Topic: Using 2FA to guard against Bitcoin theft. Do you back up your 2FA codes?
Jerfer (OP)
July 21, 2014, 03:20:57 AM
 #1

I use 2FA whenever I can and sometimes fear I'm relying too much on it. For example, I don't really care too much about my password being found out since it's not going to get a person access without the secondary auth, so I use fairly easy passwords for the sites that have 2FA and stronger passwords for those without. But there is a way in with just the password: through the use of my own devices in some way, either through hacking in or through interception of an sms. Still, it would be tough to do, so I can't help myself to not worry about it.

What I worry most about is losing the device itself or losing the data on it that allows 2FA to work in the first place. My phone. I have 17 accounts in Google Authenticator so if I lost those I'd be so screwed. If I lost them, I wouldn't have access to any of the accounts anymore without the serious headache of trying to get access to them again. I never realized this until I decided to upgrade to Android L on my Nexus 5, my only phone.

I didn't realize how hard it was to back up the Authenticator codes until I tried to do it. There's no way to back them up after closing out the page with the secret Authenticator code and QR barcode. You have to write that code down or store it somewhere, or be rooted and extract the Authenticator database. By the way, those secret codes are stored in plaintext so if you're rooted and install a rogue program - good luck.

I came across a Straight Talk phone at Walmart called the Optimus Fuel for $29 with Android 4.4 and a dual-core processor. I thought, this would be perfect as an offline device for storing Authenticator codes, but also for taking pictures of other important information such as backup login codes and Bitcoin Armory paper backups. Obviously, airplane mode would be activated as soon as it's turned on for the first time, followed by encrypting the phone itself. So the idea is every time I added an account to Authenticator, I'd use the backup phone's camera to securely and easily back up the 2FA information.

After playing with the phone for several days, it's actually a really great phone for the price, so I decided to just use it as an audio streamer and portable speaker. Today I bought a second one, that I'll be keeping totally offline and do just as I described above to store sensitive information on.

So am I stupid for doing this or is it a good idea? How do you back up your 2FA codes? I haven't opened the second one yet.

scryptasicminer
July 21, 2014, 03:29:20 AM
 #2

2FA only protects your account. The risk of theft usually comes from exchange/wallet service or outright scam from these owners.

ivonna
July 21, 2014, 03:29:32 AM
 #3

I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.

IMO a 2FA device should supplement your password not replace it  

Jerfer (OP)
July 21, 2014, 03:50:13 AM
 #4

Quote from: scryptasicminer
> 2FA only protects your account. The risk of theft usually comes from exchange/wallet service or outright scam from these owners.

Very true and there's not much we can do about that except to not have it all on one exchange but multiple to spread risk. For day traders I mean. There's a good amount of exchanges to do this these days.

Jerfer (OP)
July 21, 2014, 03:56:17 AM
Last edit: July 21, 2014, 04:15:19 AM by Jerfer
 #5

Quote from: ivonna
> I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.
>
> IMO a 2FA device should supplement your password not replace it

The phone I'd do this on would get airplane mode enabled when it's first turned on, then the phone itself would be encrypted with a strong password. I don't know if you're familiar with Android's phone encryption, but you have to enter a password just to decrypt the phone itself before getting to the lock-screen, where you'd have to enter another combination. That'd be pretty hard to get past.

I agree with 2FA being a supplement and not a replacement.

Cicero2.0
July 21, 2014, 04:08:36 AM
 #6

That is a pretty cool idea. I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure but it makes me a bit nervous to think about. I keep very little bitcoin online, but I do use 2FA to withdraw my purchases from Coinbase etc.

Rum152
July 21, 2014, 05:53:15 AM
 #7

Quote from: Jerfer
> Quote from: ivonna
> > I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.
> >
> > IMO a 2FA device should supplement your password not replace it
>
> The phone I'd do this on would get airplane mode enabled when it's first turned on, then the phone itself would be encrypted with a strong password. I don't know if you're familiar with Android's phone encryption, but you have to enter a password just to decrypt the phone itself before getting to the lock-screen, where you'd have to enter another combination. That'd be pretty hard to get past.
>
> I agree with 2FA being a supplement and not a replacement.

It would still be possible to steal your phone when you have it in your hand and unlocked. Or you could let someone borrow it to make a phone call and they steal it from you. Or they simply watch you put in your password when you unlock it.

LocalBTC
July 21, 2014, 06:31:59 AM
 #8

Quote from: Rum152
> Quote from: Jerfer
> > Quote from: ivonna
> > > I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.
> > >
> > > IMO a 2FA device should supplement your password not replace it
> >
> > The phone I'd do this on would get airplane mode enabled when it's first turned on, then the phone itself would be encrypted with a strong password. I don't know if you're familiar with Android's phone encryption, but you have to enter a password just to decrypt the phone itself before getting to the lock-screen, where you'd have to enter another combination. That'd be pretty hard to get past.
> >
> > I agree with 2FA being a supplement and not a replacement.
>
> It would still be possible to steal your phone when you have it in your hand and unlocked. Or you could let someone borrow it to make a phone call and they steal it from you. Or they simply watch you put in your password when you unlock it.

Yes.. But really how likely of a scenario is this / what can be done about it? And for the second two scenarios you mentioned, it's as easy as not letting someone borrow it for a phone call and not letting someone easily watch over your shoulder as you put your password in.

I think it's a good idea. There may be vulnerabilities, there usually are, I guess it's all about acceptable risk.

