Hello, and thank you for the video sharing on 2FA. As a person who has used Google Authenticator to secure many things, most important being my online crypto accounts, this is not secure at all. I would like to know if you can share with us how this can be hacked from a person's iphone or window's 10 laptop if both these devices have never been compromised by loss or use of any other person? How can a hacker use these same confirmation codes that we are led to believe can only be generated by the phone they are installed on, or the laptop they are installed on? It makes be wonder why you can install these 2FA apps on a laptop if you have them on an iphone also, but they do give out the same code numberrs? I didn't have the time to listen to the whole video and maybe you explained that, but I had to get this question off first. In my very unfortunate circumstance where this Google Authenticator was somehow hacked from either of the devices mentioned above, hackers entered into my online exchange crypto accounts and stole all that was on them. It was not a large amount, but anything is too much. How could this be done, as the exchanges will not even talk to me about what happened. Not sure customers know this, but no exchange will divulge any information about how your account was hacked with subpoena order. Can you believe it, Not to mention they will not communicate by phone either, so if your account information was changed, you are literally locked out of your account, if email has been changed or password has been changed as there is nowhere to send new password link to. It is disgusting. So secure this by Yubikey only, using the Yubico Authenticator that cannot be hacked since it is not installed on any computer or smartphone but on the hardward device itself. This is extremely important to do. I will repeat one last time. Google Authenticator or any other online or on device authenticator for 2FA verification is not secure. It can be hacked and fairly easily. Do not leave any assets on any exchanges that cannot be secured by a Yubikey. As of this date, this is the only known100% safe device that will protect you from any hack. This happened to me, and I am trying to let all know to not depend or trust any other 2FA device that is supposedly top level secure, as it is not. I wish someone would explain to me how this was hacked from me, with absolute knowledge that the devices these were on were at all times in my physical control and never even left my house, let alone missing or shared to anyone. It happened and it was ugly when it did.
I would like to hear this guy's opinion on hardware firewalls. Do hardware firewalls give you an extra layer of security or would it be a counter productive investment?
This is still true for most people today. You’d think of all things, people would hold the companies handling their finances to higher security standards?
My stream accounts are better off than most of my bank accounts. It takes forever to disable 2FA on Steam. I have all the security protocols to disable it. Make it as hard as possible.
Henry's rants are not only entertaining, but you just know he is on our side here. It certainly beats certain other tech channels that spend the first ten minutes telling us how stupid WE are!
This was the perfect TOTP video for me. I had a really hard time finding something (text or video) that wasn't just the bare-bones basics or something that went into way too much into the nitty gritty technical details. Thanks for such a great introduction!
The most infuriating thing for me is that Authy was one of the recomendations from other privacy youtuber. I installed it based on that recomendation! Now I need to clean up this mess!
Thanks for making this. I just learned that Authy was shutting down its PC service. While looking for alternatives, I found your video. Down the rabbit hole.
Thank you for taking the time to do this video. I'll admit I'm gonna need some time to fully understand it and use it correctly, but it's worth the time and effort. Thanx again
I wish I watched this video yesterday before I removed all of 2FA from my old device in the same way you did. oh well. live and learn. great content. Yesterday I took the plunge and put CalyxOS on my device. (also been using Calyx MiFi 5G as my backup connection for internet, and it has worked beautifully. I'm data smart, but not tech smart and this channel has helped me out a ton.
@@zaynezachariasse9240 I recommend Tofu Authenticator or Authenticator for IOS (I use Tofu Authenticator but I found out that i can't get the TOTP from it...) Aegis for Android
So I was deliberating changing from Authy...now my paranoia shot through the roof. Guess what my weekend project is going to be? Thanks for all the information!
Wished I knew this 1 year ago and save those damn seeds! Awesome video going to be helpful for people who haven't save their seeds before needing them in case you lose or break your phone.
I almost lost access to all my 2fa when I realized that authy created an account for my gemini account. I was trying to fix the problem merging the two accounts and I end up in some kind of limbo for a while, luckily I was able to gain access in one of my old devices that was out of sync with the cloud.
@@thestreamreader Aegis And Keepass Xc For Android And Then Keepass DX For PC I Know Its Password Manager But U Can Make Separate Database For Just Totp
I came here from a "best apps for Linux" where the comment was "authy! yikes!" with the link to this video, and let me tell you when I saw the kind of shitty lighting and a vaguely scruffy dude in a hoodie with the hood up I was getting strapped in for a conspiracy rant video, needless to say I was very pleasantly surprised, so much so I have now subscribed. I used to use lastpass for a bunch of things, but the difficulty to use put me off, so I'm glad I made a good choice
Man... You have showed this aging man how silly he's been time and time again. Former LastPass user and tomorrow I'll be a former Authy user. I thought I was doing great with Authy. I wonder what else you'll be informing me what I'm doing wrong. I look forward to it.
