing your account to a third party, but you can also deprive yourself if something happens to 2fa.
Well implemented 2fa allows you to generate backup codes, usually up to 10 codes. If you have these codes in a safe place then you can sleep peacefully. I also keep a copy of otpauth.

In short, YES for 2fa. But make sure you have the option to regain access to your accounts in the event of the main device being lost. So you need backup codes and / or otpauth copies. With the phone and this GA it’s not all that easy …
https://forum.level1techs.com/t/google-authenticator-backup-for-new-phone/146496

If you have $ you can think about buying yubikey.
https://www.yubico.com

1 Like

Thanks for the in-depth answer to my questions/concerns.

I have already stored in a safe place all the passwords and the one-time codes to recover accounts in case of a catastrophic fail of one of my devices. But I surely have room to improve this mechanism to make it a bit more convenient to use without sacrificing much of the security that 2FA gives me.

Also there are some sites that don’t give recovery keys for accounts when you set up 2FA so in that case what would you suggest? Turn it off or keep a photo of the original QR code so that it can be scanned again? I really don’t get the meaning of this policy.

Places that do not give backup codes are imho garbage. :wink:
Personally, I don’t use QR, I always want txt and I will generate / add it myself. But I guess there are places that have no other option but QR. In this case, the ghetto method is to keep the QR image. Or convert the qr to text: generate it from the image and save it, so you can generate codes on a pc in case of emergency in the future.

otpauth://totp/Level1Techs?secret=***************************************Auth

PS
Do you really need to have 2fa on your phone? If you don’t need a mobile 2fa version that you always have with you … maybe an additional device only for 2fa at home / work. Maybe even some sbc + lcd touch or a second pc / laptop / tablet.

1 Like

I see a lot of people on my Facebook that get hacked, and it’s clear they were hacked because they send spam messages and make insanely outlandish posts. Hasn’t happened to me, because I have 2FA turned on. I have, I think, a dozen or so accounts with 2FA enabled. Granted, it is in Google Authenticator, so as others have said, when you get a new phone it’s a royal PITA to migrate. It also makes my phone VERY important because without it I lose access to a lot of accounts. I actually should get into all my 2FA accounts and get my recovery codes downloaded.

1 Like

So they are victims of phishing? Or were they hit with malware?
One could argue to what extent 2fa protects the average user against phishing … Some say that it does not protect against this.

If the user gives the attacker their login details or enters fake websites, in such a case … 2fa will theoretically not defend him. The average user will not pay attention to where and what he does and, as in the case of login / password, will enter the 2fa code. A much better security solution here would be a hardware u2f key like a yubikey.
The weakest link in the chain is between the chair and the keyboard.

1 Like

2FA would still work if the phishing site was bad, meaning it wasn’t able to capture a 2FA code to then get in and remove the 2FA settings. Plus, even if they did capture a 2FA code, they would have to use it instantly since they expire after a few seconds or whatever. I think Google Authenticator is 30 seconds or so. Ideally, for 2FA to be turned off, the service would require a fresh 2FA code.

But yes, most likely a victim of phishing since many of them don’t have regular laptops and desktops anymore. Not saying malware can’t exist on mobile, just a little less likely.

1 Like

Demanding a firm approach but feasible. The world has already seen greater miracles. :wink:

The phishing attack reported by the FT worked through bogus Swiss domains that replicated ProtonMail’s interface and then accessed the real site in the background in real-time to “trick users into giving up their two-factor authentication codes.” Linking ProtonMail’s anonymized accounts to targeted individuals suggests a leak from a trusted source. “It seems clear that it is linked to our GRU investigations,” Bellingcat researcher Christo Grozev told the FT. “They have been trying to get into our regular email accounts for a long time now. But with ProtonMail, it was very odd and unexpected.”

https://www.forbes.com/sites/zakdoffman/2019/07/26/russian-intelligence-cyberattacked-journalists-hacking-encrypted-email-accounts/

2 Likes

Oh wow, I’ve never thought of that! I guess you could generate codes with a synced clock. But what kind of program do you use to do that on your own?

Yeah, I know but I can’t do anything about it unfortunately. Hard to swallow pill for sure if you’re looking for security.

Dude, get all your recovery keys asap! But yeah, social media and emails are the most attractive targets for a hacker. I agree with you.

This attack has a specific name, I’ve read about it. Do you think there’s a way to spot if someone is redirecting your traffic? Like a browser extension or a program on PC?

I just skimmed this thread, so this might already have been recommended:
For 2FA I personally use Authy. It’s compatible with Google Authenticator and most other tbt systems. It backs up the tokens, syncs them across devices and restores them. Pretty good.

