Bitcoin Forum
Author Topic: 2FA - Important Precautions with Google Authenticator  (Read 1100 times)
bitmover (OP)
March 22, 2018, 12:01:44 PM
Last edit: June 18, 2019, 04:00:57 PM by bitmover
Merited by Vod (5), dbshck (4), suchmoon (2), OmegaStarScream (2), Halab (2), LoyceV (1), krishnapramod (1), bill gator (1), BTCforJoe (1), risatrakib (1)
 #1

Hello everyone,

In this crypto universe most of us use 2FA (two-factor authentication) in many services, such as mail, exchanges and more.
It's strongly recommended to use 2FA. I use it on almost all my accounts. There are several apps that do 2FA, and the most used is Google Authenticator.

But one thing that many people do not know is the fact that Google Authenticator (GA) does not save your 2FA accounts in your Google account. So if you lose your phone you lose access to all accounts linked to your GA (unless the site has some additional recovery mechanism).

So if you use GA it is worth taking at least one of these two precautions:
- You should always note the key when registering a 2FA account. Few people realize it, but there is always a sequence of characters below the QR code (or somewhere else on the website) when you register that account in your GA.
- Register the account on another device, such as a tablet.

An excellent alternative to GA is the Authy app. This program works just like GA, but it saves your access accounts. That way, if you lose your cell phone, that's okay, as your data is backed up in the cloud.

Authy has an option to prohibit the registration of new devices. So if someone steals your Authy password, they cannot add an additional device, unless an authorized device allows the registration of new devices to your account.

In theory, GA is safer than Authy, because your data never leaves your phone. But for most cases it's more probable that I lose my phone (or it breaks or whatever) than that an attacker steals my passwords and my Authy account and authorizes a new device. Anyway, using GA while taking the precautions mentioned above is a great option.

Edit: Authy also has a Google Chrome extension, so you can use it on your desktop.

Edit 2:
You can also try Yubico, a USB stick authentication device. It is a more secure and better solution, however it has a cost (20-60 USD)
https://www.yubico.com/why-yubico/for-individuals/

keping1
March 22, 2018, 05:01:43 PM
 #2

I myself prefer not to use GA. In my opinion there are many ways of securing an account other than GA; please choose.
mithrim
March 22, 2018, 05:11:45 PM
 #3

We had this same topic a week ago here on this board:
https://bitcointalk.org/index.php?topic=3118035.0
There are so many threads now on Google Authenticator vs. Authy that even the forum search capitulates.
DonaldHun
March 22, 2018, 05:55:21 PM
 #4

Google 2FA is an important and necessary form of security because wallets and exchange pages are a treasure trove of money and property, and very sensitive to attacks from hackers.
Moneyversac
March 22, 2018, 06:02:40 PM
 #5

Thank you for this information!

I always wondered if they store your accounts.
Well, lucky me, I noted every piece of information in a notebook which I keep in a safe place.

What about 2-step mobile verification?
Is it not secure enough?
bitmover (OP)
March 22, 2018, 06:35:12 PM
 #6

Quote from: Moneyversac
Thank you for this information!

I always wondered if they store your accounts.
Well, lucky me, I noted every piece of information in a notebook which I keep in a safe place.

What about 2-step mobile verification?
Is it not secure enough?

There have been reports of hacks of mobile verification.
2FA apps are safer.
https://www.cnet.com/how-to/why-you-are-at-risk-if-you-use-sms-for-two-step-verification/
Quote
So, why the move away from SMS?

For the simple fact that receiving 2SV codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your social security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your phone in order to gain access to your 2SV codes.

TryNinja
March 22, 2018, 06:59:10 PM
 #7

+1 don't use any SMS-based 2FA.

This is what happened last year when a user decided to protect his Coinbase account with text message verifications:
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

BitMaxz
March 22, 2018, 07:56:48 PM
 #8

This is only for mobile, and I think it is better to add Windows devices too.

I am using WinAuth on Windows 7; as of now this authenticator tool is still the best for me for desktops and laptops, because you can back up all accounts added in Google's KeyUriFormat, which can be imported to other devices or other authenticator apps.

Google's KeyUriFormat includes all of your secret keys, which you can use for recovery or import into another authenticator app or device.

I use WinAuth as my main authenticator and scan the QR code of the master key from WinAuth into Google Authenticator (I never tried Authy as my authenticator), and you can then use your phone as your authenticator. If ever your phone is gone you still have the backup on your laptop or desktop, and you can recover and import your secret key from WinAuth to a new device at any time.

Saverenergy
March 22, 2018, 09:02:09 PM
 #9

Completely agree with the author of the topic: using two-factor authentication from Google is quite unsafe if you use it on your everyday phone. If you lose your phone, you lose access to all your accounts with two-factor authentication enabled.
charlie137
March 22, 2018, 11:19:22 PM
 #10

I noticed that you can recover a fully working Google Auth app on iOS. There is a difference in backup encryption between an iCloud backup and a regular sync backup. I successfully erased an iPhone and recovered the Google Auth app with all the codes in it, like nothing happened. For me it worked over iCloud; the MBP sync gave a clean Google Auth app. So you might want to try to restore from iCloud without connecting to the computer.

baguetter
March 22, 2018, 11:30:57 PM
 #11

WOW, this is really helpful. Before I even realized it, most things that I log into prompt me to get my phone out to proceed. I will add my tablet and my second phone to these sites now, just to be safe. I had my phone stolen last year but thankfully didn't have any authenticators on it back then.

Good post
figmentofmyass
March 22, 2018, 11:49:32 PM
 #12

Quote from: bitmover
But one thing that many people do not know is the fact that Google Authenticator (GA) does not save your 2FA accounts in your Google account. So if you lose your phone you lose access to all accounts linked to your GA

That's sort of the point. Your 2-factor is supposed to be "something you have" in addition to "something you know" (the password). If your 2FA token were recoverable via your Google account, a hacker could compromise your Google account to override your 2FA protection. This is similar to the porting attack with SMS 2-factor authentication.

Quote from: bitmover
So if you use GA it is worth taking at least one of these two precautions:
- You should always note the key when registering a 2FA account. Few people realize it, but there is always a sequence of characters below the QR code (or somewhere else on the website) when you register that account in your GA.
- Register the account on another device, such as a tablet.

Good advice. I always have my tokens backed up on two devices, with a copy written down in a safe place.

jseverson
April 02, 2018, 05:21:23 AM
 #13

Quote from: TryNinja
+1 don't use any SMS-based 2FA.

This is what happened last year when a user decided to protect his Coinbase account with text message verification:
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

That's ridiculous. It looks more like a problem with Verizon's protocols than with SMS verification as a medium, though. Still, this shows that there's more that could go wrong with it, and that you shouldn't use it when you have better alternatives available. I'd still say it's more secure than nothing, though. Just remember that it's far from bulletproof as a security option.

As an extension, you should never keep your money on exchanges either. People seem to refuse to listen, though. Exchanges bypass the cryptographic security built into crypto by taking control of your private key, so it's just a bad idea no matter how you look at it.

gawer33
April 18, 2018, 04:18:05 PM
 #14

It seems you're knowledgeable about Authy; can you please teach us, with pictures if possible, how to do a backup? I have tried pressing all the menus and still cannot find it.

edit: also how to restore it. Thanks in advance.

TryNinja
April 18, 2018, 04:27:04 PM
 #15

Quote from: gawer33
It seems you're knowledgeable about Authy; can you please teach us, with pictures if possible, how to do a backup? I have tried pressing all the menus and still cannot find it.

edit: also how to restore it. Thanks in advance.

After a simple "Authy backup" Google search:

https://authy.com/features/backup/
https://authy.com/blog/how-the-authy-two-factor-backups-work/

Everything is stored in the cloud, so you don't need to save any files.

Trollinator
April 19, 2018, 05:06:25 AM
 #16

2FA is a must. I also recommend using an app over text messaging, as your phone can be hacked.
Cryptosandy1987
June 06, 2018, 06:47:31 PM
 #17

The problem with Google Authenticator is the inability to recover your account if you lost your phone. I therefore always prefer the use of SMS as verification for my account.

You can recover your account having GA if you lost your phone
without backing up; read here
https://bitcointalk.org/index.php?topic=4401590.msg39156414#msg39156414

jarcel777
June 12, 2018, 09:12:22 PM
 #18

I have two mobiles. One for normal use and one for Google Authenticator; this one is still offline and without internet. This is a good cue from me, stay safe guys.
Hagmonar
November 12, 2018, 01:25:44 AM
 #19

What if I didn't save or copy the sequence of numbers before enabling 2FA on an account?

Is there a possible way to review it again? Because I don't want to use Authy due to some possible hacking intrusion issues.
bitmover (OP)
November 12, 2018, 05:41:39 AM
 #20

Quote from: Hagmonar
What if I didn't save or copy the sequence of numbers before enabling 2FA on an account?

Is there a possible way to review it again? Because I don't want to use Authy due to some possible hacking intrusion issues.

Then, you cannot lose your phone.

You should copy the number sequence.

Marialabo316
November 12, 2018, 06:11:07 AM
 #21

How do I reset 2FA? My phone broke and I never wrote down the words that were given to me. Could anyone help me, please?
baobao2000
November 12, 2018, 01:31:16 PM
 #22

Quote from: Marialabo316
How do I reset 2FA? My phone broke and I never wrote down the words that were given to me. Could anyone help me, please?

To reset 2FA you need to log in to your account first, go to your account security and click on Reset Two Factor Authentication, then enter your new 2FA code to reset; remember to write down your QR code.
If you lost your phone you can use the QR code to restore your 2FA, but if you also lost the QR code, then there is not much you can do; the only solution is to contact exchange support and see if they can help you log in to your account. Sometimes they refuse to do that, which is why it is very important to write down the QR code and keep it in a safe place.
@JANIYAA
November 12, 2018, 03:30:43 PM
 #23

Hi

Is Google Authenticator a legal one for transactions?
DdmrDdmr
November 12, 2018, 04:17:21 PM
Merited by dbshck (4)
 #24

There have been a couple of threads on the matter lately, and the key element to understand is what @bitmover points out in the OP: one needs to be concerned about the security of the 2FA itself, in terms of either making sure that you have kept all the backup codes for each site protected by 2FA, or using an alternative such as Authy instead of Google Authenticator (for a better set of recovery options).

Recently, I encountered the case of a forum member who had his phone stolen, and was having a hell of a rough time deactivating 2FA and reactivating it through a new device on every site that he had protected with the 2FA that resided on his stolen phone.
Not only is the procedure time consuming without the backup codes, but there are some specific sites where the procedure can take weeks to months. Specifically, the forum member took several weeks to recover access to his HitBTC account, having to prove his ID via photographs, videos, and details of recent TXs indicating the amounts, coins/tokens and dates involved. He also had to provide the date when he signed up on HitBTC, the current balance of each crypto, TX hashes, etc. A nightmare of details.

Better safe than sorry …

Note: Authy enables you to have an encrypted backup of your 2FA in the cloud, and to install it on multiple devices sharing the same access codes. That for me is a deal breaker in relation to Google Authenticator.

onirecon2018
November 13, 2018, 03:48:49 AM
 #25

Quote from: Hagmonar
What if I didn't save or copy the sequence of numbers before enabling 2FA on an account?

Is there a possible way to review it again? Because I don't want to use Authy due to some possible hacking intrusion issues.

If you did not back up that number you can hardly recover if you lose or break your phone. If you have not saved it, then you can disable 2FA in your account and reset it.
erikoy
November 13, 2018, 03:56:08 AM
 #26

Definitely, OP. I do not even recommend Google Authenticator for securing an account. Gmail already has its own 2FA, and there are different ways to enable 2FA for access to a Gmail account, which is way better. As stated above, if one loses his smartphone then it will definitely be a pain to access your own account, unless you just use the 2FA feature that Gmail offers to all Gmail account holders. Besides, other accounts offer 2FA the same way, so better check all the settings when you create an account and then look for 2FA if available.
ronnis.gomes
December 06, 2018, 09:38:55 PM
 #27

Quote from: bitmover
So if you use GA it is worth taking at least one of these two precautions:
- You should always note the key when registering a 2FA account. Few people realize it, but there is always a sequence of characters below the QR code (or somewhere else on the website) when you register that account in your GA.
- Register the account on another device, such as a tablet.

It is great advice. I have a colleague who had problems with his Google Authenticator and was unable to recover his account. It is terrible to discover that you can have trouble like this.
bitmover (OP)
January 21, 2019, 12:02:52 PM
 #28

Quote from: DdmrDdmr
Authy enables you to have an encrypted backup of your 2FA in the cloud, and to install it on multiple devices sharing the same access codes. That for me is a deal breaker in relation to Google Authenticator.

For me too.
I think Google Authenticator should at least warn its users about the limitations and the risks involved when you lose your device and didn't back up the keys properly.

Maybe it's time for GA to innovate. Competition is always good, and Authy is the best option by far, without good competitors.

bustedsynx
May 08, 2019, 05:40:19 PM
 #29

I already have a long printed list of 2FA keys and the list is encrypted with a password. In case I need recovery, all I have to do is scan the QR-coded encrypted key and then decrypt with the password. And then import into whatever 2FA app available to me.


bitmover (OP)
May 25, 2019, 03:42:11 PM
 #30

Quote from: bustedsynx
I already have a long printed list of 2FA keys and the list is encrypted with a password. In case I need recovery, all I have to do is scan the QR-coded encrypted key and then decrypt with the password. And then import into whatever 2FA app is available to me.

That's an excellent solution.
The only downside is that you need to be extra careful with those 2FA keys, as if they are stolen you may lose money.

nakamura12
May 25, 2019, 04:07:54 PM
 #31

Quote from: bitmover
That's an excellent solution.
The only downside is that you need to be extra careful with those 2FA keys, as if they are stolen you may lose money.

You are right. I also have a backup of my 2FA keys myself. I also use two authenticators: Google Authenticator, which doesn't have a feature for backing up secret keys, so I also use Authy, which has a feature to back up your secret keys; and for further security or backup, I also write them down.

naska21
June 17, 2019, 01:03:22 PM
Merited by suchmoon (4), bitmover (1)
 #32

snip

There is a better 2FA solution pioneered by the FIDO Alliance (Microsoft, Google, Yubico etc.), who invented a special protocol for authentication via U2F USB sticks (currently widely available on the market; arguably the most advanced is the Yubico 5). It sets an extra layer of protection on your account on sites that support that technique. Google services support it and as far as I know there are a few new exchanges which brought it to bear.
jademaxsuy
June 18, 2019, 03:25:57 PM
 #33

Quote from: jarcel777
I have two mobiles. One for normal use and one for Google Authenticator; this one is still offline and without internet. This is a good cue from me, stay safe guys.

Good that you have looked at this one, because this is really a pain for a user using Google Authenticator 2FA. If the phone with the 2FA gets lost you will also lose your account and will not be able to access it anymore. This is one disadvantage of using a 2FA authenticator: once you lose your phone you also lose your account. But there are good authenticators too, such as using an email address to which the code is sent, the email address you linked to the account.
bitmover (OP)
June 18, 2019, 03:57:10 PM
 #34

Quote from: naska21
snip

There is a better 2FA solution pioneered by the FIDO Alliance (Microsoft, Google, Yubico etc.), who invented a special protocol for authentication via U2F USB sticks (currently widely available on the market; arguably the most advanced is the Yubico 5). It sets an extra layer of protection on your account on sites that support that technique. Google services support it and as far as I know there are a few new exchanges which brought it to bear.

This solution is really good, and is better indeed. However it has a cost (from $20 to 60), and it is not available everywhere in the world.
It's much more expensive to ship to Brazil for example, because we have to pay additional taxes here.

I added this to the OP, as it is a really good solution for those who want to invest an additional $20-60.

DdmrDdmr
June 18, 2019, 04:20:45 PM
 #35

<...>
Ledger Nano S and Blue (not Ledger Nano X though - yet) devices have the option of installing a FIDO U2F app, so effectively the Ledger device can be used in addition for these purposes. There are some drawbacks though, like the fact a firmware update will require you to log into your FIDO U2F protected account, remove the method of authentication, and re-associate it. That may be rather a drag, since firmware should kind of be kept up-to-date.

See: https://support.ledger.com/hc/en-us/articles/115005198545-FIDO-U2F

Trezor seems to have it too: https://wiki.trezor.io/User_manual:Two-factor_Authentication_with_U2F
naska21
June 19, 2019, 01:26:44 PM
Last edit: June 22, 2019, 04:06:56 PM by naska21
 #36

Quote from: bitmover
Quote from: naska21
snip

There is a better 2FA solution pioneered by the FIDO Alliance (Microsoft, Google, Yubico etc.), who invented a special protocol for authentication via U2F USB sticks (currently widely available on the market; arguably the most advanced is the Yubico 5). It sets an extra layer of protection on your account on sites that support that technique. Google services support it and as far as I know there are a few new exchanges which brought it to bear.

This solution is really good, and is better indeed. However it has a cost (from $20 to 60), and it is not available everywhere in the world.
It's much more expensive to ship to Brazil for example, because we have to pay additional taxes here.

I added this to the OP, as it is a really good solution for those who want to invest an additional $20-60.

Well, if you are a technically savvy guy then there is a DIY approach (with reference to detailed instructions) that reduces the cost involved in U2F ownership. The key point in that approach is that you can assemble (by soldering and programming) for yourself not one but two U2F USB sticks, one to be used as the primary and the second as a backup. The latter is needed for extra reliability of your 2FA and therefore cannot be overemphasized.
dragonvslinux
October 03, 2019, 01:44:27 PM
 #37

Quote from: bitmover
An excellent alternative to GA is the Authy app. This program works just like GA, but it saves your access accounts. That way, if you lose your cell phone, that's okay, as your data is backed up in the cloud.

I just started using this one on my phone; I had no idea it backs up your data to a cloud. That sounds tragic, to be honest. I prefer the Chromium extension, which doesn't make copies of your TOTP secret keys to insecure locations (ironically, almost never with 2FA!!). I much prefer to make my own offline VeraCrypt-encrypted backups of my keys and keyrings, rather than trust some corporate cloud to do it for me personally. In summary, relying on a form of 3FA authentication for new devices via email/phone is a senseless vulnerability.

If someone has hacked your shitty corporate cloud account and got your keys in the process, you can be sure they've probably already used your credentials to change your phone number to another SIM or simply access your emails. I really hate this mentality of having a so-called 3rd factor "backup", effectively leaving an insecurity in your 2FA, one that you can control access to if you choose to. You don't own your phone number or email address, but you can own private keys. End rant.

People need to stop trusting this SPOF centralized server backup bullshit business if they care about their opsec.
I definitely agree with the sentiment of avoiding Google-owned 2FA software; that sounds like an awful idea for your security measures.

bitmover (OP)
October 03, 2019, 02:08:28 PM
 #38

Quote
If someone has hacked your shitty corporate cloud account and got your keys in the process, you can be sure they've probably already used your credentials to change your phone number to another SIM or simply access your emails.
No, you cannot login anywhere with only the 2FA code. They also need your password to login. So the hacker will need to hack my e-mail and authy.

Quote
You don't own your phone number or email address, but you can own private keys. End rant.
Backing up the private key for dozens of different services is a pain in the ass. If you back it up on a computer, or in a cloud service, it is the same as using Authy. If you print everything... man, that's just crazy imo.
Security must be convenient. Excess security will lead to low security in long term, imo.

Quote
People need to stop trusting this spof centralized server backup bullshit business if they care about their op sec.
I definitely agree with the sentiment of avoiding Google-owned 2FA software, that sounds like an awful idea for your security measures.

Security has nothing to do with centralization imo. Google 2FA is secure. It is so secure that even you may be unable to log in to your account forever if you lose your phone and you didn't back up the key.

dragonvslinux
October 03, 2019, 02:35:33 PM
Last edit: October 03, 2019, 06:01:13 PM by dragonvslinux
 #39

Quote
If someone has hacked your shitty corporate cloud account and got your keys in the process, you can be sure they've probably already used your credentials to change your phone number to another SIM or simply access your emails.
No, you cannot login anywhere with only the 2FA code. They also need your password to login. So the hacker will need to hack my e-mail and authy.

Hang on, real world scenario here based on the "average" user that only bothers with crap "convenient" security.

  • Either the user uses the same password for everything and never changes it, they were pwned years ago and don't even realise it.
  • The user is smarter and uses a different password for each login, but obviously can't remember them all, so they are backed up in a cloud.

The first user is a small snack for hackers and phishers, the second user is smarter but their 2fa is still backed up in "the cloud", and therefore likely so are their unique passwords.
Consider the second user when their cloud gets hacked a full course meal compared to snacking on dumb users that haven't changed a password once in their life.

Quote
You don't own your phone number or email address, but you can own private keys. End rant.
Backing up the private key for dozens of different services is a pain in the ass. If you back it up on a computer, or in a cloud service, it is the same as using Authy. If you print everything... man, that's just crazy imo.
Security must be convenient. Excess security will lead to low security in long term, imo.

Each to their own, I respect your opinion but in mine if security is convenient it's because it's probably crap.
It's also overlooking the convenience of merely backing up your 2fa keyring, not necessarily each individual key one by one. It's far from a pain in the ass imo.
This mentality for me is part of the "yale lock theory". A small analogy to follow here.

Quote from: me
Nightlatches are so convenient as locks: you don't have to turn a key to close them, they even close on their own. They are cheap, affordable, everyone knows how to use them and people rarely have a problem with them. The reality is you can pick these locks in minutes, that's why it's suggested to have a mortise or euro barrel-based lock. The latter aren't as convenient, they take more time to use, require more maintenance, but they are much more likely to secure your property. Ever noticed how locksmiths can pick your Yale lock within minutes and without any brute force? This is what 2FA cloud backups remind me of, relying on a third party to secure your property for you, while they retain access for others.

Ever wondered why banks use vaults and time-consuming multi-login procedures, why cold storage exists etc? For me it's the same principles that apply here. But again this is just me who likes to secure my personal data with banking level security [edit: as in keybanks], as I do with cryptoassets. I don't feel the values are so different to me at least.

Quote
Security has nothing to do with centralization imo. Google 2FA is secure. It is so secure that even you may be unable to log in to your account forever if you lose your phone and you didn't back up the key.

Yes this is the sort of security I like. If you don't have the key, you don't have access to my data. Period.

bitmover (OP)
October 03, 2019, 03:53:59 PM
 #40

Quote
People need to stop trusting this spof centralized server backup bullshit business if they care about their op sec.

Ever wondered why banks use vaults and time-consuming multi-login procedures, why cold storage exists etc? For me it's the same principles that apply here. But again this is just me who likes to secure my personal data with banking level security, as I do with cryptoassets. I don't feel the values are so different to me at least.

You were saying that centralized services were insecure, now "banking level security" is the best standard?
"Banking level security" is a cloud. There is no cold storage. (maybe in a few banks, but not most of them)

You just need an email and password and that is it. Sometimes an SMS or something like that through mobile, which is far less secure than 2FA or cold storage.

dragonvslinux
October 03, 2019, 05:47:56 PM
 #41

Quote
People need to stop trusting this spof centralized server backup bullshit business if they care about their op sec.

Ever wondered why banks use vaults and time-consuming multi-login procedures, why cold storage exists etc? For me it's the same principles that apply here. But again this is just me who likes to secure my personal data with banking level security, as I do with cryptoassets. I don't feel the values are so different to me at least.

You were saying that centralized services were insecure, now "banking level security" is the best standard?
"Banking level security" is a cloud. There is no cold storage. (maybe in a few banks, but not most of them)

You just need an email and password and that is it. Sometimes an SMS or something like that through mobile, which is far less secure than 2FA or cold storage.

I mean banking in the conceptual sense, "to bank something". In this sense a keybank, similar to a sperm bank or blood bank (ignoring the securities or said examples as unrelated). Nothing to do with financial institutions known confusingly and generically as "banks". Banking your data and private information as you would bank your bitcoin: securely and through ownership. Some call it self-banking, but it's still banking. Apologies for the confusion through use of words.

Quote from: "To bank something" from a dictionary
A bank of something, such as blood or human organs for medical use, is a place that stores these things for later use.

Source: https://dictionary.cambridge.org/dictionary/english/bank#cald4-1-5

royalfestus
May 16, 2023, 08:39:51 PM
 #42

Quote from: Google Authenticator Security Risk
Google Authenticator's cloud sync feature is not end-to-end encrypted, and poses a high security risk if you use it.

🔑 Google Authenticator stores your private keys used to generate one-time codes every 30 seconds, and is used for two-factor authentication.

☁️ When the cloud sync feature is turned on, Google backs up your private keys without encrypting them behind an additional passphrase.

💥 This means that a malicious attack on your Google account will not only leave your passwords vulnerable, but your private key too.

💻 This allows hackers to log in to all your accounts with two-factor verification.
https://www.pcworld.com/article/1800132/google-authenticator-finally-got-cloud-backups-for-2fa-secrets-but-you-should-hold-off.html
🔒 Strongly recommend turning off the cloud sync feature.

1) On your device, open the Google Authenticator app.
2) Tap your profile photo.
3) Hit Use without an account.
4) Tap Continue.

I am unable to comprehend the suggestion to disable the cloud synchronization functionality.
bitmover (OP)
May 16, 2023, 09:00:24 PM
 #43

Quote from: Google Authenticator Security Risk
Google Authenticator's cloud sync feature is not end-to-end encrypted, and poses a high security risk if you use it.

🔑 Google Authenticator stores your private keys used to generate one-time codes every 30 seconds, and is used for two-factor authentication.

☁️ When the cloud sync feature is turned on, Google backs up your private keys without encrypting them behind an additional passphrase.

💥 This means that a malicious attack on your Google account will not only leave your passwords vulnerable, but your private key too.

💻 This allows hackers to log in to all your accounts with two-factor verification.
https://www.pcworld.com/article/1800132/google-authenticator-finally-got-cloud-backups-for-2fa-secrets-but-you-should-hold-off.html
🔒 Strongly recommend turning off the cloud sync feature.

1) On your device, open the Google Authenticator app.
2) Tap your profile photo.
3) Hit Use without an account.
4) Tap Continue.

I am unable to comprehend the suggestion to disable the cloud synchronization functionality.

Google Authenticator now has a cloud sync feature.
Many people are saying it is not safe, including Binance.

My suggestion is that you move your keys to another authenticator, such as Aegis.

Velemir Sava
May 30, 2023, 03:51:27 AM
 #44

That's right, the authenticator code works when logging into a platform and when processing withdrawal transactions from the main account to the platform we are going to, be it an investment or trading account. And if it's gone, like the case you said, there must be a way out, namely confirmation on the relevant platform, being directed to their technical team, and just following it to reset again. But if you are proficient, it is normal to back it up, so just re-enter the 2FA code.
