THIS 2-Factor-Authentication method is NOT secure!!

  • Published 1 Oct 2024

COMMENTS • 297

  • @NaomiBrockwellTV
    @NaomiBrockwellTV  2 years ago +55

    As per all my other videos, no I didn't delete your comment. YouTube auto deletes comments all the time. If yours disappears, try posting again in various forms until it sticks, and good luck! 🙏 Also, since posting this video I've found out that Google Authenticator now allows you to back up all codes on another device! Have added that note to my video description.

    • @brandonfarley5297
      @brandonfarley5297 2 years ago +1

      Do you have a podcast by any chance?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +3

      @brandonfarley5297 yep! everything linked on my website www.nbtv.media/episodes/this-2-factor-authentication-method-is-not-secure

    • @cryptowealthonyt
      @cryptowealthonyt 2 years ago

      Naomi my apologies? Where is the link to google auth. back up codes info?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      @cryptowealthonyt there is no link. the info is in the video description.

    • @TwstedTV
      @TwstedTV 2 years ago +2

      2FAS Auth app is another really good one. I use both 2FAS Auth and Authy.
      The ONLY problem I have with Authy is that their Android app consists of a 4-digit PIN to log in, which is pretty insecure IMHO.
      I even tried to get them to implement a better password login with alphanumeric; this was 4 years ago. Still nothing was done and I have asked several times.

  • @herreraedgar694
    @herreraedgar694 10 months ago +2

    The only security measure against hacking is to not use technology.

    • @vmobile890
      @vmobile890 1 month ago

      I was thinking of going back to the original way, paper and phone calls. Takes too long and phone calls navigating through automated systems and don’t like giving some info to a human.

  • @mjmeans7983
    @mjmeans7983 2 years ago +4

    A good way to protect those accounts that ask common questions, like mother's maiden name, or name of your first pet, is to lie. If you type in an answer that has nothing to do with the questions, then someone who investigates you and your family will never guess it. Yes, it might be hard for you to remember that the answer you gave to the question of your first pet's name is "the Peloponnesian war", but it will be bloody impossible for someone else to guess, no matter how well they have studied you. Well, unless that actually was your pet's name. Yelling down the hall ... "Here, Pello"?

  • @xperyskop2475
    @xperyskop2475 2 years ago +8

    Yubikey is the key to proper 2fa security

  • @shrikeofterven6006
    @shrikeofterven6006 1 year ago +1

    Does anybody use true answers for those security questions? I personally have had about as many high school mascots as I have had security questions. My father was born in at least 30 countries that he was never born in.

  • @reefhound
    @reefhound 3 months ago +1

    Nearly every large financial institution uses SMS for 2FA, many of them exclusively. They move billions of dollars in transactions every day in an industry where security is critical. Maybe, just maybe, they know what they are doing? 2FA is supposed to be "something you know" and "something you have". An auth app is "something you know" (the seed) not "something you have". Hardware keys are good except there is almost always a backup way in. I'll bet it's more likely your hardware key gets stolen than your SIM swapped.

  • @wumwum42
    @wumwum42 2 years ago +2

    i use bitwarden with bitwarden totp and on my phone i use authenticator pro for protecting my bitwarden account

  • @TheCurlPapi
    @TheCurlPapi 1 year ago +1

    My email got hacked over a month ago and still dealing with other accounts being attempted to be logged into. Just received a yubikey and never going through that kind of stress again

  • @xandstapleford1682
    @xandstapleford1682 2 years ago +2

    One good open source OTP app for iOS that allows encrypted backup is Raivo OTP if anyone’s looking. It’s the only one I could find that met those requirements

  • @diverbrant
    @diverbrant 2 years ago +3

    I love my yubikeys everyone should have them

  • @ukkendoka
    @ukkendoka 2 years ago +3

    I've been Yubikey for 2 years now. Very happy. I would recommend the NFC Yubikey to anyone.

    • @brodriguez11000
      @brodriguez11000 2 years ago

      Unfortunately a lot of phones don't have NFC.

    • @ukkendoka
      @ukkendoka 2 years ago

      @brodriguez11000 I’d also recommend phones with NFC. :) You can buy one that plugs into your phone otherwise.