Services like Google Voice have better protection from account-takeover attempts which have infamously happened with traditional carriers who fell victim to simple phone-based social engineering attacks. So yes, small security improvement just for this reason alone. However, it comes at the cost of needing a Google (or other VOIP) account, and each service’s security/privacy practices will wildly vary. Another complication is many accounts online will flag the VOIP number and not allow you to use it. No right answer here, just some things to think about.
@@techlore thanks for the response! For the services that only do text-message 2fa, I’ve been using a VOIP number. Might be a small decrease in privacy for an increase in security, so that’s what I do.
@@LandSurfer96 I forgot to reference the fact that I’m referring to using these for 2fa. Seems VoIP might be more secure if the account you have with the VoIP provider is properly secured with its own 2fa. Google voice has the option of TOTP / hardware keys for example.
even though i'm fairly tech savy and care about privacy and security, i wasn't really sure how to use apps like aegis i just knew they are good for privacy. this video was really simple to grasp and i'm able to use 2FA quite easily now. thanks :)
3:32 maybe the codes should be sent via signal. I know Facebook are planning on sending login codes via WhatsApp. (I guess also to get more people to use WhatsApp due to the rise in signal users).
Also I can't recommend Bitwarden enough. My threat level: I am not wealthy, famous, or politically/publically/militarily relevant Bitwarden has: 1) zero knowledge encryption 2) Cloud Syncing 3) Extensions for all browsers 4) Android, iOS, Windows, Linux, and MacOS apps 5) Built in TOTP authenticator 6) Built in password generator 7) Option to download all passwords and seeds 8) Auditing tools to check for weak, reused, and compromised passwords 9) It is open source 10) Regularly audited by 3rd parties & findings are publically accessible It is $10 dollars a year to get premium. It is one of the only pieces of software I have bought. It really is a great product.
Really enjoyed the presentation. Informative, with many valid points. I also steer people away from Authy just based on the requirement for a phone number. But in fairness, what authentication apps export the seed keys? I don't mean allow you to transfer to another device, but generate the actual original secret key that was registered at the time of adding the account? Excellent Mate! Thank you
Be sure to save your keys (seeds) in a secure location. I store mine in an encrypted text file that I save on a flash drive stored in a safe. That way I can switch to a different authenticator app. It's tedious to add the keys, but gives the most flexibility.
I've got a somewhat unrelated question...I am interested in using the Trezor as a Fido key. Usually when you use something like a yubikey it is recommended to use multiple ones to make sure that you can still log into your accounts when one of them breaks (because apparently there is no way to recover a broken ones seed ???). Is the same thing true for the Trezor? If your Trezor breaks you can recover your wallet with the seed words but would that also recover my U2F or is that something different?
Amazing video...... I left Auty about a month ago (Desktop version and IOS version were not syncing property and Auty admitted that their desktop version has many flaws) and went to Microsoft Authenticator but I had to disable 2FA for all my 26 accounts when I was changing from Authy to Microsoft Authenticator....... :( :( :( .......
This video finally game me motivation to move away from Authy. I have literally had other open source totp app on my phone for a year, but since there no export option it's just going to be so pain in the ass. Gotta also remember to send them message to delete all my data.
Good video. Unfortunate phrasing when you said “enter it before the thirty second timer runs-out.” The little bit of wiggle-room you get by being able to use the code before or after the one for the current time is very nice (and sensible ‘cause you know, not everyone has an atomic clock). I’ve personally heard people being annoyed they “have to” wait until the timer runs-out and they have time to enter the code. Sometimes this annoyance is even _the_ blocker for them (it sounds silly, but if you’re a really slow typer, have a disability or whatever else, it can be very hard to enter something within ten seconds).
When I got the TOTP from Microsoft, I pasted it in a note, and pasted the same text file into an authenticator. A few days later, I pasted the same text string into a different authenticator, and it gives the same numbers, but not with exactly the same time. Why are they not changing at exactly the same time?
I used to have Authy, and I learned all your disadvantages the hard way. Thanks for that script! I'm using Aegis on my phone now. By the way, is there a TOTP app for computers?
