To Electrum 2FA wallet users and other bitcoin 2FA wallet users

[_act_]

Google is making security to become the thing of the past.

This topic was moved to off-topic and no replies and it was left alone because off-topic board is seen as trash board. I do not want to move the topic back to beginners and help because moderator moved it to off-topic.

It is about bitcoin users that are using google 2FA app. If you update to this recent update, your 2FA will synchronized with google cloud and your 2FA codes are no more offline.

We can see how many bitcoin users and other crypto users have lost their money through Google Cloud and  iCloud, what is online is not secure like offline.

This is about letting other people that do not want online 2FA to know.

I will lock the old topic. If this topic is moved to off-topic again, I have nothing else to do. I hope you have all seen it.

[1714543052]

1714543052

[1714543052]

1714543052

[1714543052]

1714543052

[1714543052]

1714543052

[dzungmobile]

It is about bitcoin users that are using google 2FA app. If you update to this recent update, your 2FA will synchronized with google cloud and your 2FA codes are no more offline.

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

Example is Electrum wallet which provides 2FA feature but it is from Trustedcoin, not from Google. Electrum 2FA.

Electrum offers two-factor authenticated wallets, with a remote server acting to co-sign transactions, adding another level of security in the event of your computer being compromised.

The remote server in question is a service offered by TrustedCoin. Here is a guide on how it works.

2FA will cost you more fee for Trusted Coin which is unnecessary in my opinion. You can use either cold wallet or multi-sig wallet with Electrum without additional fee to a third party provider like Trustedcoin.

[Nwada001]

I noticed this on my Android phone. When I updated my Authenticator app, I received a notification of my account being recently imported. When I checked, it was my 2 marked accounts to 2 exchanges, which I shared weeks ago.

Noticing this, I have to move and change all my 2FAC on the connected device to the one on my iPhone, which has no email connected to it, just a few other apps. I guess it's safer there since I don't have any intention to connect any mail to it, and I barely use the device as well.

[o_e_l_e_o]

2FA is unnecessary on a wallet like Electrum. If you want the safety of multi-sig, then just set up your own multi-sig. It is safer and cheaper to do so, as well as giving you more redundancy in your back ups.

However, 2FA should be mandatory for any and all online accounts which use it. If you can, use a hardware key. If you can't, then use a good open source 2FA app such as Aegis for Android or Tofu for iOS. You should try to avoid any and all Google products under all circumstances - they are notorious for harvesting your data, they are generally closed source, poor security, and just love sending all your sensitive data to random servers around the world of "safe keeping". Google's 2FA app is no different. Avoid it.

[BitMaxz]

Google 2FA is just an extra security layer for securing the wallet if it requires syncing online and I think it won't be a problem if you can able to disable the cloud service to sync 2FA backups.

There is option called "Use without an account" where you can use the Google authenticator offline.

And this is not the only authenticator app that we can use.

[_act_]

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

This is what I am talking about, they should stop using google authenticator. Better ones like Aegis can be used.

2FA is unnecessary on a wallet like Electrum. If you want the safety of multi-sig, then just set up your own multi-sig. It is safer and cheaper to do so, as well as giving you more redundancy in your back ups.

I like it that you said this for people to know that cold wallet and multisig is better and nothing like third party. But I am just saying that people should know about the present app update of google, that it will synchronize 2FA code to google cloud. This is how I created it before, but it was moved to off-topic. I only just look for ways it will be on a board that more people will visit.

However, 2FA should be mandatory for any and all online accounts which use it. If you can, use a hardware key. If you can't, then use a good open source 2FA app such as Aegis for Android or Tofu for iOS. You should try to avoid any and all Google products under all circumstances - they are notorious for harvesting your data, they are generally closed source, poor security, and just love sending all your sensitive data to random servers around the world of "safe keeping". Google's 2FA app is no different. Avoid it.

This is what I want people to be aware of. Some people will save their username, password, 2FA code on google cloud, what then remain if such people's device are compromised.

2FA may be on another device, but if it synchronized with google and the email used is on the device that has been compromised, all the hacker needs is to download google 2FA app and get access to the OTPs.

[Aikidoka]

I noticed a few days ago that after updating my Google Authenticator, it began to synchronize with my Google cloud account, so it's no longer offline. I am considering deleting the app soon and switching to an open-source 2FA app, as o_e_l_e_o suggested. Honestly I was thinking about that a while ago but I didn't find the good alternative/or more likely I was making decision to which one should I try next.

Anyway, since most of the time I use an Apple device, I plan to try Tofu and link it to my accounts for an extra layer of security. It's an open source 2FA as well as it doesn't require being online, so you can use it on an airplane mode.

[Potato Chips]

I noticed a few days ago that after updating my Google Authenticator, it began to synchronize with my Google cloud account, so it's no longer offline. I am considering deleting the app soon and switching to an open-source 2FA app, as o_e_l_e_o suggested. Honestly I was thinking about that a while ago but I didn't find the good alternative/or more likely I was making decision to which one should I try next.

Sadly, once it has finished syncing, you're now sharing your secret keys with google and potentially to loads of people if a data breach happens.

"We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," reads a tweet from Mysk.

"As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

I would lean towards the safe side and regenerate another secret key for each account involved since I doubt your data will be deleted on their servers.

[hugeblack]

That's bad news, I have a lot of accounts and trading platforms that connect to the google 2FA app, why did they decide that? Or what is the wisdom of that, given that you can extract the private key and save it yourself, why do they need to keep it in a server or cloud.

If your wallet is linked in one way or another to Google, it is better to stop using it, if the reason is not security, then privacy will be the reason. Google has a bad record of handling user data.

[tranthidung]

they should stop using google authenticator. Better ones like Aegis can be used.

Correct! Aegis is an open source 2FA application.

• Aegis Authenticator, a decent alternative to Google Authenticator and Authy
• Website: https://getaegis.app/
• Github: https://github.com/beemdevelopment/Aegis

[BTCGalaxyA12]

Is all Bitcoin software wallet provide 2FA feature which is provided by Google? I doubt about it.

This is what I am talking about, they should stop using google authenticator. Better ones like Aegis can be used.

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me. Can it have a negative effect on me like this case?

[_act_]

I would lean towards the safe side and regenerate another secret key for each account involved since I doubt your data will be deleted on their servers.

It will be better for people to change their secret codes entirely just as you said. It is a good advice.

That's bad news, I have a lot of accounts and trading platforms that connect to the google 2FA app, why did they decide that? Or what is the wisdom of that, given that you can extract the private key and save it yourself, why do they need to keep it in a server or cloud.

You mean to extract the secret code? That is true. Also that on every site or wallet like Electrum, before you can use the OTP, the secret code would first be generated and you can do the manual backup.

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me. Can it have a negative effect on me like this case?

Let me tell you the negative effect.

Do you have chrome on your Android phone? Click on the dots at the upper right corner and click on settings. You will see password manager.

Assuming you have your 2FA on another device because you think it is safe like that. Some people that are using online accounts like custodial wallet, exchanges or anything that has to do with 2FA like Electrum 2FA wallet can be affected because what is called two factor authenticator is no more two factor authenticator if it is linked to the email on the phone. By just downloadimg the app on the device and use the email with it, you will see the OTPs generating. Some people can be very careless and synchronize their username, password and 2FA. What else do hackers need to hack successfully? Nothing. Those three are enough to steal from people.

Do not save your username, password and 2FA codes on Google cloud, it is very dangerous.

[dzungmobile]

If in case someone uses Electrum as a Bitcoin wallet on android and chooses the address Wallet with two-factor authentication, then he installs Electrum windows Portable version on the computer by choosing to enter the seed that was obtained when making it on android and entering the google authenticator code, say someone that's me.

If you use the same seed to import your two wallets: with 2FA and without 2FA, you will have a same wallet. Only the 2FA wallet will require 2FA code to sign your transaction. However, you won't lose your coins if you lose 2FA backup code or that device is broken, as said you can get a same wallet by importing from seed, without 2FA.

Can it have a negative effect on me like this case?

Nothing negatively, except that you will have to pay additional fee by using 2FA provided by Trustedcoin.

Why do you need Trustedcoin with paid fee when you can have your multi-sign wallet without such fee?

