Two-Factor Authentication Index Cards


Obviously, this is a dummy card: I grabbed a random QR code off the net and, for the backup codes, I mashed the numeric pad.

I use two-factor authentication via Google Authenticator whenever it is offered. As you may or may not know, if your phone dies or is reset you lose all of your authentication codes. What I normally do when I add a new site to Google Authenticator is first add it to more than one device, usually five, and then store the QR code from that site off the computer, as well as print a laminated index card with all of the information needed. Most of the time you will never be given the same QR code twice, and even if you did get the same QR code twice you would have to be able to log into the site to get it. The card includes the name of the site, the QR code and any backup codes offered by the site. I store these in a safety deposit box.

This allows me to add codes back into either a new device or one which has been reset, easily and without issue. I recently got the Oreo update for my LG V20 and had to factory reset my phone (I debloated a little too much; after the factory reset I debloated again and the second screen kept crashing, so I just disabled the second screen). I lost all 15 codes in Google Authenticator. Using the cards, I had all 15 codes added back into Google Authenticator in about a minute.

I'm aware of the service Authy, but I'm not comfortable yet linking all of my two-factor codes to a single service.

Thought this may help people so they don't get locked out of their accounts.


7 minutes ago, DConnell said:

That code takes you to the Wikipedia page for Mark Oliphant, by the way. (Couldn't resist!)

Sweet, at least it's not malicious. I guess I should have checked that first, lol.


1Password is really good for 2FA: you can store 2FA codes in your vault, allowing you to access them on any platform with a 1Password app available.

What I like about 1Password is that you can keep your data in an encrypted vault locally, then sync it to other devices however you like (a network share or Dropbox, for example), so you are always fully in control of your data.

I used to use Google Authenticator; however, it gets a bit messy when you have 20+ sites in it. I used to back it up to an encrypted hard drive as I had root, and in doing so I realised that Google Authenticator's database stored your keys in plain text. Granted, you shouldn't normally be able to access this, but it's something to keep in mind if Google is still doing that.


55 minutes ago, InsaneNutter said:

1Password is really good for 2FA: you can store 2FA codes in your vault, allowing you to access them on any platform with a 1Password app available.

What I like about 1Password is that you can keep your data in an encrypted vault locally, then sync it to other devices however you like (a network share or Dropbox, for example), so you are always fully in control of your data.

I used to use Google Authenticator; however, it gets a bit messy when you have 20+ sites in it. I used to back it up to an encrypted hard drive as I had root, and in doing so I realised that Google Authenticator's database stored your keys in plain text. Granted, you shouldn't normally be able to access this, but it's something to keep in mind if Google is still doing that.

Yes, but all the keys are in the same spot. If your 1Password gets pwned, they have the username, the password AND the second factor. I think LastPass has a similar option where you can use the LastPass Authenticator and sync your authentication codes to your LastPass account, but I don't want the second factor in the same spot as my passwords.


9 hours ago, Emn1ty said:

I've been using Authy. It's nice to be able to use the authenticator on either my phone or desktop.

I have a question about Authy: what sort of two-factor authentication does Authy offer for securing your Authy account, if it's the one storing your two-factor information? My other question is, what if someday Authy just goes dark?


57 minutes ago, warwagon said:

I have a question about Authy: what sort of two-factor authentication does Authy offer for securing your Authy account, if it's the one storing your two-factor information? My other question is, what if someday Authy just goes dark?

Well, if Authy goes dark I can simply switch to another system. Presently I've been storing my backup codes in encrypted notes in LastPass. Personally I don't like putting all my eggs in one basket; however, honestly I've gotten to the point where it's worth it to reset everything/turn off two-factor and re-enable it when necessary, because resetting passwords and remaking new two-factor accounts is more secure than storing stuff anywhere.

For work purposes, I simply have our service desk reset the two-factor accounts when necessary. As for two-factor for Authy itself, the only feature it has is a PIN.


11 minutes ago, Emn1ty said:

it's worth it to reset everything/turn off two-factor and re-enable it when necessary, because resetting passwords and remaking new two-factor accounts is more secure than storing stuff anywhere.

