Bitcoin Forum
Pages: « 1 [2]  All
Author Topic: Authentication: Types, Risks/ Attacks, Advice  (Read 958 times)
o_e_l_e_o
June 30, 2020, 07:06:42 PM  #21

Quote
How can that be? Many articles discuss biometrics as the authentication of the future. Code theft will be difficult, although it can happen.
There are multiple problems with biometrics.

First, how easy they are to break. You leave your fingerprints on everything that you touch, including the very device you are using biometrics to unlock. An attacker can print a 3D model of your finger good enough to fool the most advanced fingerprint readers in a matter of minutes. Have a look at this: https://imgur.com/gallery/8aGqsSu. Face scanning on many phones can be beaten with a simple photo, like one of the ones most people have posted all over the internet and their social media accounts.

Second, if you are in the US (and some other jurisdictions - check your own), law enforcement can force you to unlock a device using your fingerprint or face. They cannot force you to hand over your passwords.

Third, biometrics can never be changed if they are hacked or compromised like a password can.

There is a reason that phones require you to enter your PIN or password after you reboot them before you can use your biometrics again. Biometrics are not secure.
Luzin
July 01, 2020, 02:53:25 PM  #22

Quote
First, how easy they are to break. You leave your fingerprints on everything that you touch, including the very device you are using biometrics to unlock. An attacker can print a 3D model of your finger good enough to fool the most advanced fingerprint readers in a matter of minutes.
Yes, you are right, you can get fingerprints from there. But I think this is also difficult, like in Hollywood movies. This requires direct objects, so it is difficult to get fingerprints online, except by hacking the database storage for authentication files.

Quote
Second, if you are in the US (and some other jurisdictions - check your own), law enforcement can force you to unlock a device using your fingerprint or face. They cannot force you to hand over your passwords.
I think this coercion is carried out by law as a result of illegal actions; other passwords can also be unlocked if forced by law and the owner gives it.

Sorry, this is just my opinion. Correct me if I'm wrong.

o_e_l_e_o
July 09, 2020, 02:40:21 PM
Merited by vapourminer (1)
 #23

Quote
This requires direct objects, so it is difficult to get fingerprints online, except for hacking database storage for authentication files.
Sure, but hardly anyone is using a fingerprint scanner directly connected to their home computer to unlock an account on an online website. Almost everyone is using a fingerprint scanner to unlock their phone which contains their 2FA app. If someone steals your phone then they can reconstruct your fingerprint from the fingerprints you have left on the phone itself and then use that to unlock it. Fingerprint scanners on phones are only one step above writing your PIN on a sticky note and attaching it to your bank card. Use passwords.

Quote
if forced to be recognized by law and the owner gives it.
"And the owner gives it" is the crucial point here. Law enforcement can physically restrain you and use your fingerprint or face to unlock your phone. They can't do that with passwords.
tvplus006
July 13, 2020, 08:43:57 PM  #24

Quote
I find it easy to use 2FA because it's not stressful and easily understandable; the email and phone number security methods are somehow open to hackers, and many users have fallen victim to such attacks. I can remember when unknown users sent withdrawal requests to my email because I hadn't set up an authentication method.

2FA and an email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to 2FA but also to your e-mail, which will help them get full control of your account.

jerry0
October 06, 2020, 04:27:40 PM  #25

Which two factor is the best?  Google authenticator or just Authy?
OcTradism (OP)
October 06, 2020, 04:35:18 PM  #26

Quote
Which two factor is the best?  Google authenticator or just Authy?
Try to use better apps, which should be open-source.

Most of these are not open source and do not allow proper encrypted backups. Google Authenticator in particular is awful in this regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis or AndOTP
iOS - Tofu or Authenticator

cryptowhitewalker
October 26, 2020, 03:53:27 PM  #27

This is resourceful advice, OP; I can't emphasize enough how much you will be appreciated by many for clearing this up. 2FA is always a better solution than any other digital authentication alternative out there. SMS has its risks, as does biometrics.
masulum
October 30, 2020, 12:34:21 PM  #28

Quote
2FA and email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to 2FA, but also to your E-mail, that will help them get full control of your account.

I have also thought about this a few times before, and I don't have any better option than my current way. So basically I'm using ESET Mobile Security (not promoting them/affiliated with them, just sharing my way), which allows me to lock my phone in case it is lost by pairing it with another phone number. The command is also easy: just send an SMS from the paired number to the number of the lost phone.

I don't know how safe using this third party is, but at least I can lock my phone from another device easily without internet. And using this service I can lock important applications such as 2FA. (DWYOR & DYOR)


About using open source 2FA: unfortunately, most services currently use Google 2FA, even though there are no more updates for this service. How can we choose another 2FA if the site is still using Google 2FA? Maybe someone can give more explanation about this, since a lot of people say Google 2FA is not safe etc., but exchanges still prefer to use this service. How can we (as users) move to open source?

o_e_l_e_o
October 31, 2020, 10:18:55 AM
Merited by vapourminer (1)
 #29

Quote
About using open source 2FA: unfortunately, most services currently use Google 2FA, even though there are no more updates for this service. How can we choose another 2FA if the site is still using Google 2FA? Maybe someone can give more explanation about this, since a lot of people say Google 2FA is not safe etc., but exchanges still prefer to use this service. How can we (as users) move to open source?
There is nothing special about Google 2FA. Any 2FA app should work.

Very simply, when you set up 2FA, the site displays for you a shared secret. This is usually in the form of a QR code, but sometimes it is a string of characters. Ideally sites will show you both - a QR code you can scan with your app and a string of characters you can write down as a back up. When you need to enter the 2FA code in the future, your app will combine that shared secret with the current time (floored to the nearest 30 seconds), hash it, and use part of the result to generate your 6 digit 2FA code. The website will do the same thing, and check that what you have entered matches what they have calculated.

The process for combining the secret with the time and hashing it is standardized, and all 2FA apps and websites do it the same way. (There is more info here if you are interested: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm). Given that, although the website says Google 2FA, any good open source 2FA app should work. See my post on the previous page of this thread for some good open source 2FA apps.
masulum
October 31, 2020, 12:29:34 PM  #30

Thank you for your explanation of how it works, but the main issue is not how it works, but how we can use open source 2FA if most services currently only have Google 2FA. So far, on the services I use I see no other 2FA options except SMS/email verification.

OcTradism (OP)
October 31, 2020, 02:08:04 PM  #31

Quote
Ideally sites will show you both - a QR code you can scan with your app and a string of characters you can write down as a back up.
To back up 2FA for recovery or installation on other devices, I'd prefer to choose the second method: write it down on paper or save it in a password manager like https://keepass.info/ or https://bitwarden.com/

Quote
When you need to enter the 2FA code in the future, your app will combine that shared secret with the current time (floored to the nearest 30 seconds), hash it, and use part of the result to generate your 6 digit 2FA code. The website will do the same thing, and check that what you have entered matches what they have calculated.
I had trouble with the timer on my device a few times. 2FA worked smoothly, but suddenly one day it was broken. Every time I entered the 2FA code to log in to my account, it failed. I had to check and correct the timer on my devices to make 2FA work again. I don't know why the timer broke like that. Could you explain it, please?

o_e_l_e_o
October 31, 2020, 03:05:50 PM
Merited by masulum (1), OcTradism (1)
 #32

Quote
if most services currently only have Google 2FA. So far, on the services I use I see no other 2FA options except SMS/email verification.
I'm not entirely sure what you mean here, perhaps because I do not use any Google products so I'm not aware of what their 2FA options are. If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

If the service only offers SMS or email verification for 2FA, then you obviously can't use an app - you can only use what the site offers. Both of these are not great choices, but you can make it slightly better by using a different email address with a different password to the one you use to log in to the account, or by using a burner phone with a number you do not use for anything else and which you never use to access the services in question.

Quote
write it down on paper or save it in a password manager like https://keepass.info/ or https://bitwarden.com/
The issue with that is if you store the password to the service in question in the same password manager. If someone can access both your password and your 2FA by compromising a single source - in this case, your password manager - then your 2FA isn't really a second factor at all, it is both factors rolled in to one.

Quote
I had to check and correct the timer on my devices to make 2FA work again. I don't know why the timer broke like that. Could you explain it, please?
I can't explain the specifics, but the way that most 2FA apps work is to take the current time, round it down to the nearest 30 seconds, and use that along with the shared secret to generate a code. Therefore, the code will change every 30 seconds as the time updates every 30 seconds. If the clock on your device and the clock on the service are out of sync with each other by 30 seconds, then the code you generate will always be different to the code the service is generating, and so they will never match until you resync your timer.
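Worked example of the TOTP process described in #29 and of the clock-skew failure described in the post above. This is an added example for this thread, not code from any poster, and it uses only the Python standard library. The base32 secret is the RFC 6238 reference test secret (a real site shows its own), the timestamps are constructed for the demonstration, and the one-step tolerance window plus the `last_used` replay check in `verify` are how a careful server side is commonly written, which is an assumption about the sites discussed rather than something the thread states.

```python
"""RFC 6238 TOTP: generate a code from the shared secret and verify it
on the site side with a small clock-skew window.

Added example for this thread (not code from any post). The base32 secret
is the RFC 6238 reference test secret; the timestamps are constructed."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step: the "floored to the nearest 30 seconds"
DIGITS = 6

# RFC 6238 test secret ("12345678901234567890" in base32). A real site shows
# its own secret, usually as a QR code and/or a string like this one.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Base32 secret as displayed by a site; tolerate spaces, lowercase and
    the '=' padding that most sites strip from what they show you."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """The app side: floor the time to a step and run HOTP on that counter."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1,
           last_used=None):
    """The site side (assumed design). Accepts the code for the current step
    and `window` steps either side, absorbing small drift and typing delay.
    Returns the matching counter, which the caller should store so the same
    code is never accepted twice, or None when nothing matches."""
    now = unix_time // STEP
    for counter in range(now - window, now + window + 1):
        if last_used is not None and counter <= last_used:
            continue  # already consumed: reject replay of an old code
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def demo_clock_skew() -> dict:
    """A phone whose clock is 30 s slow sits in the previous time step, so
    its code never equals the one the site computes 'right now'."""
    secret = decode_secret(TEST_SECRET_B32)
    phone_time = 1111111109          # constructed timestamp
    site_time = phone_time + 30      # site clock is right, phone is behind
    code = totp(secret, phone_time)
    return {
        "phone_code": code,
        "site_code": totp(secret, site_time),
        "strict": verify(secret, code, site_time, window=0),
        "tolerant": verify(secret, code, site_time, window=1),
    }


if __name__ == "__main__":
    print("current code:", totp(decode_secret(TEST_SECRET_B32), int(time.time())))
    print(demo_clock_skew())
```

`demo_clock_skew()` shows the failure OcTradism hit: with the phone 30 seconds behind, the phone and the site land in adjacent 30-second steps and compute different codes, so a strict check rejects every attempt, while a site that tolerates one step either side still accepts it. Drift beyond that window, or a site with no window at all, fails until the device clock is corrected, which is why the fix was to resync the time. Note also that since the app only ever needs the secret and the time, any app implementing this algorithm works wherever a site says "Google Authenticator".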
masulum
November 01, 2020, 12:11:30 AM
Merited by o_e_l_e_o (2)
 #33

Quote
If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

I understand now; the point is that we can scan Google 2FA barcodes with other applications that run 2FA. So far, I thought that if the service's only choice was Google 2FA, then we could only use Google 2FA. From your explanation, I tried to scan the 2FA key (on the service that mentioned Google 2FA) using Aegis on my phone and it worked. I only understood this today, and I was wrong all this time thinking that Google's 2FA can only be used with Google's app. Thank you very much for this knowledge.

xenon131
November 16, 2020, 04:17:50 PM
Last edit: March 07, 2024, 09:04:28 PM by xenon131
Merited by o_e_l_e_o (2)
 #34




OcTradism (OP)
November 30, 2020, 06:11:11 AM  #35

Quote
Hi, could you add to the OP this resource, https://twofactorauth.org/, which lists plenty of entities (including cryptocurrency) that have implemented 2FA and separates them into realms like Banking, Betting, Finance, Email etc., 32 titles in all. Those realms can even be filtered by region. It can also be run locally: https://github.com/2factorauth/twofactorauth
It is a new website and helpful for authentication on our devices. I would not have known about it if you had not told me.

For newbies who use exchanges, merchants and marketplaces, setting up your 2-factor authenticator is important to protect your account and money and prevent potential hacks. SMS codes should not be used after your account registration and email verification, or if you decide to activate 2FA for your account. Choose a good 2FA app and back up the code for recovery.