I love your videos! Major fan! I've been watching your videos for almost 2 years now and you have taught me so much and actually gave me the inspiration to pursue a career in cybersercurity. I love your videos on going incognito from Google. Everyone thought I was crazy when I was doing my research and when I found out what all Google can do on my devices as well as Samsung in my opinion. Lol. But anyway you have let me know I'm not so crazy and I'm on the right track. Your awesome please keep making all these videos you do
If you could do a video on how Chrome uses my phone as a sercurity key and how I'm suppose to link it with a QR code. I found it in settings in Chrome and it was saying my tablet could be used as a sercurity key. I've never set this up. But there was a button there saying clear linked devices in Chrome settings. I never use Chrome and I'm so confused how that would have gotten set up or it's like that cause my boyfriend said it's already set up but wouldn't I have had to have scanned QR codes to make a device to clear one. Yeah I really hope you understand what I'm asking. Google Chrome sercurity key involving the QR code and it said it would link device to use device to sign in or unlock other device I'm thinking
Hey Juli! We're love to hear that we assisted you in your life with your career and everything privacy related! That's amazing! Now, onto your question: Unfortunately, there are time constraints so we cannot assist people with technical questions. We have a community full of people that would be willing to assist you on Matrix, Discord and even a new forum we launched! We hope you can find the assistance you need.
I had a conversation with my bank about how I can’t use there rsa key for there banking app and the lady said to me why don’t I use sms 2fa and I said cause you can clone or intercept sms. Her response was if the bank thought it could be down they would change.
I will push back gently on the idea that multi device sync is not important - maybe in your life, you have plenty of people that don't switch devices (or lose them) but to the layman, that stuff happens all the time. I wish the FOSS authenticators did what bitwarden does and have multi-device sync. Usability is important if we want non-technically minded folks to use these things - that's why authy has the reputation (despite the other flaws you rightfully point out)
Fortunately, banks in Germany have their own type of 2FA method, with which you need a reader (a small device with a camera and a screen and a keypad) and your bank debit card. The smartcard processor on the debit card does the crypto, while the reader device just is the interface between your screen, you and the smartcard processor on your debit card. It's really secure, much better than SMS 2FA or their newest clown idea, a 2FA app for your spyphone...
Google Authenticator also does not allow you to reclaim the seed for the accounts! Wonder how you missed that point! One can only transfer it to another Google account with a QR code which can only be read by Google...
I am confused with this scenario and not able to find a proper answer Let's say i have 2FA on for all my account and have backed up all the seeds in case i need them I lose my device , since i have the backups i can easily setup my 2FA in my new device But what about the old device ? It still has the 2FA running on it , what if someone somehow manages to get to the 2FA app and then they have access to my seed and 6 digit 2FA codes
Wow I didn't know about that Twitch Authy thing! This video is a year old and it's still valid because Twitch STILL uses Authy. I just checked and there's no mention of Authy in the Terms of Service but users are still reporting issues with it on Reddit!
When everyone covers most secure TOTP apps, no one ever mentions Yubikey's. With their app the keys are on the Yubikey hardware key to store the seed. The app supplies the screen to show the code and the timer. The app can't be used without the hardware key. And the hardware key needs the app. So it seems like that adds another layer of protection in case your phone gets hacked. You can have two keys so you have a back up. And if you switch devices, all you have to do is install the Yubikey authenticator on the new device. Then connect your key when you need a code. It seems like the only down side to it would be the cost of the keys. But since no one ever talks about it, I don't know for sure. Any thoughts?
Could you make a guide on the safest cloud backup services? A little more in depth than the Go Incognito lesson would be greatly appreciated. Thanks for the info!
The password manager was mentioned as a less secure option for TOTP, than a dedicated app... Is This relation stil stands if it is two seperate database, file, account whatever, with seperately strong masterpasswords?
2FA is great, i use it all the time. But I also hate the implementation of it. If it is set up you may not been able to log in to the service without the code. I know that this is the intention for 2FA. For example on Steam you can't that easy play any game you installed. On banking one bank for needs the code for everything the other is more reasonable and only require the second factor for money transfer. No one offers me a setting for when the code should be required.
If TOTP is a standard, does this mean I can use a windows program to login to my google account? (I don't see the seed code on my Google authenticator)
What about keeping 2FA authenticator app and password manager in the same device? For example keepass+aegis in the same android device. There is a single point o f failure because if the device gets hacked the attackers has 2 databases (keepass and aegis) to crack.
Options: - Use Authy just for those services - Use Authy, but export the seeds unofficially and use your normal TOTP client day-to-day. Then keep your Authy account active but unused. - Stick with only SMS 2FA on services like Twitch (They do allow SMS) - While it is an option, I struggle to even shed light on the possibility of opting-out of 2FA altogether for these services. However, it really is the only option if you’re trying to avoid Authy AND avoid handing over a phone number for SMS. Musts: - Email twitch support and express your disgust.
