2FA / two-factor authentication

Email
Comment *
File	Select/drop/paste files here
Password	(Randomized for file and post deletion; you may also set your own.)
* = required field	[▶ Show post options & limits] Confused? See the FAQ.

Flag
Oekaki	Show oekaki applet (replaces files and can be used instead)
Options	Do not bump (you can also write sage in the email field) Spoiler images (this replaces the thumbnails of your images with question marks)
Allowed file types:jpg, jpeg, gif, png, webm, mp4, pdf Max filesize is 16 MB. Max image dimensions are 15000 x 15000. You may upload 3 per post.

File (hide): df8e24253b15114⋯.jpg (59.33 KB, 650x650, 1:1, 3363-08.jpg) (h) (u)

File (hide): 9342be6b75f5851⋯.jpeg (109.62 KB, 2048x1366, 1024:683, th.jpeg) (h) (u)

File (hide): 9566029f83c601b⋯.jpg (30.36 KB, 632x506, 316:253, pgp-card.jpg) (h) (u)

▶2FA / two-factor authentication Anonymous 02/01/19 (Fri) 10:50:30 No.1025896>>1025973 [Watch Thread][Show All Posts]

I read around a bit and didn't come to a conclusive answer. What are your thoughts about it? In which cases would you refrain from using it? In what would your second factor of choice be? Is there something that you think is more secure/convenient/better than 2FA?

Some of the possible choices I found:

Smartcard & cardreader

There's various versions of the OpenPGP smartcard and enough manufacturers with various other specifications.

Cost: From what I gathered the cost for the card is about 18 eu and notmuch for a cheaply built reader.

Drivers: shouldn't be a problem

Possibilities: everything that involves gpg (pass passwordmanager, encryption, mail signing, whatever you can think of), but probably nothing that involves anything FIDO (e.g. online services mostly)

FIDO U2F etc.

There's FIDO and FIDO2. And U2F (usually involves inserting a small usb device and pressing on it when prompted, but I think there's also tiny fingerprint scanners satisfying the protocol) and whatnot.

Cost: The cheapest devices cost about 8 eu, but they don't have all the features that more expensive once have. I'm not sure what they're exposing to the computer and if you can use it for gpg. The most expensive ones are Yubikey - between 45 and 55 eu. Usually also support NFC for smartphone 2FA. These can do gpg via some writable HMAC slot or something and seem to be quite popular.

Drivers: most seem to expose hidraw, never read anybody couldn't get them to work

Possibilites: everything that supports the FIDO U2F protocol, which is mostly online services (dropbox, google services, github, gitlab, microsoft services, facebook, twitter, protonmail, paypal in some countries, visa, mastercard..). In case of the Yubikeys also everything gpg. For the cheaper ones I'm not sure.

▶Anonymous 02/01/19 (Fri) 14:57:32 No.1025973

>>1025896 (OP)

>in which cases would you refrain from using it?

When the implementation is so shit that it's not actually 2 factor authentication but rather getting access to the "2nd authentication" method allows taking over the account. AT&T had a thing where you could walk to a store and do a sim swap by saying you lost your phone and they just allowed you to take over someone elses number, for example people used this to take over popular youtube accounts for and some dude stole $23m in bitcoin by doing sim swap. On many services you are better of not linking your phone and not using this "2 factor authentication".

I like 2 factor authentication as a concept but most implementations are retarded to the point where they make things worse or are just snake oil such as passing a security code for bank transaction through the same browser you just used to login with your passwords, few lines of javascript displaying false transaction info can defeat this kind of snakeoil.

Not all implementations suck though, eg. storing bitcoin wallets or private keys on separate device is cool and good.

>In what would your second factor of choice be?

A second device which displays the transaction data with some parts redacted and asks to confirm transactions/login but doesn't allow taking over the account. A unique token for the verification device should be registered instead of having to enter/store password on the device. This could be just smartphone with special app or any device really.

▶Anonymous 02/01/19 (Fri) 18:11:22 No.1026004>>1026006

Have been using a Yubikey for some time now, and it's a definite step up from (((google authenticator))). They are not cheap but the peace of mind is worth it. There are probably other models but Yubikey is the one that the big corporations with lots of sensitive data use most of the time from what I have read. You should honestly buy 2, and program the second as a backup in case anything were to happen to the first. And if you do, make sure they're the same model, I didn't and ended up with one mini and one regular, and while I can use the mini for my main password manager, it won't work for sites that don't use the touch/tap. Their authenticator app works for anything that doesn't support U2F.

▶Anonymous 02/01/19 (Fri) 18:14:21 No.1026006

>>1026004

Oh and the authenticator app is protected by the key itself, so it won't even start if you don't have the key plugged in and know the password. Pretty neat.

▶Anonymous 02/01/19 (Fri) 22:03:32 No.1026070>>1026121 >>1026149

2FA is a meme at best botnet at worst

▶Anonymous 02/01/19 (Fri) 22:37:36 No.1026081

>In what would your second factor of choice be?

Not a fan of having to plug in the key every time to authenticate. I've grown vary of arbitrary physical contact, especially if I have to use a computer that belongs to someone else. So I like the idea of two factor authentication apps (TOTP) stored on a seperate, offline device that is dedicated to handling this kind of data. It should have a keyboard I can input the secret rather than a camera to read the qr code. An airgapped laptop with Keepass2 is the closest thing to I'm describing here but it is not ideally portable. An offline smartphone with Google/LastPass/Microsoft/Authy Authenticator could also work but then the unremovable wireless chips pose a security threat.

▶Anonymous 02/02/19 (Sat) 02:13:24 No.1026121

File (hide): 16af023e7e1e17b⋯.jpg (174.8 KB, 1920x1079, 1920:1079, 8cb4e1732ccf2597c00eeb459a….jpg) (h) (u)

>>1026070

50+ char password master race

▶Anonymous 02/02/19 (Sat) 04:01:43 No.1026149

>>1026070

this. a secure password is enough but normies will never do that so they waste money on these things

/tech/ - Technology★

General

WebM

Theme

User JS

Do not paste code here unless you absolutely trust the source or have read it yourself!

Favorites

Customize Formatting

Filters