Bitcoin Forum

Economy => Service Discussion => Topic started by: bagongo on October 08, 2020, 07:53:56 PM



Title: 2FA app on desktop
Post by: bagongo on October 08, 2020, 07:53:56 PM
This is a question regarding security best practices:

When logging frequently onto exchanges that require 2FA for access, do you guys think it would be safe to use the desktop version of your go-to 2FA app rather than always using it on a separate device, e.g. a mobile phone?

It seems like a bit of a convenience/security trade-off to me. But I would like to have your opinion on the magnitude of possible security loss... Thank you!


Title: Re: 2FA app on desktop
Post by: Fatemablabla on October 08, 2020, 08:00:14 PM
Google Chrome officially has its own 2FA plugin, but I have never used it. I think 2FA should always be on a separate device. It gives you more security.

Otherwise, if a hacker hacks your PC or browser, he can easily access your 2FA, and that 2FA security is of no use to you at that moment. So I won't suggest that you use any 2FA app on your PC.


Title: Re: 2FA app on desktop
Post by: logfiles on October 08, 2020, 08:07:09 PM
If you are using the same desktop to access your exchanges then you kill the purpose of 2FA. 2-Factor Authorization is meaningful when the authenticator app is on a different device and your exchange's account is accessed through another. If anything goes wrong and the attacker accesses your desktop, he would try to sign in to your exchanges but won't be able to access your authenticator app, which is on another device. But if everything is on the same device, you are making everything easy for the attacker.


Title: Re: 2FA app on desktop
Post by: Asuspawer09 on October 08, 2020, 08:12:35 PM
This is a question regarding security best practices:

When logging frequently onto exchanges that require 2FA for access, do you guys think it would be safe to use the desktop version of your go-to 2FA app rather than always using it on a separate device, e.g. a mobile phone?

It seems like a bit of a convenience/security trade-off to me. But I would like to have your opinion on the magnitude of possible security loss... Thank you!


Most of the people here in the forum would not recommend this. I think only Microsoft has a 2FA authenticator as an application on Windows.

A Google Chrome plug-in as a Google Authenticator is a fake one, but I've never tried the official Google Chrome 2FA plugins, and I will not recommend them, because if your computer is already compromised, 2FA could easily be bypassed. Personally, I would recommend Aegis, but you could still use Google Authenticator if you want to, just to have a second layer of protection.

Check here for more applications that you could use and recommendations.

https://bitcointalk.org/index.php?topic=5262689.0


Title: Re: 2FA app on desktop
Post by: o_e_l_e_o on October 08, 2020, 08:19:05 PM
If you are using the same desktop to access your exchanges then you kill the purpose of 2FA.
This. It isn't a second factor if it is the same device. I bet the same computer you would have your 2FA app on also has your email username and password and your exchange accounts' usernames and passwords saved in a browser. If an attacker accesses your computer, they have both your factors rolled into one.

It's similar to people who use a code sent to the same email address which they have used to sign up for that website/exchange/service as their 2FA. If an attacker accesses your email, they can reset your password with it and also receive your 2FA code with it. If both factors can be accessed by compromising a single system - your computer in the first example or your email in this second example - then it isn't 2FA.

Just use a mobile app (or even better, a hardware key) like is recommended.


Title: Re: 2FA app on desktop
Post by: Bitcoin577 on October 08, 2020, 08:19:47 PM
If you are using the same desktop to access your exchanges then you kill the purpose of 2FA. 2-Factor Authorization is meaningful when the authenticator app is on a different device and your exchange's account is accessed through another. If anything goes wrong and the attacker accesses your desktop, he would try to sign in to your exchanges but won't be able to access your authenticator app, which is on another device. But if everything is on the same device, you are making everything easy for the attacker.
Being a newbie, I am studying these security-related issues, so it's very helpful for me. Now I am going to do this as you already advised, because I was also thinking of downloading it on the same desktop, but now it's really important to have this on another device for better security, which will help in any serious issue regarding my wallets and exchange accounts.


Title: Re: 2FA app on desktop
Post by: BitMaxz on October 08, 2020, 08:33:23 PM
Well, for me, both of them are fine, but if you want to keep it safe and far from thieves, it's best to use a desktop because you can only use it in your home.

But a phone is much easier to use, and you can use the 2FA from your phone anytime, anywhere, unlike a desktop.

For safety purposes, always back up the secret key on your desktop (a device that is always in your home) so that in the future you are able to recover your 2FA.
Don't download or use unknown apps; always use a 2FA app that has been tested by many users, like Google Authenticator on Android/iOS.


Title: Re: 2FA app on desktop
Post by: Welsh on October 08, 2020, 09:07:24 PM
This is good advice when it comes to anything relating to computing; compartmentalization is a brilliant foundation for security, whether that will be for files, Bitcoin, credentials or two factor authentication. Ideally, you want to have as many devices to isolate each piece of information as possible, and the same goes for 2 factor authentication. For example, if you have an exchange account which you access via your email, and 2 factor authentication through an app for both the exchange, and the email you would ideally have two devices for two different 2 factor authentication apps for the exchange, and the email.  Now, this can quickly become tedious, and sometimes unwarranted, and I understand that this is a more extreme measure to take, but you should take your security seriously when it comes to anything computing, and not just Bitcoin.

- Do not use the same device for access to your account & two factor authentication.
- Do not store credentials on the same device unless they're encrypted.
- Try to compartmentalize wherever possible.


For safety purposes, always back up the secret key on your desktop (a device that is always in your home) so that in the future you are able to recover your 2FA.
Don't download or use unknown apps; always use a 2FA app that has been tested by many users, like Google Authenticator on Android/iOS.
It's good advice, but be sure to store this offline. I wouldn't even print it, and I would copy it out by hand. Verify that it works (most services offer a way to verify a backup seed securely). I'm not a big fan of Google-run companies due to privacy issues, and the fact that I believe Google authentication is closed source. I would always recommend open source software whenever possible, unless it's poorly coded to begin with, I would say that would be better than most "trusted" closed-source applications.
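
Several replies in this thread turn on where the 2FA secret key (seed) is kept and on verifying a backup of it. As an added illustration (not code from any poster or from any authenticator app), this Python sketch implements standard RFC 6238 TOTP to show that a code depends only on the seed and the clock, so any readable copy of the seed acts as a full authenticator, and that a hand-copied backup with one wrong character no longer matches. The seed is the RFC's published test secret; `normalize_seed`, `server_accepts` and `demo` are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test secret, base32-encoded the way a
# site displays it next to the enrolment QR code. It protects no real account.
SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def normalize_seed(seed_text):
    """Decode a seed as a person retypes it: lower case, spaces or dashes."""
    cleaned = "".join(ch for ch in seed_text.upper() if ch not in " -\t\n")
    cleaned += "=" * (-len(cleaned) % 8)  # base32 wants a multiple of 8 chars
    return base64.b32decode(cleaned)


def totp(seed_text, unix_time, digits=6, step=30):
    """RFC 6238 TOTP using HMAC-SHA1, the usual authenticator-app default."""
    key = normalize_seed(seed_text)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed_text, code, unix_time, window=1, step=30):
    """Server-side check: current time step plus or minus `window` steps."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        expected = totp(seed_text, t, len(code), step)
        ok |= hmac.compare_digest(expected, code)
    return ok


def demo(now=1111111109):
    """Compare the phone app, a retyped backup, and a miscopied backup."""
    phone_code = totp(SEED_B32, now)

    # A backup copied out by hand and retyped in groups of four, lower case.
    handwritten = " ".join(SEED_B32[i:i + 4].lower() for i in range(0, 32, 4))
    backup_code = totp(handwritten, now)

    # The same backup with a single wrong final character.
    wrong_last = "R" if SEED_B32[-1] != "R" else "S"
    miscopied = SEED_B32[:-1] + wrong_last

    return {
        "phone": phone_code,
        "backup": backup_code,
        # Whoever can read the seed gets the same codes as the phone does.
        "backup_matches_phone": backup_code == phone_code,
        "server_accepts_backup": server_accepts(SEED_B32, backup_code, now),
        # 8 digits are compared here so a chance match is negligible.
        "miscopied_matches": totp(miscopied, now, 8) == totp(SEED_B32, now, 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same property is why a seed kept in a plain file on the login machine puts both factors on one system, while an offline copy is only useful if it was transcribed exactly.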


Title: Re: 2FA app on desktop
Post by: sunsilk on October 09, 2020, 08:03:17 AM
For safety purposes, always back up the secret key on your desktop (a device that is always in your home) so that in the future you are able to recover your 2FA.
This is what I've done. I have my authenticator on my phone while the backup is on my desktop but I've put it into a hidden folder. I've also made another backup through a flash drive just to be sure that I had enough backup.

Well, for me, both of them are fine, but if you want to keep it safe and far from thieves, it's best to use a desktop because you can only use it in your home.
I'm about to change my phone and have been thinking about this. My thought is also telling me that it's fine, but after reading all of those suggestions that it's way better to have it separately, I think I'll just keep the backups on my PC but the authenticator itself on another device.


Title: Re: 2FA app on desktop
Post by: NeuroticFish on October 09, 2020, 08:12:39 AM
For safety purposes, always back up the secret key on your desktop (a device that is always in your home) so that in the future you are able to recover your 2FA.
Don't download or use unknown apps; always use a 2FA app that has been tested by many users, like Google Authenticator on Android/iOS.

Lately, better alternatives to Google Auth have been made. I have been using Aegis Authenticator for some months now, and that one has a built-in export to make things easier.
Safekeeping backups of 2FA seeds or the database is indeed a must.


Title: Re: 2FA app on desktop
Post by: Lorence.xD on October 09, 2020, 08:37:02 AM
Google Chrome officially has its own 2FA plugin, but I have never used it. I think 2FA should always be on a separate device. It gives you more security.

Otherwise, if a hacker hacks your PC or browser, he can easily access your 2FA, and that 2FA security is of no use to you at that moment. So I won't suggest that you use any 2FA app on your PC.
It does not matter where you use your 2FA; they are relatively the same. Yes, it looks secure on your phone, but I think they have the same function. What we need is not stronger authentication but stronger security for the websites we use, over which we do not have control, as it is up to the business to upgrade their security.


Title: Re: 2FA app on desktop
Post by: mk4 on October 09, 2020, 08:57:48 AM
If you are using the same desktop to access your exchanges then you kill the purpose of 2FA. 2-Factor Authorization is meaningful when the authenticator app is on a different device and your exchange's account is accessed through another. If anything goes wrong and the attacker accesses your desktop, he would try to sign in to your exchanges but won't be able to access your authenticator app, which is on another device. But if everything is on the same device, you are making everything easy for the attacker.

This. Though I'd say that using a 2FA app on your desktop is still miles better than not using 2FA at all, because the 2FA authentication can still help you if a certain password database on a website you use gets leaked (please don't re-use passwords, use a password manager), I'd rather not have the 2FA on my desktop. I mean, there's a 99% chance that you personally own a smartphone anyway, so why not use a mobile 2FA instead?


Title: Re: 2FA app on desktop
Post by: Jawhead999 on October 09, 2020, 09:01:06 AM
It does not matter where you use your 2FA; they are relatively the same. Yes, it looks secure on your phone, but I think they have the same function.
It doesn't just look secure; it is more secure. At least you are doing your best to protect your funds rather than paving the way for the hackers.

Quote
What we need is not stronger authentication but stronger security for the websites we use, over which we do not have control, as it is up to the business to upgrade their security.
No system is safe; every website always has vulnerabilities in its security. Since we're talking about an exchange, every exchange would get hacked even though they have good security. They only wait for the time to come...


Title: Re: 2FA app on desktop
Post by: verita1 on October 09, 2020, 09:17:22 AM
I have used the 2FA Authy mobile version app because it has a better design and convenience. Also, Google's 2FA app is good. As these apps are vital and provide you with the necessary security to carry out transactions, it is recommended that you keep your passwords in a safe place. You can always access all the 2FA that you have saved in the Authy app if you change devices just by entering your passwords.


Title: Re: 2FA app on desktop
Post by: sheryllanka on October 09, 2020, 10:41:26 AM
For me, a mobile 2FA app is just enough, because you hold your cellphone wherever you go and whatever you do; it is part of our personal use. But on a desktop, there are a lot of information technology experts who could cause you to lose your private documents, even your 2FA.


Title: Re: 2FA app on desktop
Post by: michellee on October 09, 2020, 10:49:44 AM
I prefer to use another device such as a mobile phone, which is not used to install only the 2FA apps than to install on my desktop. That will be safer for me because if my desktop crashes or has a problem, I still have my 2FA on the other device. But if you think that you will not have a problem installing on the same desktop, you can do that. We are free to use whatever we want, but please remember that we need to know the risk before we use it, so we don't feel too regretful.


Title: Re: 2FA app on desktop
Post by: vapourminer on October 09, 2020, 11:20:48 AM
2fa should always be on a separate device, that's the point. maybe it should have been called "2nd device authentication" instead.

something like a yubikey or its equivalent is the best option IMO. the client (or website, whatever) will prompt you to insert it into a usb port (some support NFC also, so can be used for phones too). associate at least two in case you lose one, and keep the 2nd (or multiple) off site somewhere in case of loss.

https://www.yubico.com/
(i am not affiliated in any way)


Title: Re: 2FA app on desktop
Post by: Shimmiry on October 09, 2020, 02:34:05 PM
This is a question regarding security best practices:

When logging frequently onto exchanges that require 2FA for access, do you guys think it would be safe to use the desktop version of your go-to 2FA app rather than always using it on a separate device, e.g. a mobile phone?

It seems like a bit of a convenience/security trade-off to me. But I would like to have your opinion on the magnitude of possible security loss... Thank you!


2FA is just a security addition for those users who prefer much more secure accounts, especially in their crypto-space. No matter what device you use 2FA apps on, you would still be vulnerable if you kept visiting untrusted websites or downloading from anonymous torrent links. But with regards to security, it would depend on what device and operating system you are using; some OSes such as Android (Mobile) and Microsoft (PC) are less secure, hence no matter what device you've installed your two-factor authenticator on, you would still be vulnerable.


Title: Re: 2FA app on desktop
Post by: hugeblack on October 09, 2020, 05:44:54 PM
If you do not care about security, why do you enable this feature? The more you use it wisely, the more you will benefit from it. And using it carelessly is a restriction and a waste of your time.

You need to use it on another device that is not connected to the Internet or at least be sure that that device is safe. So, if you guarantee that your computer is safe, you are fine. The question is if your computer is secure then this feature is not required.


Title: Re: 2FA app on desktop
Post by: hulla on October 09, 2020, 06:03:09 PM
In addition to everything said before, ignore the convenience of using the go-to 2FA app on the same desktop you use to sign into your exchange account, because it will make you vulnerable to attack, and it is better to always have your 2FA app on a separate device.

Meanwhile, if you're going to use a decentralized 2FA app like Aegis, don't trust the Google Auth app.


Title: Re: 2FA app on desktop
Post by: o_e_l_e_o on October 10, 2020, 09:22:10 AM
something like a yubikey or its equivalent is the best option IMO.
Agreed. The problem with 2FA is many people just see it as a second password. That is not what it is supposed to be. It is supposed to be 2 entirely different factors, ideally something you know (a password) and something you have (a physical device). Kind of like taking money out of an ATM - you need something you have (the physical card) and something you know (your PIN).

Something that a lot of people don't know is that you can use a hardware wallet for your 2FA. Both Ledger and Trezor devices support FIDO Universal 2nd Factor Authentication (links below). If you don't want to spend money on a YubiKey or similar, then you can use your hardware wallet instead.

Ledger: https://www.ledger.com/fido-u2f
Trezor: https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-e940fd5a60af


Title: Re: 2FA app on desktop
Post by: Maus0728 on October 11, 2020, 02:38:45 AM

Something that a lot of people don't know is that you can use a hardware wallet for your 2FA. Both Ledger and Trezor devices support FIDO Universal 2nd Factor Authentication (links below). If you don't want to spend money on a YubiKey or similar, then you can use your hardware wallet instead.


Wouldn't there be a risk if we've used our hardware wallet in two-factor authentication? I've seen that we still need to use the app then connect our hardware wallets to make the authenticator work, but are there no risks involved? It seems that this is really a better choice if someone wanted to have much more secure accounts, adding up the security level of both hardware wallets you've mentioned - making it like a physical key to your safe/accounts. But still, for those who don't have any hardware wallets, YubiKeys are much cheaper if a user just wanted 2FA.

I can't wait for both Ledger and Trezor hardware wallets to be adopted soon as a key for opening desktops/laptops as an additional security measure - like a key to boot it up. ;D But AFAIK there are already programs that can make your flash drives a key, but they have a lot of loopholes for the security of a device.


Title: Re: 2FA app on desktop
Post by: joniboini on October 11, 2020, 07:03:54 AM
A risk will always be there, for example a zero-day bug or something similar. But it is definitely better than other options such as using an old 2FA plugin on the web browser that is no longer updated by the developer. In short, the question should be whether the risk is smaller or not.


Title: Re: 2FA app on desktop
Post by: o_e_l_e_o on October 11, 2020, 08:34:22 AM
Wouldn't there be a risk if we've used our hardware wallet in two-factor authentication?
There are no known vulnerabilities to using it for 2FA from a device point of view. The whole point of a hardware wallet is that you can plug it in to the most malware infected and insecure computer in the world, and your private keys will remain safely stored on the device. There is certainly a risk if you are carrying your hardware wallet around with you to use as a 2FA key in a public place, however. With both Ledger and Trezor you advertise that you own crypto and potentially make yourself a target, and with Trezor devices, if you lose it or it is stolen the seed phrase can be extracted.

But still, for those who don't have any hardware wallets, YubiKeys are much cheaper if a user just wanted 2FA.
Cheaper and simpler.


Title: Re: 2FA app on desktop
Post by: vapourminer on October 11, 2020, 12:25:33 PM
There are no known vulnerabilities to using it for 2FA from a device point of view. The whole point of a hardware wallet is that you can plug it in to the most malware infected and insecure computer in the world, and your private keys will remain safely stored on the device. There is certainly a risk if you are carrying your hardware wallet around with you to use as a 2FA key in a public place, however. With both Ledger and Trezor you advertise that you own crypto and potentially make yourself a target, and with Trezor devices, if you lose it or it is stolen the seed phrase can be extracted.

But still, for those who don't have any hardware wallets, YubiKeys are much cheaper if a user just wanted 2FA.
Cheaper and simpler.

yubikeys are also easier to explain as to why you have one. could be for work, for logging into a bank etc as they are used that way too. nothing related to crypto in other words.



Title: Re: 2FA app on desktop
Post by: Simakura on October 11, 2020, 12:27:02 PM
That is not necessarily safe, what if our PC is infected with a virus.


Title: Re: 2FA app on desktop
Post by: vapourminer on October 11, 2020, 12:29:43 PM
That is not necessarily safe, what if our PC is infected with a virus.

yubikeys are read only devices. they are immune to badusb (which can infect many general purpose usb based devices) and other such malware. so they are safe to use even if the computer it's plugged into tries to compromise it.


Title: Re: 2FA app on desktop
Post by: bL4nkcode on October 11, 2020, 01:58:35 PM
That is not necessarily safe, what if our PC is infected with a virus.

U2F keys and 2FA are just an additional layer for the security of your files/money/account/etc. It doesn't protect you from being attacked and being careless. If you think the device has malware, then don't use it, or take proper action to get rid of it.


Title: Re: 2FA app on desktop
Post by: Maus0728 on October 11, 2020, 02:45:41 PM
That is not necessarily safe, what if our PC is infected with a virus.

U2F keys and 2FA are just an additional layer for the security of your files/money/account/etc. It doesn't protect you from being attacked and being careless. If you think the device has malware, then don't use it, or take proper action to get rid of it.


Indeed. Well, apparently, viruses are just altered code attached to programs that performs various activities depending on what it is made for. But in fact, computer viruses weren't really made to do something that can compromise one's security, especially if they would use hardware authenticators as well. Also, viruses cannot simply infect a person's device without him doing unsafe and unsecured activities, both online and offline.

Therefore, you can be "safe" if and only if you have genuine antivirus and programs installed on your device, and are not downloading cracked or patched applications. Lastly, most legitimate antivirus programs nowadays tend to update their systems daily as people keep making dozens of viruses online, so they instantly blacklist any suspicious programs that may have been infected. Hence, 2FA is still the best safety precaution - regardless of your device's protection.


Title: Re: 2FA app on desktop
Post by: vapourminer on October 11, 2020, 03:27:13 PM
Also, viruses cannot simply infect a person's device without him doing unsafe and unsecured activities, both online and offline.

zeroday exploits and custom written virus/malware are a thing and can catch even the most seasoned and safety conscious IT people unaware.

Therefore, you can be "safe" if and only if you have genuine antivirus and programs installed on your device,

having AV doesn't guarantee safety. custom written viruses and malware plus zerodays get by easily. it helps but it is a combination of awareness, knowledge and safe computing practices that's best. and even then you can get a virus.

the name of the game is layered security to reduce the risk. and for that education goes a long ways.






Title: Re: 2FA app on desktop
Post by: Welsh on October 12, 2020, 07:21:46 PM
Indeed. Well, apparently, viruses are just altered code attached to programs that performs various activities depending on what it is made for. But in fact, computer viruses weren't really made to do something that can compromise one's security, especially if they would use hardware authenticators as well. Also, viruses cannot simply infect a person's device without him doing unsafe and unsecured activities, both online and offline.

Therefore, you can be "safe" if and only if you have genuine antivirus and programs installed on your device, and are not downloading cracked or patched applications. Lastly, most legitimate antivirus programs nowadays tend to update their systems daily as people keep making dozens of viruses online, so they instantly blacklist any suspicious programs that may have been infected. Hence, 2FA is still the best safety precaution - regardless of your device's protection.
Anti-viruses guard against already known malicious code, and likely malicious code. It is by no means a necessary program to have, and I would estimate most technical users opt not to use anti-virus software, and simply follow a security protocol. I follow my own protocol that I've continually developed throughout the years, and two factor authentication is included in that. However, I'm definitely vulnerable to more heinous attacks, as is everyone. New malicious code is being developed every day, and it isn't going to slow down any time soon. What you have to do is stay up to date, and adjust your habits accordingly. Even then, no one is ever 100% safe, and there will always be associated risks when connected to the internet. Two factor authentication on a dedicated device just for that would alleviate some of the problems, and as long as the network isn't compromised would be a decent way of doing it, but in truth not many people are willing to go to those lengths, and that's exactly how people get compromised.


Title: Re: 2FA app on desktop
Post by: StephenJH on October 12, 2020, 07:28:50 PM
I personally use the Authy desktop app and it is super easy to use. From the security side, you can encrypt the app data in order to prevent the attacker from gaining access to backup keys. Otherwise, the master password function is available for the Authy app; this is important to get rid of third-party access in any case. The only vulnerability is that hackers can get into the PC with remote access, which can do anything with admin rights, unfortunately.


Title: Re: 2FA app on desktop
Post by: Casdinyard on October 12, 2020, 10:42:44 PM
Even then, no one is ever 100% safe, and there will always be associated risks when connected to the internet. Two factor authentication on a dedicated device just for that would alleviate some of the problems, and as long as the network isn't compromised would be a decent way of doing it, but in truth not many people are willing to go to those lengths, and that's exactly how people get compromised.

Agreed. There are people who tend to be 'safe' yet haven't noticed their device was already infected by a virus or already had a backdoor in their computer. Nonetheless, some 2FA programs do have strong security, as none of them can be published without taking the security of their program as their main priority. Though they can be hacked through the network being compromised (especially 2FA that requires texting your phone), I think people would go that far just to get your credentials or account. I've seen a lot of dark hacking activities online, yet there are still more ethical hackers than blackhats (hopefully).


Title: Re: 2FA app on desktop
Post by: welovedcrypto on October 15, 2020, 04:45:33 PM
If you use a 2FA app on the same computer through which you access your exchanges, wallets or any other sites, then it is really not safe at all.

Use a mobile phone instead of the PC. Also, you should try to avoid using an email address on two devices (desktop and mobile). Email accounts are vulnerable and hackers may hack your mobile using your email.