Bitcoin Forum
Author Topic: 2FA - Important Precautions with Google Authenticator  (Read 1098 times)
bitmover (OP)
Legendary
*
Offline Offline

Activity: 2240
Merit: 5783


Non-custodial BTC Wallet


View Profile WWW
March 22, 2018, 12:01:44 PM
Last edit: June 18, 2019, 04:00:57 PM by bitmover
Merited by Vod (5), dbshck (4), suchmoon (2), OmegaStarScream (2), Halab (2), LoyceV (1), krishnapramod (1), bill gator (1), BTCforJoe (1), risatrakib (1)
 #1

Hello everyone,

In this crypto universe most of us use 2FA (2 factor authentication) in many services, such as mails, exchanges and more.
It's strongly recommended to use 2FA. I use it on almost all my accounts. There are several apps that make 2FA, and the most used is Google Authenticator.

But one thing that many people do not know is the fact that Google Authenticator (GA) does not save your 2FA accounts in your google account. So if you lose your phone you lose access to all accounts linked to your GA (unless the site has some additional recovery mechanism).

So if you use GA it is worth taking at least one of these two precautions:
- You should always note the key when registering a 2FA account. Few people realize it, but there is always a sequence of numbers below the QR code (or somewhere else on the website) when you register that account on your GA.
- Register the account on another device, such as a tablet.

An excellent alternative to GA is Authy app. This program works just like GA, but it saves your access accounts. That way, if you lose your cell phone, that's okay, as your data is backed up in the cloud.

Authy has an option to prohibit the registration of new devices. So if someone steals your Authy password, they cannot add an additional device unless an authorized device allows the registration of new devices to your account.

In theory, GA is safer than Authy, because your data never leaves your phone. But for most cases it's more probable that I lose my phone (or it breaks or whatever) than that an attacker steals my passwords and my Authy account and authorizes a new device. Anyway, using GA while taking the precautions mentioned above is a great option.

Edit: Authy also has a Google Chrome extension, so you can use it on your desktop.

Edit 2:
You can also try Yubico, a USB stick authentication device. It is a more secure and better solution; however, it has a cost (20-60 USD).
https://www.yubico.com/why-yubico/for-individuals/

keping1
Newbie
*
Offline Offline

Activity: 246
Merit: 0


View Profile WWW
March 22, 2018, 05:01:43 PM
 #2

I myself prefer not using GA. In my opinion there are many ways of securing an account other than GA; please choose for yourself.
mithrim
Sr. Member
****
Offline Offline

Activity: 434
Merit: 436


View Profile
March 22, 2018, 05:11:45 PM
 #3

We had this same topic a week ago here in this board:
https://bitcointalk.org/index.php?topic=3118035.0
There have been so many threads now with Google Authenticator vs. Authy that even the forum search capitulates.
DonaldHun
Newbie
*
Offline Offline

Activity: 112
Merit: 0


View Profile
March 22, 2018, 05:55:21 PM
 #4

- 2FA google is an important and necessary form of security because:
- wallets or exchange pages are a treasure trove of money and property. It is very sensitive to security issues from hackers.
Moneyversac
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
March 22, 2018, 06:02:40 PM
 #5

Thank you for this information!

I always wondered if they store your accounts..
Well lucky me I noted every information in a textbook which I keep at a safe place.

What about 2Step mobile verification?
Is it not secure enough?
bitmover (OP)
Legendary
*
Offline Offline

Activity: 2240
Merit: 5783


Non-custodial BTC Wallet


View Profile WWW
March 22, 2018, 06:35:12 PM
 #6

Thank you for this information!

I always wondered if they store your accounts..
Well lucky me I noted every information in a textbook which I keep at a safe place.

What about 2Step mobile verification?
Is it not secure enough?


There have been reports of hacks in mobile verification.
2FA is safer.
https://www.cnet.com/how-to/why-you-are-at-risk-if-you-use-sms-for-two-step-verification/
Quote
So, why the move away from SMS?

For the simple fact that receiving 2SV codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your social security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your phone in order to gain access to your 2SV codes.

TryNinja
Legendary
*
Offline Offline

Activity: 2772
Merit: 6850



View Profile WWW
March 22, 2018, 06:59:10 PM
 #7

+1 don't use any SMS-based 2FA.

This is what happened last year when a user decided to protect his Coinbase account with text message verifications:
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

BitMaxz
Legendary
*
Offline Offline

Activity: 3192
Merit: 2880


Block halving is coming.


View Profile WWW
March 22, 2018, 07:56:48 PM
 #8

This is only for mobile, and I think it is better to add Windows devices too.

I am using WinAuth on Windows 7. As of now this authenticator tool is still the best for me for desktops and laptops, because you can back up all accounts added in Google's KeyUriFormat, which can be imported to other devices or other authenticator apps.

Google's KeyUriFormat includes all of your secret keys, which you can use for recovery or import to other authenticator apps or devices.

I use WinAuth as my main authenticator and scan the QR code of the master key from WinAuth into Google Authenticator (I have never tried Authy as my authenticator), so you can now use your phone as your authenticator. If your phone is ever gone, you still have the backup on your laptop or desktop, and you can recover and import your secret key from WinAuth to a new device at any time.

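The key noted at registration (opening post) and a Key Uri Format export (the post above) carry the same secret. The following is an added example, not code from any poster, WinAuth or Google: it parses an `otpauth://` URI and derives RFC 6238 codes, showing that a backup alone reproduces the codes on any device. The sample URI, the `ExampleExchange` issuer and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

ALLOWED_ALGOS = {"SHA1", "SHA256", "SHA512"}


def decode_secret(text):
    """Decode the base32 key as sites print it: lowercase, spaced, unpadded."""
    s = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri):
    """Parse a Key Uri Format string: otpauth://totp/LABEL?secret=...&issuer=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    algo = q.get("algorithm", "SHA1").upper()
    if "secret" not in q or algo not in ALLOWED_ALGOS:
        raise ValueError("missing secret or unsupported algorithm")
    return {"label": unquote(u.path.lstrip("/")), "issuer": q.get("issuer", ""),
            "key": decode_secret(q["secret"]), "algorithm": algo,
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}


def account_from_paper(key_text):
    """Rebuild an account from only the written-down key, using the defaults."""
    return {"label": "", "issuer": "", "key": decode_secret(key_text),
            "algorithm": "SHA1", "digits": 6, "period": 30}


def totp(account, unix_time):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // account["period"])
    mac = hmac.new(account["key"], counter, account["algorithm"].lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** account["digits"]).zfill(account["digits"])


# Constructed sample: the key is the public RFC 6238 test key, not a real account.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = ("otpauth://totp/ExampleExchange:alice%40example.com"
              "?secret=" + SAMPLE_KEY + "&issuer=ExampleExchange")

if __name__ == "__main__":
    phone = parse_otpauth(SAMPLE_URI)  # what the QR code or a URI export holds
    paper = account_from_paper("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    for t in (59, 1111111109, 1234567890):
        print(t, totp(phone, t), totp(paper, t))  # both columns match
```

Because the key alone reproduces every future code, a paper copy or an exported URI file needs the same protection as the account password.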
Saverenergy
Full Member
***
Offline Offline

Activity: 728
Merit: 100


View Profile
March 22, 2018, 09:02:09 PM
 #9

Completely agreed with the author of the topic, using two-factor authentication from Google is quite unsafe. If you use it on your everyday phone. If you lose your phone, you lose access to all your accounts with enabled two-factor authentication.
charlie137
Full Member
***
Offline Offline

Activity: 1204
Merit: 220


(ノಠ益ಠ)ノ


View Profile WWW
March 22, 2018, 11:19:22 PM
 #10

i noticed that you can recover fully working google auth app on ios. there is a difference in backup encryption between icloud backup and regular sync backup. successfully erased iphone and recover google auth app with all the codes in it like nothing happened. for me it worked over icloud. mbp sync got clean google auth app. so you might want to try to restore from icloud without connecting to the computer

baguetter
Newbie
*
Offline Offline

Activity: 126
Merit: 0


View Profile
March 22, 2018, 11:30:57 PM
 #11

WOW this is really helpful. Before I even realized it, most things that I log into prompt me to get my phone out to proceed. Will add my tablet and my second phone to these sites now, just to be safe. Had my phone stolen last year but thankfully didn't have any authenticators on it back then.

Good post
figmentofmyass
Legendary
*
Offline Offline

Activity: 1652
Merit: 1483



View Profile
March 22, 2018, 11:49:32 PM
 #12

But one thing that many people do not know is the fact that Google Authenticator (GA) does not save your 2FA accounts in your google account. So if you lose your phone you lose access to all accounts linked to your GA

that's sort of the point. your 2-factor is supposed to be "something you have" in addition to "something you know" (the password). if your 2FA token was recoverable via your google account, a hacker could compromise your google account to override your 2FA protection. this is similar to the porting attack with SMS 2-factor authentication.

So if you use GA it is worth taking at least one of these two precautions:
-You should always note the key when registering an 2FA account. Few people realize, but there is always a sequence of numbers below the QR code (or somewhere else on the website) when you register that account on your GA.
- Register the account on another device, such as a tablet.

good advice. i always have my tokens backed up on two devices, with a copy written down in a safe place.

jseverson
Hero Member
*****
Offline Offline

Activity: 1834
Merit: 757


View Profile
April 02, 2018, 05:21:23 AM
 #13

+1 don't use any SMS-based 2FA.

This is what happened last year when a user decided to protect his Coinbase account with text message verifications:
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

That's ridiculous. It looks more like a problem with Verizon's protocols than with SMS verification as a medium though. Still, this shows that there's more that could go wrong with it, and that you shouldn't use it when you have better alternatives available. I'd still say it's more secure than nothing though. Just remember that it's far from bullet proof as a security option.

As an extension, you should never keep your money on exchanges either. People seem to refuse to listen though. Exchanges bypass the cryptographic security built in with crypto by taking control of your private key, so it's just a bad idea no matter how you look at it.

gawer33
Jr. Member
*
Offline Offline

Activity: 309
Merit: 5


View Profile
April 18, 2018, 04:18:05 PM
 #14

it seems you're knowledgeable about 2authy, can you please teach us with pictures, if possible, how to do a backup? I have tried pressing all the menus and still cannot find it.

edit: also on how to restore it. thanks in advance

STOP eating Oreo save the orangutans
https://www.orangutan.org.au/about-orangutans/orangutan-threats/
TryNinja
Legendary
*
Offline Offline

Activity: 2772
Merit: 6850



View Profile WWW
April 18, 2018, 04:27:04 PM
 #15

it seems you're knowledgeable about 2authy, can you please teach us with pictures, if possible, how to do a backup? I have tried pressing all the menus and still cannot find it.

edit: also on how to restore it. thanks in advance
After a simple "Authy backup" Google search:

https://authy.com/features/backup/
https://authy.com/blog/how-the-authy-two-factor-backups-work/

Everything is stored in the cloud, so you don't need to save any files.

Trollinator
Member
**
Offline Offline

Activity: 238
Merit: 15


View Profile
April 19, 2018, 05:06:25 AM
 #16

2FA is a must. I also recommend using an app over text messaging, as your phone can be hacked.
Cryptosandy1987
Jr. Member
*
Offline Offline

Activity: 84
Merit: 6


View Profile
June 06, 2018, 06:47:31 PM
 #17

The problem with Google Authenticator is the inability to recover your account if you lost your phone. I therefore always prefer the use of SMS as verification to my account

You can recover your account having GA, if you lost your phone
without a backup. Read here:
https://bitcointalk.org/index.php?topic=4401590.msg39156414#msg39156414

jarcel777
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
June 12, 2018, 09:12:22 PM
 #18

I have two mobiles. One for normal use and one for Google Authenticator - this one is still offline and without internet. This is a good cue from me, stay safe guys.
Hagmonar
Full Member
***
Offline Offline

Activity: 406
Merit: 100



View Profile
November 12, 2018, 01:25:44 AM
 #19

What if I didn't save or copy the sequence of numbers before enabling the 2FA in any account?

Is there a possible way to review it again? Cause I don't want to use Authy due to some possible hacking intrusion issues.
bitmover (OP)
Legendary
*
Offline Offline

Activity: 2240
Merit: 5783


Non-custodial BTC Wallet


View Profile WWW
November 12, 2018, 05:41:39 AM
 #20

What if I didn't save or copy the sequence of numbers before enabling the 2FA in any account?

Is there a possible way to review it again? Cause I don't want to use Authy due to some possible hacking intrusion issues.

Then, you cannot lose your phone.

You should copy the number sequence.