  • @timbinder1966
    @timbinder1966 10 months ago +2

    Hi Naomi, I love your videos, they are so useful. I have a way of improving the security on iPhones. In settings, scroll down to screen time. Open screen time and scroll down to "Content and Privacy Restrictions". Here you can toggle on or off Allow password changes and account changes to "don't allow". I have both of these set to "don't allow". Very useful.

  • @johnspitta6725
    @johnspitta6725 1 year ago +1

    Holy S…t. I’m throwing my phone in the trash and going back to a Day Runner.

  • @CoronaBorealis02
    @CoronaBorealis02 2 years ago +4

    i have been using a yubikey for about a year now and have been loving it. Great video

  • @losttownstreet3409
    @losttownstreet3409 1 year ago +1

    All mentioned here is insecure in comparison to a method used some long time ago: certified cryptographic devices with a verification process in place which connects to a secure access module (special SIM card) and then in return connects to verified cryptographic software. It was rolled out with ID cards in some countries but never got really activated (you had to pay to get access to the feature which was already on your ID card) and some people didn't like it that all email is going to be securely encrypted even for the law enforcement.

  • @kevOzilla
    @kevOzilla 2 years ago +1

    The best way to NEVER GET HACKED is to have a physical YubiKey; without it not even you can sign into your account, so if you lose it you're screwed unless you have a backup code written down somewhere

    • @MarvelousMarvinB
      @MarvelousMarvinB 2 years ago

      I have two yubikeys. I just register both. One yubikey is on my keychain and the other is hidden somewhere.

  • @terry2can914
    @terry2can914 2 years ago +3

    That crocheted top girl you’re rocking it💃🏽💃🏽

  • @darkwolf41nite53
    @darkwolf41nite53 1 year ago +1

    Actually I would like to use one of the 2FA keys you showed; goes into USB, can use it on Bluetooth, it’s handy!

  • @elduderino7767
    @elduderino7767 2 years ago +2

    google authenticator has a "transfer accounts" option now, so i just use that to sync all my auth codes to a retired air gapped phone - safer than keeping a copy of backup codes in your documents folder
    yeah keepassxc is nice with browser integration and cross platform support - but don't use it as your 2 factor method!

  • @Chuck8541
    @Chuck8541 2 years ago +1

    So much damn info…I feel more lost after watching the video, than before.

    • @Chuck8541
      @Chuck8541 2 years ago

      It’s like…the safest thing to do, is to just use the internet as little as possible.
      ¯\_(ツ)_/¯

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      Take a deep breath and ask me any question :)

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      Indeed as JJ said, you can now export your Google Authenticator seed to another device, I didn't realize it when making the video!

  • @Darkk6969
    @Darkk6969 2 years ago +1

    I use KeePassXC with NextCloud to keep the database sync'd on my devices. I also use Aegis on my Android phone. Cool thing about KeePassXC is that it displays QR code of the TOTP token so you can scan it with Aegis. Works pretty well.

  • @evildojo666
    @evildojo666 2 years ago +3

    I'm 2 minutes into the video and it isn't clear which 2-Factor method isn't secure. Knowing the history of 2FA, I'm gonna go with SMS-based 2FA, as it was deprecated by the NIST years ago. I wish the title wasn't so click-baity and got straight to the point without forcing me to skim-through the video to find what I actually want to know. After having skimmed through the video, a better title would be "Exploring Different 2FA Methods"

    • @9shanti9
      @9shanti9 2 years ago +3

      2 minutes and 14 seconds in would have given you the answer. :)
      Note: I'm sure that you have noticed that all good video creators structure their videos in the way that Naomi has. It's entertaining and aimed at newbies more than experts.
      Note 2: If you are wanting to learn about an important subject like SECURITY, I would strongly advise everyone NOT to skim through videos as you'll miss important info, which I can see you did.
      Having said that, I do suspect that you already know a fair bit about security and you were more interested in just picking on this (and probably many other) YouTube clip.