[o_e_l_e_o]

Nothing negatively, except that you will have to pay additional fee by using 2FA provided by Trustedcoin.

The negative effect here is that his 2FA code is now stored on dozens of Google servers around the world, with unknown physical and digital security, transferred there by unknown methods, and which an unknown number of people can access. By having access to his 2FA codes, these people by proxy now have access to one set of private keys for his multi-sig wallet.

I agree with your suggestion about why he needs TrustedCoin at all, though. In my opinion, if you want the safety of a 2FA wallet, then it is cheaper and more secure to run your own multi-sig rather than rely on a third party. But if he wants to keep using a 2FA wallet, then he should create a new one where the 2FA comes from an open source app which doesn't send his shared secrets across the internet to other people's computers for storage.

[Smack That Ace]

Google 2FA is just an extra security layer for securing the wallet if it requires syncing online and I think it won't be a problem if you can able to disable the cloud service to sync 2FA backups.

There is option called "Use without an account" where you can use the Google authenticator offline.

And this is not the only authenticator app that we can use.

I also just updated my 2FA app, they don't force us to link with a Gmail account and sync online, this is just an option, and we can still use it without a connection with Gmail. We can still use it normally without any problems.

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

[Crypt0Gore]

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this, and by the way who are those using 2fa for their Bitcoin wallet? I will never do such.

If your smartphone already have pin code and fingerprint lock then there is no need to activate the 2FA code on your Bitcoin wallet, unless you like giving people your phone to operate, which is stupid to do if you are a true Bitcoiner, I use Google 2FA for exchange trades only and I am satisfied with the cloud storage sync with Gmail account.

Many people still don't know that you can deactivate auto sync with Gmail under settings, Google isn't forcing anyone to sync with Gmail, a friend already go online to find the old Google 2FA update because he don't like the Gmail sync until I told him to deactive under settings.

[o_e_l_e_o]

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

If you don't like the latest Google 2fa update go to the settings and off linking to your google Gmail account, I've tested this and it works but I don't see anything bad with this

The fact remains that Google's 2FA app is closed source, difficult to actually back up locally, and since it is ran by Google will 100% be harvesting your data.

[Outhue]

I don't get it, maybe someone should enlighten me more? 2FA works on paid-for services so it's not present in the blockchain, it makes sense to see such on centralized exchanges, but it doesn't make sense for a crypto wallet to have 2FA unless the wallet is an online crypto wallet or centralized wallet like Freewallet.

I will think twice before using any crypto wallet that has 2FA security of them, they are always centralized wallets.

I do have a ledger wallet and some coins on it, this wallet won't let me send out coins without confirming the correct codes, very simple to use and set up, a hardware wallet is very satisfying and I am glad I listened to some advice on here.

[o_e_l_e_o]

I don't get it, maybe someone should enlighten me more? 2FA works on paid-for services so it's not present in the blockchain, it makes sense to see such on centralized exchanges, but it doesn't make sense for a crypto wallet to have 2FA unless the wallet is an online crypto wallet or centralized wallet like Freewallet.

Electrum offers a 2FA wallet. It is a 2-of-3 multi-sig wallet, where a third party known as TrustedCoin holds one of your private keys, your wallet contains one private key, and the third is recoverable from your seed phrase back up. When you want to make a transaction, you enter your 2FA code which TrustedCoin use to confirm you are the real owner of the wallet before co-signing your transaction.

A better solution as I explained above is to just set up your own multi-sig wallet and not rely on a third party at all.

[Smack That Ace]

By the way, I also wanted to ask if anyone has any suggestions for an open-source 2FA app for iOS, I saw o_e_l_e_o mentioning Tofu. I will try it, but I also want to experience a few other applications.

The only other one I am aware of is: https://github.com/raivo-otp/ios-application

Yesterday, I also spent the whole evening looking for an alternative to my 2FA app, and I also found this Raivo app. I see Raivo's developers being more active and constantly releasing updated versions to make the application more and more complete. Since I'm not tech-savvy, I spent some time watching people on Reddit review these 2 apps(tofu and raivo). In the end, I will follow the majority and choose Raivo to replace GG authenticator. Thank you for suggesting me.