Bitcoin Forum

Other => Beginners & Help => Topic started by: OcTradism on June 26, 2020, 01:50:03 PM



Title: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on June 26, 2020, 01:50:03 PM
People usually care about increasing their funds and capital, but neither care about losses nor pay attention to protecting their funds/capital. There are some reasons why they don't care about it.
-   Not aware of the risks if they don't protect their accounts.
-   Don't have the knowledge.
-   Being too lazy (aware of the risks, have the knowledge, but they don't do anything to secure their accounts).

How many types of authenticators are there?
-   SMS-based/Email-based/Voice-based/Biometric-based authenticators
-   2-factor authenticators (2FA)
-   FIDO U2F hardware authenticators

Which one is recommended and should be your first priority?
2-factor authenticator software. It is free and more secure. Try to use a YubiKey if you actually want to secure your accounts better and can spend some funds on it.
Don't use SMS-based authentication if you can avoid it. Unfortunately, sometimes you don't have a choice because service providers (like banks) only give you that type of authentication. As said, whenever you can avoid this type, avoid it.

The first type is less secure and riskier because there are SIM swapping attacks (for SMS and voice codes), and if you rely on email, your account will be compromised if hackers have access to your email.
[BEWARE] Sim Port Attack (https://bitcointalk.org/index.php?topic=5146701.0) and SIM swapping protection (https://paxful.com/blog/bitcoin-sim-swapping-protection/)
With an SMS-based authenticator, you can secure it better by setting up a PIN code for your SIM card and deactivating lock-screen notifications. More details in the guide from Kaspersky. (https://www.kaspersky.com/blog/2fa-notification-trap/23819/)

Biometric-based authenticators are risky because if you pass away, your family members cannot get access to your account.



The second type is more secure and is the one that should be used. Most of them use the OATH TOTP (Time-based One-Time Password) algorithm.
There is some software for you. More details (https://www.kaspersky.com/blog/2fa-practical-guide/24219/)

Google Authenticator: Android, iOS
Duo Mobile: Android, iOS
Microsoft Authenticator: Android, iOS
Free OTP: Android, iOS
Authy: Android, iOS, Windows, macOS, Chrome
Yandex.key: Android, iOS
Aegis (https://getaegis.app/): Android
When using those apps, there are mandatory steps to do: back up your 2FA codes (to recover later if your phones/devices are broken and cannot be repaired), and test the validity of those backup codes (make sure that you made good backups and that they can be used to recover).

Some people don't know these two important and vital steps. They activate 2FA on their accounts and enter the 2FA codes into the apps, but don't back up those codes and don't test the backup's validity. If their devices are stolen or broken, they get into trouble.

Some advice for 2FA
- Make backups of your 2FA codes before activating it.
- Activate it by manually entering the 2FA codes; don't scan the QR code.
        Because when you enter the 2FA code manually, you also check the validity of your code backup.
        If your code backup is not correct, you cannot activate the code for your account.
- Retest the code backup on another device if possible.
- Don't take a photo and store the code backup on your device. There is a risk that your devices can be compromised and the photo or backup will be leaked.
- Install the 2FA app on another device, and it should mostly be offline. Don't put all your eggs in one basket.

Remember that there are two layers of backup: backup codes, and the 2FA secret key (or bar code). I advise you to back up both of them, or if you choose only one to back up, it should be the 2FA secret key, not the bar code. With the secret key, it will be easier to guess if a character or figure is blurred a little bit, but with a bar code there is almost nothing you can do. Of course, saving your 2FA secret key backups as well as possible is a must.

Store them offline.

Backup codes

2FA secret keys


FIDO U2F hardware authenticators: YubiKey and others
U2F hardware tokens are the darling of security specialists, primarily because, from a user perspective, they work very simply. To get started, simply connect the U2F token to your device and register it in a compatible service. The whole process takes just a couple of clicks.
It is not an exact comparison, but you can think of 2FA apps and the YubiKey like non-custodial wallet software (Bitcoin Core, Electrum) and hardware wallets.

Buy at Yubico's store (https://www.yubico.com/store/)
Using your Yubikey with authenticator codes (from Yubico.com) (https://support.yubico.com/support/solutions/articles/15000006419-using-your-yubikey-with-authenticator-codes)
How to use a Yubikey (from wired.com) (https://www.wired.com/story/how-to-use-a-yubikey/)
2FA HW security keys, Yubikey&such (https://bitcointalk.org/index.php?topic=5223442.0)



Sources:
Aegis Authenticator, a decent alternative to Google Authenticator and Authy (https://bitcointalk.org/index.php?topic=5192978.0)
Traditional Authentication, 2FA and 2SV (https://bitcointalk.org/index.php?topic=5256264.0)
[TUTORIAL] Generate 2FA with Keepass (instead of Authenticator App)  (https://bitcointalk.org/index.php?topic=5248019.0)
2FA practical guide (https://www.kaspersky.com/blog/2fa-practical-guide/24219/) and 2FA notification trap (https://www.kaspersky.com/blog/2fa-notification-trap/23819/) (from Kaspersky.com)
5 different two-step authentication methods to secure your online accounts (https://www.howtogeek.com/232598/5-different-two-step-authentication-methods-to-secure-your-online-accounts/) and What is two-factor authentication and should I be using it (https://www.howtogeek.com/117047/htg-explains-what-is-two-factor-authentication-and-should-i-be-using-it/) (from howtogeek.com)
https://authy.com/what-is-2fa/
https://techlog360.com/two-factor-authentication-2fa/
Good topics on security and privacy (https://bitcointalk.org/index.php?topic=5239098.0)
https://bitcasino.io/blog/cryptocurrency/what-is-2fa-and-why-is-it-so-important-



Updates

https://twofactorauth.org/

https://twofactorauth.org/ lists plenty of entities (including cryptocurrency) which implemented 2FA and separates them into realms like Banking, Betting, Finance, Email etc., 32 titles in all. Those realms can even be filtered by region. It can even be run locally: https://github.com/2factorauth/twofactorauth



Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Charles-Tim on June 26, 2020, 06:17:48 PM
Some people screenshot the 2FA backup QR codes, including the backup words and characters; some also store the backup in their phone's notes. This is a poor and non-recommended way to back up 2FA. Instead, you should print it on paper, laminate it and put it in a place safe from damage and intruders (hackers).

We also need to be careful of hackers. Any device our wallets or our 2FA apps are installed on, we need to make safe from malware. A trojan horse is able to reveal the 2FA code, and there is also malware like rootkits that can reveal detailed information stored on your device; in this way, it can steal the 2FA backup screenshot.

Make sure your device is free from malware, and make a paper-printed 2FA backup.

There is also one I would like you to include: andOTP 2-factor authenticator. It is also good and open source.



Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Bitcoin_Arena on June 26, 2020, 11:07:35 PM
Another very important point is that the authentication software should be on a totally separate device from the one you use to log into your accounts or apps. Keeping the authentication software on the same device you use to log into your accounts defeats the purpose of authentication.
For example, if you usually use your computer to log into your accounts, your authentication software/app should be on a separate device like your tablet or mobile phone that you don't use for logging into your accounts.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: GreatArkansas on June 27, 2020, 02:53:47 AM
The first time I tried to use Two-Factor Authentication (2FA), I tried Google 2FA on my Android phone, and after a few months I switched to Authy, since with Authy you can input your email address or phone number there.
Does anyone have ideas about which of these two is better, or the difference between them, Google 2FA and Authy? I still haven't explored Authy 2FA much.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on June 27, 2020, 03:48:47 AM
The first time I tried to use Two-Factor Authentication (2FA), I tried Google 2FA on my Android phone, and after a few months I switched to Authy, since with Authy you can input your email address or phone number there.
Does anyone have ideas about which of these two is better, or the difference between them, Google 2FA and Authy? I still haven't explored Authy 2FA much.
I am not sure about the difference, but I saw mk4 commented with this post and I think he makes a point that storing private things yourself is better. It is not only about 2FA backups but generally also about synchronisation across devices. I don't want to synchronise everything I do across devices. If one of my devices is compromised, my data will be leaked. That's not good.
Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, on an encrypted flash drive and such, then try out Aegis.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: smyslov on June 27, 2020, 07:00:32 AM
The first time I tried to use Two-Factor Authentication (2FA), I tried Google 2FA on my Android phone, and after a few months I switched to Authy, since with Authy you can input your email address or phone number there.
Does anyone have ideas about which of these two is better, or the difference between them, Google 2FA and Authy? I still haven't explored Authy 2FA much.

It's highly recommended that you put the safest and proven authentication on your emails and wallets. It's part of your education to understand how hackers attack and what the vulnerable points are in your online ventures. Always get updates about security and the tools you are using, and you are good to go and can sleep soundly.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on June 27, 2020, 08:30:41 AM
QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: minairia3 on June 27, 2020, 10:06:29 AM
QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.
I'm using it as a backup for some of my crypto asset wallets. How can you say that? A QR code likely has more potential than the character type. When you use it for a transaction, the confirmation would simply be guaranteed, unlike characters, where you use a copy-paste method and malware can change the address when you paste it.

I would be interested if you can expound the reason for this.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: jademaxsuy on June 27, 2020, 10:31:20 AM
QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.
It is true. I never ever use a QR code when storing 2FA secret codes. I'd rather use the code itself and write it on paper, for example, or store it on a flash drive; then you can keep it safe from leaking. It seems you are using Google Authenticator. Is it because you can sync your account from the current device to another device? In my opinion that is good, but it also has the disadvantage that the company that created that platform may have access to your credentials, which is bad. I have been using Google Auth and Authy for 2 years.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on June 27, 2020, 12:22:08 PM
Why ( :o real bewildered look on my face)? A QR code is just a specific mapping of the secret code expressed in characters. I can't tell the difference between them when it's a matter of choosing a backup. But, at the same time, a QR code ensures better data security when transferring across devices.
When the map is broken, you have nothing to recover your 2FA, but with the secret key, if one of the characters is blurred or broken, you can still guess it from what is left of the broken character.
Remember that there are two layers of backup: backup codes, and the 2FA secret key (or bar code). I advise you to back up both of them, or if you choose only one to back up, it should be the 2FA secret key, not the bar code. With the secret key, it will be easier to guess if a character or figure is blurred a little bit, but with a bar code there is almost nothing you can do. Of course, saving your 2FA secret key backups as well as possible is a must.

I'm using it as a backup for some of my crypto asset wallets. How can you say that? A QR code likely has more potential than the character type. When you use it for a transaction, the confirmation would simply be guaranteed, unlike characters, where you use a copy-paste method and malware can change the address when you paste it.
They are different things here: backup and transaction. What I meant is backup, not transactions. For transactions, you should check a few first and last characters. Check a few in the middle, or all of the characters, if you want to do so.
How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776.0)

Correct me if I am wrong (I could be wrong). Thanks.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Charles-Tim on June 27, 2020, 01:06:28 PM
It is true. I never ever use a QR code when storing 2FA secret codes. I'd rather use the code itself and write it on paper, for example, or store it on a flash drive; then you can keep it safe from leaking. It seems you are using Google Authenticator. Is it because you can sync your account from the current device to another device? In my opinion that is good, but it also has the disadvantage that the company that created that platform may have access to your credentials, which is bad. I have been using Google Auth and Authy for 2 years.
You still do not give valid reason why QR code is not good for 2FA backup.

or store it on a flash drive; then you can keep it safe from leaking
This method is not good enough. You can write it down on paper, like you once said, and you can laminate it for more safety.

When the map is broken, you have nothing to recover your 2FA, but with the secret key, if one of the characters is blurred or broken, you can still guess it from what is left of the broken character.
When backing up QR code, the secret code is included.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on June 27, 2020, 01:39:10 PM
Google Authenticator: Android, iOS
Duo Mobile: Android, iOS
Microsoft Authenticator: Android, iOS
Free OTP: Android, iOS
Authy: Android, iOS, Windows, macOS, Chrome
Yandex.key: Android, iOS
Aegis (https://getaegis.app/): Android
Most of these are not open source and do not allow proper encrypted back ups. Google Authenticator in particular is awful in this regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis (https://getaegis.app/) or AndOTP (https://github.com/andOTP/andOTP)
iOS - Tofu (https://www.tofuauth.com/) or Authenticator (https://mattrubin.me/authenticator/)

Authy makes backup easier; it has a secure cloud for the backup
Cloud storage is frequently hacked, and should not be used for sensitive data or back ups. A better option is to use one of the apps I listed to make an encrypted back up locally.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: libert19 on June 27, 2020, 01:41:19 PM
I relate to type 3 (being too lazy lmao), anyway I used to use Google authenticator but the access of codes on app open, no encryption and hassle of backup made me switch to Aegis. It's much better.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on June 27, 2020, 02:29:00 PM
Google Authentication is basically good there's no problem here
Except it isn't open source and it doesn't allow you to make secure, encrypted back ups. Not to mention it's owned and operated by Google, the worst company on the planet when it comes to respecting users' privacy.

Choose one of the free and open source alternatives I listed above.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Luzin on June 28, 2020, 06:48:59 AM
The first type is less secured and more risky because there are SIM swapping attacks (for SMS, voice code) and if you rely on email, your account will be compromised if hackers have access to your email.
Some exchanges combine email and 2FA. In my experience, when logging in to Bittrex or Indodax I have to confirm the email, and after that enter the 2FA code. It makes it longer, but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately this is only done when the IP address changes; if every login required confirming email and 2FA, I think that would be good.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on June 28, 2020, 06:52:41 AM
Some exchanges combine email and 2FA. In my experience, when logging in to Bittrex or Indodax I have to confirm the email, and after that enter the 2FA code. It makes it longer, but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately this is only done when the IP address changes; if every login required confirming email and 2FA, I think that would be good.
It will be required if you log in to your account on a new device or with a new IP address. Logging in on the same device and same IP address doesn't force you to confirm the login activity by email confirmation.

Binance has a similar requirement too.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on June 30, 2020, 09:55:02 AM
If someone is scared of Google then Authentication can be installed on the old smartphone and used when radio-module is deactivated.
True, but I still think it's a better option to just avoid Google products altogether. Further, if you use a device with no connectivity, you will have to manually make sure the clock is accurate, as any drift from the real time can result in incorrect codes being generated.

The data it holds  can be sealed by biometrics
Biometrics are one of the least secure forms of protecting data, with many fingerprint and facial scanners being fairly easy to fool or bypass. Better to secure your 2FA with a strong password.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Lordhermes on June 30, 2020, 03:05:38 PM
I find it easy to use 2FA because it's not stressful and easily understandable. The email and phone number security methods are somehow open to hackers, and many users have fallen victim to such attacks. I can remember when unknown users sent withdrawal requests to my email because I hadn't set up an authentication method.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Luzin on June 30, 2020, 03:37:32 PM
...with many fingerprint and facial scanners being fairly easy to fool or bypass. Better to secure your 2FA with a strong password.
How can that be? Many articles discuss biometrics as the authentication of the future. Code theft will be difficult, although this can happen.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: chinedu4210 on June 30, 2020, 06:08:25 PM
I highly recommend Google authentication for your encryption; you have total control of your account without an intruder gaining access to your account.
The QR code backup can be compromised and your data forever lost.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on June 30, 2020, 07:06:42 PM
How can that be? Many articles discuss biometrics as the authentication of the future. Code theft will be difficult, although this can happen.
There are multiple problems with biometrics.

First, how easy they are to break. You leave your fingerprints on everything that you touch, including the very device you are using biometrics to unlock. An attacker can print a 3D model of your finger good enough to fool the most advanced fingerprint readers in a matter of minutes. Have a look at this: https://imgur.com/gallery/8aGqsSu. Face scanning on many phones can be beaten with a simple photo, like one of the ones most people have posted all over the internet and their social media accounts.

Second, if you are in the US (and some other jurisdictions - check your own), law enforcement can force you to unlock a device using your fingerprint or face. They cannot force you to hand over your passwords.

Third, biometrics can never be changed if they are hacked or compromised like a password can.

There is a reason that phones require you to enter your PIN or password after you reboot them before you can use your biometrics again. Biometrics are not secure.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: Luzin on July 01, 2020, 02:53:25 PM
First, how easy they are to break. You leave your fingerprints on everything that you touch, including the very device you are using biometrics to unlock. An attacker can print a 3D model of your finger good enough to fool the most advanced fingerprint readers in a matter of minutes.
Yes, you are right, you can get fingerprints from there. But I think this is also difficult and like in Hollywood movies. This requires physical objects, so it is difficult to get fingerprints online, except by hacking the database storage for authentication files.

Second, if you are in the US (and some other jurisdictions - check your own), law enforcement can force you to unlock a device using your fingerprint or face. They cannot force you to hand over your passwords.
I think this coercion is carried out by law as a result of illegal actions; other passwords can also be unlocked if forced to be recognized by law and the owner gives it.

Sorry, this is just my opinion. Correct me if I'm wrong.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on July 09, 2020, 02:40:21 PM
This requires physical objects, so it is difficult to get fingerprints online, except by hacking the database storage for authentication files.
Sure, but hardly anyone is using a fingerprint scanner directly connected to their home computer to unlock an account on an online website. Almost everyone is using a fingerprint scanner to unlock their phone which contains their 2FA app. If someone steals your phone then they can reconstruct your fingerprint from the fingerprints you have left on the phone itself and then use that to unlock it. Fingerprint scanners on phones are only one step above writing your PIN on a sticky note and attaching it to your bank card. Use passwords.

if forced to be recognized by law and the owner gives it.
"And the owner gives it" is the crucial point here. Law enforcement can physically restrain you and use your fingerprint or face to unlock your phone. They can't do that with passwords.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: tvplus006 on July 13, 2020, 08:43:57 PM
I find it easy to use 2FA because it's not stressful and easily understandable. The email and phone number security methods are somehow open to hackers, and many users have fallen victim to such attacks. I can remember when unknown users sent withdrawal requests to my email because I hadn't set up an authentication method.

2FA and an email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to your 2FA but also to your e-mail, which will help them get full control of your account.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: jerry0 on October 06, 2020, 04:27:40 PM
Which two factor is the best?  Google authenticator or just Authy?


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on October 06, 2020, 04:35:18 PM
Which two factor is the best?  Google authenticator or just Authy?
Try to use better apps, which need to be open-source.

Most of these are not open source and do not allow proper encrypted back ups. Google Authenticator in particular is awful in this regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis (https://getaegis.app/) or AndOTP (https://github.com/andOTP/andOTP)
iOS - Tofu (https://www.tofuauth.com/) or Authenticator (https://mattrubin.me/authenticator/)


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: cryptowhitewalker on October 26, 2020, 03:53:27 PM
This is resourceful advice, OP; I can't emphasize enough how much you will be appreciated by many for clearing this up. 2FA is always a better solution than any other digital authentication alternative out there. SMS has its risks, as does biometrics.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: masulum on October 30, 2020, 12:34:21 PM

2FA and an email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to your 2FA but also to your e-mail, which will help them get full control of your account.

I have also thought about this a few times before, and I don't have any better option than my current way. So basically I'm using ESET Mobile Security (not promoting them/affiliated with them, just sharing my way), which allows me to lock my phone in case it is lost by pairing it with another phone number. The command is also easy: just send an SMS from the paired number to the number of our lost phone.

I don't know how safe using this third party is; at least I can lock my phone from another device easily without internet. And using this service I can lock our important applications such as our 2FA. (DWYOR&DYOR)


About using open source 2FA: unfortunately, most services currently use Google 2FA even though there are no more updates for this service. How can we choose another 2FA if the site still uses Google 2FA? Maybe someone can explain more about this, since lots of people say Google 2FA is not safe etc., but exchanges still prefer to use this service. How can we (as users) move to open source?


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on October 31, 2020, 10:18:55 AM
About using open source 2FA: unfortunately, most services currently use Google 2FA even though there are no more updates for this service. How can we choose another 2FA if the site still uses Google 2FA? Maybe someone can explain more about this, since lots of people say Google 2FA is not safe etc., but exchanges still prefer to use this service. How can we (as users) move to open source?
There is nothing special about Google 2FA. Any 2FA app should work.

Very simply, when you set up 2FA, the site displays for you a shared secret. This is usually in the form of a QR code, but sometimes it is a string of characters. Ideally sites will show you both - a QR code you can scan with your app and a string of characters you can write down as a back up. When you need to enter the 2FA code in the future, your app will combine that shared secret with the current time (floored to the nearest 30 seconds), hash it, and use part of the result to generate your 6 digit 2FA code. The website will do the same thing, and check that what you have entered matches what they have calculated.

The process for combining the secret with the time and hashing it is standardized, and all 2FA apps and websites do it the same way. (There is more info here if you are interested: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm). Given that, although the website says Google 2FA, any good open source 2FA app should work. See my post on the previous page of this thread (https://bitcointalk.org/index.php?topic=5258244.msg54692249#msg54692249) for some good open source 2FA apps.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: masulum on October 31, 2020, 12:29:34 PM
Thank you for your explanation of how it works, but the main issue is not how it works, but how we can use open source 2FA if most services currently only have Google 2FA on their services. So far, on the services I use, I see no other 2FA options except SMS/email verification.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on October 31, 2020, 02:08:04 PM
Ideally sites will show you both - a QR code you can scan with your app and a string of characters you can write down as a back up.
To back up 2FA for recovery or installation on other devices, I'd prefer to choose the second method: write it down on the paper or save it in password managers like https://keepass.info/ or https://bitwarden.com/

When you need to enter the 2FA code in the future, your app will combine that shared secret with the current time (floored to the nearest 30 seconds), hash it, and use part of the result to generate your 6 digit 2FA code. The website will do the same thing, and check that what you have entered matches what they have calculated.
I had trouble with the timer on my device a few times. 2FA worked smoothly, but suddenly one day it was broken. Any time I entered the 2FA code to log in to my account, it failed. I had to check and correct the timer on my devices to make 2FA work again. I don't know the reason why the timer broke like that. Could you explain it, please?


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: o_e_l_e_o on October 31, 2020, 03:05:50 PM
if most services currently only have Google 2FA on their services. So far, on the services I use, I see no other 2FA options except SMS/email verification.
I'm not entirely sure what you mean here, perhaps because I do not use any Google products so I'm not aware of what their 2FA options are. If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

If the service only offers SMS or email verification for 2FA, then you obviously can't use an app - you can only use what the site offers. Both of these are not great choices, but you can make it slightly better by using a different email address with a different password to the one you use to log in to the account, or by using a burner phone with a number you do not use for anything else and which you never use to access the services in question.

write it down on the paper or save it in password managers like https://keepass.info/ or https://bitwarden.com/
The issue with that is if you store the password to the service in question in the same password manager. If someone can access both your password and your 2FA by compromising a single source - in this case, your password manager - then your 2FA isn't really a second factor at all, it is both factors rolled in to one.

I had to check and correct the timer on my devices to make 2FA work again. I don't know the reason why the timer broke like that. Could you explain it, please?
I can't explain the specifics, but the way that most 2FA apps work is to take the current time, round it down to the nearest 30 seconds, and use that along with the shared secret to generate a code. Therefore, the code will change every 30 seconds as the time updates every 30 seconds. If the clock on your device and the clock on the service are out of sync with each other by 30 seconds, then the code you generate will always be different to the code the service is generating, and so they will never match until you resync your timer.
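The computation described in the earlier post in this thread (shared secret + current time floored to 30 seconds, hashed, truncated to 6 digits) and the clock-drift failure explained just above, worked through as an added example that is not code from the thread or from any of the apps named in it. It implements RFC 6238 TOTP over HMAC-SHA1 with the secret in the base32 form sites display; the secret below is the RFC's own test value, embedded as constructed input, and the server-side verifier with a tolerance window is an assumption about how a service might handle small drift, not a description of any particular exchange.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # time step in seconds (RFC 6238 default; the "nearest 30 seconds" in the thread)
DIGITS = 6   # length of the displayed code

# Constructed input: the RFC 4226/6238 test secret "12345678901234567890" as base32,
# i.e. the character string a site would show next to its QR code.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(base32_secret: str) -> bytes:
    """Decode the secret as sites display it: base32, spaces and lowercase tolerated."""
    s = base32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore any padding the site stripped
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(base32_secret: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the Unix time floored to the step, so codes change every 30 s."""
    return hotp(decode_secret(base32_secret), unix_time // step, digits)


def verify_totp(base32_secret: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step or +/- `window` adjacent steps.

    A window of 0 is the strict case from the thread: a phone that is one step (30 s)
    behind or ahead never matches. A window of 1 tolerates exactly that much drift."""
    secret = decode_secret(base32_secret)
    counter = server_time // STEP
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta)
        if hmac.compare_digest(candidate, submitted):   # constant-time compare
            return True
    return False


def drift_demo(base32_secret: str, server_time: int, drift_seconds: int):
    """Return (server's code, phone's code) when the phone clock is drift_seconds off."""
    return totp(base32_secret, server_time), totp(base32_secret, server_time + drift_seconds)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("5 s drift   :", drift_demo(RFC_TEST_SECRET, 45, 5))    # same step, same code
    print("30 s drift  :", drift_demo(RFC_TEST_SECRET, 45, 30))   # next step, different code
```

A phone with no network connection (as suggested earlier in the thread) has no NTP to correct its clock, which is exactly when the 30-second mismatch shown by `drift_demo` appears.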


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: masulum on November 01, 2020, 12:11:30 AM
If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

I understand now; the point is that we can scan Google 2FA barcodes with other applications running 2FA. So far, I thought that if the only choice on a service was Google 2FA, then we could only use Google 2FA. From your explanation, I tried to scan the 2FA key (on the service that mentioned Google 2FA) using Aegis on my phone, and it worked. I only understood this today, and I was wrong all this time thinking that Google's 2FA can only be used with Google. Thank you very much for this knowledge.


Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: xenon131 on November 16, 2020, 04:17:50 PM




Title: Re: Authentication: Types, Risks/ Attacks, Advice
Post by: OcTradism on November 30, 2020, 06:11:11 AM
Hi, could you add to the OP this resource: https://twofactorauth.org/ lists plenty of entities (including cryptocurrency) which implemented 2FA and separates them into realms like Banking, Betting, Finance, Email etc., 32 titles in all. Those realms can even be filtered by region. It can even be run locally: https://github.com/2factorauth/twofactorauth
It is a new website and helpful for authentication on our devices. I would not have known about it if you hadn't told me.

For newbies who use exchanges, merchants and marketplaces: setting up your 2-factor authenticator is important to protect your account and money and prevent potential hacks. SMS codes should not be used after your account registration and email verification if you decide to activate 2FA for your account. Choose a good 2FA app and back up the code for recovery.