What’s the Best Two-Factor Authentication Option?

  • Published 5 Mar 2021
  • ❓ The best two-factor authentication approach varies based on your needs, and what's offered by the service you're trying to use it with.
    Dedicated hardware devices are typically the most secure two-factor authentication alternative, but also possibly the least convenient. Google Authenticator and compatible apps are more commonly supported and more flexible. SMS and voice messaging, as well as email notifications, are all viable alternatives as well if Google Authenticator compatible two-factor isn’t offered. What’s most important is that you use two-factor authentication whenever you can.
    Updates, related links, and more discussion: askleo.com/23456
  • Science & Technology

COMMENTS • 117

  • @askleonotenboom  3 years ago +9

    The worst is none at all... but which one should you choose?

    • @marcosmcm86  2 years ago

      Leo, can the person who hacks your phone number click "forgot password" and use the SMS to change the password?

    • @askleonotenboom  2 years ago +2

      @@marcosmcm86 It depends on the service, and what you mean by "hack your phone number". Just knowing your phone number isn't enough. They have to actually be able to receive texts sent to that number, which is very difficult to do. Of course if they steal your phone physically, then they could get the SMS messages. MOST services will require additional proof that they're authorized when a password is forgotten, but for others it's possible that getting the SMS could be enough.

    • @SmedleyButler1  1 year ago

      What about now that Autry got hacked? Aegis? Only key? Solo key?
      Your info is greatly appreciated Leo! So many gullible millennials get promoted because they assume "reputable companies" are common

    • @askleonotenboom  1 year ago +2

      ​@@SmedleyButler1 I continue to recommend (and use) Authy. The hack affected Authy in a very limited way and was completely contained:
      "the security team found out that only 93 Authy users out of 75 million were affected, with bad actors registering additional devices to the accounts. These unauthorized devices have since been removed from the accounts, and the targeted users in question were all contacted by the company." - via www.androidpolice.com/authy-hacked-what-to-know/

    • @askleonotenboom  1 year ago

      @Zarility Tech What I meant was please provide references to Authy having been hacked. As I said, that's news to me. And why are Google and Microsoft no-goes for you?

  • @msun12000  3 years ago +19

    A concern that always needs to be addressed is to also have available some recovery option or backup in case you lose your primary authentication method or device.

    • @askleonotenboom  3 years ago +2

      Absolutely. Most services will insist that you do so when you enable 2-factor. Often it's as simple as confirming your alternate email address, sometimes it's downloading one-time use tokens, but there must always be a way to recover from losing your second factor. That alternative way may be more inconvenient, but it needs to be present.

    • @lynetteford6063  11 months ago

      Why can learn this it's been three weeks dumb.

  • @stevejenkins2335  1 year ago +3

    I really like the authy desktop approach. The biggest resistance I get from employees is they don’t want a work related app on their private phones, I can’t blame them. This solution takes care of it.

  • @zen-ventzi-marinov  3 years ago +8

    This channel is a true gem and you're seriously defying the age stereotype with your sharp thought. Also thanks for the confidence. Often times I consume info about a given topic and at the end, there is a "well I am not sure if it's better though". Which makes the whole thing pretty much pointless.

    • @brandnewname5185  4 months ago

      Is he really defying the stereotype, though? He clearly doesn't fully understand what he's talking about and provides bad advice.
      He calls the Authy app "Google Authenticator-compatible." Google Authenticator is not a protocol. It's just an app that implements the TOTP protocol. Authy also happens to implement TOTP.
      He also recommends Authy, which no serious security professional would recommend because they're not open source and thus their storing of 2FA secrets can't be independently audited. Apparently his recommendation for Authy is because he likes that the app has logos... Please don't choose any security mechanism because it has... pictures. Authy was hacked in 2022. Imagine listening to this "true gem" (your words) only to have your account hacked.

  • @srd65  3 years ago +2

    I would recommend an authenticator app since sometimes with email or text message, it takes a long time and sometimes even never to get a text or email for the security code

  • @linlinzhu8077  2 years ago

    Your video helps me a lot, amazing work!!!!! Thanks!!!!

