2 Factor Authentication w/ Encrypted Backup and Device Sync - Bye Bye Google Authenticator

in security •  2 years ago 

Bye Bye Google Authenticator

image.png

Are you still using Google Authenticator? I was, but a few months ago I migrated everything off it. Google Authenticator has no backup, no device sync, and no recovery option if you lose your phone.

If you use 2FA (2-factor authentication) on your important sites (you should be!) then you can lose access to all of them at once if you lost your phone. The only solution is to backup the seed key when you set up the account (the key or the QR code) or have backup codes for each site. Many services that use 2FA do not offer backup codes and many only offer the QR code without the text code for easy backup.

One thing I don't think a lot of people know is that 1Password supports one-time passwords that are compatible with Google Authenticator. These are stored with AES256 encryption in your wallet storage, and can be synced across any device (mobile or desktop, and now even Linux).

Unfortunately, the one-time password support isn't very intuitive but it is extremely effective. 1Password is available as an online service or stand alone. Data is encrypted on your device prior to being transmitted to the cloud or whatever service you use to sync your devices (typically Dropbox if not using their online service).

1Password is the most open and transparent company about their security practices and has proven to be more secure than popular alternatives like LastPass and Roboforms.

How do you use one-time passwords in 1Password?

You will need to edit a Login for a website inside of the 1Password app or on the mobile app. Go into the section where you can set up labels and new fields.

In the new field section type in one-time password and you will see a new icon on the right side show up.

Click on that, and then go to one-time password

You will then get another icon to scan the one-time password.

I find adding new one-time passwords best from mobile as you can easily scan the code.

On a desktop, though you can use the clipboard screenshot of the QR code or from a file.

Just save it, and you are done.

When you go to fill in a login form, there will be a new option for one-time password.

This is synced to all devices you use 1Password on and is also encrypted. You are no longer dependent on device and you have real-time backups of your 2FA keys.

I know Authy does this as well but it is also tied to a phone number, cell phones are really bad 2FA devices as it is very easy to social engineer the provider to clone a SIM. It only takes 1-2 attempts to get an employee that would be happy to clone a third party SIM without proper authorization.

Any service that uses SMS as a second factor is doing you a disservice and are putting you at risk.

Why you should vote me as witness

Witness & Administrator of four full nodes

X48EJ

themarkymark.png

My recent popular posts

The truth and lies about 25% curation, why what you know is FAKE NEWS
WTF is a hardware wallet, and why should you have one?
GINABOT - The Secret to your Sanity on Steemit
How to calculate post rewards
Use SSH all the time? Time for a big boy SSH Client
How to change your recovery account
How curation rewards work and how to be a kick ass curator
Markdown 101 - How to make kick ass posts on Steemit
Work ON your business, not in your business! - How to succeed as a small business
You are not entitled to an audience, you need to earn it!
How to properly setup SSH Key Authentication - If you are logging into your server with root, you are doing it wrong!
Building a Portable Game Console

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

I am looking forward to FIDO being more popular since 2FA has the flaw that both sides need to keep the seed code encrypted and secure. There has been cases where the website did a poor job with this security.

FIDO uses a different process that supposedly eliminates this problem. Alas i do not know the tech behind it.

FIDO doesn't work on mobile, so you wouldn't be able to login to any sites using it while on your phone.

Well that sucks. Thanks for the info.

the more the improvement of the system more the security and more headache

2FA is really quite the revelation in privacy settings, but it seems like it's still early days for it. Most people still don't use it, and I started using it no longer than a year ago or so. When it works, it works, but when unusual things happen it can get messy. I don't think Google will let itself become obsolete in anything, but I wouldn't be surprised if they made big changes to their authenticator to keep up with better ideas.

I agree.

Got rid of using Google authenticator when i lost access to a crypto exchange account because i didn't save the seed key. Switched to Authy 2fa Authenticator ever since then and can't even dream of going back to google Aunthenticator because of the backup and sync feature it lacks.

Will give this 1password a trial. I just hope it has enough features to make me switch from Authy. 😁

and no recovery option if you lose your phone

the recovery option is sms text message to new phone with same number, get a new sim from phone provider and works fine

As a result, starting next week, SMS two-step verification users on Google will see an invitation to try out the new system, although anyone with a security key will not. On Android the system is built-in, but iOS device users will need to have the Google Search app installed.

i guess it is not available to all users idk

Nice contribution. I haven't tried the 2FA function in 1Pass yet.