    • @evildojo666
      @evildojo666 2 years ago +1

      Negative. Don't make excuses for clickbait, but you're right, this content is aimed at noobies. I don't like to beat around the bush, and I don't encourage it either. Get to the point, and get in deep. 2 minutes and 14 seconds is arguably too long of a wait. This video would be better-titled "a broad look at 2FA"

    • @evildojo666
      @evildojo666 2 years ago

      @L. Kärkkäinen Nearly all of my 2FA is either yubikey or OTP-based, very few major companies still only do SMS-based. I do wish more vendors would support key-based auth.

    • @evildojo666
      @evildojo666 2 years ago +2

      @L. Kärkkäinen Banks are notoriously behind on the times, indeed -_-

    • @9shanti9
      @9shanti9 2 years ago

      @L. Kärkkäinen security is tough when banks, websites, groups, etc all have different levels of security logins and then some sites only allow short passwords and no symbols.

  • @timothystockman7533
    @timothystockman7533 2 years ago +1

    I have a pair of Yubikeys, and tried to start using them, but support is just not quite there, yet, so I have disabled them for now.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      yeah platforms are increasingly using yubikeys, keep an eye out as they add support, and you can switch in yubikeys as they do

  • @iamagi
    @iamagi 2 years ago +5

    The fact that Google can’t recover your 2FA codes is a feature not a bug.
    I add them to two devices whenever I sign up for a new service.

  • @chloefletcher9612
    @chloefletcher9612 2 years ago +7

    Pretty happy with Microsoft Authenticator. Has a password lock on the app and backs up to your onedrive (imperfect but not terrible - it's encrypted at rest and in transit, at least on MS side).

  • @terry2can914
    @terry2can914 2 years ago +2

    Thx for this info as I need it ✊🏽✊🏽💃🏽💥

  • @stepot3715
    @stepot3715 2 years ago +1

    So if my phone is stolen along with my SIM card with my personal number, can I still open my Google account on another device?

  • @NWforager
    @NWforager 2 years ago +2

    Strong security Alpha. Thank you. Nice Shiba shorts too. Love to know more about strengthening SIM 2FA.
    Wondering if changing a SIM card will cause TOTP rejection on same device 👀

    • @NWforager
      @NWforager 2 years ago

      @mirrorneurongirl Neat. Many banks for some reason don't have TOTP and your findings are a good extra layer via an isolated Google Voice number.

  • @sylversyrfer6894
    @sylversyrfer6894 2 years ago +2

    Ironically, banks are often the worst safety offenders by offering 2FA by SMS ONLY.

    • @aaronboggs5799
      @aaronboggs5799 2 years ago +1

      This is so true. Banks are generally pretty horrendous in this regard.
      I'm not sure if it's still the case, but at least as recently as a couple years ago, passwords for Wells Fargo online accounts were case *insensitive*. Totally inexcusable.

    • @reefhound
      @reefhound 3 months ago

      They move billions of dollars in transactions every day in an industry where security is critical. Maybe, just maybe, they know what they are doing?

  • @UnBubba
    @UnBubba 8 months ago

    I have not yet come across a security key with a signature counter. Just searching for options now. If anyone can recommend one, I'd appreciate you sharing. Thanks in advance.

  • @ashleymorris6636
    @ashleymorris6636 6 months ago

    How do you copy and paste passwords safely and type in the master password for your password vault? Can anyone help please?

  • @nightshadegiggle
    @nightshadegiggle 1 year ago

    I found out who the hacker is, but it turns out he works for the internet, and he has an army of hackers, they want a ransom amount of money to restore my YouTube account.

  • @tomausman8645
    @tomausman8645 2 years ago +2

    Great show 🇨🇦🖖🇨🇦

  • @grampawwillie1665
    @grampawwillie1665 1 year ago

    First off, your operating software must be secure. No use to discuss anything else until this question is answered.

  • @SpiralDogma1990
    @SpiralDogma1990 1 year ago

    What sucks with Google is that I am unable to lock my account. Why I use Microsoft.

  • @PP-ob8zr
    @PP-ob8zr 2 years ago +1

    HI Naomi, Same great channel...same pretty lady! Thank you great job! 😊👍👍

  • @fuzzywoz
    @fuzzywoz 1 year ago

    So true been fighting a hacker since 2022 October I know now.