I'm confused. If I read that right, you said it's more secure to disable two-factor on sites and turn it on when you need it?

How many accounts do you have stored in LastPass?


11 minutes ago, warwagon said:

I'm confused. If I read that right, you said it's more secure to disable two-factor on sites and turn it on when you need it?

I mean more along the lines of: say you buy a new phone. You can either use the recovery codes to add the two-factor to the new device, or log in on a desktop computer (Google, Facebook and I think Amazon all work this way) and disable and re-enable two-factor to restart the two-factor registration process. Scan the new code on the new device and move on. Not only do you not have any recovery codes that someone can find and abuse, but hopefully it also invalidates old instances of the two-factor codes.

I've yet to have an issue with this, beyond not having access to the two-factor controls on the website (which only happens for me with work). I just find that trying to recover old two-factor codes is like trying to recover an old password you forgot: forget the old password, just make a new one.

11 minutes ago, warwagon said:

How many accounts do you have stored in LastPass?

I store whatever makes sense there. Primary accounts have their own passwords (Google, Facebook, Microsoft, Amazon, bank, etc.). But the benefit of a system like LastPass is that even if that account gets compromised it works the same way as Google or Facebook: reset the password, and clean up any linked accounts. The nice thing about it is that I have a catalogue of every site that may have been affected, and can easily go and reset all those passwords in the case of a breach of a single account or of my entire LastPass account.

That said, I've been pretty lucky, as I've only ever had an account compromised directly once, and that was due to a phishing site for Xbox Live.

Personally, though, I have been wanting to develop a better password management system that can automatically reach out every month and reset your passwords without your interaction. But websites don't implement a standard, secure set of APIs for password resets to make that easy. Otherwise you do what LastPass does and directly manipulate the web pages, which breaks whenever the layout or HTML changes.


11 minutes ago, Emn1ty said:

I mean more along the lines of: say you buy a new phone. You can either use the recovery codes to add the two-factor to the new device, or log in on a desktop computer (Google, Facebook and I think Amazon all work this way) and disable and re-enable two-factor to restart the two-factor registration process. Scan the new code on the new device and move on. Not only do you not have any recovery codes that someone can find and abuse, but hopefully it also invalidates old instances of the two-factor codes.

That's assuming you have a trusted signed-in session in a web browser (which doesn't require two-factor) to turn off two-factor. What if your phone, computers and devices all get destroyed in a fire?

I just really hope SQRL takes off like a rocket once it's released.


11 minutes ago, warwagon said:

That's assuming you have a trusted signed-in session in a web browser (which doesn't require two-factor) to turn off two-factor. What if your phone, computers and devices all get destroyed in a fire?

I just really hope SQRL takes off like a rocket once it's released.

SQRL really looks interesting. I was just digging into it and I can't find a fault with it.


4 minutes ago, Xenon said:

SQRL really looks interesting. I was just digging into it and I can't find a fault with it.

Gotta love "check, recheck and do it all over again" Gibson.


3 hours ago, warwagon said:

That's assuming you have a trusted signed in session on a web browser (which doesn't require two-factor) to turn off two-factor. What if your phone and computers and devices get destroyed in a fire?

Yes, this does assume that, but I've found that typically when signing in via a web portal they will allow you an alternative two-factor method (email or phone number) to recover the account. But the chances that my desktop, laptop and phone all get destroyed are very low. And even if they did, in most cases (where it actually matters) you can work with customer support to regain access to the account.

3 hours ago, warwagon said:

I just really hope SQRL takes off like a rocket once it's released.

It's interesting, yeah, but the issue isn't security with login; it's getting traction for alternatives. Two-factor exists only because it's another layer on top of traditional login. Even though we all know passwords and such are probably the most insecure way to secure your accounts (insecure because they're constantly misused), they stick around.

This is why it would be nice to abstract password management away entirely. SQRL kind of does that, but the user is still directly involved in having to scan it or interact with it. Regardless, at this point I'd love for passwords to go away and for such keys to become the norm. The primary reason is that in the event of a security breach on your side or the service's side it's a matter of just invalidating the key pairs and forcing a new pair to be generated.
