Bitcoin Forum

Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

You can get secret code and import it into any 2FA app. It works universally.

Authentication: Types, Risks/ Attacks, Advice (https://bitcointalk.org/index.php?topic=5258244.msg54686832#msg54686832). The clarification from o_e_l_e_o  is perfect.

You can choose open source 2FA apps to use.

it depends on the reason why you are using 2FA (through Google Authenticator). for example for an account that you must have and there is no other ways around it (like your exchange account) it is an excellent additional security and you must have it. but for your wallet account (of custodial type), you should rethink using that wallet because your money is already not-safe since you don't control it, adding the 2FA will secure your account not your money.

as far as i know the software does not broadcast anything unless you explicitly create a backup of your keys. so Google won't know your codes.

the shared secret is also not the same as your bitcoin private keys or seed. it is only used to generate one time passwords for authentication purposes.

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved and i then i realized that i am unable to access my google account even my phone number was registered in gmail . I've lost all my data and trust me It sucks.

All of your logins protected by 2FA google authenticator have each a backup code that can be used in another device. And if you are looking for a more secure option, try Authy ; it's a nice alternative for google authenticator and can be secured by a single code backup which can be used to recover the app with all the accounts within if your device gets compromised or you accidentally erase the app.
About 2FA google authenticator, i didn't face problems using it but i remember hearing that it has been somehow compromised and some hackers succeeded to login users accounts using it. Not sure about this info so maybe someone could correct it .

I still remember of a news I read on cointelegraph this year about google 2fa being compromised. It is not the fault of the app itself, the hackers used tricks to make victims download a trojan horse that was installed on the devices. If someone can not handle anything about malware, how can he use bitcoin wallet successfully or using 2fa app successfully.

Although, I am not a fan to any google products, because google are privacy invaders. Also I can not use Authy, although it is much simple to use by synchronizing the backup on cloud, of which I do not believe in such. I prefer to keep my backups offline which is the safest.

If because you lose your code is the reason you do not recommend any 2fa, you are then wrong. The best you can do is to make a backup of the 2fa backup code and safely store it somewhere safe from attackers and damages and yet also still accessible to you.  Authy can the best for you then, but I can not recommend it due to what I mentioned above about synchronizing with online cloud which makes backup recovery easier. 

The best 2fa I have known and that I can recommend are Aegis, authenticator and andOTP.

Yes I know it now, you can ceck my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so i think if it only works for google 2FA only.

Yeah, it's a common misconception that "Google Authenticator" is a "Google Only" service... you're not the first (and won't be the last) person to get confused by that. I certainly was when I first started using Google Authenticator several years ago. The sites that have implemented the 2FA service are partly to blame by calling it "Google 2FA" etc...

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error. Authy, Aegis and Authenticator (Plus) (and others) have all been able to come up with solutions, I'm not sure why Google can't? ???

Yes, it's essential. 2FA will help you secure your account including your crypto on hackers. I'm Actually using it and my account is secured.

No, Google should not have your security code. Actually if you lose your phone and didn't back up properly the seed for the authenticator (when you created/set up the 2FA) you'll probably lose it.
This being said there are better alternatives than Google Authenticator, which do the same job but also allows you keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on timestamp. And if your phone, the auth app or the website where you try to enter don't have the time set well, the code will not be accepted. (Usually a sync of your phone fixes this).

About losing crypto. If you use the 2FA on the same phone as you access the web services, you weaken the security by a great deal and if the phone is lost, stolen or compromised you may lose funds also with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline on a wallet you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of hardware wallet.

Yeah, that's what I meant if I don't back up the seed for the authenticator. Thanks for the information, I'll check the alternatives to Google 2FA

Thank you for your reply, I'll be checking alternatives you mentioned to Google 2FA

yes, that's exactly what I'm afraid of and it definitley sucks when it happens, I will be checking the alternatives that many helpful fellows recommended

That is your fault, smart boy didn't save the backup code on the same phone. Backup code is just number, you can easily write it on paper and keep it far away from your phone. Or if you lazy to write the code, first time set up Google Authenticator, simply make a screenshot of the barcode and print it.

Just because someone doing bad or makes a mistake, it doesn't mean he/she not a smart person. thousand people learning new knowledge everyday. From the case, people will learn to be a better person. Now he makes a mistake storing key in the same device, because he is new about this.

In an occasion where security is top priority, the backup code should only be screenshot and print only through an airgap computer or write it down instead. However, there have been an occasion where attacker are able to bypass google authenticator and I will advise the OP to you use open source and decentralized authenticator like Aegis.

I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed with storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died. 

I've done the same during the years. But also during the years I had (1 or 2) weird surprises: no seed was provided so I can save, only the QR code.
And in such cases proper software that can do proper backup it's not "a solution for the lazy", it's actually the better solution.

