Bitcoin Forum

Other => Beginners & Help => Topic started by: Sohyun Park on July 21, 2019, 02:06:22 PM



Title: Brutal Truth
Post by: Sohyun Park on July 21, 2019, 02:06:22 PM
In a few of the exchanges or wallets there is the privilege of setting SMS or mail as 2FA. But I would like to mention that SMS and e-mail are not the correct 2FA to use.

The brutal fact that I wanted to say is that the info being sent to you (like SMS or email) is never a proper 2FA; it is highly vulnerable. There are apps like Authy and Google Authenticator which operate offline and are not sent by a third party.

This does not mean that Authy or Google Authenticator cannot be hacked, but they are safer than SMS or email authentication.

The above details are for those who already know what 2FA is. The rest can read about it below:

What is 2FA?
Two-factor authentication is a form of multifactor authentication. That is, you need 2 different factors to log in to any of your portals: one can be a password, the other can be a text message or a one-time code, etc.

Why 2FA?
It increases the security of your account. That is, even if someone guesses your password, it is hard to get access to the other factor.

Please enable 2FA to increase the security of your account. And please do remember that it is better to keep a second factor to which only you have access.


Title: Re: Brutal Truth
Post by: Aveatrex on July 21, 2019, 02:51:57 PM
So if SMS or Email isn't the correct 2FA to use (which I agree with somewhat), what do you recommend people use? Google Auth? Even Google Auth can be hacked, and it did happen in the past if you look it up on Google. A good 2FA to me is to have a physical device with buttons, like a hardware wallet that only you should own, to confirm access when you are logging in. Such devices already exist, but they are not implemented in most services unfortunately.


Title: Re: Brutal Truth
Post by: bitmover on July 21, 2019, 02:57:38 PM
So if SMS or Email isn't the correct 2FA to use (which I agree with somewhat), what do you recommend people use? Google Auth? Even Google Auth can be hacked, and it did happen in the past if you look it up on Google.

I doubt this ever happened. GA keys are not stored online. Your phone may be hacked and the hacker got access to the installed app somehow, but the GA service was not.

The biggest problem with Google Authenticator is that if you lose your phone and you didn't back up the keys, your login is lost forever. This is why many people recommend using Authy instead.
Take a look here
https://bitcointalk.org/index.php?topic=3178131

SMS and email are far less secure, just as OP said. Phone service providers are not paid to keep such a high security level, and a hacker can receive an SMS that should be directed to you.


Title: Re: Brutal Truth
Post by: Aveatrex on July 21, 2019, 04:17:35 PM
-snip-
It did happen in the past. And yes, the hacker most likely hacked the victim's phone to get into his app, which is something that anyone can be exposed to if not being careful, or they performed a phishing attack directly to get the 2FA code. Look: Article (https://www.techworm.net/2016/06/hackers-bypass-googles-two-factor-authentication.html)
As I said, as long as it has to do with something that is installed on a connected device (like GA on a phone connected to the Internet), it is vulnerable; that's why I prefer a physical device for 2FA.

Edit: Speaking of Authy, a vulnerability was also found in it years ago by Sakurity. See more: Authy Vulnerability (http://sakurity.com/blog/2015/03/15/authy_bypass.html)


Title: Re: Brutal Truth
Post by: Aero Blue on July 21, 2019, 04:24:43 PM
The point of 2-fa wasn't to make an account bullet-proof, but to significantly improve security without being a huge inconvenience.

For the average person, 2-fa is sufficient security. In order to log in to one of your accounts, the hacker would need:

     [1] Your password

     [2] Your username

     [3] The website

     [4] Your phone

So unless you are worried about your roommate stealing your phone and knowing all of this stuff, you are pretty safe.


Edit: As the post above me says: be careful with your TOTP codes. Even though a lot of people think they are harmless because they expire, they don't expire immediately. Often you can still use the code for up to 30 minutes, giving the hacker plenty of time to login and disable 2-fa + anything else.


Most important thing to realize: You are probably the biggest threat to your own security, always double check.
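The two technical points in this thread so far, the OP's "authenticator apps operate offline" and the edit above about TOTP codes not expiring the instant the counter rolls over, come down to how TOTP is computed and how a server decides which codes to accept. The following is an added example, not code from this thread or from Authy, Google Authenticator or any exchange: an RFC 6238 TOTP generator (HMAC-SHA1, the usual profile) and a server-side verifier. The secret and timestamps are the published RFC 6238 test-vector values; the +-1 step acceptance window and the single-use counter check are assumptions of this example, not what any particular site does.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32). This is a
# published test vector, not anyone's real credential.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `for_time`.

    The code is a function of the shared secret and the clock only, so the
    phone app and the server compute it independently. Nothing is transmitted
    to the user, which is the property that separates it from SMS/e-mail codes.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = for_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation, RFC 4226
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check that tolerates a little clock skew but never accepts
    the same time step twice, so a code phished from the user cannot be
    replayed once the user (or the attacker) has already redeemed it."""

    def __init__(self, secret_b32, step=30, window=1):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window          # assumption: accept +-1 step (30 s each side)
        self.last_counter = None      # highest time step already redeemed

    def verify(self, code, now):
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter < 0:
                continue
            expected = totp(self.secret_b32, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                if self.last_counter is not None and counter <= self.last_counter:
                    return False      # replay: this step (or an older one) was already used
                self.last_counter = counter
                return True
        return False                  # outside the window, or simply wrong


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    code = totp(TEST_SECRET_B32, 59)                       # what the "phone" shows at T=59
    print(code, v.verify(code, 59))                        # 287082 True  (fresh)
    print(code, v.verify(code, 59))                        # 287082 False (replay of a used code)
    print(code, TotpVerifier(TEST_SECRET_B32).verify(code, 89))    # True: next step, inside skew window
    print(code, TotpVerifier(TEST_SECRET_B32).verify(code, 150))   # False: too old
    print(totp(TEST_SECRET_B32, int(time.time())))         # a live code for the current time
```

The verifier shows why a code "doesn't expire immediately": a site that allows clock skew will still accept a code for a step or two after it was generated, and the width of that window is the site's decision, not the app's. Recording the last redeemed step is the cheap countermeasure, since a code that was phished and already used by the attacker, or already used by the user, is then refused.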


Title: Re: Brutal Truth
Post by: o_e_l_e_o on July 21, 2019, 07:51:25 PM
Many people use the same password for their email as they do for their exchange accounts, and some exchanges will allow password reset emails to be sent to the same email which is being used to 2FA. Therefore you are reducing the security of your exchange account from 2 factors to 1, since both factors can be compromised with access to your email.

Using SMS is a poor choice, not only because of old style intercepting or hacking your communications, but because it is pretty easy to social engineer access to your phone number. Scammers will phone up your mobile provider, and with a few details about you (details which most people will have openly shared on their social media accounts), they can transfer your number to a new SIM under their control.

And yes, the hacker most likely hacked the victim's phone to get into his app which is something that anyone can be exposed to if not being careful
Google Authenticator will work offline, so if this is your concern, then run it on an air gapped device.


Title: Re: Brutal Truth
Post by: hatshepsut93 on July 21, 2019, 08:09:17 PM
So if SMS or Email isn't the correct 2FA to use (which I agree with somewhat), what do you recommend people use? Google Auth? Even Google Auth can be hacked, and it did happen in the past if you look it up on Google. A good 2FA to me is to have a physical device with buttons, like a hardware wallet that only you should own, to confirm access when you are logging in. Such devices already exist, but they are not implemented in most services unfortunately.

Simply saying that something can be hacked doesn't discredit it, because with enough money and determination anything can be hacked. What you should be looking at is the probability of hacks and how hard it is for hackers to do so.
This is why OP is correct when they say that Google Auth is better than SMS and Email: mobile numbers get hijacked with social engineering, emails get hacked when passwords are weak or reused, but mobile devices have much better security; they don't allow programs to read/write anything they want, which makes it very hard for malware to steal some sensitive data. Google Auth is good for most users, unless they are whales who move millions in and out of exchanges.


Title: Re: Brutal Truth
Post by: nakamura12 on July 21, 2019, 09:48:56 PM
It is not the best choice to use email or your phone number (SMS) to activate the 2FA security feature when there is another way, which most of the time is what they have used to have 2FA in your account: authenticators like Authy or Google Authenticator. I have created a thread before on how to activate 2FA in your account using Google Auth or Authy; I did use both authenticators to activate 2FA on a site where there is a feature that you can enable 2FA to increase your security. Using email or SMS will help them know about your email and the number that you are using.


Title: Re: Brutal Truth
Post by: Zionatin on July 21, 2019, 11:05:04 PM
Just remember that none of this helps if you don't back up your backup passphrase to restore the 2FA if you lose access to your phone. People always seem to forget to mention this and it is just too important not to.
I lost some funds because I lost access to a phone and I didn't realize they gave me a phrase I should have backed up. I didn't understand quite how it worked, so don't do what I did. Make sure when you open an account or edit it that you can restore it. This goes for all wallets, websites, phone unlocks and whatever else. If you cannot restore your account, you cannot get it back. So when you implement security measures, make sure you do not lock yourself out in doing so.


Title: Re: Brutal Truth
Post by: sandra_x on July 21, 2019, 11:13:20 PM
Point being made: your SMS can be hijacked by hackers. It is possible to clone your phone number; CDMA is more vulnerable in this regard. G.A. offers better security.


Title: Re: Brutal Truth
Post by: Baronets on July 22, 2019, 05:56:15 AM
Some sites are using 3FA (three factors); it isn't as convenient, but it does add another layer of security. Some also register access devices, and require extra authentication if you use a new device. I have a small card reader for my bank account, and this generates a one-time access code for my account if the card reader, bank card, and PIN all match the account details.



Title: Re: Brutal Truth
Post by: iam_aayushiJ on July 22, 2019, 05:59:24 AM
It's a tough call to make, whether to go with GA for 2FA or choose a hardware wallet. In the case of Google Authenticator, if you lose your phone and you have not backed up your keys, you may not be able to access the accounts for which you have set up 2FA. In the case of hardware devices for 2FA, even they can be hacked. What I mean is, it is actually a Brutal Truth: everything is hackable. You just have to trust companies like Google who claim to be hack-proof.


Title: Re: Brutal Truth
Post by: hugeblack on July 22, 2019, 07:27:04 AM
You do not explain why these options are useless:
It is easy to hack your text messages using what is known as SIM swapping ----> https://en.wikipedia.org/wiki/SIM_swap_scam.
Any virus on your phone may cost you a lot.

This does not mean that Authy or Google Authenticator cannot be hacked, but they are safer than SMS or email authentication.
All these options will be useless if you are negligent, so primitive advice may be useful:
Avoid downloading software randomly
Avoid Clicking on all links.
and so on.


Title: Re: Brutal Truth
Post by: Kakmakr on July 22, 2019, 07:32:52 AM
Just remember that Authy and Google Authenticator are also a third party in this scenario and are also prone to vulnerabilities. We have seen this before, with https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f and https://99bitcoins.com/which-cryptocurrency-sites-are-impacted-by-authy-2fa-security-exploit/

Also remember that Google is one of the companies working with the three-letter agencies to provide sensitive information to governments. ::) Big brother creates their own tools to spy on people. ::)


Title: Re: Brutal Truth
Post by: Decimation on July 22, 2019, 03:59:57 PM
The point of 2-fa wasn't to make an account bullet-proof, but to significantly improve security without being a huge inconvenience.

For the average person, 2-fa is sufficient security. In order to log in to one of your accounts, the hacker would need:

     [1] Your password

     [2] Your username

     [3] The website

     [4] Your phone

So unless you are worried about your roommate stealing your phone and knowing all of this stuff, you are pretty safe.


Edit: As the post above me says: be careful with your TOTP codes. Even though a lot of people think they are harmless because they expire, they don't expire immediately. Often you can still use the code for up to 30 minutes, giving the hacker plenty of time to login and disable 2-fa + anything else.


Most important thing to realize: You are probably the biggest threat to your own security, always double check.

Yea I agree with the "you are probably the biggest threat to your own security" statement for sure. The most common incident I hear related to 2-fa is about someone losing or breaking their phone when they didn't backup their TOTP codes.

This is why I always recommend using Authy (as some others have mentioned), because it is based on your phone number and you can always recover your codes. It is pretty secure, and at least you don't have to worry about backups, which are a real hassle for the average person, who is likely to just forget about it.


Title: Re: Brutal Truth
Post by: Upgate on July 23, 2019, 07:35:53 AM
I do find it difficult to operate Google Authentication. I do find it confusing because not everyone knows how to operate it when asked to fill in your Google authentication number. That's why so many people don't know of or make use of it.


Title: Re: Brutal Truth
Post by: Aero Blue on July 24, 2019, 04:31:04 PM
Just on the topic of Authy, I wanted to make a point here:

Authy is great, but if you plan to use your TOTP codes in other places, please consider the absolute PAIN it is to access your own codes. Authy probably does this more as a security measure, but it's seriously annoying.

For example, in my case I use Bitwarden, and wanted to store my TOTP codes in there (for the autofill 2fa, which is super convenient), little did I know though, it's not that simple.

I did find a GitHub page explaining how to extract the "keys" from Authy via Chrome (weird), but when I tried it, it never worked. It's most likely possible, but it's a huge pain and a lot of people don't know about it.

So don't use Authy if you want access to your TOTP codes; you'll thank me later.


Title: Re: Brutal Truth
Post by: bitmover on July 24, 2019, 05:17:11 PM
So don't use Authy if you want access to your TOTP codes; you'll thank me later.

Google Authenticator doesn't support this either. I didn't know Bitwarden allowed it.

But you can always check the keys on the original website where you activated the 2FA, and with Authy you won't have problems accessing those accounts.


Title: Re: Brutal Truth
Post by: TryNinja on July 24, 2019, 06:20:49 PM
Google Authenticator doesn't support this either. I didn't know Bitwarden allowed it.
They do in their pro version (only $10/year).

Quote
But you can always check the keys on the original website where you activated the 2FA, and with Authy you won't have problems accessing those accounts.
99% of the websites don't let you see your 2FA code (for obvious reasons). So you will actually need to disable it and enable it again on Bitwarden, which is boring af. Some even have limitations for when you restart your 2FA (e.g. Steam with the trade limitations).

I honestly don't see any reason why anyone would use a 2FA app like this when there are so many better open-source alternatives that let you export your codes.
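The "export your codes" point above refers to moving TOTP credentials between apps; the interchange form is the otpauth:// URI, which is also what an enrolment QR code encodes. The following is an added example, not code from this thread or from Bitwarden, Authy or Google Authenticator: a parser that pulls the account, issuer and OTP parameters out of such a URI and refuses malformed ones before anything is stored. The sample URIs in the usage section are constructed, and the secret in them is a throwaway base32 string, not a real credential.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlparse

SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


def parse_otpauth(uri):
    """Parse an otpauth://totp/... or otpauth://hotp/... URI into its fields.

    Raises ValueError on anything an importer should refuse: wrong scheme or
    OTP type, missing or non-base32 secret, unsupported digit count, algorithm
    or period, or an issuer parameter that contradicts the label prefix.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError("unknown OTP type: %r" % parts.netloc)

    # The label is "Issuer:account" or just "account", percent-encoded.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    label_issuer, account = label_issuer.strip(), account.strip()
    if not account:
        raise ValueError("empty account label")

    params = {k: v[0] for k, v in parse_qs(parts.query).items()}

    # Secret must be base32; normalise spacing/case, then actually decode it.
    secret = params.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("missing secret")
    try:
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except binascii.Error as exc:
        raise ValueError("secret is not valid base32") from exc

    param_issuer = params.get("issuer")
    if param_issuer and label_issuer and param_issuer != label_issuer:
        raise ValueError("issuer parameter does not match label prefix")
    issuer = param_issuer or label_issuer or None

    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("unsupported digits: %d" % digits)
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % algorithm)

    result = {"type": otp_type, "account": account, "issuer": issuer,
              "secret": secret, "key_bytes": len(key),
              "digits": digits, "algorithm": algorithm}
    if otp_type == "totp":
        period = int(params.get("period", "30"))
        if period <= 0:
            raise ValueError("period must be positive")
        result["period"] = period
    else:
        if "counter" not in params:
            raise ValueError("hotp URI needs a counter")
        result["counter"] = int(params["counter"])
    return result


def is_importable(uri):
    """True if parse_otpauth accepts the URI, else False; for callers that only
    need a yes/no before showing the user what they are about to store."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the secret is a throwaway test string, not a real key.
    sample = ("otpauth://totp/Example:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")
    print(parse_otpauth(sample))
    print(is_importable("otpauth://totp/Example:alice?secret=NOTBASE32!&issuer=Other"))  # False
```

Decoding the secret during import, rather than just storing the string, is the check that matters most: a typo or a truncated export that survives as an opaque string would otherwise only surface later as a "wrong code" at login, exactly the lock-out scenario the thread keeps returning to.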


Title: Re: Brutal Truth
Post by: CryptoInsights on July 26, 2019, 01:21:11 PM
I do find it difficult to operate Google Authentication. I do find it confusing because not everyone knows how to operate it when asked to fill in your Google authentication number. That's why so many people don't know of or make use of it.

I would suggest you give it a try. When it comes to fund security, investing some time is worth it. Also, the time you take to learn Authy or Google Authenticator is not a waste; it is an investment of time to secure your funds.


Title: Re: Brutal Truth
Post by: Sohyun Park on August 14, 2019, 10:16:15 AM
Many people use the same password for their email as they do for their exchange accounts, and some exchanges will allow password reset emails to be sent to the same email which is being used to 2FA. Therefore you are reducing the security of your exchange account from 2 factors to 1, since both factors can be compromised with access to your email.


Thanks for quoting the above lines. It is actually a risky thing to keep the same password for the exchange and Gmail, or to have the same password for multiple accounts. If the password is hacked or known, then all of the accounts are gone (I mean, as you said, reduced to one-factor authentication). And in this case, if we have a weak second factor like SMS or email confirmation, then it is like we have put our accounts at risk.