  • @SnowyRVulpix
    @SnowyRVulpix 1 year ago

    Can you teach Australian businesses about how weak sms 2fa is…

  • @louistournas120
    @louistournas120 2 years ago

    Google might take security seriously, but I do not. I tried to log into YouTube from another PC and it wanted to send me an SMS message. Dude, I don't have a cellphone and I want to watch Snoopy.
    Give your high security thing to your military commanders. Not to a guy who watches Snoopy.
    What if I want to create a throwaway email account? It can't be done with 2FA nonsense.

  • @mr.amsterdam2063
    @mr.amsterdam2063 1 year ago +4

    There are not many out there spending time to learn, AND spending time sharing that with others. It is very noble if you give your quality time and energy to do. For sure the definition of a good person without the intention to get something in return. You are one of them, thank you!
    As you can see English isn't my language so I misunderstand or need some other way to explain please,
    07:20 A lot of your friends use andOTP and some KeePassXC, password manager with TOTP...
    07:42 Some TOTP apps can also be integrated with your password manager but you would be very wary....
    07:20 & 07:42 = Password manager with TOTP / or TOTP integrated with your password manager... is not the same?
    If the same, both very wary, right? If not the same, 07:20 is the way to go?

  • @italimarco
    @italimarco 2 years ago +10

    Always helping us with great content. Thanks Naomi!

  • @thisisntmeitssomeperson
    @thisisntmeitssomeperson 2 years ago +1

    While general consensus is that SMS 2FA is better than no 2FA, it may be the opposite in some ways. If I use SMS 2FA (even with a VOIP number), on multiple sites/apps/platforms, inevitable leaks can be cross-referenced with each other and a profile can be formed. This is particularly pernicious if any such leak includes your name, address, work, etc. Did your research for this video lead you to such claims, and either way, what are your thoughts on this? As you can tell from my username, I’ve been called paranoid once or twice :) But with all the automated data scraping and analysis going on, it doesn’t seem so far-fetched.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      Well, 2FA is a security measure, not a privacy measure; if you want both then an anonymous SIM might be your best bet!

    • @thisisntmeitssomeperson
      @thisisntmeitssomeperson 2 years ago

      @NaomiBrockwellTV True, but as you well know, security and privacy are somewhat intertwined. Anonymous SIM certainly helps. I use something similar. Phone numbers individualized to each service help even more, but somewhat expensive if you need dozens of them. Ultimately, phone number reuse (for an authentication factor) is similar to password reuse (also an authentication factor), just not AS dangerous.

  • @ciprianadrian21
    @ciprianadrian21 1 year ago

    Microsoft Authenticator + 2 Secure Keys 🗝️

  • @greatwolf.
    @greatwolf. 2 years ago +6

    Make sure you cover crypto hardware wallets like KeepKey that have FIDO webauth implemented so it can be used as a security key.

    • @dzidmail
      @dzidmail 2 years ago

      Yeah. Trezor and ledger have it too

  • @abek3684
    @abek3684 2 months ago

    How is you I key authentication works I don’t get it got keys

  • @sagichdirdochnicht4653
    @sagichdirdochnicht4653 2 years ago

    For TOTP Codes... ALWAYS have some Form of Backup / register to multiple Devices. But you've been told to do Backups for everything for the last 20 Years, if you didn't learn it already - tough Luck.
    I have them stored on Yubikeys, which can't be recovered as well. Which I see as a Security Feature. Realize the Plural - Key*s*. If I lose one, I'm still able to access everything and create new TOTPs.

  • @1mpur1ty
    @1mpur1ty 2 years ago +1

    Sub'd after a literal lol at 4:43

  • @IamAcerbus
    @IamAcerbus 1 year ago +6

    I love that you cite helpful articles for further reading. 😊

  • @Portugal478
    @Portugal478 2 years ago +2

    Ta Naomi, great update on digital security!