I don't quite understand your statement at the end where you say that cell phones are bad 2FA devices.

In the case of 1Pass, if I understand correctly, both factors are secured in one place.

I use Authy myself and I am very satisfied with it.
In any case better than Google Authenticator :)

If sms is used as second factor, someone can call your mobile company and pretend to need a copy of the sim and they will sometimes get it. At that point they can get all your sms messages.

Yes that is right. Social Engeneering is an often used attack vector.
But I don’t think Authy can be restored only with sms. If this is so there is no need for Authy at all.

As you might know, some providers send the auth code via SMS instead of using a 2FA application. In theory, if you're planning to attack a single person, it's shockingly easy to call the provider and gain access to the SIM card. This technique is called "Social Engineering" and is actually pretty effective.

Google Authenticator and competitors use an encryption key which is shared with the device via the QR code you're scanning at initial setup. Therefore, the code is unique and device-bound, so there is no way for an attacker to gain access to it (unless he gets access to your device).

acá toca guardar la clave secreta de cada sitio para la configuración de 2FA.

I have had my phone fry and lost this before. Crypto sites are a bitch to get access back to. The only thing that saved me was being fully verified on certain sites. Still haven't gotten back into Kraken so that has just become a savings account for now. I do have the QR printed off somewhere, just haven't looked for it.

Thank you for info. When I activated 2FA on Bittrex I forgot to back up the key. Now I depend on Google Authenticator which is bad in so many ways.

Just disable it arausa, and then add it back on Bittrex...you will get the new code friend...make sure to delete the old data on your phone in the GA interface...then when you scan the new QR code the new password will be saved

Thank you very much for your advice. Well, not sure what do you mean by deleting old data in the GA interface I'm using iPhone 5, but I'll give it a try to find out.

Sorry for the late response arausa....what i meant was go to the GA app and delete the exchange you added before by holding your finger on it..it will show you a trash delete button....then press the + to add a new exchange and then scan the new QR code for the 2fa you re established...let me know if that makes sense friend...cheers

Thank you very much for explanation, yes, it worked! Cheers!

Oh my! Thanks for the heads up. I just didn't think. Glad to read this before I lose my phone. Personally, I'm going to switch to Authy, but thank you. I didn't realise how much it would affect me if I lost my phone!

There is a wayto extract seed in text form if the phone is rooted. I got mine extracted and stored somewhere else. But the combination you suggested is much more straight forward indeed.

yeah, I have looked into that, but it is much harder on iPhone and a lot of work just to move it.

In case of iphone it would be harder. Anyway this is the design flaw of the app in the first place.

This is a nice one from a frd and a boss. U have thought me something i will never have knew in just a second about google authenticator , i have it on my phone but i never knew. May the good Lord bless you @themarkymark

Nice work you're 100% right 2FA that relies on a phone number is very flaky and can be potentially disastrous if you loose your phone.

This looks to be a good solution if not a bit technically challenging for some :p

Thanks a lot my frd and my boss @themarkymark ur information as make me ro follow u knowing the benefit of knowledge i will gain from you. Stay cool and be blessed

I recommend not trading on any exchanges that dont provide you with a backup key when you add 2FA to your account.

2 Factor Authentication is one of the least utilized security measures we can employ. This is another layer of protection which will circumvent your information from getting hacked. Thanks for the share.

Why we must say good by to Google Authenticator... what the reason for it. Why ask?

Did you read the first paragraph?

Thank you for this @themarkymark. I've had my sad days of loosing cryptos unfairly due to theft. I'm currently using G Authentication for now..

Thank you for this information @themarkymark. I think it is a fantastic alternative to consider.
@cryptoexplode

Thanks for sharing ! I will use 1password ;-) !

Congratulations @themarkymark!
Your post was mentioned in the Steemit Hit Parade in the following category:

  • Pending payout - Ranked 9 with $ 252,09

With cryptocurrencies gaining more traction, 2FA is a must. This is the best solution I've come across so far. Great post @themarkymark

interesting information. But, I think Google is not going to become obsolete.

excellent thanks

What is the future of Cyber Technology? Feel free to read my post. Upvote and Reestem, thanks.

https://steemit.com/cyber/@orlendgreat/future-of-technology-cybersecurity-in-the-next-decades