Calgarypuck Forums - The Unofficial Calgary Flames Fan Community
Old 06-14-2021, 04:23 PM   #1
GoinAllTheWay
Franchise Player
Join Date: Apr 2003
Location: Not sure
Learn me on 2FA

Looks like I'm a bit behind on the curve with this. Currently only have it set up on my google and Shaw accounts and those are just in account settings of those two sites.

Did a search for top 2FA apps and the two top ones seem to be Lastpass and Google Authenticator according to most sites.

LP makes sense as I already use them as my PW manager. But then all my eggs in one basket. But looking at the app, it's got a ton of bad reviews.

So look at the Google Authenticator and it too has a ton of bad reviews.

On top of that, it sounds like things could become a major nightmare if I ever lost my phone or it was stolen. Even changing phones sounds like it could be a headache.

Before I jump into this, what are things someone new to this should be aware of. Tips/tricks? Advice? What are you folks using?
Old 06-14-2021, 05:10 PM   #2
TorqueDog
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West

I use the Microsoft Authenticator app. It works just like every other authenticator app, and I haven't had any issues with it myself.
__________________
-James
GO
FLAMES GO.
Old 06-14-2021, 05:17 PM   #3
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

I've used Google Authenticator as well as Microsoft's Authenticator. I guess and Steam's and Battle.net's. They all have worked fine, but I've never lost my phone, and other than Microsoft's for work they're mostly used for game accounts and such.

My more important accounts still use either email or SMS for 2FA (depending).

I did read this article a while back and they recommend Authy or Duo Security, I should switch over to one of those.

https://arstechnica.com/information-...-dont-have-to/
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
Old 06-14-2021, 05:19 PM   #4
photon

Also for the critical stuff like email I've set up one-time-use passwords so that if I lose the second factor completely I can still log in.
Old 06-14-2021, 05:34 PM   #5
Azure
Had an idea!
Join Date: Oct 2005

I like Authy.

Works great, and I can recover if needed. Might not be the most secure, but wrecking your phone and losing access to 30 accounts because the phone was the only thing providing 2FA isn't very fun.

What I've done is set it up on a couple devices, set them as allowed devices, and then uninstalled. If I lose my phone, I can set it up on my computer again, and it'll allow me to log in.

No other system is allowed to have access because I have all other devices restricted. Works great.
Old 06-14-2021, 06:26 PM   #6
TorqueDog

Quote:
Originally Posted by photon
> My more important accounts still use either email or SMS for 2FA (depending).

SMS 2FA is probably the worst form of MFA.

https://blog.sucuri.net/2020/01/why-...-bad-idea.html

If you don't like that article, there are plenty more from plenty of other authors. But SMS 2FA is crap.
Old 06-14-2021, 08:01 PM   #7
photon

Yeah good point, I had kept that ArsTechnica article as I was thinking of switching, but that's good motivation.

EDIT: What about hardware keys? Anyone use one?
Old 06-14-2021, 10:17 PM   #8
TorqueDog

Quote:
Originally Posted by photon
> Yeah good point, I had kept that ArsTechnica article as I was thinking of switching, but that's good motivation.
>
> EDIT: What about hardware keys? Anyone use one?

I do for work. YubiKey is what we’ve standardized on for engineering (although we’re moving to SAWs with YubiKeys now). I know a couple security guys that have rolled them out at Calgary enterprises that love them.

They have personal versions that work with mobile and USB: https://www.yubico.com/why-yubico/for-individuals/
Old 06-15-2021, 02:43 PM   #9
Azure

I use the YubiKey for my Bitwarden 2FA.

Works great, but not sure if necessary.

You have your phone with you all the time, and unless you carry around your YubiKey, you need to have a second one for more devices.
Old 06-15-2021, 06:27 PM   #10
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

All I can contribute is that we are extremely lucky to have rolled out MFA right before covid and work from home became a reality. I can't imagine the risks several companies were exposed to when forced to allow remote work from home with unsecured environments.

From the press releases of CD Projekt Red, it sounded like they didn't have 2FA on their remote work VPN and part of their ransomware/data breach may have been caused by this.

I use Microsoft Authenticator for work and Google Authenticator for home.
Old 06-16-2021, 09:59 AM   #11
GoinAllTheWay

Thanks for the info so far. Pretty sure I will go with Google Authenticator. Just a question regarding "backing up codes" I keep reading about. I guess this has more to do with the sites you are using GA on? Can someone expand on that part a bit? I thought I had backup codes figured out but think that has more to do with my google account vs the GA app. You can generate 10 b/u codes for your google account but not sure that helps me resolve losing my phone with the app on it.
Old 06-16-2021, 10:07 AM   #12
GoinAllTheWay

Quote:
Originally Posted by Hack&Lube
> From the press releases of CD Projekt Red, it sounded like they didn't have 2FA on their remote work VPN and part of their ransomware/data breach may have been caused by this.
>
> I use Microsoft Authenticator for work and Google Authenticator for home.

Well that's interesting.....we currently RDP into work through a VPN but no MFA. I should bring this up ASAP. I assume that's the MS Authenticator you use for that? Is that an app or hardware based?
Old 06-16-2021, 10:33 AM   #13
TorqueDog

Quote:
Originally Posted by GoinAllTheWay
> Well that's interesting.....we currently RDP into work through a VPN but no MFA. I should bring this up ASAP. I assume that's the MS Authenticator you use for that? Is that an app or hardware based?

Microsoft Authenticator is app-based MFA.
Old 06-16-2021, 11:19 AM   #14
Sr. Mints
First Line Centre
Join Date: Jul 2010

I can't remember the details, but the only problem I ever encountered regarding 2FA was with twitter around Christmas. Either their system was screwy, or I was labelled as a Russian bot or what. But I had to authenticate myself, but just never received a code via text. Again and again. No explanation why, getting through to a human in customer support was hell.

Eventually I did get a response by creating a new account on a device that had never been used to access twitter by me or anyone, and from a VPN to mask my IP.

Really frustrating, and yes, yes, we all know Twitter is garbage, but it gave me pause regarding 2FA - What if it were, say, my gmail account? I'd be f'd.
Old 06-16-2021, 11:44 AM   #15
GoinAllTheWay

Quote:
Originally Posted by Sr. Mints
> Really frustrating, and yes, yes, we all know Twitter is garbage, but it gave me pause regarding 2FA - What if it were, say, my gmail account? I'd be f'd.

This is where the backup codes I mentioned earlier would bail you out. You can generate them in the security section of your profile. It will generate 10 codes for you. Best to write them down somewhere safe, maybe in a couple locations.
Old 06-16-2021, 11:45 AM   #16
Azure

Quote:
Originally Posted by GoinAllTheWay
> Thanks for the info so far. Pretty sure I will go with Google Authenticator. Just a question regarding "backing up codes" I keep reading about. I guess this has more to do with the sites you are using GA on? Can someone expand on that part a bit? I thought I had backup codes figured out but think that has more to do with my google account vs the GA app. You can generate 10 b/u codes for your google account but not sure that helps me resolve losing my phone with the app on it.

Google Authenticator is installed on your phone, so if you lose your phone, you lose your codes.

If you don't have backup codes for every account setup, it becomes a nightmare to deal with.

That is why I have been using Authy, as I can recover on a second device.
Old 06-16-2021, 12:28 PM   #17
GoinAllTheWay

Quote:
Originally Posted by Azure
> Google Authenticator is installed on your phone, so if you lose your phone, you lose your codes.
>
> If you don't have backup codes for every account setup, it becomes a nightmare to deal with.
>
> That is why I have been using Authy, as I can recover on a second device.

Ok, got it. If I'm understanding correctly...when you set up 2FA with a site, that site will give you a backup code right then and there, that's the code I want to keep in a safe place if my phone was lost/stolen?

If that's the case, I can easily handle that part.

I really only anticipate using GA for a handful of sites.
GoinAllTheWay is offline   Reply With Quote
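
Added example, not part of any post in this thread and not any app's or site's own code: a sketch of why the codes live only where the enrollment secret lives, and how one-time backup codes get you in when the phone is gone. It assumes the authenticator app uses standard TOTP (RFC 6238); the `Account` class, the `enroll` helper and the demo secret are constructed for illustration.

```python
import base64, hashlib, hmac, secrets, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(max(at, 0)) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class Account:
    """Hypothetical site-side record for one user with 2FA enabled."""
    def __init__(self, secret_b32, backup_codes):
        self.secret = secret_b32
        # Only hashes are kept; the plaintext codes are shown once at enrollment.
        self.backup_hashes = {_digest(c) for c in backup_codes}

    def verify(self, code, at):
        # Accept the current step and one either side to tolerate clock drift.
        for drift in (-STEP, 0, STEP):
            expected = totp(self.secret, at + drift)
            if hmac.compare_digest(expected.encode(), code.encode()):
                return "totp"
        if _digest(code) in self.backup_hashes:
            self.backup_hashes.discard(_digest(code))  # each backup code works once
            return "backup"
        return None

def enroll(secret_b32, n_backup=10):
    """Return the site record plus the one-time codes the user must store offline."""
    codes = [secrets.token_hex(4) for _ in range(n_backup)]
    return Account(secret_b32, codes), codes

# Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    account, backup = enroll(DEMO_SECRET)
    print("phone shows:", totp(DEMO_SECRET, 59))   # needs the secret on the device
    print("login with phone code:", account.verify(totp(DEMO_SECRET, 59), 59))
    print("phone lost, backup code:", account.verify(backup[0], 59))
    print("same backup code again:", account.verify(backup[0], 59))
```

Any device holding the same secret produces the same code at the same time, which is what multi-device or cloud-backed authenticators rely on; an app that keeps the secret only on one phone has nothing to recover from.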
Old 06-16-2021, 01:36 PM   #18
photon

Related question then, where are people storing their backup codes? If I get a hardware key I think I'd want to get a 2nd key as a backup, so will be the same question.

I don't have a bolted down safe in my house, but that's an option. Are safety deposit boxes still a thing?
Old 06-16-2021, 01:37 PM   #19
TorqueDog

Quote:
Originally Posted by Azure
> That is why I have been using Authy, as I can recover on a second device.

You can recover Microsoft Authenticator too.
Old 06-16-2021, 01:47 PM   #20
Fuzz
Franchise Player
Join Date: Mar 2015

Quote:
Originally Posted by photon
> Related question then, where are people storing their backup codes? If I get a hardware key I think I'd want to get a 2nd key as a backup, so will be the same question.
>
> I don't have a bolted down safe in my house, but that's an option. Are safety deposit boxes still a thing?

Spoiler!