  • @fiftyshadesofurban
    @fiftyshadesofurban 8 months ago

    8:40 Some would say someone typing in private login info on anything with that man's face on it, is a dead giveaway that you're going to lose everything. lmao

  • @HOLLYWOODlosANGELES
    @HOLLYWOODlosANGELES 1 year ago +1

    *Thank you for this mountain of information!!*

  • @Dr._Nicolas
    @Dr._Nicolas 2 years ago

    How About this, I just not exist and don't use anything

  • @samsunga6927
    @samsunga6927 2 years ago

    Keys that authenticate the URL... do they also check that the website SSL cert fingerprint has not changed or query other witnesses to said fingerprint? I hate those MITM (man-in-the-middle) attacks from my company or my church or my ISP or my devious friend, lol!

  • @ogcrypto6022
    @ogcrypto6022 2 years ago +4

    Well it seems like there's no hope even with two-factor Authentication so what's the point of being in cryptocurrency if you get hacked and all your money gets stolen all the time?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      hmmmm I don't think the takeaway was that all 2fa is insecure! auth apps and security keys are great, highly recommend

  • @jamesmarchetti3286
    @jamesmarchetti3286 2 years ago

    Oh my God! You are so right on time! On the last President's Day someone tried to hack my phone and Amazon account! I called them the next day, Tuesday, and told them. My phone security programs protected me! So Amazon locked my account and I called my bank to lock my account! The caller ID said Amazon San Francisco! It wasn't them but my phone didn't save the phone number to give to them. Amazon Tech Support was awesome!!!

  • @byrd203
    @byrd203 2 years ago

    You did not mention Apple has the iCloud Keychain now that supports 2FA, so if you lose your phone you can still get back in your account by the Mac or iPad or backup phone on same Apple ID. Plus iCloud Keychain is the most reliable I found so far for pretty much any iPhone user. I have tested the heck out of it to make it work well by giving Apple feedback over the years to improve it.

  • @hanelyp1
    @hanelyp1 2 years ago

    Screwgle has burned me on 2FA. Forcing activation of 2FA on my chromebook, defaulting to using the paired phone as a security key, they broke login. Due to some kind of bug in the pairing software I have to reset pairing anytime either device restarts, which I can't do until I'm logged in on both devices. So I'm down to a choice of, at login time:
    - SMS as a second factor
    - generating one time keys
    - disabling 2FA using a device I can log into.

  • @ogcrypto6022
    @ogcrypto6022 2 years ago +2

    Wow dear God I quit

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +2

      HAVE FAITH!!! There are ways to protect yourself, take a deep breath and jump back in!

  • @Slimhaven1
    @Slimhaven1 2 years ago +1

    Great Video except for the Brandon will Save Us part!

  • @yesnathan22
    @yesnathan22 1 year ago

    How about using MSFT/google authentication for your email and use google voice number for mobile.

  • @waytospergtherebro
    @waytospergtherebro 2 years ago

    But Twilio told me SMS was secure. Why would Twilio ever hire a person who didn't know what they were talking about?

  • @terry2can914
    @terry2can914 2 years ago

    Oi tell me this is pre recorded😳 if not u should be out with ya man/woman/anonymous🤦🏽‍♂️✊🏽😋

  • @user-qm7bp4ul5t
    @user-qm7bp4ul5t 1 year ago

    I can't imagine people who aren't interested in security watching this video... hahahaha too much info!!!!

  • @cityhunter2501
    @cityhunter2501 2 years ago

    No backup is the reason why I ditched Google Authenticator and went with MS Authenticator. Now I can easily restore all my codes to any devices with my account.

  • @LuisCaneSec
    @LuisCaneSec 2 years ago

    Yubikeys are pretty fantastic. I use them to authenticate SSH and sudo for my Linux desktops and servers. Be ready to do some chroot to recover a locked computer, if you mess up, though.

  • @cmdrefstathiusplacidus9003
    @cmdrefstathiusplacidus9003 1 year ago

    FYI I have tried using a Google number I've had for a few years and gotten the message that it must be a cell phone number. So some places, like Twitch for example, seem to know.

  • @Avarua59
    @Avarua59 2 years ago +1

    Thank you. Very good information. BTW - nice sweater!

