Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: 8m_zk on November 09, 2020, 12:20:24 PM



Title: 2FA Google authentication
Post by: 8m_zk on November 09, 2020, 12:20:24 PM
Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's an essential security measure? Does it work very well? Then Google will have my security code, right?
I'm just afraid of doing something wrong, like losing the password or QR code, and losing my crypto.


Title: Re: 2FA Google authentication
Post by: OcTradism on November 09, 2020, 12:59:17 PM
You can get the secret code and import it into any 2FA app. It works universally.

Authentication: Types, Risks/ Attacks, Advice (https://bitcointalk.org/index.php?topic=5258244.msg54686832#msg54686832). The clarification from o_e_l_e_o is perfect.
What if most services currently just have Google 2FA on their services? So far, I'm just seeing it on the services I use; no other 2FA options except SMS/email verification.
I'm not entirely sure what you mean here, perhaps because I do not use any Google products so I'm not aware of what their 2FA options are. If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

If the service only offers SMS or email verification for 2FA, then you obviously can't use an app - you can only use what the site offers. Both of these are not great choices, but you can make it slightly better by using a different email address with a different password to the one you use to log in to the account, or by using a burner phone with a number you do not use for anything else and which you never use to access the services in question.

You can choose open source 2FA apps to use.
Most of these are not open source and do not allow proper encrypted backups. Google Authenticator in particular is awful in this regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis (https://getaegis.app/) or AndOTP (https://github.com/andOTP/andOTP)
iOS - Tofu (https://www.tofuauth.com/) or Authenticator (https://mattrubin.me/authenticator/)


Title: Re: 2FA Google authentication
Post by: BrewMaster on November 09, 2020, 03:35:26 PM
It depends on the reason why you are using 2FA (through Google Authenticator). For example, for an account that you must have and there is no other way around it (like your exchange account), it is an excellent additional security measure and you must have it. But for your wallet account (of the custodial type), you should rethink using that wallet, because your money is already not safe since you don't control it; adding 2FA will secure your account, not your money.

Then Google will have my security code, right?
As far as I know, the software does not broadcast anything unless you explicitly create a backup of your keys. So Google won't know your codes.


Title: Re: 2FA Google authentication
Post by: Abdussamad on November 09, 2020, 05:36:03 PM
The shared secret is also not the same as your bitcoin private keys or seed. It is only used to generate one-time passwords for authentication purposes.


Title: Re: 2FA Google authentication
Post by: mysterious1998 on November 09, 2020, 05:39:35 PM
I don't recommend using Google Authenticator 2FA, as it's almost impossible to recover your account once you lose your codes. I lost my device in which my codes were saved, and then I realized that I was unable to access my Google account even though my phone number was registered in Gmail. I've lost all my data and, trust me, it sucks.


Title: Re: 2FA Google authentication
Post by: coupable on November 09, 2020, 06:21:20 PM
I don't recommend using Google Authenticator 2FA, as it's almost impossible to recover your account once you lose your codes. I lost my device in which my codes were saved, and then I realized that I was unable to access my Google account even though my phone number was registered in Gmail. I've lost all my data and, trust me, it sucks.
All of your logins protected by Google Authenticator 2FA each have a backup code that can be used on another device. And if you are looking for a more secure option, try Authy; it's a nice alternative to Google Authenticator and can be secured by a single backup code, which can be used to recover the app with all the accounts within it if your device gets compromised or you accidentally erase the app.
About Google Authenticator 2FA, I didn't face problems using it, but I remember hearing that it has somehow been compromised and some hackers succeeded in logging into users' accounts using it. Not sure about this info, so maybe someone could correct it.


Title: Re: 2FA Google authentication
Post by: Charles-Tim on November 09, 2020, 06:45:00 PM
About Google Authenticator 2FA, I didn't face problems using it, but I remember hearing that it has somehow been compromised and some hackers succeeded in logging into users' accounts using it. Not sure about this info, so maybe someone could correct it.
I still remember a news item I read on Cointelegraph this year about Google 2FA being compromised. It is not the fault of the app itself; the hackers used tricks to make victims download a trojan horse that was installed on their devices. If someone cannot handle anything about malware, how can he use a bitcoin wallet or a 2FA app successfully?

Although, I am not a fan of any Google products, because Google are privacy invaders. Also, I cannot use Authy; although it is much simpler to use by synchronizing the backup to the cloud, I do not believe in such things. I prefer to keep my backups offline, which is the safest.

I don't recommend using Google Authenticator 2FA, as it's almost impossible to recover your account once you lose your codes. I lost my device in which my codes were saved, and then I realized that I was unable to access my Google account even though my phone number was registered in Gmail. I've lost all my data and, trust me, it sucks.
If losing your code is the reason you do not recommend any 2FA, then you are wrong. The best you can do is to make a backup of the 2FA backup code and store it somewhere safe from attackers and damage, yet still accessible to you. Authy could be the best for you then, but I cannot recommend it due to what I mentioned above about synchronizing with an online cloud, which makes backup recovery easier.

The best 2FA apps I have known and that I can recommend are Aegis, Authenticator and andOTP.


Title: Re: 2FA Google authentication
Post by: masulum on November 09, 2020, 10:08:11 PM
You can get secret code and import it into any 2FA app. It works universally.

Yes, I know it now; you can check my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so I thought it only worked with Google 2FA.


Title: Re: 2FA Google authentication
Post by: HCP on November 10, 2020, 02:34:23 AM
Yes, I know it now; you can check my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so I thought it only worked with Google 2FA.
Yeah, it's a common misconception that "Google Authenticator" is a "Google Only" service... you're not the first (and won't be the last) person to get confused by that. I certainly was when I first started using Google Authenticator several years ago. The sites that have implemented the 2FA service are partly to blame by calling it "Google 2FA" etc...

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error. Authy, Aegis and Authenticator (Plus) (and others) have all been able to come up with solutions, I'm not sure why Google can't? ???


Title: Re: 2FA Google authentication
Post by: tin.crypto0714 on November 10, 2020, 02:41:14 AM
Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's an essential security measure? Does it work very well? Then Google will have my security code, right?
I'm just afraid of doing something wrong, like losing the password or QR code, and losing my crypto.

Yes, it's essential. 2FA will help you secure your account, including your crypto, from hackers. I'm actually using it and my account is secured.


Title: Re: 2FA Google authentication
Post by: NeuroticFish on November 10, 2020, 09:45:31 AM
Please help me with my question concerning 2FA. Do you think it's an essential security measure? Does it work very well? Then Google will have my security code, right?
I'm just afraid of doing something wrong, like losing the password or QR code, and losing my crypto.

No, Google should not have your security code. Actually, if you lose your phone and didn't back up the seed for the authenticator properly (when you created/set up the 2FA), you'll probably lose it.
This being said, there are better alternatives to Google Authenticator, which do the same job but also allow you to keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on the timestamp. And if your phone, the auth app or the website where you try to enter it don't have the time set correctly, the code will not be accepted. (Usually a time sync of your phone fixes this.)

About losing crypto: if you use the 2FA on the same phone from which you access the web services, you weaken the security by a great deal, and if the phone is lost, stolen or compromised you may lose funds even with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline in a wallet that you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of a hardware wallet.


Title: Re: 2FA Google authentication
Post by: 8m_zk on November 10, 2020, 12:15:12 PM
Yeah, that's what I meant if I don't back up the seed for the authenticator. Thanks for the information, I'll check the alternatives to Google 2FA


Please help me with my question concerning 2FA. Do you think it's an essential security measure? Does it work very well? Then Google will have my security code, right?
I'm just afraid of doing something wrong, like losing the password or QR code, and losing my crypto.

No, Google should not have your security code. Actually, if you lose your phone and didn't back up the seed for the authenticator properly (when you created/set up the 2FA), you'll probably lose it.
This being said, there are better alternatives to Google Authenticator, which do the same job but also allow you to keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on the timestamp. And if your phone, the auth app or the website where you try to enter it don't have the time set correctly, the code will not be accepted. (Usually a time sync of your phone fixes this.)

About losing crypto: if you use the 2FA on the same phone from which you access the web services, you weaken the security by a great deal, and if the phone is lost, stolen or compromised you may lose funds even with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline in a wallet that you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of a hardware wallet.


Title: Re: 2FA Google authentication
Post by: 8m_zk on November 10, 2020, 12:17:05 PM
Thank you for your reply, I'll be checking alternatives you mentioned to Google 2FA


Yes, I know it now; you can check my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so I thought it only worked with Google 2FA.
Yeah, it's a common misconception that "Google Authenticator" is a "Google Only" service... you're not the first (and won't be the last) person to get confused by that. I certainly was when I first started using Google Authenticator several years ago. The sites that have implemented the 2FA service are partly to blame by calling it "Google 2FA" etc...

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error. Authy, Aegis and Authenticator (Plus) (and others) have all been able to come up with solutions, I'm not sure why Google can't? ???


Title: Re: 2FA Google authentication
Post by: 8m_zk on November 10, 2020, 12:20:35 PM
Yes, that's exactly what I'm afraid of, and it definitely sucks when it happens. I will be checking the alternatives that many helpful fellows recommended.



I don't recommend using Google Authenticator 2FA, as it's almost impossible to recover your account once you lose your codes. I lost my device in which my codes were saved, and then I realized that I was unable to access my Google account even though my phone number was registered in Gmail. I've lost all my data and, trust me, it sucks.


Title: Re: 2FA Google authentication
Post by: Chikito on November 10, 2020, 01:32:45 PM
I don't recommend using Google Authenticator 2FA, as it's almost impossible to recover your account once you lose your codes. I lost my device in which my codes were saved
That is your fault; a smart boy wouldn't save the backup code on the same phone. The backup code is just a number; you can easily write it on paper and keep it far away from your phone. Or if you are too lazy to write down the code, when you first set up Google Authenticator, simply make a screenshot of the barcode and print it.


Title: Re: 2FA Google authentication
Post by: masulum on November 10, 2020, 10:04:50 PM

That is your fault; a smart boy wouldn't save the backup code on the same phone.
Just because someone does badly or makes a mistake, it doesn't mean he/she is not a smart person. Thousands of people learn new things every day. From this case, people will learn to be better. Now he made a mistake storing the key on the same device, because he is new to this.


Title: Re: 2FA Google authentication
Post by: suzanne5223 on November 10, 2020, 11:59:57 PM
I don't recommend using Google Authenticator 2FA, as it's almost impossible to recover your account once you lose your codes. I lost my device in which my codes were saved
That is your fault; a smart boy wouldn't save the backup code on the same phone. The backup code is just a number; you can easily write it on paper and keep it far away from your phone. Or if you are too lazy to write down the code, when you first set up Google Authenticator, simply make a screenshot of the barcode and print it.
In a situation where security is the top priority, the backup code should only be screenshotted and printed through an air-gapped computer, or written down instead. However, there have been occasions where attackers were able to bypass Google Authenticator, and I will advise the OP to use an open source and decentralized authenticator like Aegis.


Title: Re: 2FA Google authentication
Post by: Pmalek on November 11, 2020, 11:56:32 AM
And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error.
I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed to storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died.


Title: Re: 2FA Google authentication
Post by: NeuroticFish on November 11, 2020, 12:04:11 PM
And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error.
I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed to storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died.

I've done the same over the years. But also over the years I had (1 or 2) weird surprises: no seed was provided that I could save, only the QR code.
And in such cases, proper software that can do proper backups isn't "a solution for the lazy"; it's actually the better solution.

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user  :D


Title: Re: 2FA Google authentication
Post by: Pmalek on November 11, 2020, 12:11:17 PM
But also over the years I had (1 or 2) weird surprises: no seed was provided that I could save, only the QR code.
I know what you mean. I noticed this on an exchange I was forced to use occasionally many years ago.

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user  :D
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place the same as Google Authenticator, or does it come with some limitations? I am considering using Aegis myself, so it might be good to know.


Title: Re: 2FA Google authentication
Post by: NeuroticFish on November 11, 2020, 12:31:10 PM
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place the same as Google Authenticator, or does it come with some limitations? I am considering using Aegis myself, so it might be good to know.

I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
I am not sure what you mean by limitations for Aegis. It's an Android (5+) application and I think that's the only platform it was made for (at least until now). So it cannot be used "all over the place". (But that doesn't affect me, really).
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.


Title: Re: 2FA Google authentication
Post by: cabron on November 11, 2020, 12:44:20 PM

Google having our code is just something to also worry about, but just in case you can't sleep over it, don't store millions in your account. Send them to your personal wallet.

Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place the same as Google Authenticator, or does it come with some limitations? I am considering using Aegis myself, so it might be good to know.

I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
I am not sure what you mean by limitations for Aegis. It's an Android (5+) application and I think that's the only platform it was made for (at least until now). So it cannot be used "all over the place". (But that doesn't affect me, really).
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.

I didn't do this 2 years ago, and when I lost my phone I had to submit a ticket to Binance and perform the KYC again, which ended up with them wanting me to blink at the camera and provide the documents needed. It's better to just have it backed up manually, and then whenever you lose your phone, you can just scan the code again.



Title: Re: 2FA Google authentication
Post by: Pmalek on November 13, 2020, 11:14:30 AM
I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
You can now export all your codes but in an unencrypted format if I remember correctly.

I am not sure what you mean by limitations for Aegis.
Can you use it on every exchange that accepts Google Authenticator, for example. Or are there certain exchanges where Aegis can't be used, and you have to use an alternative?
 
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.
Sorry, what is the time sync ???


Title: Re: 2FA Google authentication
Post by: NeuroticFish on November 13, 2020, 03:46:33 PM
You can now export all your codes but in an unencrypted format if I remember correctly.

Nice, but late. I won't go back  :D

Can you use it on every exchange that accepts Google Authenticator, for example. Or are there certain exchanges where Aegis can't be used, and you have to use an alternative?

I have 29 2FA services in my Aegis; I didn't encounter any issues.
Basically, from one seed (text or QR) and the current time, some calculation is made and a number is shown. It's not rocket science and I see no reason to implement it (slightly) differently.
And having so many services supported (OK, I no longer actually use 3/4 of them), I think it's a good test that it's fine.
 
Sorry, what is the time sync ???

I had this issue a couple of times in the past. As I wrote, the result is based on the current time. If the time is off (on my phone or on the target web service), the result/number will not be accepted.
It happened to me especially when I traveled abroad and back; I don't know of other things that triggered this. However, Google Auth had (has!) "Time correction for codes", which I think is some sort of time sync with an atomic clock. After such a sync the codes were accepted again.
Aegis, afaik, doesn't have this.
Of course, one needs it seldom and can sync the phone's time by hand to an atomic clock, or install Google Auth briefly just for that. (I still have it installed for that sole reason, with only one dummy 2FA in it.)


Title: Re: 2FA Google authentication
Post by: HCP on November 14, 2020, 01:11:28 AM
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually?
That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app. As far as I can tell, the idea is that you go directly from GA on Device 1 to "authenticator app" on Device 2 etc... Aegis does seem to be able to read and import this single QR Code though.


Also, can Aegis be used all over the place the same as Google Authenticator, or does it come with some limitations? I am considering using Aegis myself, so it might be good to know.
I have not found any GA code that is not compatible with Aegis... again, the only issue I've had is the occasional "time sync" error, where it won't accept the code, but doing the sync in GA seems to fix that issue.


Title: Re: 2FA Google authentication
Post by: Pmalek on November 14, 2020, 08:00:55 AM
That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app. As far as I can tell, the idea is that you go directly from GA on Device 1 to "authenticator app" on Device 2 etc... Aegis does seem to be able to read and import this single QR Code though.
Great, thanks for clarifying that. I have never tested their latest "backup" method, I guess I memorized it wrongly. The method you described is safer than having to save a unique unencrypted file that some users would surely end up losing, misplacing, or leaking to third parties. From your and NeuroticFish's answer I can conclude that you are both using multiple 2FA apps. Is it possible to have authentication codes of the same site across two or more 2FA apps at the same time? 


Title: Re: 2FA Google authentication
Post by: HCP on November 14, 2020, 08:16:28 AM
Is it possible to have authentication codes of the same site across two or more 2FA apps at the same time?
Yes, it is... I have Google Authenticator, Authenticator Plus and Aegis installed and running... I have the codes for several sites in either 2 or all three of the apps without any issues.

NOTE: I mainly use Aegis these days... the other 2 are "leftovers" ;) I stopped using Authenticator Plus because it stopped getting updates (last update Dec 2018).


Title: Re: 2FA Google authentication
Post by: bob123 on November 16, 2020, 05:55:34 PM
Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually?
That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app.


This exact QR can still be used as a backup.
While the application does not allow screenshots to be taken, other applications which have the permission to add an overlay over other apps can still save that QR, so it can act as a form of backup.

Then, whenever needed, a scan with GA or other authenticator apps that support the format will restore the saved seeds.


Title: Re: 2FA Google authentication
Post by: BITDV on December 07, 2020, 04:46:41 PM
Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's an essential security measure? Does it work very well? Then Google will have my security code, right?
I'm just afraid of doing something wrong, like losing the password or QR code, and losing my crypto.

Google 2FA works very well to secure access to your private area. Actually, we cannot know whether Google will have your security code or not, because ethically Google shouldn't have it.

I've forgotten / lost Google 2FA on an exchange, and resetting old data is quite difficult. That exchange cannot send me a backup of my last security code, but they can delete my last 2FA configuration. I'm really sure that every platform has different rules about this.

It's better to have and organize your backup key.


Title: Re: 2FA Google authentication
Post by: NotATether on December 07, 2020, 05:34:45 PM
Please help me with my question concerning 2FA. Do you think it's an essential security measure? Does it work very well? Then Google will have my security code, right?
I'm just afraid of doing something wrong, like losing the password or QR code, and losing my crypto.

No, Google should not have your security code.

This is not correct. Authenticator codes are a function of the secret key and the current time, so the only way for Google to make the same code as the one you typed in Authenticator for verification purposes is if they also have the secret key. And they do, for precisely this reason. It's the only way to verify if the code you typed is correct.

That being said, other people should not be able to know the secret key, unless those people saw your screen when the secret key was first shown (because you're supposed to have only one chance to see the secret key to put it in Authenticator, when the login is first created; but then again, a site could violate this important assumption, which would allow any hacker already logged in to the account to get the secret key).

If the site in question is not Google, then of course they don't know your key - the TOTP process doesn't send anything to Google's servers.
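The mechanism NeuroticFish describes earlier in the thread (one seed plus the current time gives the number, and a phone with a wrong clock gets its code rejected) and NotATether's point that whichever site verifies the code must hold the same secret, as an added worked example that is not from any poster in this thread: a minimal RFC 6238 TOTP implementation in Python with a server-side check that tolerates one 30-second step of clock drift. The seed is the RFC 6238 test-vector key (ASCII "12345678901234567890", base32-encoded the way an enrolment QR code would carry it), so it is a constructed sample and not anyone's account secret; the drift tolerance window of one step is an assumption chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator-style 30-second time step
DIGITS = 6          # six-digit codes

# Test-vector key from RFC 6238, base32-encoded. Constructed sample, not a real secret.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode the base32 seed shown at enrolment (re-adds '=' padding if the site omitted it)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=STEP_SECONDS):
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step)


def verify_totp(secret_b32, submitted, server_time, window=1, step=STEP_SECONDS):
    """Server-side check. The service keeps the same seed it showed at enrolment and
    recomputes the code for the current step plus/minus `window` steps; that window is
    the only tolerance for clock drift between the phone and the server."""
    counter = int(server_time) // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret_b32, counter + delta, DIGITS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def clock_skew_accepted(secret_b32, skew_seconds, server_time, window=1):
    """Simulate a phone whose clock is off by `skew_seconds` relative to the server.
    Returns True when the phone's code still lands inside the server's acceptance window."""
    phone_code = totp(secret_b32, server_time + skew_seconds)
    return verify_totp(secret_b32, phone_code, server_time, window=window)


if __name__ == "__main__":
    # RFC 6238 reference values for the SHA-1, six-digit configuration
    for t, expected in [(59, "287082"), (1111111109, "081804"), (1234567890, "005924")]:
        print(t, totp(RFC6238_SECRET_B32, t), "expected", expected)
    print("25 s drift accepted:", clock_skew_accepted(RFC6238_SECRET_B32, 25, 59))
    print("120 s drift accepted:", clock_skew_accepted(RFC6238_SECRET_B32, 120, 59))
```

The code makes two of the thread's points concrete: the verifying side needs the seed (so the seed is a long-term secret worth backing up and keeping away from the phone that logs in), and a phone clock that is off by more than the server's window produces a perfectly valid-looking code that is still rejected, which is exactly the "time correction" situation described above.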