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user  :D

I know what you mean. I noticed this on an exchange I was forced to use occasionally many years ago. 

Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place same as Google Authenticator or does it come with some limitations? I am considering using Aegis myself, so it might be good to know. 

I am almost certain that back then Google Authenticator didn't have any kind of export/backup (I am surprised it has now!); however, I've imported them manually.
I am not sure what you mean by limitations for Aegis. It's an Android (5+) application and I think that's the only platform it was made for (at least until now). So it cannot be used "all over the place". (But that doesn't affect me, really).
The only thing I've missed in Aegis (and it happened only once) was the time sync Google Authenticator used to offer.

About google having our code is just something to also worry but just in case you can't sleep about it, don't store millions to your account. Send them to your personal wallet.


I didn't do this 2 years ago and when I lost my phone, I have to submit a ticket to binance and perform the KYC again which they end up wanting me to blink on the camera and the documents needed.  It's better to just have it backed up manually and then whenever you lost your phone, you can just scan the code again.

You can now export all your codes but in an unencrypted format if I remember correctly.

Can you use it on every exchange that accepts Google Authenticator, for example. Or are there certain exchanges where Aegis can't be used, and you have to use an alternative?
 
Sorry, what is the time sync ???

Nice, but late. I won't go back  :D


I have 29 2FA services in my Aegis, I didn't encounter any issues.
Basically from one seed (text or qr) and current time some calculation is made and a number is shown. It's not rocket science and I see no reason to implement it (slightly) different.
And having so many services supported (OK, I no longer actually use 3/4 of them), I think it's a good test it's fine.
 

I had a couple times in the past this issue. As I wrote, the result is based on the current time. If the time is off (on my phone or on the target web service) the result/number will not be accepted.
It happened to me especially when I traveled abroad and back, I don't know of other things that triggered this. However, Google Auth had (has!) "Time correction for codes", which I think it's some sort of time sync with an atomic clock. After such a sync the codes were accepted again.
Aegis, afaik, doesn't have this.
Of course, one needs it seldom and can sync the phone's time by hand to atomic clock or install Google Auth shortly just for that. (I still have it installed for that sole reason, with only one dummy 2FA in it).

That's not quite correct... GA now allows you to create a single "QR Code" on screen that you're supposed to scan with Google Authenticator on a "new" device and it will import all your codes for you... but there is no option to "save" that QR code and screenshot is disabled within the app. As far as I can tell, the idea is that you go directly from GA on Device 1 to "authenticator app" on Device 2 etc... Aegis does seem to be able to read and import this single QR Code tho.


I have not found any GA code that is not compatible with Aegis... again, the only issue I've had is the occasional "time sync" error, where it won't accept the code, but doing the sync in GA seems to fix that issue.

Great, thanks for clarifying that. I have never tested their latest "backup" method, I guess I memorized it wrongly. The method you described is safer than having to save a unique unencrypted file that some users would surely end up losing, misplacing, or leaking to third parties. From your and NeuroticFish's answer I can conclude that you are both using multiple 2FA apps. Is it possible to have authentication codes of the same site across two or more 2FA apps at the same time? 

Yes, it is... I have Google Authenticator, Authenticator Plus and Aegis installed and running... I have the codes for several sites in either 2 or all three of the apps without any issues.

NOTE: I mainly use Aegis these days... the other 2 are "leftovers" ;) I stopped using Authenticator Plus because it stopped getting updates (last update Dec 2018).

This exact QR can still be used as a backup.
While the application does not allow screenshots to be taken, other applications which have the permission to add an overlay over other apps, still can save that QR, so it can act as a form of backup.

Then, whenever needed, a scan with GA or other authenticator apps who support the format, will restore the saved seeds.

Google 2FA work very well to secure access to your private area. Actually we can not know google will have your security code or not, because ethically Google shouldn't have it.

I've forgotten / lost google 2FA on an exchange, and resetting old data is quite difficult. Those exchange can not send me backup my last security code but they can delete my last 2FA configuration. I really sure that every platform have diffrent rules about this.

It's better to have and organize your backup key

This is not correct. Authenticator codes are a function of the secret key and the current time, so the only way for Google to make the same code as the one you typed in Authenticator for verification purposes is if they also have the secret key. And they do, for precisely this reason. It's the only way to verify if the code you typed is correct.

That being said, other people should not be able to know the secret key, unless those people saw your screen when the secret key was first shown (because you're supposed to have only one chance to see the secret key to put it in Authenticator - when the login is first created, but then again, a site could violate this important assumption, which would allow any hacker already logged in to the account to get the secret key)

If the site in question is not Google, then of course they don't know your key - the TOTP process doesn't send anything to Google's servers.