  • @ckpriv6167
    @ckpriv6167 1 year ago

    Hi. Great content. I activate the backup of my TOTP, I have forget this.
    About SMS, I don’t have one on my phone. I have a virtual one. Is it more secure? Or the same as having a real one?
    External devices are interesting. Is it more secure than biometric auth?

  • @gossedejong9248
    @gossedejong9248 2 years ago +2

    thank you! Looking forward to your advice on the keys.....

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      Coming soon!

    • @gossedejong9248
      @gossedejong9248 2 years ago

      @NaomiBrockwellTV and just so that you know: you are brilliant, fantastic, and great!!!!

  • @duckshot
    @duckshot 2 years ago

    People fail to realize there is a difference between 2 Step Authentication and 2 Factor Authentication. SMS is 2 Step and can be man in the middle attacked. A phone clone etc. Google Auth works well but you point out some the exact issues that caused me to leave Google for another app.

  • @ogcrypto6022
    @ogcrypto6022 2 years ago +2

    Thanks Naomi

  • @mikecaldera6360
    @mikecaldera6360 2 years ago

    Authy and google . A perfect combo. Oh yeah use blokada to censor big tech

  • @kcgunesq
    @kcgunesq 1 year ago

    Like many i am sure, my company requires us to have Microsoft Authenticator. However, I find it works very well. It is secured behind a password or biometrics and backups the data.
    Also, i think the tip to not use the same service as your password manager is sound.

  • @_awizzo_
    @_awizzo_ 2 years ago +2

    Thanks Naomi.....That was enlightening :)

  • @mnmlst1
    @mnmlst1 1 year ago

    I absolutely love every single blouse you use. They are so pretty!
    Totally off topic, I know, but oh my, they are beautiful.

  • @jonny777bike
    @jonny777bike 1 year ago

    I hate that the new iPhones have gotten rid of the touch and replaced it with the face recognition. I wear glasses and when I'm in bed I don't wear glasses. In the past I could use my finger but they got rid of that. We need to get rid of SMS for 2FA. Also websites should go by the latest standards of NIST. All websites should allow you to paste the passwords.

  • @natemarx4999
    @natemarx4999 2 years ago +4

    The Queen is blessing us with more uploads, we must continue to behave well for more!

  • @rayn1ful
    @rayn1ful 1 year ago

    what if 2fa locks out a legitimate account holder and somebody hacks the legitimate account holder's account and that legitimate account holder has no idea it happened because they are locked out?

  • @richardmendoza4389
    @richardmendoza4389 2 years ago +1

    I have the Yubico 5 NFC series, & I never use it for my Galaxy S20, as it doesn't really serve its purpose. The hold-it-to-your-phone feature doesn't work, & even when I plugged it into my phone & tried to log into my Google account, Google wouldn't recognize it. Just not seeing the whiz-bang effectiveness nor usefulness of it. & the number of companies that accept it are still quite limited. Meh.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      Great point!

    • @richardmendoza4389
      @richardmendoza4389 2 years ago

      Good luck with the police trying to get it to work first! LOL All joking aside, for me, the jury's still out using the fingerprint system, as I'm sure my Philip K. Dick paranoid side believes they're all being collected into some shadow database for nefarious reasons. Strangely, it works near flawlessly on my PC, while using it in conjunction with Bitwarden. Also--thanks to Naomi's recommendation--I switched over to the DuckDuckGo browser, where I'm trying out their new app tracker blocker (in beta) & email tracker blocker. Anything to help keep from having my bank card being hacked (again).

    • @brodriguez11000
      @brodriguez11000 2 years ago

      The hardware key should support more than one standard.

    • @aaronboggs5799
      @aaronboggs5799 2 years ago

      No issues with my Yubikey 5 NFC and a OnePlus Nord N10 5G using the Yubico Authenticator app. 🤷‍♂️

  • @familyacct3367
    @familyacct3367 1 year ago

    I use a dedicated Protonmail email account ( used only for authentication) AND protect that email account with an authenticator app.

  • @steveos6472
    @steveos6472 2 years ago

    Anyone remember RSA's little mess from a few years ago with their 2FA tokens? Like anything - it is only as secure as much as you trust the company's products.

