Bitcoin Forum
Topic: Authentication: Types, Risks/ Attacks, Advice
OcTradism (OP)
June 26, 2020, 01:50:03 PM
Last edit: November 17, 2020, 01:50:56 AM by OcTradism
Merited by suchmoon (4), vapourminer (3), Symmetrick (3), DdmrDdmr (2), The Cryptovator (2), Daniel91 (1), Charles-Tim (1)
 #1

People usually care about increasing their funds and their capital, but they neither care about losses nor pay attention to protecting their funds/capital. There are some reasons why they don’t care about it.
-   They are not aware of the risks if they don’t protect their accounts.
-   They don’t have the knowledge.
-   Being too lazy (aware of the risks, have the knowledge, but they don’t do anything to secure their accounts).

How many types of authenticators are there?
-   SMS-based/ Email-based/ Voice-based/  Biometric-based authenticator
-   2-factor authenticators (2FA)
-   FIDO U2F hardware authenticators

Which one is recommended and should be your first priority?
2-factor authenticator software. It is free and more secure. Try to use a YubiKey if you actually want better security with some funds.
Don't use SMS-based authentication if you can avoid it. Unfortunately, sometimes you don't have a choice because service providers (like banks) only give you that type of authentication. That being said, whenever you can avoid this type, avoid it.

The first type is less secure and riskier because there are SIM swapping attacks (for SMS, voice code) and if you rely on email, your account will be compromised if hackers have access to your email.
[BEWARE] Sim Port Attack and SIM swapping protection
With an SMS-based authenticator, you can secure it better by setting up a PIN code for your SIM card and deactivating lock-screen notifications. More details in the guide from Kaspersky.

A biometric-based authenticator is risky because if you pass away, your family members cannot get access to your account.



The second type is more secure and is the one that should be used. Most of them use the OATH TOTP (Time-based One-Time Password) algorithm.
Here is some software for you. More details

Google Authenticator: Android, iOS
Duo Mobile: Android, iOS
Microsoft Authenticator: Android, iOS
Free OTP: Android, iOS
Authy: Android, iOS, Windows, macOS, Chrome
Yandex.key: Android, iOS
Aegis: Android
When using those apps, there are mandatory steps to do: back up 2FA codes (to recover later if your phones/devices are broken and cannot be repaired), and test the validity of those backup codes (make sure that you make good backups and they can be used to recover).

Some people don't know these two important and vital steps. They activate 2FA on their accounts, enter 2FA codes into apps, but don't back up those codes and don't test the backups' validity. If their devices are stolen or broken, they get into trouble.

Some advice for 2FA
- Make backups of 2FA codes before activating it.
- Activate it by manually entering the 2FA code; don't scan the QR code.
        Because when you enter the 2FA code manually, you also check the validity of your code backup.
        If your code backup is not correct, you cannot activate the code for your account.
- Retest the code backup on another device if possible.
- Don't take a photo and store the code backup on your device. There are risks that your devices can be compromised and the photo or backup will be leaked.
- Install the 2FA app on another device of yours, and it should mostly be offline. Don't store all eggs in one bag.

Remember that there are two layers of backup: backup codes, and the 2FA secret key (or bar code). I advise you to back up both of them, or if you choose only one to back up, it should be the 2FA secret key, not the bar code. With the secret key, it will be easier for you to guess if characters or figures are blurred a little bit, but with the bar code, there is almost nothing you can do. Of course, saving 2FA secret key backups as well as possible is a must.

Store them offline.

Backup codes

2FA secret keys


FIDO U2F hardware authenticators: YubiKey and others
U2F hardware tokens are the darling of security specialists, primarily because, from a user perspective, they work very simply. To get started, simply connect the U2F token to your device and register it in a compatible service. The whole process takes just a couple of clicks.
It is not an exact comparison, but you can think of a 2FA app and a YubiKey as being like non-custodial wallet software (Bitcoin Core, Electrum) and hardware wallets.

Buy at Yubico's store
Using your Yubikey with authenticator codes (from Yubico.com)
How to use a Yubikey (from wired.com)
2FA HW security keys, Yubikey&such



Sources:
Aegis Authenticator, a decent alternative to Google Authenticator and Authy
Traditional Authentication, 2FA and 2SV
[TUTORIAL] Generate 2FA with Keepass (instead of Authenticator App)
2FA practical guide and 2FA notification trap (from Kaspersky.com)
5 different two-step authentication methods to secure your online accounts and What is two-factor authentication and should I be using it (from howtogeek.com)
https://authy.com/what-is-2fa/
https://techlog360.com/two-factor-authentication-2fa/
Good topics on security and privacy
https://bitcasino.io/blog/cryptocurrency/what-is-2fa-and-why-is-it-so-important-



Updates

https://twofactorauth.org/

https://twofactorauth.org/ that listed plenty of entities (including cryptocurrency) which implemented 2FA and separated them throughout realms like Banking, Betting, Finance, Email etc, 32 titles in all. Those realms can even be filtered by Regions. It can be run nay locally https://github.com/2factorauth/twofactorauth


Charles-Tim
June 26, 2020, 06:17:48 PM
Last edit: June 28, 2020, 08:39:39 AM by Charles-Tim
 #2

Some people screenshot the 2FA backup QR codes, including the backup words and characters; some also store the backup in their phone's notes. This is a poor and non-recommended way to back up 2FA. Instead, you should print it on paper, laminate it and put it in a place safe from damage and intruders (hackers).

We also need to be careful of hackers. Any device on which our wallets or our 2FA apps are installed needs to be kept safe from malware. A trojan horse is able to reveal the 2FA code, and there is also malware such as rootkits that can reveal detailed information stored on your device; in this way, it can steal the 2FA backup screenshot.

Make sure your device is free from malware, and do a paper-printed 2FA backup.

There is also one I would like you to include: andOTP 2-factor authenticator. It is also good and open source.


Bitcoin_Arena
June 26, 2020, 11:07:35 PM
Merited by vapourminer (1)
 #3

Another very important point is that the authentication software or authentication should be entirely on a separate device from the one you use to log into your accounts or apps. Keeping the authentication software on the same device you use to log into your accounts kills the purpose of authentication.
For example, if you usually use your computer to log into your accounts, your authentication software/app should be on a separate device like your tab or mobile phone that you don't use for logging into your accounts.

GreatArkansas
June 27, 2020, 02:53:47 AM
 #4

For the first time, I tried to use two-factor authentication (2FA). I tried Google 2FA on my Android phone, and after a few months I switched to Authy, since with Authy you can input your email address or phone number there.
Does anyone have an idea which of these two is better? Or the difference between them? Google 2FA and Authy. I still haven't explored Authy 2FA much.

OcTradism (OP)
June 27, 2020, 03:48:47 AM
Merited by vapourminer (1)
 #5

For the first time, I tried to use two-factor authentication (2FA). I tried Google 2FA on my Android phone, and after a few months I switched to Authy, since with Authy you can input your email address or phone number there.
Does anyone have an idea which of these two is better? Or the difference between them? Google 2FA and Authy. I still haven't explored Authy 2FA much.
I am not sure about the difference, but I saw mk4 comment in this post, and I think he makes a point that storing private things yourself is better. It is not only about 2FA backups but generally also about synchronisation over devices. I don't want to synchronise everything I do over devices. If one of my devices is compromised, my data will be leaked. That's not good.
Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, through an encrypted flashdrive and such, then try out Aegis.

smyslov
June 27, 2020, 07:00:32 AM
 #6

For the first time, I tried to use two-factor authentication (2FA). I tried Google 2FA on my Android phone, and after a few months I switched to Authy, since with Authy you can input your email address or phone number there.
Does anyone have an idea which of these two is better? Or the difference between them? Google 2FA and Authy. I still haven't explored Authy 2FA much.

It's highly recommended that you put the safest, proven authentication on your emails and wallets. It's part of your education to understand how hackers attack and what the vulnerable points are in your online ventures. Always get updates about security and the tools you are using, and you are good to go and can sleep soundly.
OcTradism (OP)
June 27, 2020, 08:30:41 AM
 #7

QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.

minairia3
June 27, 2020, 10:06:29 AM
 #8

QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.
I'm using it as a backup for some of my crypto asset wallets. How can you say the QR code likely has more potential than the character type? When you use it for a transaction, the confirmation would simply be guaranteed, unlike characters, for which you will use a copy-paste method where malware changes the address when you paste it.

I would be interested if you can expound the reason for this.



jademaxsuy
June 27, 2020, 10:31:20 AM
 #9

QR code backup is bad. Indeed, you should use secret code (in characters) for your backup, instead of QR code.
It is true. I never ever use a QR code when storing 2FA secret codes. I'd rather use the code itself and write it on paper, for example, or store it on a flash drive; then you can keep it safe from leaking. It seems you are using Google Authenticator. Is it because you can sync your account from the current device to another device? In my opinion that is good, but it also has a disadvantage in that the company that created that platform may have access to your credentials, which is bad. I have been using Google Auth and Authy for 2 years.
OcTradism (OP)
June 27, 2020, 12:22:08 PM
 #10

Why ( Shocked real bewildered look on my face)? QR code is just a specific mapping of secret code expressed in characters. I can’t tell the difference between them when it’s a matter of choosing backup. But, at the same time, QR code ensures better data security when transferring across devices.
When the map is broken, you have nothing to recover your 2FA with, but with the secret key, if one of the characters is blurred or broken, you can still guess it from what is left of the broken character.
Remember that there are two layers of backup: backup codes, and the 2FA secret key (or bar code). I advise you to back up both of them, or if you choose only one to back up, it should be the 2FA secret key, not the bar code. With the secret key, it will be easier for you to guess if characters or figures are blurred a little bit, but with the bar code, there is almost nothing you can do. Of course, saving 2FA secret key backups as well as possible is a must.

I'm using it as a backup for some of my crypto asset wallets. How can you say the QR code likely has more potential than the character type? When you use it for a transaction, the confirmation would simply be guaranteed, unlike characters, for which you will use a copy-paste method where malware changes the address when you paste it.
These are different things here: backup and transaction. What I meant is backup, not transactions. For transactions, you should check the first and last few characters. Check a few in the middle or all the characters if you want to do so.
How to lose your Bitcoins with CTRL-C CTRL-V

Correct me if I am wrong (I could be wrong). Thanks.

Charles-Tim
June 27, 2020, 01:06:28 PM
Last edit: June 28, 2020, 08:43:18 AM by Charles-Tim
 #11

It is true. I never ever use a QR code when storing 2FA secret codes. I'd rather use the code itself and write it on paper, for example, or store it on a flash drive; then you can keep it safe from leaking. It seems you are using Google Authenticator. Is it because you can sync your account from the current device to another device? In my opinion that is good, but it also has a disadvantage in that the company that created that platform may have access to your credentials, which is bad. I have been using Google Auth and Authy for 2 years.
You still do not give a valid reason why a QR code is not good for 2FA backup.

or store it on a flash drive; then you can keep it safe from leaking
This method is not good enough. You can write it down on paper like you once said, and you can laminate it for more safety.

When the map is broken, you have nothing to recover your 2FA with, but with the secret key, if one of the characters is blurred or broken, you can still guess it from what is left of the broken character.
When backing up the QR code, the secret code is included.

o_e_l_e_o
June 27, 2020, 01:39:10 PM
Merited by vapourminer (2)
 #12

Google Authenticator: Android, iOS
Duo Mobile: Android, iOS
Microsoft Authenticator: Android, iOS
Free OTP: Android, iOS
Authy: Android, iOS, Windows, macOS, Chrome
Yandex.key: Android, iOS
Aegis: Android
Most of these are not open source and do not allow proper encrypted backups. Google Authenticator in particular is awful in that regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis or AndOTP
iOS - Tofu or Authenticator

authy makes backup easier, it has a secure cloud for the backup
Cloud storage is frequently hacked, and should not be used for sensitive data or backups. A better option is to use one of the apps I listed to make an encrypted backup locally.
libert19
June 27, 2020, 01:41:19 PM
 #13

I relate to type 3 (being too lazy lmao). Anyway, I used to use Google Authenticator, but the access to codes on app open, no encryption and the hassle of backup made me switch to Aegis. It's much better.

o_e_l_e_o
June 27, 2020, 02:29:00 PM
 #14

Google Authentication is basically good there's no problem here
Except it isn't open source and it doesn't allow you to make secure, encrypted backups. Not to mention it's owned and operated by Google, the worst company on the planet when it comes to respecting users' privacy.

Choose one of the free and open source alternatives I listed above.
Luzin
June 28, 2020, 06:48:59 AM
Merited by vapourminer (1)
 #15

The first type is less secure and riskier because there are SIM swapping attacks (for SMS, voice code) and if you rely on email, your account will be compromised if hackers have access to your email.
Some exchanges combine email and 2FA. In my experience, when logging in to Bittrex or Indodax I have to confirm the email and after that enter the 2FA code. It makes it longer, but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately, this is done when the IP address changes; if every login had to be confirmed by email and 2FA, I think that would be good.

OcTradism (OP)
June 28, 2020, 06:52:41 AM
 #16

Some exchanges combine email and 2FA. In my experience, when logging in to Bittrex or Indodax I have to confirm the email and after that enter the 2FA code. It makes it longer, but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately, this is done when the IP address changes; if every login had to be confirmed by email and 2FA, I think that would be good.
It will be required if you log in to your account on a new device or with a new IP address. Logging in on the same device and same IP address doesn't force you to confirm the login activity by email confirmation.

Binance has a similar requirement too.

o_e_l_e_o
June 30, 2020, 09:55:02 AM
 #17

If someone is scared of Google then Authentication can be installed on the old smartphone and used when radio-module is deactivated.
True, but I still think it's a better option to just avoid Google products altogether. Further, if you use a device with no connectivity, you will have to manually make sure the clock is accurate, as any drift from the real time can result in incorrect codes being generated.

The data it holds  can be sealed by biometrics
Biometrics are one of the least secure forms of protecting data, with many fingerprint and facial scanners being fairly easy to fool or bypass. Better to secure your 2FA with a strong password.
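
The points raised in this thread about TOTP backups and clock drift can be checked directly. The following is an added example, not code from any poster or from the apps named: it implements RFC 6238 TOTP with the Python standard library, shows that the enrolment QR code (an otpauth:// URI) and the written-down secret key are the same secret, and shows how a slow clock on an offline device leads to rejected codes. The secret is the public RFC 6238 test key; the URI, account name and the one-step acceptance window are assumptions made for illustration.

```python
"""Added example: RFC 6238 TOTP, QR (otpauth URI) vs. typed secret, and clock drift."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample data. The secret is the public RFC 6238 test key
# ("12345678901234567890" in Base32); account and issuer are made up.
DEMO_URI = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
TYPED_BACKUP = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # as copied from paper


def normalize_secret(text):
    """Clean a hand-typed Base32 secret: drop spaces and dashes, uppercase, re-pad."""
    s = "".join(text.split()).replace("-", "").upper().rstrip("=")
    return s + "=" * (-len(s) % 8)


def secret_from_otpauth(uri):
    """Return the Base32 secret carried by the otpauth:// URI inside an enrolment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI has no secret parameter")
    return normalize_secret(values[0])


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(normalize_secret(secret_b32))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def backup_matches(qr_uri, typed_backup):
    """True if the written-down secret decodes to the same key as the QR code's secret."""
    try:
        typed_key = base64.b32decode(normalize_secret(typed_backup))
    except ValueError:        # binascii.Error: character outside A-Z / 2-7, or bad length
        return False
    return hmac.compare_digest(typed_key, base64.b32decode(secret_from_otpauth(qr_uri)))


def verify(secret_b32, code, server_time, window=1, step=30):
    """Server-side check: accept the current step and `window` steps either side."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC 6238 test vectors
    print("code from QR secret:   ", totp(secret_from_otpauth(DEMO_URI), now))
    print("code from typed backup:", totp(TYPED_BACKUP, now))
    print("backup matches QR:     ", backup_matches(DEMO_URI, TYPED_BACKUP))
    print("one misread character: ", backup_matches(DEMO_URI, TYPED_BACKUP[:-1] + "r"))
    for lag in (0, 40, 90):   # seconds the offline device's clock runs behind
        ok = verify(TYPED_BACKUP, totp(TYPED_BACKUP, now - lag), now)
        print(f"device {lag:>2}s slow -> accepted: {ok}")
```

A single misread character in the written secret still decodes to a valid key, so only a comparison like this (or a successful test login) tells a good backup from a bad one.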
Lordhermes
June 30, 2020, 03:05:38 PM
 #18

I find it easy to use 2FA because it's not stressful and is easily understandable. The email and phone number security methods are somehow open to hackers, and many users have fallen victim to such attacks. I can remember when unknown users sent withdrawal requests to my email due to the fact that I hadn't set an authentication method.
Luzin
June 30, 2020, 03:37:32 PM
 #19

, with many fingerprint and facial scanners being fairly easy to fool or bypass. Better to secure your 2FA with a strong password.
How can that be? Many articles discuss biometrics as the authentication of the future. Code theft will be difficult, although this can happen.

chinedu4210
June 30, 2020, 06:08:25 PM
 #20

I highly recommend Google authentication for your encryption; you have total control of your account without intruders gaining access to your account.
The QR code backup can be compromised and your data forever lost.