  • @yusufmain5356  3 years ago +1

    Think about it: if you're using Google's authentication app and it's tied to your phone, so a unique code only matches your phone, you might as well just have a code sent to your phone. Much easier.

  • @Mike_UNMUTED  1 year ago

    Great video, you explained things so simply. THANKS

  • @johngreene6783  1 year ago +1

    I recently watched a UA-cam video stating that Google Authenticator is one of the least secure authenticators out there

    • @askleonotenboom  1 year ago +2

      Well, then, if it's in a UA-cam video it must be true, right? (Would love to know what video that was.)

  • @medramzi2648  10 months ago +1

    At 3:02 you said: "It [2FA] is usually done by having your device scan a QR code displayed or entering a special key that then associates your specific phone, your specific installation of the Google Authenticator with your account. No other Google Authenticator will do. It has to be your phone and your Google Authenticator that's used to authenticate you are who you say you are."
    As of today, this is incorrect. I've just tried the special key on a friend's phone and it generates the same six-digit codes. So, it doesn't have to be your SPECIFIC phone and your SPECIFIC installation of the GA app.

  • @neuideas  3 years ago +7

    Authy is great, but the account is linked to your phone number. I prefer to use an application that doesn't do this. I installed 2FAS on my Android phone. It has an option to back-up to Google Drive, so your seeds can survive an app reinstall, and can be transferred to another Android device pretty simply.

    • @hypercrack7440  2 years ago +4

      Aegis - another awesome app which does the same stuff

    • @Yasmin-pi5pr  2 years ago +2

      Me too, if you lose the phone, you have to wait for a SIM replacement, plus if you travel it would complicate things a lot

    • @itsyaboivoid  2 years ago +3

      Agreed. I use 2fas too and it's awesome.

  • @swaha55  1 year ago +1

    If you have 2 factor authentication, do you have to enter the authentication code every time you log in, or can you just authenticate your device once to log into your application?

    • @askleonotenboom  1 year ago +2

      Generally you get to choose. In most cases it's once every 30 days (or until you clear cookies). You can also say "don't remember" so that a device you might lose - like a laptop - could still require it every time. It all depends on the service.

  • @kristjanlink007  3 years ago +1

    What about authenticators on the same computer, how secure is that? Unless your computer gets hijacked, there doesn't seem to be a problem. I use WinAuth with a password and a PowerShell script I found online for my work computer (no password).

    • @neuideas  1 year ago +1

      It's admittedly less secure than having a separate device running your TOTP codes, but it's still much more secure than not using 2FA at all. I use KeepassXC on my computer to generate TOTP codes for my browser. Assuming an intruder has no access to my computer, it's as secure as any other TOTP setup. If they do have access to my computer, they will need to get past my computer's password (22 characters), as well as open my kdbx vault file with its password (37 characters). If I choose to set it up with a keyfile on a flash drive or a disc, then it's still secured, even if they have both passwords.

  • @gtcstorm40  3 months ago

    To do a SIM swap attack the attacker also needs your password, so the risk is low, but if you use bad passwords the risk goes way up

  • @pmutch  1 year ago

    Great video, and 100% everyone should be using MFA, however you did not mention Microsoft Authenticator. This is way better and more secure than Google Authenticator, as you can back up codes to your MS account, lock the app with biometrics, and the same app is also a totally free and really good password manager that synchronises with MS Edge across ANY device you have (Windows, MacOS, iOS, Android).

  • @eladbari  2 years ago +1

    I WISH apps enabled 2FA with email. But they don't! They opt for SMS which is stupid if you're abroad with a local SIM card.

  • @WatzaMataU.  4 months ago

    Outstanding video. Thank you.
    QUESTION: How do I create a new QR code for an account I accidentally erased from my Google Authenticator app?

    • @askleonotenboom  4 months ago

      Turn off the 2FA on that account, and then turn it back on again to generate a new code.

  • @lynetteford6063  1 year ago

    What is the business email, is it like being on the job? I keep running into that when I ask for certain information

  • @RyeFleming20  3 years ago +5

    So I'm wondering why you would suggest using Google Authenticator when Authy just sounds better.

