06-14-2021, 04:23 PM, #1
Franchise Player
Join Date: Apr 2003
Location: Not sure
Learn me on 2FA
Looks like I'm a bit behind on the curve with this. Currently only have it set up on my google and Shaw accounts and those are just in account settings of those two sites.
Did a search for top 2FA apps and the two top ones seem to be Lastpass and Google Authenticator according to most sites.
LP makes sense as I already use them as my PW manager. But then all my eggs in one basket. But looking at the app, it's got a ton of bad reviews.
So I looked at Google Authenticator, and it too has a ton of bad reviews.
On top of that, it sounds like things could become a major nightmare if I ever lost my phone or it was stolen. Even changing phones sounds like it could be a headache.
Before I jump into this, what are the things someone new to this should be aware of? Tips/tricks? Advice? What are you folks using?
06-14-2021, 05:10 PM, #2
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West
I use the Microsoft Authenticator app. It works just like every other authenticator app, and I haven't had any issues with it myself.
__________________
-James
GO FLAMES GO.
The Following User Says Thank You to TorqueDog For This Useful Post:
06-14-2021, 05:17 PM, #3
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
I've used Google Authenticator as well as Microsoft's Authenticator, and I guess Steam's and Battle.net's too. They all have worked fine, but I've never lost my phone, and other than Microsoft's for work they're mostly used for game accounts and such.
My more important accounts still use either email or SMS for 2FA (depending).
I did read this article a while back and they recommend Authy or Duo Security, I should switch over to one of those.
https://arstechnica.com/information-...-dont-have-to/
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
06-14-2021, 05:19 PM, #4
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Also, for the critical stuff like email I've set up one-time-use passwords so that if I lose the second factor completely I can still log in.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
06-14-2021, 05:34 PM, #5
Had an idea!
I like Authy.
Works great, and I can recover if needed. Might not be the most secure, but wrecking your phone and losing access to 30 accounts because the phone was the only thing providing 2FA isn't very fun.
What I've done is set it up on a couple of devices, set them as allowed devices, and then uninstalled. If I lose my phone, I can set it up on my computer again, and it'll allow me to log in.
No other system is allowed to have access because I have all other devices restricted. Works great.
06-14-2021, 06:26 PM, #6
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West
Quote:
Originally Posted by photon
My more important accounts still use either email or SMS for 2FA (depending).
SMS 2FA is probably the worst form of MFA.
https://blog.sucuri.net/2020/01/why-...-bad-idea.html
If you don't like that article, there are plenty more from plenty of other authors. But SMS 2FA is crap.
__________________
-James
GO FLAMES GO.
The Following 2 Users Say Thank You to TorqueDog For This Useful Post:
06-14-2021, 08:01 PM, #7
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Yeah good point, I had kept that ArsTechnica article as I was thinking of switching, but that's good motivation.
EDIT: What about hardware keys? Anyone use one?
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
06-14-2021, 10:17 PM, #8
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West
Quote:
Originally Posted by photon
Yeah good point, I had kept that ArsTechnica article as I was thinking of switching, but that's good motivation.
EDIT: What about hardware keys? Anyone use one?
I do for work. YubiKey is what we’ve standardized on for engineering (although we’re moving to SAWs with YubiKeys now). I know a couple security guys that have rolled them out at Calgary enterprises that love them.
They have personal versions that work with mobile and USB: https://www.yubico.com/why-yubico/for-individuals/
__________________
-James
GO FLAMES GO.
The Following User Says Thank You to TorqueDog For This Useful Post:
06-15-2021, 02:43 PM, #9
Had an idea!
I use the YubiKey for my Bitwarden 2FA.
Works great, but not sure if necessary.
You have your phone with you all the time, and unless you carry around your YubiKey, you need to have a second one for more devices.
06-15-2021, 06:27 PM, #10
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
All I can contribute is that we are extremely lucky to have rolled out MFA right before covid and work from home became a reality. I can't imagine the risks several companies were exposed to when forced to allow remote work from home with unsecured environments.
From the press releases of CD Projekt Red, it sounded like they didn't have 2FA on their remote work VPN and part of their ransomware/data breach may have been caused by this.
I use Microsoft Authenticator for work and Google Authenticator for home.
06-16-2021, 09:59 AM, #11
Franchise Player
Join Date: Apr 2003
Location: Not sure
Thanks for the info so far. Pretty sure I will go with Google Authenticator. Just a question regarding "backing up codes" I keep reading about. I guess this has more to do with the sites you are using GA on? Can someone expand on that part a bit? I thought I had backup codes figured out but think that has more to do with my google account vs the GA app. You can generate 10 b/u codes for your google account but not sure that helps me resolve losing my phone with the app on it.
06-16-2021, 10:07 AM, #12
Franchise Player
Join Date: Apr 2003
Location: Not sure
Quote:
Originally Posted by Hack&Lube
From the press releases of CD Projekt Red, it sounded like they didn't have 2FA on their remote work VPN and part of their ransomware/data breach may have been caused by this.
I use Microsoft Authenticator for work and Google Authenticator for home.
Well that's interesting.....we currently RDP into work through a VPN but no MFA. I should bring this up ASAP. I assume that's the MS Authenticator you use for that? Is that an app or hardware based?
06-16-2021, 10:33 AM, #13
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West
Quote:
Originally Posted by GoinAllTheWay
Well that's interesting.....we currently RDP into work through a VPN but no MFA. I should bring this up ASAP. I assume that's the MS Authenticator you use for that? Is that an app or hardware based?
Microsoft Authenticator is app-based MFA.
__________________
-James
GO FLAMES GO.
The Following User Says Thank You to TorqueDog For This Useful Post:
06-16-2021, 11:19 AM, #14
First Line Centre
I can't remember the details, but the only problem I ever encountered regarding 2FA was with Twitter around Christmas. Either their system was screwy, or I was labelled as a Russian bot, or what. I had to authenticate myself, but I just never received a code via text. Again and again. No explanation why, and getting through to a human in customer support was hell.
Eventually I did get a response by creating a new account on a device that had never been used to access Twitter by me or anyone, and from a VPN to mask my IP.
Really frustrating, and yes, yes, we all know Twitter is garbage, but it gave me pause regarding 2FA - What if it were, say, my gmail account? I'd be f'd.
06-16-2021, 11:44 AM, #15
Franchise Player
Join Date: Apr 2003
Location: Not sure
Quote:
Originally Posted by Sr. Mints
Really frustrating, and yes, yes, we all know Twitter is garbage, but it gave me pause regarding 2FA - What if it were, say, my gmail account? I'd be f'd.
This is where the backup codes I mentioned earlier would bail you out. You can generate them in the security section of your profile. It will generate 10 codes for you. Best to write them down somewhere safe, maybe in a couple locations.
The Following User Says Thank You to GoinAllTheWay For This Useful Post:
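For the backup codes GoinAllTheWay describes, it helps to see what the service keeps on its side: a short list of random one-time secrets, stored as hashes so a database leak does not hand out usable codes, each accepted exactly once and then struck off. The model below is an added Python example, not code from Google or any other service named in the thread; the 10-character alphanumeric format, the class and function names, and the rule that issuing a new set revokes the old one are my own choices for the illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, easy to read back from paper
CODE_LEN = 10                                       # 36**10 possible codes (constructed choice)


def _normalize(code):
    """Accept the code however the user typed it: case, spaces and dashes are ignored."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _fingerprint(code):
    """Only this hash is stored; the plaintext is shown to the user once and never kept."""
    return hashlib.sha256(_normalize(code).encode("ascii")).hexdigest()


class BackupCodeStore:
    """Server-side model of one account's backup codes (hypothetical, for this example)."""

    def __init__(self):
        self._unused = set()

    def issue(self, count=10):
        """Mint a fresh set, revoking any previous set, and return the plaintext once."""
        self._unused = set()
        shown = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            shown.append(f"{raw[:5]}-{raw[5:]}")      # grouped for legibility when written down
            self._unused.add(_fingerprint(raw))
        return shown

    def redeem(self, submitted):
        """Consume a code: True exactly once per code, False on replay or for unknown codes."""
        candidate = _fingerprint(submitted)
        matched = None
        for stored in self._unused:                  # check every entry, each in constant time
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)               # single use: strike it off
        return True

    def remaining(self):
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("write these down once; they will not be shown again:")
    print("\n".join(codes))
    print("first use:", store.redeem(codes[0]), "replay:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

The store only enforces single use; what makes a short code safe against guessing is rate limiting on the login form, which sits outside this snippet. Keeping the printed list in two places, as the post suggests, is the user's half of the scheme.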
06-16-2021, 11:45 AM, #16
Had an idea!
Quote:
Originally Posted by GoinAllTheWay
Thanks for the info so far. Pretty sure I will go with Google Authenticator. Just a question regarding "backing up codes" I keep reading about. I guess this has more to do with the sites you are using GA on? Can someone expand on that part a bit? I thought I had backup codes figured out but think that has more to do with my google account vs the GA app. You can generate 10 b/u codes for your google account but not sure that helps me resolve losing my phone with the app on it.
Google Authenticator is installed on your phone, so if you lose your phone, you lose your codes.
If you don't have backup codes for every account set up, it becomes a nightmare to deal with.
That is why I have been using Authy, as I can recover on a second device.
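Azure's point that the codes live on the phone is worth making concrete. An authenticator app holds nothing but a per-account shared secret (the QR code you scan is an otpauth:// URI carrying that secret) and derives each 6-digit code from the secret and the current 30-second time step, as specified in RFC 6238. The Python below is an added example, not code from Google Authenticator, Authy, Microsoft Authenticator or any service in the thread: it parses such a URI, computes codes, shows the server-side check with a small clock-drift window, and shows that a second device enrolled from the same QR code produces identical codes, which is all that "recover on a second device" amounts to. The URI is constructed for this example and its secret is the RFC 6238 reference test key; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI: this is the payload behind an authenticator QR code.
# The secret is the RFC 6238 reference test key, not a real account.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return what an app stores when it scans the QR code.

    Everything needed to produce codes indefinitely is in this one string, which is
    why a lost phone holding the only copy means lost codes.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [None])[0],
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: truncate(HMAC(secret, floor(t / step)))."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)           # base32 wants a multiple of 8 characters
    key = base64.b32decode(padded)
    counter = int(time.time() if at_time is None else at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at_time, window=1, step=30, digits=6):
    """Server-side check: accept the current step plus `window` steps either side for drift.

    Every candidate is compared in constant time and the loop never exits early,
    so response timing does not reveal which step matched.
    """
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * step, step, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def codes_agree(uri, at_time):
    """Two devices enrolled from the same QR code produce identical codes."""
    phone = parse_otpauth(uri)
    laptop = parse_otpauth(uri)      # second device: same secret, therefore same codes
    return totp(phone["secret"], at_time, phone["period"], phone["digits"]) == \
        totp(laptop["secret"], at_time, laptop["period"], laptop["digits"])


if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print(acct["issuer"], acct["label"], totp(acct["secret"], now))
    print("second device agrees:", codes_agree(EXAMPLE_URI, now))
```

Because the secret is the whole story, anything that copies it (a second enrolled device, an encrypted cloud backup of the app, or a saved copy of the QR code) restores the codes, and anything that holds the only copy is a single point of failure. The drift window on the server is deliberately small; widening it multiplies the number of codes accepted at any moment.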
06-16-2021, 12:28 PM, #17
Franchise Player
Join Date: Apr 2003
Location: Not sure
Quote:
Originally Posted by Azure
Google Authenticator is installed on your phone, so if you lose your phone, you lose your codes.
If you don't have backup codes for every account setup, it becomes a nightmare to deal with.
That is why I have been using Authy, as I can recover on a second device.
Ok, got it. If I'm understanding correctly...when you set up 2FA with a site, that site will give you a backup code right then and there, that's the code I want to keep in a safe place if my phone was lost/stolen?
If that's the case, I can easily handle that part.
I really only anticipate using GA for a handful of sites.
06-16-2021, 01:36 PM, #18
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Related question then, where are people storing their backup codes? If I get a hardware key I think I'd want to get a 2nd key as a backup, so will be the same question.
I don't have a bolted down safe in my house, but that's an option. Are safety deposit boxes still a thing?
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
06-16-2021, 01:37 PM, #19
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West
Quote:
Originally Posted by Azure
That is why I have been using Authy, as I can recover on a second device.
You can recover Microsoft Authenticator too.
__________________
-James
GO FLAMES GO.
06-16-2021, 01:47 PM, #20
Franchise Player
Quote:
Originally Posted by photon
Related question then, where are people storing their backup codes? If I get a hardware key I think I'd want to get a 2nd key as a backup, so will be the same question.
I don't have a bolted down safe in my house, but that's an option. Are safety deposit boxes still a thing?
The Following 2 Users Say Thank You to Fuzz For This Useful Post: