Bitcoin Forum
Author Topic: Traditional Authentication, 2FA and 2SV  (Read 606 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
Luzin (OP)
June 17, 2020, 04:06:23 PM
Last edit: June 17, 2020, 04:25:46 PM by Luzin
Merited by Husna QA (5), The Cryptovator (5), vapourminer (3), ShowOff (1), AakZaki (1), cheezcarls (1), OcTradism (1), Peanutswar (1)
 #1

I created this from my thread in the local board: Here, through several revisions and discussions.

Across some exchange accounts, social media accounts, and several other accounts, there are some differences in the authentication used to log in. From this, conclusions can be drawn about the fundamental differences in the security systems of several accounts that I made.
1. Traditional Authentication
This only uses a username / account email address combined with a password.
2. Two Factor Authentication
This is the authentication used by many people in crypto: verification of ownership using an OTP (one-time password) as additional authentication, which we usually call 2FA. So the authentication system uses a username and password and then a passcode or token from another device (Yubikey, GA / Authy or others); this process matches our code against the server's.
3. Two Step Verification
Almost similar to 2FA, but I think this is different. Two Step Verification uses a password/username and a verification code or link from the server; this code is sent via short message, email, etc. The difference from 2FA is that the server gives us the code, and only the server knows this code, whereas with 2FA we have the same code and it only needs to match.

Of the three kinds of security when logging in to an account, I found several other combinations >> username / password > 2FA > 2SV, but this happens if the IP is different, for example if you log in to Indodax Exchange or Bittrex. I think this combination of security authentication is good if applied to all websites relating to crypto assets and other websites relating to important data.

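Added example, not part of any post in this thread: the difference post #1 draws between 2FA (device and server hold the same secret, so the codes only need to match) and 2SV (the server generates the code and sends it), in Python. The 2FA half is RFC 6238 TOTP, the scheme authenticator apps such as GA / Authy use; `TwoStepCodes`, `DEMO_SECRET` and the user name are assumptions made for the illustration.

```python
import base64, hashlib, hmac, secrets, struct

# Constructed sample: the public test key from RFC 4226/6238, not a real account secret.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, step=30, digits=6):
    """2FA code (RFC 6238, HMAC-SHA1): derived from a shared secret and the clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", max(int(at), 0) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, at, window=1, step=30):
    """Server recomputes the code itself; nothing was sent to the user at login."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + i * step, step).encode(), submitted.encode())
        for i in range(-window, window + 1)  # tolerate one step of clock drift
    )

class TwoStepCodes:
    """2SV: the server invents a random code and must deliver it by SMS or email."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.pending = {}  # user -> (SHA-256 of code, expiry time)

    def issue(self, user, now):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (hashlib.sha256(code.encode()).digest(), now + self.ttl)
        return code  # handed to the delivery channel; whoever reads that inbox sees it

    def verify(self, user, submitted, now):
        entry = self.pending.pop(user, None)  # single use, even when the guess is wrong
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0], hashlib.sha256(submitted.encode()).digest())

if __name__ == "__main__":
    now = 59
    print("2FA code computed on the device:", totp(DEMO_SECRET, now))
    print("server accepts it:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
    sv = TwoStepCodes()
    sent = sv.issue("alice", now)
    print("2SV code sent over SMS/email:", sent, "->", sv.verify("alice", sent, now + 10))
```

In the 2FA path the only secret is enrolled once and never travels at login; in the 2SV path every login depends on the SMS or email channel that carries the code.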
jackg
June 17, 2020, 04:19:44 PM
 #2

Sending authentication keys as an OTP, either on Google Auth or SMS, is something used widely across the whole financial industry from what I've seen.

The Yubikey/cryptographic signature part though is a well welcomed part here at increasing security. I've seen a lot of sites using it but quite a few don't, and it'd be nice if they did, so hopefully they can notice this topic (or new devs might at least)...
andriyana
June 17, 2020, 05:04:46 PM
 #3

I think Two-Step Verification is very good to use for an exchange or email account, because when we log in to the account the server sends a secret code to enter. This may be very recommended.
o_e_l_e_o
June 17, 2020, 06:58:39 PM
Merited by Luzin (1)
 #4

Using those definitions, then "Single Factor, 2 step verification" is insecure and shouldn't be used.

Many exchange accounts or web wallets which are hacked are hacked because the attacker gains access to the victim's email account or phone number, and then uses that to reset the password on the relevant exchange or wallet account. If your two step verification involves entering a code sent by email or by SMS, then it achieves nothing since the attacker will already have access to these. The number of email account passwords which have been leaked in various database breaches is astronomical, and since people frequently reuse passwords, these can often be easily hacked. An attacker can transfer your phone number and therefore receive all your SMS messages with a little bit of knowledge from your social media profiles/online presence and a single phone call to your mobile provider. If they can log in to your exchange account and provide the two step code all from a single point of failure, then that setup is no more secure than just using a single password.

The whole point of 2FA is in the name - 2 factor verification. Your second factor needs to be something completely separate - at the very least an authenticator app, but even better if you use a hardware key like a Yubikey (many crypto hardware wallets can also be used as a 2FA hardware key).
hatshepsut93
June 17, 2020, 09:42:04 PM
Merited by o_e_l_e_o (2)
 #5

Quote from: o_e_l_e_o on June 17, 2020, 06:58:39 PM
Using those definitions, then "Single Factor, 2 step verification" is insecure and shouldn't be used.

If it's a matter of choice between "no 2 step verification" and "2 step verification", then it should obviously be picked. Hacking email would indeed bypass it, but there are many other attacks which can be mitigated with it - XSS, CSRF, session hijacking, phishing, password cracking.

It's better to always look for services that use 2FA, but if there's no other way, then 2 step verification is better than nothing.

Luzin (OP)
June 18, 2020, 04:44:56 AM
Last edit: June 18, 2020, 05:39:48 AM by Luzin
 #6

Quote from: o_e_l_e_o on June 17, 2020, 06:58:39 PM
Using those definitions, then "Single Factor, 2 step verification" is insecure and shouldn't be used.
The whole point of 2FA is in the name - 2 factor verification. Your second factor needs to be something completely separate - at the very least an authenticator app, but even better if you use a hardware key like a Yubikey (many crypto hardware wallets can also be used as a 2FA hardware key).

Yes, in many cases of SIM swap or SIM jacking, the fraudster exploits the ability of cell phone service providers to port phone numbers to devices that contain other customer identity (SIM) modules. Fraudsters collect personal data about victims, usually through phishing emails or by buying it from identity thieves. But the 2SV 2FA combination authentication system seems to be quite good, although it is rather risky if the authentication is sent via short message or email. More than that, we must be careful.

OcTradism
June 18, 2020, 01:19:11 PM
 #7

Good topics on security and privacy.