    • @askleonotenboom  3 years ago +3

      My recommendation is "Google Authenticator compatible". In other words, Authy, or any of the others. I use Authy myself.

    • @RyeFleming20  3 years ago

      @@askleonotenboom okay, so any is good. I'll stick with Authy, it just seems more secure when you can use a passcode lock on the app.

    • @kez99  2 years ago +1

      Use Aegis so you can manage your TOTP secrets yourself.

  • @user-xt5sb9wm6f  2 years ago +1

    The best one is FIDO keys such as YubiKeys

  • @geevee9582  2 years ago

    My only authentication no longer works for some reason. They told me to delete my account and create a new one and connect it with a passid, but they didn't tell me where I get one 😭

  • @prathameshpatil1410  3 years ago +1

    I recently formatted my phone and forgot to keep the backup codes that were saved on it. After formatting was done, when I was setting up my account on the phone, I couldn't sign in despite knowing my password because I didn't have the backup codes, so they didn't recognise me, and this was the only device I was logged in on. In such a case will Google Authenticator be helpful?

    • @askleonotenboom  3 years ago +3

      I would use a Google Authenticator compatible option like Authy - it lets you set up two factor on more than one device, including your PC, and keeps the 2fa codes in sync.

    • @neuideas  3 years ago +1

      It's not helpful after-the-fact. If you used Authy and had the backup codes saved, you could have had your codes set up on another device before reformatting the new phone.

    • @askleonotenboom  3 years ago

      @@neuideas That's why I so often tell people to set this stuff up BEFORE they need it. Many don't bother until it's too late.

  • @cmdrefstathiusplacidus9003  1 year ago +1

    Are you still using Authy after they were hacked?

    • @askleonotenboom  1 year ago

      I am. From what I've read I'm not overly concerned.

  • @jorgehenao3900  1 year ago

    Nice video, hi from COLOMBIA

  • @NickCassimon  6 months ago

    I would love a key like that but I'm so worried what will happen if I lose it...

    • @keithdavis262  5 months ago

      That's why it is important to have a backup - another security key or an authenticator app.

  • @trollingthetrolls9073  3 years ago

    I am using the Google one and every code I get does not work when trying to log in to Facebook, what do I do?

  • @neuideas  3 years ago +2

    Leo, this one concerns me regarding TOTP seeds: How does the website handle the seed file? Passwords are best handled by hashing and salting them, and never storing in plaintext or encrypted form. This means that your passwords should never be known by the website. If there's a breach, then the salted hashes are revealed, but this alone doesn't compromise anyone's account, unless they use weak passwords. TOTP seeds are referred to as a "shared secret," which implies that the website has a copy of this file, either in plaintext or encrypted, but not salted or hashed. If this is true, if a user loses his seed, he could at least theoretically request a new copy from the website. Also, this means the seed is vulnerable to a breach. Do you have any insights?

    • @askleonotenboom  3 years ago +1

      This has a good overview of how it's handled: www.freecodecamp.org/news/how-time-based-one-time-passwords-work-and-why-you-should-use-them-in-your-app-fdd2b9ed43c3/

    • @neuideas  3 years ago

      @@askleonotenboom The article was helpful, but not complete. It does not address secure handling of the TOTP secret server-side. I appreciate the link, though. Thank you.

  • @yusufmain5356  3 years ago +1

    Of course all methods of 2 factor are good, some better than others, but in my opinion getting a code sent to your phone is the best

    • @bored78612  3 years ago +1

      TOTP is better imo. SMS is not as secure imo

    • @NinaMango789  3 years ago +1

      Look up SIM swapping, getting a text is far from the best

  • @asinheaven  3 months ago

    If a SIM swapper can get your SMS 2FA, why wouldn't they also be able to get your Google Authenticator codes?

    • @askleonotenboom  3 months ago

      No. Google Authenticator is unrelated to your SIM and phone number.

  • @nickfifield1  1 year ago +1

    What if someone steals your phone?

    • @askleonotenboom  1 year ago

      askleo.com/lose-my-second-factor/ and ua-cam.com/video/wbXSdHZDW8A/v-deo.html

  • @gsgidney  2 months ago

    Has Google updated their authenticator with end-to-end encryption?

  • @lynetteford6063  8 months ago

    Another obstacle: scanning a QR code, I can't figure it out, especially when the QR code is on a billboard

  • @lynetteford6063  11 months ago

    What is service provider actually provides.

  • @lynetteford6063  7 months ago

    Is 2 step verification different from two factor authenticator

    • @askleonotenboom  7 months ago

      They're typically the same, yes.

    • @keithdavis262  5 months ago

      Two step verification sounds like the generic description of 2 step or multi-factor authentication. Two factor authenticator sounds like it is referring to the authenticator app, which is one of the means of doing multi-factor authentication. Security keys are the best level, authenticator apps are next, SMS, email and voice are on down the line. But as Leo says, USE SOMETHING TO DO MFA - NOTHING IS THE WORST.

  • @lynetteford6063  8 months ago

    Is there textbooks on this subject I can screammmmmm😂😂😂😂😂😂😂I got a feel. 😊

  • @KamranB1  2 years ago

    Thanks for your video. If I lose my YubiKey, what should I do?

    • @askleonotenboom  2 years ago +1

      Use one of the recovery methods you set up for the account in question, and disassociate the YubiKey you lost.

    • @KamranB1  2 years ago

      @@askleonotenboom Thank you.

    • @manny7886  2 years ago

      That's why I use 3 YubiKeys for my password manager. I put 1 in my car, 1 in the house, and the third one is on my keychain.

    • @askleonotenboom  2 years ago

      @@manny7886 To be clear, YubiKey is not a password manager, it's a two-factor-authentication device. It doesn't do anything with respect to passwords, specifically.

    • @manny7886  2 years ago

      @@askleonotenboom - Understood, a password manager has nothing to do with YubiKey or any 2FA devices. I use a YubiKey as 2FA for my Bitwarden password manager.
      Thank you for this video, I'm now changing my authentication method from SMS to Authy.

  • @kabirmalik8794  2 years ago

    Microsoft Authenticator is best. Linked with email, it backs up your data.

  • @lynetteford6063  8 months ago

    Why am I not comprehending this? Something is wrong.

  • @rayn1ful  2 years ago +1

    The best 2 factor authenticator is none. 2 step verification is one of the most annoying things on the face of this planet. What if I wanna just trust people? Plus if I wanna verify my identity I will go and look in the mirror, boom I'm done, I know I'm me.

    • @askleonotenboom  2 years ago +2

      Yep. It's definitely WAY WAY easier to let your account get hacked. Totally agree.

  • @lynetteford6063  11 months ago

    This is a very hard task, I admit I am a slow learner.

  • @lynetteford6063  11 months ago

    I so mad can remember.

  • @musicjunk8266  1 year ago

    What's wrong with SMS?

  • @mkreider-sh2ih  2 months ago

    I tend to prefer GAuth

  • @lynetteford6063  1 year ago

    Having problems comprehending, very afraid

  • @DyegoSutilMendes  1 year ago

    leoooooo

  • @jamesedwards3923  2 years ago

    SMS is the worst option.

    • @askleonotenboom  2 years ago +2

      It's still better than no two-factor at all.

  • @abdullahal-shimri3091  2 years ago +1

    Immediate dislike when you said you prefer Google Authenticator

  • @phasematerialsresearch9319  10 months ago

    Great breakdown!

  • @JanusDuo  2 years ago +1

    Recommending a Google product in 2021? Cringe

    • @askleonotenboom  2 years ago +2

      You realize UA-cam is a Google product, yes? And that there are compatible alternatives to Google Authenticator like Authy? (And yes, I often recommend Google products in 2021. No cringing here.)

  • @hypercrack7440  2 years ago

    "Authy" is the opposite of security

  • @johnnyb2595  2 years ago +1

    Ask a boomer, why don't ya