The00Dustin
July 21, 2014, 10:12:50 AM
 #9

Quote from: Cicero2.0
> I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure.

I'd think twice about keeping it backed up in iTunes in case this is true on Apple devices, too:

Quote from: Jerfer
> By the way, those secret codes are stored in plaintext so if you're rooted and install a rogue program - good luck.

NiceSoft12
July 21, 2014, 11:24:44 AM
 #10

My question is, say someone keylogged the smartphone (is this even possible?) you use to log in to an exchange. Is there malware they may use to also get the code from the Google Authenticator that is also on the phone?

DjPxH
July 21, 2014, 11:32:06 AM
 #11

Quote from: Cicero2.0
> That is a pretty cool idea. I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure but it makes me a bit nervous to think about. I keep very little bitcoin online, but I do use 2FA to withdraw my purchases from Coinbase etc.

Are you aware that 2FA codes aren't stored in iTunes backups unless they're set to be encrypted? The 2FA information is stored in the iOS keychain, which isn't stored in unencrypted backups for obvious reasons. So you should either encrypt your backups (checkbox in iTunes) or write your codes down!

The00Dustin
July 21, 2014, 12:03:14 PM
 #12

Quote from: NiceSoft12
> My question is, say someone keylogged the smartphone (is this even possible?) you use to log in to an exchange. Is there malware they may use to also get the code from the Google Authenticator that is also on the phone?

There is nothing technical to prevent malware from capturing clipboard contents or screenshots on computers or mobile phones.  Whether or not such malware exists is always up for debate considering that the best malware can go undetected for long periods of time.  Regarding the second question, it would depend on how Google authenticator works.  For instance, if it uses direct communication over an encrypted channel and a deterministic rolling code, then perhaps there is no malware that can take advantage of that without Google's encryption first being hacked (for instance, by way of a stolen SSL certificate).  On the other hand, based on this:

Quote from: Jerfer
> By the way, those secret codes are stored in plaintext so if you're rooted and install a rogue program - good luck.

I'd say malware that could get the GA codes on a rooted phone could certainly exist (assuming that quote is accurate).  Malware that could get it on a factory phone may exist as well if there are any flaws that allow apps to access data that is supposed to be secured to other apps.

Ron~Popeil
July 21, 2014, 04:15:11 PM
 #13

Quote from: DjPxH
> Quote from: Cicero2.0
> > That is a pretty cool idea. I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure but it makes me a bit nervous to think about. I keep very little bitcoin online, but I do use 2FA to withdraw my purchases from Coinbase etc.
>
> Are you aware that 2FA codes aren't stored in iTunes backups unless they're set to be encrypted? The 2FA information is stored in the iOS keychain, which isn't stored in unencrypted backups for obvious reasons. So you should either encrypt your backups (checkbox in iTunes) or write your codes down!

I use an iPhone myself and wasn't aware of that. Thanks for the helpful tip. I am doing an encrypted backup right now.

Baitty
July 21, 2014, 04:26:38 PM
 #14

If you do use 2 factor auth then you should back up your codes no matter what, otherwise the app or whatever you are using could be wiped etc. and you will not be able to access the account again. 2 factor is really helpful but can be a right pain too.

TheGame
July 21, 2014, 04:28:26 PM
 #15

I don't think I need to write any codes down with text 2-factor. If I lose my phone I can get access back to my old number pretty quickly.

Harley997
July 22, 2014, 12:04:46 AM
 #16

Quote from: NiceSoft12
> My question is, say someone keylogged the smartphone (is this even possible?) you use to log in to an exchange. Is there malware they may use to also get the code from the Google Authenticator that is also on the phone?

Generally speaking it is not possible to install a keylogger on an iPhone as it is sandboxed. Androids on the other hand, in theory could be keylogged.

I think the question that you should really be asking is: can a phone automatically capture and send screenshots to an attacker, as 2FA displays a "password" to a user who inputs the "password" on the site they are trying to log into?

DjPxH
July 22, 2014, 10:08:18 AM
 #17

Quote from: TheGame
> I don't think I need to write any codes down with text 2-factor. If I lose my phone I can get access back to my old number pretty quickly.

We're talking about the Google authenticator, which is an app that creates a new 2FA code every 30 seconds (synced to universal time). You need that code to log into some service. If you lose the secret code needed for Google authenticator to generate those 2FA codes, you're screwed. You can't restore them unless you ask all your services to disable 2FA for you, which is a pain.

Cryptopher
July 22, 2014, 10:13:45 AM
 #18

I need to take a backup of some of my 2FA setups. I have become so reliant on it and yet I have only backed up a couple. Losing your device would be a nightmare.

Some people opt for text codes which is particularly useful if you lose your device - you can simply have your number changed over, or remove your SIM card from your phone if it broke.

Has anybody sent their device with Google authenticator (or similar) for repair? What steps did you take to protect yourself?

BigBoy89
July 22, 2014, 10:24:49 AM
 #19

Yes, I always back up my 2FA QR by taking a screenshot of it :P
because I usually try new ROMs on my phone, sometimes bad things happen and I can't access my phone :(
I recommend you back up when you set a new 2FA

DjPxH
July 22, 2014, 01:01:12 PM
 #20

Quote from: BigBoy89
> Yes, I always back up my 2FA QR by taking a screenshot of it :P
> because I usually try new ROMs on my phone, sometimes bad things happen and I can't access my phone :(
> I recommend you back up when you set a new 2FA

So you use custom/rooted software to run your phone and keep screenshots of 2FA codes? That basically calls for an accident to happen!
