Two-factor authentication: is it worth it?

Print and store in a safe. :crazy_face:

Separate database with a different password / key. Kept separately. Maybe on usb / other machine …

I wrote about it in another topic. Triple separation.

Password on device No. 1.
2FA on device No. 2.
U2F in your pocket.

1 Like

I’ve looked and received conflicting information about Authy in the last 48h. Also the reviews on the store are not the greatest. Many claim that it doesn’t work all the time and I believe them, since the Authy server might have some delay sometimes, I think.

I don’t have them and didn’t even think about doing it. I didn’t even print them out.

This is the next point I was worried about. If I use 2FA on the password manager it might be a really bad time to recover the passwords. Also none of the password managers I’m considering (it’s basically a battle between Bitwarden, KeePass and LastPass for me atm) offer 2FA integrated in the password manager, so I’m fine from that point of view.

Yeah, not all the sites I set up 2FA on have the option of inserting a text key. Maybe if I move to another authenticator soon I’ll back up the 2FA original keys and store them safely together with all the other stuff I printed out, so that I can recover my accounts more easily.

Sure, as long as the two factors are stored in separate secure spots, you’re good.

Authy is fine. I’ve used it for many, many years and it never failed me. Of course that’s a sample size of 1 so YMMV, but this is the first I’ve heard of anyone having problems with it. Once it retrieves your seeds everything is run local on your phone anyway.

2 Likes

As I have already mentioned, my approach to the subject is not for 99.99% of people. For many reasons.

Universal textbook rules may not always be perfect for everyone.
In general, always remember to separate security segments and secure them in the event of a need to recover.

What is 2FA really supposed to protect against?
-Physically stealing your device and using it to log into your account?
-To protect against taking over communication when your computer is infected?
-Or just secure your account in the event of a password leak/phishing?

How many door locks do you have at home? And do you have all the keys for these locks on one keychain in one pocket? What happens if someone steals these keys from you? Suddenly he has everything he needs to open all your locks.

People go to extremes when they want to be according to the textbook … And life requires some flexibility!

Personally, I do not own a smartphone and do not plan to own it! So 2FA using such a device is not possible for me. But instead of a smartphone, I have a dedicated offline machine that acts as a device for 2FA.
-Is it mobile? Yes and no.
-Is this convenient? For me it’s ok but not for 99.99% of people.
-Does it lower the level of security? Imho no, a dedicated offline machine with an encrypted hdd to which no unauthorized persons have physical access.

It’s just that my style of using my accounts does not require access to them anywhere at any time. I just need access from home and work. And such an access model allows me to control the environment.
I have passwords in the keepass database protected by a password and a key file.
I have 2FA codes and tokens in the second keepass database protected by a different password and a different key file.
I have both passwords in my head. I keep my keys separate on two separate usb devices.
I keep the most important backups of everything in safes. Both in digital and paper form.

Statistically, I’m more likely to be shot on the street than someone steals these accounts.

2 Likes

You are a most unusual gentleman, to be sure.

Probably some people would say crazy but I prefer extravagant. :slight_smile:

If you look at it well, nothing is so different. I just slightly modify the typical approach.
Instead of a phone I just use a dedicated laptop. Instead of having access always and everywhere I have it only in certain places.

But at the end of the day the rules are the same. Separation of individual parts of the security system and having the ability to recover key elements if necessary.

1 Like

2FA annoys me, I find it irritating to have to grab my phone just so I can type in some random code I receive on my phone. First thing I do when I get home is to put it on silent mode, and have it with my car keys, wallet and passport in the kitchen. Besides, I would go far to not put my phone number online, those I want to have it, I personally give it to.

In essence, don’t put anything online in any form, if you don’t want the world to see. The passwords I use won’t get cracked any time soon seeing they are 30+ characters, if it’s a service I care about or really need.

I don’t use any login with Google, Microsoft, Apple and several others, since my data is, well, mine. If the companies want it, they’d have to pay me. Since I’m not interesting enough for them to mine data on anyways, so nothing would ever change on that matter.

I will never use a single service to store my passwords in a single place; that is, in my opinion, to put it nicely, beyond stupid. Instead, remember them or write them on a piece of paper in your home. For a hacker to get them, they’d have to know where you live. Which is less likely than “single service password storage” getting hacked.

I do consider 2FA better than not for some things; it’s all about making it just a bit more cumbersome for a hacker to get in than it’s worth for them to spend time on you. Therefore, by adding a small personalized step along the way, they will go for someone who does like everyone else.

At the end of the day, nothing is safe from a determined hacker. So make yourself invisible, lean back, have a beer and watch everyone else getting phone calls from India pretending to be Microsoft and consider what value the shared data has, if leaked, before you hit enter.

This is an approach I can use. Take control of your own security, don’t give it to Google or “single service password storage”.

That’s right. Although I always force myself to look at things in a broad context and not just through the prism of my own. What will be ok for me may be unbearable for someone else.

Personally, I try to avoid storing sensitive data on the network.
My keepass databases have never seen the outside world. And some password managers keep copies in the cloud. I avoid it very much. I store myself.
My Auth for 2FA only works locally and stores everything locally. 100% offline, I also keep backups myself.

Let’s be honest. Most often, security penetration occurs not on the home user’s side but on the service provider’s side. I skip this group of people who just don’t care about systems and have massive infections as well as those who can be fooled into simple scams.
2FA is definitely a step in the right direction and the u2f hardware is even better but it also costs a lot.
The whole concept of using the phone as a 2FA device is as solid as the user’s approach to security.
Many times I have seen absurd situations where people used the phone to perform PayPal transactions and at the same time the same phone was generating 2FA codes. To make things worse, the password was permanently saved …
Take over the phone and unlock it and you have access to $. Yes, the question will be whether it will be easy to unlock the phone.

The point is, the more offline things and physical separation, the better imho.

True. I can only agree with your approach. If it works for you, and it’s outside the norm, it is a lot safer.

In the end, the weakest link is at fault, this link is located 50 or so cm in front of the screen.

For me, your approach would be too cumbersome, mainly because I don’t really share anything anywhere, and I honestly can’t be arsed. I don’t care if a Russian hacker gets my Facebook account; my credit card is insured by the bank. Phishing, which is the easiest way in, doesn’t work on me. Have never had a virus in 35 years of using computers. I do however enjoy the laugh, when it reaches the news that “A very dangerous email is in circulation. Do not click the link and give them your account information.”

My default, day to day setup makes it very difficult to track me. If I want to hide more, I add 5+ hop proxy chains that change on every new site connection, via VPNs with three different providers not linkable to me, which also change on every new connection.

I stopped giving friends and family advice 5 or so years ago; it simply doesn’t sink in for them. My mother had her card emptied, I think twice this year alone.

Of course services like lastpass and bitwarden can be hacked. They’re probably hacked right this moment. That doesn’t matter, because everything is end-to-end encrypted.

If you really use different passwords for every service and keep them written down in a physical notebook, that’s perfectly fine. Most people aren’t willing to go to that much effort, which is why password managers exist, and telling people not to use them is dangerously bad advice.

2 Likes

I can see why you would go to that extent and your approach is surely a 0.1% type of thing. I have all my unique passwords written down but I can’t realistically memorize all of them, since I access some sites more frequently than others.
Not using a password manager, to me, is like asking someone to not use a key ring because if you drop a key you’re going to lose the whole bunch attached.
I didn’t know about 2FA code generators on desktop that allow backing up keys. A good answer is using a KeePass DB and maybe having it backed up on an external encrypted drive.

1 Like

I “fear” that this, in itself, might weaken your security. Every time my PW Manager doesn’t work, it’s a MAJOR hassle to input the Passwords. If you have to write them every time you need them, you will inherently choose shorter and easier to type Passwords. And those are weaker than what could be done with a Password Manager.
An example of a common Password setup I use: w@YItC9PUE9a#3&j5I*4^FH4
Writing this down and typing it every time is really not easy. So you will probably default to 1. keeping sessions with cookies or such, 2. using shorter Passwords and 3. using less entropy, as a lot of Symbols aren’t that easy to type on a Phone or such.

I personally still use LastPass, but I don’t care which service or App you use. But any Password Manager will strengthen your security and make it MUCH easier to use strong passwords. I like the sync that LastPass offers and its extension just works, but you could also use KeePass, if you want total control.
Writing Passwords down on Paper is only a solution for Passwords you don’t use often… m2c

2 Likes

My passwords are all around the 90 bits of entropy so I should be good. They’re decent to type, not too difficult typing them all the time to be honest. But they’re not as complex as the ones you’re using.

I’m going to set one up. Still undecided about which one to use.

1 Like
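The two posts above argue about entropy: the 24-character example password, and passwords "around the 90 bits of entropy". The following is an added example (not code posted by anyone in this thread, and not KeePass or LastPass code) that makes the arithmetic behind those claims explicit: a CSPRNG-backed generator of the kind a password manager uses, the entropy formula for uniformly random passwords, and the length needed to reach a target such as 90 bits, for random characters and for Diceware-style passphrases (7776-word list). The 94-symbol alphabet is the printable ASCII set; the word list size is the standard Diceware one.

```python
import math
import secrets
import string

# The 94 printable ASCII characters: lowercase, uppercase, digits, punctuation.
# This is the character set a manager's generator typically draws from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())       # 94 symbols
DICEWARE_LIST_SIZE = 6 ** 5                # 7776 words in the standard Diceware list


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols each chosen uniformly at random from `alphabet_size`.
    Valid only for generator output; a human-chosen password has far less than this."""
    return length * math.log2(alphabet_size)


def symbols_needed(target_bits, alphabet_size):
    """Smallest number of uniform draws from `alphabet_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def assumed_entropy(password):
    """Upper-bound entropy estimate: assume the password was drawn uniformly from the
    union of the character classes it actually uses (so 'abc' is rated over 26, not 94)."""
    size = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    return entropy_bits(len(password), size)


def generate_password(length, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (`secrets`), never `random.random()`.
    `secrets.choice` is unbiased, so each symbol contributes the full log2(|alphabet|) bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    example = "w@YItC9PUE9a#3&j5I*4^FH4"      # the password quoted in the thread
    print(f"{example!r}: ~{assumed_entropy(example):.1f} bits if generated at random")
    print(f"90 bits needs {symbols_needed(90, len(ALPHABET))} random printable characters")
    print(f"90 bits needs {symbols_needed(90, DICEWARE_LIST_SIZE)} Diceware words")
    print("fresh 14-char password:", generate_password(14))
```

The last two lines of output are the practical point of the thread's argument: about 14 random printable characters or 7 Diceware words give the same 90 bits, and the passphrase is the one a person can type from a paper backup without defaulting to something shorter.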

Just use a password manager and have generated passwords for all your accounts. I only remember 2 or 3 account passwords. The rest of my online accounts are stored inside KeePass, each having a different password made of <more than 12 characters> (I’m not telling you the number of characters I’m using, lol). And it has all the good stuff, like special characters that no sane person can remember. It is a pain in the butt to type in the password, but that’s why I’m syncing my KeePass DB on my Android phone, Windows tablet and Windows laptop, 2 Linux PCs and 1 Windows VM and copy-pasting into the login form.

Setting up 2FA would be a little overkill - and frankly, I’m too lazy to do it; it was already painful to reset all my account passwords to something random a few years ago when I started doing this.

And I’d rather not trust those online 2FA services, I’d rather go with something offline, like an open source TOTP or HOTP generator.

1 Like

It’s not really that much of an effort, since once I was done configuring my setup, that was about it. Then it’s just to remember 12-15 passwords. As passwords, I tend to use sentences/phrases, since they are easier to remember. One example could be “Lur! Ruler of the planet Omicron Persei 8” or “If only I had twelve camels, then I’d be rich” or some other bullshit.

I agree with you, a password manager is better than no password manager, as long as it’s local and not hosted somewhere. I simply don’t trust the ones making the software to be thorough enough, nor do I trust some spying government to snoop around in my private things, online or not. Not saying there aren’t any services that are very secure, I simply can’t be arsed with looking into it.

Yup, that was part of the idea. It’s impossible to be safe online, therefore, make it as cumbersome as possible for anyone to snoop, steal or whatever, and they’ll go elsewhere before they are done.

2 Likes

I personally trust someone whose entire business it is to keep Passwords safe to do a much better job than I could.
And it’s certainly much easier for someone to hack my PC at home than a Server at LastPass. It’s easy to fck up and assuming you are perfect is probably a bad idea.
But that’s a decision everyone has to make for themselves. Ideally we wouldn’t need passwords anymore. As long as we do, a hosted Password manager with proper end-to-end encryption is the right tradeoff in security vs convenience for me.

2 Likes

Most important is to do what’s comfortable and what works for one’s situation.

My issues aren’t as much with hackers/scammers. Passwords, 2FA and general encryption are secure enough to keep most out these days. My issue is more with governments sticking their nose where it doesn’t belong. Which is also why I prefer obfuscation over standardized methods.

1 Like

Google Authenticator is offline, it just syncs to get the correct time and that’s it. But I don’t know if I’ll keep using it or not for the many reasons I expressed before. Most importantly, if something happens to my device, I’ll spend the next week changing all my 2FA configurations.
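Several posts touch the same mechanism: the wish for an "open source TOTP or HOTP generator" that works offline, the observation that Google Authenticator only needs the correct time, and the idea of backing up "the 2FA original keys" so a lost phone does not mean a week of re-enrolling. The block below is an added example, not code from any poster, from Google Authenticator, Authy or KeePass. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with nothing but the standard library, checks a code the way a server would (tolerating a little clock drift, constant-time compare), and round-trips the seed through the otpauth:// key URI that authenticator apps scan; that URI, or the base32 secret inside it, is exactly what a paper backup of a 2FA key contains. The seed used is the RFC 6238 test secret, and the account label and issuer are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    Nothing here touches the network; the only inputs are the seed and the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(time / period). This is why an
    authenticator app only needs a correct clock, not a server connection."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify_totp(secret, candidate, unix_time, window=1, period=30, digits=6, algorithm="sha1"):
    """Server-side check accepting the code for the current step and +/- `window` steps,
    so a phone whose clock drifted by a few seconds still works. Uses a constant-time
    comparison so the check leaks nothing about how many digits matched."""
    for step in range(-window, window + 1):
        expected = totp(secret, unix_time + step * period, period, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def make_otpauth_uri(label, secret, issuer, digits=6, period=30, algorithm="SHA1"):
    """Key URI format that authenticator apps import (usually via QR code). Writing this
    string down is the 'backup of the original key' discussed in the thread: anyone
    holding it can generate the same codes, so it belongs in the safe, not in email."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm={algorithm}"
            f"&digits={digits}&period={period}")


def parse_otpauth_uri(uri):
    """Inverse of make_otpauth_uri; only the totp type is handled here."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)   # apps strip base32 padding; b32decode wants it back
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri, unix_time=None):
    """Regenerate the current code from a backed-up URI alone (restoring a lost device)."""
    p = parse_otpauth_uri(uri)
    if unix_time is None:
        unix_time = time.time()
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    # Constructed account details for the demo; the secret is the RFC test vector.
    uri = make_otpauth_uri("alice@example.com", RFC_SECRET, "Example")
    print("backup URI:", uri)
    print("code at RFC time 59:", code_from_uri(uri, 59))      # 287082 per RFC 6238
    print("code right now:     ", code_from_uri(uri))
```

Two things the code makes concrete for the thread's debate. First, `totp` is a pure function of seed and time, so a second device, or a KeePass entry, holding the same seed is a complete recovery path. Second, the `window` in `verify_totp` is the whole reason Google Authenticator "syncs to get the correct time": a phone more than a step or two off the server's clock produces codes the server rejects, which is the most common cause of "the authenticator doesn't work".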