THIS 2-Factor-Authentication method is NOT secure!!

  • Published 20 Dec 2024

COMMENTS • 294

  • @NaomiBrockwellTV  2 years ago +55

    As per all my other videos, no I didn't delete your comment. YouTube auto deletes comments all the time. If yours disappears, try posting again in various forms until it sticks, and good luck! 🙏 Also, since posting this video I've found out that google authenticator now allows you to back up all codes on another device! Have added that note to my video description.

    • @brandonfarley5297  2 years ago +1

      Do you have a podcast by any chance?

    • @NaomiBrockwellTV  2 years ago +3

      @@brandonfarley5297 yep! everything linked on my website www.nbtv.media/episodes/this-2-factor-authentication-method-is-not-secure

    • @cryptowealthonyt  2 years ago

      Naomi my apologies? Where is the link to google auth. back up codes info?

    • @NaomiBrockwellTV  2 years ago

      @@cryptowealthonyt there is no link. the info is in the video description.

    • @TwstedTV  2 years ago +2

      2FAS Auth app is another really good one. I use both 2FAS Auth and Authy.
      The ONLY problem I have with Authy is their Android app consists of a 4-digit PIN to log in, which is pretty insecure IMHO.
      I even tried to get them to implement a better password login with alphanumeric characters; this was 4 years ago. Still nothing was done and I have asked several times.

  • @iristhepuppygirl  2 years ago +5

    i have been using a yubikey for about a year now and have been loving it. Great video

  • @xperyskop2475  2 years ago +8

    Yubikey is the key to proper 2fa security

  • @ukkendoka  2 years ago +3

    I've been using a Yubikey for 2 years now. Very happy. I would recommend the NFC Yubikey to anyone.

    • @brodriguez11000  2 years ago

      Unfortunately a lot of phones don't have NFC.

    • @ukkendoka  2 years ago

      @@brodriguez11000 I’d also recommend phones with NFC. :) . You can buy one that plugs into your phone otherwise.

  • @terry2can914  2 years ago +3

    That crocheted top girl you’re rocking it💃🏽💃🏽

  • @mjmeans7983  2 years ago +5

    A good way to protect those accounts that ask common questions, like mother's maiden name, or name of your first pet, is to lie. If you type in an answer that has nothing to do with the questions, then someone who investigates you and your family will never guess it. Yes, it might be hard for you to remember that the answer you gave to the question of your first pet's name is "the Peloponnesian war", but it will be bloody impossible for someone else to guess, no matter how well they have studied you. Well, unless that actually was your pet's name. Yelling down the hall ... "Here, Pello"?

  • @Darkk6969  2 years ago +1

    I use KeePassXC with NextCloud to keep the database sync'd on my devices. I also use Aegis on my Android phone. Cool thing about KeePassXC is that it displays QR code of the TOTP token so you can scan it with Aegis. Works pretty well.

  • @reefhound  6 months ago +1

    Nearly every large financial institution uses SMS for 2FA, many of them exclusively. They move billions of dollars in transactions every day in an industry where security is critical. Maybe, just maybe, they know what they are doing? 2FA is supposed to be "something you know" and "something you have". An auth app is "something you know" (the seed) not "something you have". Hardware keys are good except there is almost always a backup way in. I'll bet it's more likely your hardware key gets stolen than your SIM swapped.

  • @lossless4129  2 years ago

    Been using a yubi for 4 years, love it

  • @mr.amsterdam2063  2 years ago +4

    There are not many out there spending time to learn, AND spending time sharing that with others. It is very noble if you give your quality time and energy to do so. For sure the definition of a good person without the intention to get something in return. You are one of them, thank you!
    As you can see English isn't my language, so if I misunderstand or need some other way to explain, please:
    07:20 A lot of your friends use AndOTP and some KeePassXC, password manager with TOTP...
    07:42 Some TOTP apps can also be integrated with your password manager but you would be very wary....
    07:20 & 07:42 = Password manager with TOTP / or TOTP integrated with your password manager... is not the same?
    If the same, both very wary, right? If not the same, 07:20 is the way to go?

  • @timbinder1966  1 year ago +2

    Hi Naomi, I love your videos, they are so useful. I have a way of improving the security on iPhones. In Settings, scroll down to Screen Time. Open Screen Time and scroll down to "Content and Privacy Restrictions". Here you can toggle "Allow password changes" and "Account changes" to "Don't allow". I have both of these set to "Don't allow". Very useful.

  • @harrisonhicks9697  2 years ago +2

    Superb, Naomi. Really well done.

  • @natemarx4999  2 years ago +4

    The Queen is blessing us with more uploads, we must continue to behave well for more!

  • @Portugal478  2 years ago +2

    Ta Naomi, great update on digital security!

  • @fiftyshadesofurban  10 months ago +1

    8:40 Some would say someone typing in private login info on anything with that man's face on it, is a dead giveaway that you're going to lose everything. lmao

  • @IamAcerbus  2 years ago +6

    I love that you cite helpful articles for further reading. 😊

  • @timothystockman7533  2 years ago +1

    I have a pair of Yubikeys, and tried to start using them, but support is just not quite there, yet, so I have disabled them for now.

    • @NaomiBrockwellTV  2 years ago

      yeah platforms are increasingly using yubikeys, keep an eye out as they add support, and you can switch in yubikeys as they do

  • @angelad1008  2 years ago +2

    I think that this is your best wardrobe yet. You're always very fashionable, but today is my favorite of your styles. Oh, and thanks for the great info. I really was listening while admiring the embroidery.

  • @thisisntmeitssomeperson  2 years ago +1

    While general consensus is that SMS 2FA is better than no 2FA, it may be the opposite in some ways. If I use SMS 2FA (even with a VOIP number), on multiple sites/apps/platforms, inevitable leaks can be cross-referenced with each other and a profile can be formed. This is particularly pernicious if any such leak includes your name, address, work, etc. Did your research for this video lead you to such claims, and either way, what are your thoughts on this? As you can tell from my username, I’ve been called paranoid once or twice :) But with all the automated data scraping and analysis going on, it doesn’t seem so far-fetched.

    • @NaomiBrockwellTV  2 years ago

      Well 2fa is security measure not a privacy measure, if you want both then an anonymous sim might be your best bet!

    • @thisisntmeitssomeperson  2 years ago

      @@NaomiBrockwellTV True, but as you well know, security and privacy are somewhat intertwined. Anonymous SIM certainly helps. I use something similar. Phone numbers individualized to each service help even more, but somewhat expensive if you need dozens of them. Ultimately, phone number reuse (for an authentication factor) is similar to password reuse (also an authentication factor), just not AS dangerous.

  • @xandstapleford1682  2 years ago +2

    One good open source OTP app for iOS that allows encrypted backup is Raivo OTP if anyone’s looking. It’s the only one I could find that met those requirements

  • @sagichdirdochnicht4653  2 years ago

    For TOTP codes... ALWAYS have some form of backup / register to multiple devices. But you've been told to do backups for everything for the last 20 years; if you didn't learn it already, tough luck.
    I have them stored on Yubikeys, which can't be recovered as well, which I see as a security feature. Realize the plural: key*s*. If I lose one, I'm still able to access everything and create new TOTPs.

  • @medicalwei  2 years ago

    5:50 actually the old code is still valid for a little bit of time, for user experience's sake

  • @tootalldan5702  2 years ago +8

    TFA is great as long as you have an offline option without the Internet or phone service. It happens where I live but I still need to work on my laptop. I have that option with an online code and an offline code in rural travel locations. Thanks Naomi for the discussion and links.

  • @antonygoedhals6272  2 years ago +4

    Great video. Thank you! One thing you need to point out with security keys: you need more than one, in case you lose that one you’ve used. AND many websites allow only 1 security key so these should be supplemented with a secondary form of 2FA not dependent on that single key.

    • @NaomiBrockwellTV  2 years ago +1

      I haven't come across any websites that only allow one key, that's a super annoying practice! Thanks for the heads up!

    • @NaomiBrockwellTV  1 year ago

      can confirm, paypal only allows one key 🤦‍♀

  • @dhavanbhayani4907  1 year ago

    @2FAS is open source, private, cloud backups, no account required, community driven 2FA app.

    • @thomasedison9047  1 year ago

      DM vinethics, he'll help you. He fixed mine; he has a 90k followers account. YouTube is not letting me write to you in full; make sure it's the right account you DM

    • @thomasedison9047  1 year ago

      ON Instagram

  • @Avarua59  2 years ago +1

    Thank you. Very good information. BTW - nice sweater!

  • @chloefletcher9612  2 years ago +7

    Pretty happy with Microsoft Authenticator. Has a password lock on the app and backs up to your onedrive (imperfect but not terrible - it's encrypted at rest and in transit, at least on MS side).

  • @italimarco  2 years ago +10

    Always helping us with great content. Thanks Naomi!

  • @FunnyHacks  2 years ago

    [edit: I'm wrong. While there are many standards for time based one time passwords that have existed long before TOTP came around, TOTP itself refers to a specific standard.]
    6:08 *Any Google-Authenticator-based TOTP app will work. There are many different TOTP formats, and only ones that are based on Google Authenticator's implementation are interchangeable with Google Authenticator.

  • @TheCurlPapi  1 year ago +1

    My email got hacked over a month ago and still dealing with other accounts being attempted to be logged into. Just received a yubikey and never going through that kind of stress again

  • @iamagi  2 years ago +5

    The fact that Google can't recover your 2FA codes is a feature not a bug.
    I add them to two devices when ever I sign up for a new service.

  • @NWforager  2 years ago +2

    strong security Alpha . thank you . Nice Shiba shorts too . Love to know more about strengthening sim 2fa .
    Wondering if changing a sim card will cause totp rejection on same device 👀

    • @NWforager  2 years ago

      @@mirrorneurongirl Neat . many banks for some reason don't have totp and your findings are a good extra layer via an isolated google voice number .

  • @bluewinterwolf  1 year ago

    You can lock the authentication app and any other with an App Lock app. These lock the apps themselves, so when you want to open one you have to put in a separate password before the app loads, as the App Lock app loads first.

    • @ultraret  1 year ago +1

      I wonder how secure that is if it just hides or really encrypts -- stupid that google doesn't lock the app themselves

  • @anuzis  2 years ago +4

    Great episode! Already have a few security keys, but they are pretty old school. looking forward to the next episode you mentioned that will look into key differences in security keys!

  • @kevOzilla  2 years ago +1

    The best way to NEVER GET HACKED is to have a physical Yubikey: without it not even you can sign into your account, so if you lose it you're screwed unless you have a backup code written down somewhere

    • @MarvelousMarvinB  2 years ago

      I have two yubikeys. I just register both. One yubikey is on my keychain and the other is hidden somewhere.

  • @kcgunesq  1 year ago

    Like many I am sure, my company requires us to have Microsoft Authenticator. However, I find it works very well. It is secured behind a password or biometrics and backs up the data.
    Also, i think the tip to not use the same service as your password manager is sound.

  • @hanelyp1  2 years ago

    Screwgle has burned me on 2FA. Forcing activation of 2FA on my chromebook, defaulting to using the paired phone as a security key, they broke login. Due to some kind of bug in the pairing software I have to reset pairing anytime either device restarts, which I can't do until I'm logged in on both devices. So I'm down to a choice of, at login time:
    - SMS as a second factor
    - generating one time keys
    - disabling 2FA using a device I can log into.

  • @gossedejong9248  2 years ago +2

    thank you! Looking forward to your advice on the keys.....

    • @NaomiBrockwellTV  2 years ago +1

      Coming soon!

    • @gossedejong9248  2 years ago

      @@NaomiBrockwellTV and just so that you know: you are brilliant, fantastic, and great!!!!

  • @benf101  2 years ago

    3:46 there's poop on my screen... oh wait, it's just Klaus Schwab

  • @mnmlst1  1 year ago

    I absolutely love every single blouse you use. They are so pretty!
    Totally off topic, I know, but oh my, they are beautiful.

  • @troy_productiveai  2 years ago +2

    This was brilliant. VERY well done. Shared!

  • @tomausman8645  2 years ago +2

    Great show 🇨🇦🖖🇨🇦

  • @xXxJakobxXx3  2 years ago +1

    Very informative video. Maybe consider adding chapters so the more informed audience can quickly jump to the important points, especially if you use a clickbait title!

    • @NaomiBrockwellTV  2 years ago

      please define clickbait for me

    • @xXxJakobxXx3  2 years ago

      @@NaomiBrockwellTV The title suggests that there is one specific insecure 2FA method. So I clicked on it, thinking someone had discovered a new security flaw in a 2FA method. Instead, I got a video explaining various 2FA options and listing their pros and cons.

    • @xXxJakobxXx3  2 years ago

      I am sorry, I should have read the description!

    • @NaomiBrockwellTV  2 years ago +1

      @@xXxJakobxXx3 The video is about how sms 2fa is not secure, and how OTP apps are not as secure as many people think, and I explain why. I don't think that's clickbait.

  • @jasonkaiser1179  2 years ago

    The problem with security keys is if someone physically steals your key (and biometrics) then their security is useless. I can see a cascading future of needing 3FA, then 4FA, 5FA etc. Example: a key needs to be inserted into a device matching multiple specific hardware IDs (TPM as an example among others), running on a specific internal network over a specific VPN. These right now would be people needing an extremely high degree of opsec and are completely user unfriendly.

    • @ironfist7789  2 years ago

      Generally, you still have to input a password. If one key is stolen you can remove it from the account with the backup key. If both are stolen you... for example with coinbase, I think you can have the account frozen and then provide extensive documentation such as id/passports to verify identity. Course, if you have 2fa to login to a computer you only manage or something you might be out of luck. People will have to start thinking of them as like house keys or a passport or driver's license that you need to audit for periodically and then take action if they are gone. When people used to steal check books (probably they still do) it was always a bit problematic.

  • @HOLLYWOODlosANGELES  1 year ago +1

    *Thanks for this mountain of information!!*

  • @stepot3715  2 years ago +1

    So if my phone is stolen along with my SIM card with my personal number, can I still open my Google account on another device?

  • @richardmendoza4389  2 years ago +1

    I have the Yubico 5 NFC series, & I never use it for my Galaxy S20, as it doesn't really serve its purpose. The hold-it-to-your-phone feature doesn't work, & even when I plugged it into my phone & tried to log into my Google account, Google wouldn't recognize it. Just not seeing the whiz-bang effectiveness nor usefulness of it. & the number of companies that accept it are still quite limited. Meh.

    • @NaomiBrockwellTV  2 years ago

      Great point!

    • @richardmendoza4389  2 years ago

      Good luck with the police trying to get it to work first! LOL All joking aside, for me, the jury's still out using the fingerprint system, as I'm sure my Phillip K. Dick paranoid side believes they're all being collected into some shadow database for nefarious reasons. Strangely, it works near flawlessly on my pc, while using it in conjunction with Bitwarden. Also--thanks to Naomi's recommendation--I switched over to the DuckDuckGo browser, where I'm trying out their new app tracker blocker (in beta) & email tracker blocker. Anything to help keep from having my bank card being hacked (again).

    • @brodriguez11000  2 years ago

      The hardware key should support more than one standard.

    • @aaronboggs5799  2 years ago

      No issues with my Yubikey 5 NFC and a OnePlus Nord N10 5G using the Yubico Authenticator app. 🤷‍♂️

  • @2point..0  2 years ago +1

    Excellent @Naomi Brockwell, cant wait for that Security Keys video!!! Thank you!!!

  • @_awizzo_  2 years ago +2

    Thanks Naomi.....That was enlightening :)

  • @michellebrunken1340  2 years ago +3

    Love your content, and the fact it is always unique and useful. Thank you

  • @losttownstreet3409  1 year ago +1

    Everything mentioned here is insecure in comparison to a method used some long time ago: certified cryptographic devices with a verification process in place, which connect to a secure access module (special SIM card) and then in return connect to verified cryptographic software. It was rolled out with ID cards in some countries but never got really activated (you had to pay to get access to the feature which was already on your ID card), and some people didn't like it that all email was going to be securely encrypted, even for law enforcement.

  • @johnbeckmeyer1696  1 year ago

    How is Google different with regards to privacy vs security? I don't see the difference?

  • @jamesmarchetti3286  2 years ago

    Oh my God! You are so right on time! On the last President's Day someone tried to Hack my phone and Amazon account ! I called them the next day Tuesday and told them. My phone Security programs protected me ! So Amazon locked my account and I called my Bank to lock my Account! The caller ID said Amazon Sanfrancisco! It wasn't them but my phone didn't save the phone number! To give to them. Amazon Tech Support was Awesome!!!

  • @nathanmead4080  2 years ago +1

    Hey Naomi! So I've been careful to record all of the 2FA setup keys for my Google Authenticator. That means that if I do lose my phone or access to the authenticator app I could set it all back up on a new phone or redownloaded Google Auth app using the setup keys, right?

    • @GuillaumeRossolini  2 years ago

      Yes.
      Also the feature wasn't in the app at first, but now you can retroactively get the seeds, right from the app (which Naomi edited the description to mention)

    • @severianocuellar1327  4 months ago

      Do not use Google Authenticator , use Apps with end-to-end encryption . GA sends the “seed key” over the network unencrypted. Seed key is the one contained in the QR code.

  • @herreraedgar694  1 year ago +2

    The only security measure against hacking is to not use technology.

    • @vmobile890  3 months ago

      I was thinking of going back to the original way, paper and phone calls. Takes too long, and phone calls mean navigating through automated systems, and I don't like giving some info to a human.

  • @terry2can914  2 years ago +2

    Thx for this info as I need it ✊🏽✊🏽💃🏽💥

  • @wumwum42  2 years ago +2

    i use bitwarden with bitwarden totp and on my phone i use authenticator pro for protecting my bitwarden account

  • @sylversyrfer6894  2 years ago +2

    Ironically, banks are often the worst safety offenders by offering 2FA by SMS ONLY.

    • @aaronboggs5799  2 years ago +1

      This is so true. Banks are generally pretty horrendous in this regard.
      I'm not sure if it's still the case, but at least as recently as a couple years ago, passwords for Wells Fargo online accounts were case *insensitive*. Totally inexcusable.

    • @reefhound  6 months ago

      They move billions of dollars in transactions every day in an industry where security is critical. Maybe, just maybe, they know what they are doing?

  • @eight-double-three  2 years ago +1

    On the TOTP replay topic: I believe the relevant OWASP cheatsheet does highlight this, and strongly suggests the server stores the last OTP and does NOT let people re-use it. Whether implementers of said systems are following that practice, that's another interesting question...

    • @FireRat  2 years ago +2

      The example they used of a phishing site isn't even a replay attack because they can use the code you entered to gain access with it being the first time it was used, not a replay

  • @AbuMubarak  2 years ago +1

    You didn't mention AEGIS for TOTP

  • @ritagriffin7120  1 year ago

    Is Microsoft Authenticator or Authy better for security and preventing hacking? (Although Authy needs the mobile number)

  • @cryptowealthonyt  2 years ago +1

    This was a timely video for me regarding security keys. Thanks Naomi!

  • @warmonkey96  2 years ago

    Microsoft Authenticator works really well as you can set it up to require authentication from the user before it even opens.

  • @Referee006  1 year ago

    When will the YouTube video be out comparing and contrasting security keys? This was a very informative video, and I want to purchase a security key but I don't know what the best security keys are for me.

    • @NaomiBrockwellTV  1 year ago

      Last month! ua-cam.com/video/UhANsAtvLN0/v-deo.html

    • @Referee006  1 year ago

      Thanks for your reply. I followed the link that you sent, but it led me to the video that I watched this morning in which you indicated that another video will follow in which you will compare and contrast the various kinds of security keys. Thanks again.

  • @tossedsalad4669  2 years ago

    I like how she has to apologize for privacy concerns every time she mentions a Google product. As she mentioned, they're pretty darned good at security. Sure I would go with another option than Google Authenticator, but I don't object to things simply on the basis that they come from Google. I wonder if the privacy nuts have pushed the discussion in an illogical direction for most people. As for me, I think I will create a small circle of trust in Google and take a chance with possibly receiving targeted ads and having my anonymized data shared with 3rd parties, rather than trusting a wider variety of 3rd parties to be involved in all my services and taking a chance on having my critical accounts (like email and cloud storage) hacked.

    • @NaomiBrockwellTV  2 years ago

      We should absolutely not use google if concerned about privacy because they're atrocious. But for things that don't compromise your privacy so much, the security they offer can definitely be worth using certain services.

  • @darkwolf41nite53  1 year ago +1

    Actually I would like to use one of the 2FA keys you showed that goes into USB and can be used over Bluetooth; it's handy!

  • @steveos6472  2 years ago

    Anyone remember RSA's little mess from a few years ago with their 2FA tokens. Like anything - it is only as secure as much as you trust the companies products.

  • @alphatech__  2 years ago

    What about session hijacking? Does the key protect from that?

  • @kbs7340  2 years ago +1

    Really appreciate the info Naomi thx 💖

  • @prettysmile6869  2 years ago

    Security key: does it have to be a separate device? I mean is it possible to have a security key on a different phone? Like when you have 2 phones for separate phone numbers? 🇳🇱❤️🇺🇦

    • @prettysmile6869  2 years ago

      @Sissel yes it is the flag from The Netherlands with love and solidarity to Ukraine. Peace 2 the world

  • @duckshot  2 years ago

    People fail to realize there is a difference between 2 Step Authentication and 2 Factor Authentication. SMS is 2 Step and can be man in the middle attacked. A phone clone etc. Google Auth works well but you point out some the exact issues that caused me to leave Google for another app.

  • @user-qm7bp4ul5t  1 year ago

    I can't imagine people who aren't interested in security watching this video... hahahaha too much info!!!!

  • @UnBubba  10 months ago

    I have not yet come across a security key with a signature counter. Just searching for options now. If anyone can recommend one, I'd appreciate you sharing. Thanks in advance.

  • @Chuck8541  2 years ago +1

    So much damn info…I feel more lost after watching the video, than before.

    • @Chuck8541  2 years ago

      It’s like…the safest thing to do, is to just use the internet as little as possible.
      ¯\_(ツ)_/¯

    • @NaomiBrockwellTV  2 years ago +1

      Take a deep breath and ask me any question :)

    • @NaomiBrockwellTV  2 years ago

      Indeed as JJ said, you can now export your Google Authenticator seed to another device; I didn't realize it when making the video!

  • @Cryptonomics7  2 years ago +2

    Def looking forward to the upcoming video on security keys! thanks

  • @PP-ob8zr  2 years ago +1

    HI Naomi, Same great channel...same pretty lady! Thank you great job! 😊👍👍

  • @markb9347  2 years ago +1

    Definitely looking forward to your next video. Thanks Naomi!

  • @samsunga6927  2 years ago

    Keys that authenticate the URL... do they also check that the website SSL cert fingerprint has not changed or query other witnesses to said fingerprint? I hate those MItM (man -in-the-middle) attacks from my company or my church or my ISP or my devious friend, lol!
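Added example, written for this page and not taken from the video, from any commenter or from any vendor's code, for the question above about keys that "authenticate the URL" and for @UnBubba's earlier question about signature counters. A FIDO key never inspects the TLS certificate: the browser writes the origin it is actually on into the client data, the key signs over a hash of that client data together with the hash of the site's RP ID and a monotonically increasing counter, and the site checks all three before it checks the signature. The program below models that exchange with a real P-256 signature; `Authenticator`, `RelyingParty`, `browserAssert`, the `bank.example` hosts and the challenge strings are this example's own names and constructed values, and the real protocol (WebAuthn over CTAP) additionally carries attestation, user-verification flags and CBOR encoding that are left out here. The authenticatorData layout used (32-byte RP ID hash, 1 flags byte, 4-byte counter) is the real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser fills in the origin it is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the security key: one P-256 key pair per RP ID, one rising counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpID and returns the public key the site stores.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Assert builds authenticatorData = SHA-256(rpID) || flags || counter and signs
// SHA-256(authenticatorData || SHA-256(clientDataJSON)): origin, RP ID and counter are all signed.
func (a *Authenticator) Assert(rpID string, cdJSON []byte) (authData, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential for this RP ID")
	}
	a.counter++
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	authData = append(append(rpHash[:], 0x01), ctr[:]...) // flags byte 0x01 = user present
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

// browserAssert models the user agent: it records the real origin and refuses an RP ID that is not
// the origin's host or a parent domain, so a proxy on bank-login.example cannot borrow bank.example's key.
func browserAssert(a *Authenticator, origin, rpID, challenge string) (cdJSON, authData, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, nil, err
	}
	if host := u.Hostname(); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, nil, fmt.Errorf("origin %s may not use RP ID %s", origin, rpID)
	}
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData, sig, err = a.Assert(rpID, cdJSON)
	return cdJSON, authData, sig, err
}

// RelyingParty is the site: expected origin and RP ID, the registered key, the last counter accepted.
type RelyingParty struct {
	ID, Origin  string
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

func (rp *RelyingParty) Verify(challenge string, cdJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != rp.Origin {
		return fmt.Errorf("client data rejected (type %q, origin %q)", cd.Type, cd.Origin)
	}
	if rpHash := sha256.Sum256([]byte(rp.ID)); len(authData) != 37 || string(authData[:32]) != string(rpHash[:]) {
		return errors.New("RP ID hash mismatch")
	}
	ctr := binary.BigEndian.Uint32(authData[33:])
	if ctr <= rp.LastCounter {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	rp.LastCounter = ctr
	return nil
}

func main() {
	key := NewAuthenticator()
	bank := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", Pub: key.Register("bank.example")}
	cd, ad, sig, _ := browserAssert(key, "https://bank.example", bank.ID, "challenge-1")
	fmt.Println("genuine login:", bank.Verify("challenge-1", cd, ad, sig))
	_, _, _, err := browserAssert(key, "https://bank-login.example", bank.ID, "challenge-2")
	fmt.Println("phishing proxy:", err)
	fmt.Println("replayed assertion:", bank.Verify("challenge-1", cd, ad, sig))
}
```

Two things the example makes visible. A proxy on a look-alike domain never gets a usable assertion, because the browser will not let that origin ask for bank.example's RP ID, and even an origin the browser does allow (a sibling subdomain) is rejected by the site's own origin check. The caveat for the MITM case raised in the question: an interception proxy that the browser already trusts (a corporate root CA, for instance) terminates TLS at the genuine origin, so the origin the browser signs is the real one and this mechanism does not detect it; certificate validation stays the browser's job, and the key never sees the certificate. The counter check is what lets a site notice a cloned authenticator or a replayed assertion, which is the property @UnBubba was asking about.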

  • @jonny777bike  1 year ago

    I hate that the new iPhones have gotten rid of the touch and replaced it with the face recognition. I wear glasses and when I'm in bed I don't wear glasses. In the past I could use my finger but they got rid of that. We need to get rid of SMS for 2FA. Also websites should go by the latest standards of NIST. All websites should allow you to paste the passwords.

    • @thomasedison9047  1 year ago

      DM vinethics, he'll help you. He fixed mine; he has a 90k followers account. YouTube is not letting me write to you in full; make sure it's the right account you DM

    • @thomasedison9047  1 year ago

      ON Instagram

  • @LuisCaneSec  2 years ago

    Yubikeys are pretty fantastic. I use them to authenticate SSH and Sudo for my linux desktops and servers. Be ready to do some chroot to recover a locked computer, if you mess up, though.

  • @cityhunter2501  2 years ago

    no backup is the reason why I ditched Google Authenticator and went with MS Authenticator. Now I can easily restore all my codes to any devices with my account.

  • @hoopoe_  2 years ago

    Can you recommend any alternative to Boxcryptor, now that they've been taken over by Dropbox?

  • @harveygresham3636  2 years ago +1

    your channel is so ... useful. thank you.

  • @RaveSongRecords  2 years ago +2

    Excellent review ! Thanks so much! I’ve been wondering about a security key! 🔐

  • @HinaraT  2 years ago

    I just would like to point out that what you described as a replay attack is a man-in-the-middle attack. (I would like to call that a proxy attack, but I'm not sure if this terminology is correct; it is essentially just rerouting the traffic like a proxy so you can usurp the real website but still have the green lock, as the traffic is genuinely secured between you and the proxy.)
    A replay attack is when you can reuse what the user sent to someone else, even if it is encrypted, to bypass the authentication.
    One common use, for example on old car keys, is recording the signal sent from the car key to the car. Then to open the car, you just "play" your recording back.
    In the case of TOTP it would mean, for example, an evil extension copies the TOTP code sent to the good website, then sends it to someone else to make it connect immediately with the same code.
    Normally websites should block a TOTP code from being used twice to connect. It is a security best practice; unfortunately that doesn't mean every website prevents it.
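Added example, written for this page and not taken from the video, from any commenter or from any authenticator app's code, covering three points raised in this thread: @medicalwei's note at 5:50 that the old code stays valid a little longer, @eight-double-three's note that OWASP tells the server to remember the last OTP and refuse its reuse, and the comment above distinguishing a replay (the same code presented twice) from a relay. The Go program below implements RFC 4226 HOTP and RFC 6238 TOTP and a server-side verifier with a one-step clock window plus a per-user "last redeemed step" record. The secret is the RFC 6238 test-vector key used as a constructed demo value; `Verifier`, `NewVerifier`, `Verify` and the user names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
)

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP with the counter set to the current time step (usually 30 s).
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side. It accepts the current step plus one step either side, which
// is why a code that just rolled over still works for a moment, and it records the highest
// step each user has redeemed so that the same code is never accepted twice.
type Verifier struct {
	mu       sync.Mutex
	step     int64
	digits   int
	skew     int64            // steps of clock tolerance in each direction
	lastUsed map[string]int64 // user -> last accepted time step
}

func NewVerifier() *Verifier {
	return &Verifier{step: 30, digits: 6, skew: 1, lastUsed: map[string]int64{}}
}

// Verify returns true only for a code that matches a step inside the window AND is newer than
// anything this user has already redeemed. Note what this does not do: a phishing proxy that
// relays a fresh code is that code's first use, so it passes; the guard only makes the victim's
// own later attempt with the same code fail.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	cur := now / v.step
	for d := -v.skew; d <= v.skew; d++ {
		t := cur + d
		if !hmac.Equal([]byte(hotp(secret, uint64(t), v.digits)), []byte(code)) {
			continue
		}
		if last, ok := v.lastUsed[user]; ok && t <= last {
			return false // this step (or a later one) was already redeemed: replay
		}
		v.lastUsed[user] = t
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key, used as a constructed demo secret
	v := NewVerifier()
	now := int64(1700000000)
	code := totp(secret, now, 30, 6)
	fmt.Println("code:", code)
	fmt.Println("first use:", v.Verify("alice", secret, code, now))
	fmt.Println("same code again:", v.Verify("alice", secret, code, now+10))
	fmt.Println("next step:", v.Verify("alice", secret, totp(secret, now+30, 30, 6), now+30))
}
```

The window (`skew`) is the tolerance @medicalwei describes: a code generated in the last second of a step is still accepted during the next one, so a user who was slow to type is not punished. The `lastUsed` map is the OWASP advice from @eight-double-three: without it, the same six digits could be presented again by anyone who saw them during that window. As @FireRat notes, neither control stops a live relay through a phishing proxy; that is the gap only an origin-bound credential such as a FIDO security key closes.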

  • @elduderino7767  2 years ago +2

    google authenticator has a "transfer accounts" option now, so i just use that to sync all my auth codes to a retired air gapped phone - safer than keeping a copy of backup codes in your documents folder
    yeah keepassxc is nice with browser integration and cross platform support - but don't use it as your 2 factor method!

  • @iaincampbell4422  2 years ago

    Phone 2FA used to be trivially overcome via SS7 exploits.

  • @yesnathan22  1 year ago

    How about using MSFT/google authentication for your email and use google voice number for mobile.

  • @sunchips5  2 years ago +1

    This is a really good video. Thank you.

  • @shrikeofterven6006  1 year ago +1

    Does anybody use true answers for those security questions? I personally have had about as many high school mascots as I have had security questions. My father was born in at least 30 countries that he was never born in.

  • @wombatdk  2 years ago +1

    Great advice.
    Btw, for "security questions" you absolutely do not need to answer the actual questions. "What's your favorite pet?" "Chocolate Cookies" is a lot harder to guess. Just make something up that you can remember down the line :)

    • @NaomiBrockwellTV  2 years ago +1

      I’d recommend using randomly generated strings for those and storing in a password manager!

    • @wombatdk  2 years ago

      @@NaomiBrockwellTV I'm wary of password managers myself, though I use one - sorta.
      It's on a repurposed old phone without Internet or WiFi (it's also in airplane mode). Offline storage is the only safe storage, IMO.

  • @gitshell  2 years ago +4

    Thank you for the awesome content.

  • @ashleymorris6636  9 months ago

    How do you copy and paste passwords safely, and type in the master password for your password vault? Can anyone help please

  • @zgdafzgdaf4264  2 years ago +1

    Nice review. For FIDO, you need to disable other recovery options such as phone. Also most phones and mobile devices have FIDO chips built in and could use this method for a factor. The ultimate goal is to get rid of passwords.

  • @dystopianjustice247  2 years ago

    Would you please do a video on security for journalists and dissidents? How does a security key protect accounts, if providers share info with corrupt law enforcement who falsify records to get warrants?

    • @NaomiBrockwellTV  2 years ago

      Freedom of the press foundation is a great resource for that

  • @johnspitta6725  1 year ago +1

    Holy S…t. I’m throwing my phone in the trash and going back to a Day Runner.

  • @ogcrypto6022  2 years ago +3

    Well it seems like there's no hope even with two-factor Authentication so what's the point of being in cryptocurrency if you get hacked and all your money gets stolen all the time?

    • @NaomiBrockwellTV  2 years ago +1

      hmmmm I don't think the takeaway was that all 2fa is insecure! auth apps and security keys are great, highly recommend

  • @ckpriv6167  1 year ago

    Hi. Great content. I activated the backup of my TOTP; I had forgotten about this.
    About SMS, I don't have one on my phone. I have a virtual one. Is it more secure? Or the same as having a real one?
    External devices are interesting. Are they more secure than biometric auth?

  • @greatwolf.  2 years ago +6

    Make sure you cover crypto hardware wallets like KeepKey that have FIDO webauth implemented so it can be used as a security key.

    • @dzidmail  2 years ago

      Yeah. Trezor and ledger have it too

  • @abek3684  5 months ago

    How does YubiKey authentication work? I don't get it; I've got keys