Keep in mind that every convenience you add subtracts security in some way. I personally am now moving from LastPass to KeePass as it’s more flexible in the management of passwords. I need to worry about sync myself though. Other than that, I make sure to use proper 16-30 character random passwords, and enable 2FA where possible. If at all possible I also disable SMS as a fallback option.
All of this might not be necessary, as I doubt I’m a valuable target, but it at least keeps my accounts from being hijacked by some scriptkiddy when another company screws up with storing passwords.
Ideally, I’d like to switch out most time-based tokens for a yubikey, but I haven’t gotten one yet. It’s on my shopping list.
Also, I’m closely watching where SQRL goes, as this can potentially replace passwords for good on certain sites.

2 Likes

The general consensus is that 2FA is good. But still my worry is to lose everything if something goes wrong. I almost got f**** by Arenanet that, for whatever reason, took more than 24h to register on their site that 2FA was enabled and doesn’t have any way to recover your account other than going through them, which is insanity if you ask me. That’s what’s making me doubt about using it or, at least, is pushing me to find a solution that would allow me to recover my data in case of a catastrophic failure.

Well, as I said, security <-> convenience. The fact that YOU can recover your account means that there is SOME way for an attacker to do so too. Phone companies are known for not properly checking your identity on the phone and handing out secondary SIMs, SMS is interceptable, recovery questions can be guessed, etc.

You already have to manage your passwords somehow. If you lose those, you’re in similar trouble.

My personal approach is making screenshots of the QR code that I get when setting up the 2FA. Those get saved on disk. That way, I always have a local backup of what I need to restore the second factor. But as said, Authy does what a password manager does for 2FA.

For recovery you can either do backups or weaken your security. Pick your poison. You alone can decide if the added “hassle” in terms of access and management is worth the added security for you. For me, it is on most sites I regularly use.

2 Likes

Well, I’ve never seen here any carrier handing out a secondary sim or data to anyone. Also, as I said, some sites don’t even give recovery codes so I won’t enable 2FA on those.
I don’t mind some complexity, but it shouldn’t completely ruin my online experience. If I wanted an insane amount of security I wouldn’t be on the internet or even have a phone haha

I personally handle it based on the site:

  • Password manager: 2FA, no backup, geoblocking
  • Anything that I can pay with: 2FA, no backup if possible, no saved sessions or such
  • Any stores that process payment information: 2FA if possible and no SMS backup
  • Sites that hold a lot of data from me (mail, Google, forums I use often etc.): 2FA if possible, SMS backup only if no other option is available
  • Everything else gets a secure password. 2FA only if I use them more than once a week.

That way, I protect most really important stuff, keep management to a minimum and only have one instance that’s a real hassle to recover. But I WANT my password manager to be a hassle to recover. It holds all the information to every site I use. Making it easy to access when I lose data to it would also make that information easy to get to by someone who wanted it.
But those are only my personal trade-offs. I can see why someone else wouldn’t want to deal with that. It takes a bit of management and setup for sure.

1 Like

That’s a really sensible setup. Thanks for sharing it! I’m new when it comes to improving my online security beyond secure passwords, that’s why I came to you people that know a ton more than I do. I appreciate the help a lot.

1 Like

I have a lot of them screenshotted and those back up to iCloud, which my iMac syncs with. So that sort of helps but it’s not perfect at all. Just gotta get more time to do it. Life of a driver.

1 Like

Definitely use Authy, not Google’s authenticator. It saves your seeds to the cloud and is end-to-end encrypted so they’re secure. You just install Authy on multiple devices, authenticate, and all your 2FA codes are there.

Don’t take screenshots of the QR codes and store them in an insecure area. That’s insane.

Don’t use your desktop password manager to store 2FA codes. That’s keeping both forms of authentication in the same spot, which kills a lot of the reason you’re doing 2FA in the first place. Also if you secure your password manager with 2FA (which you absolutely should do) you could be caught in a catch-22.

2 Likes

I probably didn’t make myself clear. Excuse me.
I meant not using the qr image, only the pure textual form of the code. All my accounts allow you to convert a qr image to txt and then I do the usual copy / paste into WinAuth, which allows me to add accounts and provide a token in text form per account.
But in your case, if you can’t turn a qr image into txt then just save yourself a qr image and that’s enough. There is a mass of applications that, if necessary, will convert a qr image to txt. I just don’t need a qr image because I don’t use a camera phone. I do everything on computers, so the text form is simply more convenient for me to use and save as a backup.

1 Like

Hmm, rather difficult, phishing with man-in-the-middle is a deep topic.
In this situation with protonmail, many people from the security industry complained about Proton that they do not have u2f implemented, because such an attack in the case of a hardware key would theoretically not be effective. Proton plans to introduce yubikey by the end of the year.

2 Likes