  • @johnbeckmeyer1696
    @johnbeckmeyer1696 1 year ago

    How is Google different with regards to privacy vs security? I don't see the difference?

  • @dhavanbhayani4907
    @dhavanbhayani4907 1 year ago

    @2FAS is open source, private, cloud backups, no account required, community driven 2FA app.

  • @xXxJakobxXx3
    @xXxJakobxXx3 2 years ago +1

    Very informative video. Maybe consider adding chapters so the more informed audience can quickly jump to the important points, especially if you use a clickbait title!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      please define clickbait for me

    • @xXxJakobxXx3
      @xXxJakobxXx3 2 years ago

      @NaomiBrockwellTV The title suggests that there is one specific insecure 2FA method. So I clicked on it, thinking someone had discovered a new security flaw in a 2FA method. Instead, I got a video explaining various 2FA options and listing their pros and cons.

    • @xXxJakobxXx3
      @xXxJakobxXx3 2 years ago

      I am sorry, I should have read the description!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      @xXxJakobxXx3 The video is about how SMS 2FA is not secure, and how OTP apps are not as secure as many people think, and I explain why. I don't think that's clickbait.

  • @hoopoe_
    @hoopoe_ 1 year ago

    Can you recommend any alternative to Boxcryptor, now that they've been taken over by Dropbox?

  • @benf101
    @benf101 2 years ago

    3:46 there's poop on my screen... oh wait, it's just Klaus Schwab

  • @harrisonhicks9697
    @harrisonhicks9697 2 years ago +2

    Superb, Naomi. Really well done.

  • @jamesmarchetti3286
    @jamesmarchetti3286 2 years ago

    Also when unsubscribing from Google Gmail Ads your address does get sold!

  • @willosinger8462
    @willosinger8462 2 years ago

    Google plus HBAR/Hedera network equals security

  • @tootalldan5702
    @tootalldan5702 2 years ago +8

    TFA is great as long as you have an offline option without the Internet or phone service. It happens where I live but I still need to work on my laptop. I have that option with an online code and an offline code in rural travel locations. Thanks Naomi for the discussion and links.

  • @PlanetFrosty
    @PlanetFrosty 2 years ago

    Etherium is Bank Coin JP Morgan Ownership in Inferium

  • @comicsansgreenkirby
    @comicsansgreenkirby 2 years ago

    I just stick with a KeePassXC database (TOTP included).

  • @goodvibes4014
    @goodvibes4014 1 year ago

    Ma'am please make a video on Authentication cookies, and how to reset them.

  • @Sargebri
    @Sargebri 2 years ago

    They want me to use two factor authentication on my Facebook account but so far my account is still locked. I tried using Duo and Google Authenticator and neither works and when I try having a code sent to me via text I never received it.

  • @nickoshana2246
    @nickoshana2246 2 years ago

    Hope the Sheep are watching you !!!!

  • @iaincampbell4422
    @iaincampbell4422 2 years ago

    Phone 2FA used to be trivially overcome via SS7 exploits.

  • @nathanmead4080
    @nathanmead4080 2 years ago +1

    Hey Naomi! So I’ve been careful to record all of the 2FA setup keys for my Google Authenticator. That means that if I do lose my phone or access to the authenticator app I could set it all back up on a new phone or redownloaded Google Auth app using the setup keys, right?

    • @GuillaumeRossolini
      @GuillaumeRossolini 2 years ago

      Yes.
      Also the feature wasn't in the app at first, but now you can retroactively get the seeds, right from the app (which Naomi edited the description to mention)

    • @severianocuellar1327
      @severianocuellar1327 2 months ago

      Do not use Google Authenticator, use apps with end-to-end encryption. GA sends the “seed key” over the network unencrypted. Seed key is the one contained in the QR code.

  • @JoATTech
    @JoATTech 2 years ago +1

    3:45 LOL :)

  • @anuzis
    @anuzis 2 years ago +4

    Great episode! Already have a few security keys, but they are pretty old school. looking forward to the next episode you mentioned that will look into key differences in security keys!

  • @warmonkey96
    @warmonkey96 2 years ago

    Microsoft Authenticator works really well as you can set it up to require authentication from the user before it even opens.