We receive so many questions about 2FA, so we went all out on this guide--enjoy it! (Screw Authy!)
00:00 Section 1 - Introduction
00:38 Section 2 - 2FA Explained
02:01 Section 2.1 - SMS 2FA Explained
04:05 Section 2.2 - Ecosystem 2FA Explained
06:34 Section 2.3 - TOTP Explained (Simple)
09:42 Section 2.4 - Hardware 2FA Explained
10:01 Section 2.5 - Outlier Services
10:24 Section 2.6 - The Best Method
10:49 Section 3 - TOTP Explained
11:01 Section 3.1 - TOTP Clients
12:07 Section 3.2 - TOTP Seeds Explained
13:50 Section 3.3 - TOTP Real-World Usage
15:13 Section 3.4 - TOTP Backups
17:40 Section 3.5 - TOTP Pro-Tip & Story Time
19:07 Section 3.6 - Enemies of TOTP (F*** Authy!)
24:08 Section 3.7 - Full TOTP Recap & Summary
26:50 Section 4 - Conclusion
Hello, and thank you for the video sharing on 2FA. As a person who has used Google Authenticator to secure many things, most important being my online crypto accounts, this is not secure at all. I would like to know if you can share with us how this can be hacked from a person's iphone or window's 10 laptop if both these devices have never been compromised by loss or use of any other person? How can a hacker use these same confirmation codes that we are led to believe can only be generated by the phone they are installed on, or the laptop they are installed on? It makes be wonder why you can install these 2FA apps on a laptop if you have them on an iphone also, but they do give out the same code numberrs?
I didn't have the time to listen to the whole video and maybe you explained that, but I had to get this question off first. In my very unfortunate circumstance where this Google Authenticator was somehow hacked from either of the devices mentioned above, hackers entered into my online exchange crypto accounts and stole all that was on them. It was not a large amount, but anything is too much. How could this be done, as the exchanges will not even talk to me about what happened. Not sure customers know this, but no exchange will divulge any information about how your account was hacked with subpoena order. Can you believe it, Not to mention they will not communicate by phone either, so if your account information was changed, you are literally locked out of your account, if email has been changed or password has been changed as there is nowhere to send new password link to. It is disgusting. So secure this by Yubikey only, using the Yubico Authenticator that cannot be hacked since it is not installed on any computer or smartphone but on the hardward device itself. This is extremely important to do.
I will repeat one last time. Google Authenticator or any other online or on device authenticator for 2FA verification is not secure. It can be hacked and fairly easily. Do not leave any assets on any exchanges that cannot be secured by a Yubikey. As of this date, this is the only known100% safe device that will protect you from any hack. This happened to me, and I am trying to let all know to not depend or trust any other 2FA device that is supposedly top level secure, as it is not. I wish someone would explain to me how this was hacked from me, with absolute knowledge that the devices these were on were at all times in my physical control and never even left my house, let alone missing or shared to anyone. It happened and it was ugly when it did.
I would like to hear this guy's opinion on hardware firewalls. Do hardware firewalls give you an extra layer of security or would it be a counter productive investment?
I'm looking for a good 2fa app.
Incredible job! Karma coming
For a number of years my steam account was better secured than my bank account.
This is still true for most people today. You’d think of all things, people would hold the companies handling their finances to higher security standards?
Steam accounts hold more money than Banks
For some of us, our steam accounts have more value than our bank accounts XD
Yea, sucks that we can all say that.
My stream accounts are better off than most of my bank accounts.
It takes forever to disable 2FA on Steam. I have all the security protocols to disable it. Make it as hard as possible.
Valeu!
woah is that a donation in the form of a comment? ive never seen this before on a not-livestream video
honestly wouldn't be mad if Techlore just has a video (or multiple videos) where he just rants about companies that claim theselves as "private"
Yes yes yes
No company is private no matter the encryption there’s always a way for someone to get access to your stuff. Nothing is hack proof
Henry's rants are not only entertaining, but you just know he is on our side here. It certainly beats certain other tech channels that spend the first ten minutes telling us how stupid WE are!
@@cowwy3130 nice try but you can't hack the secret piece of toilet paper I keep my passwords on
@@Robbie-mw5uu I mean if someone hacked the maple syrup place I wouldn’t trust that 🤣🥶
This was the perfect TOTP video for me. I had a really hard time finding something (text or video) that wasn't just the bare-bones basics or something that went into way too much into the nitty gritty technical details. Thanks for such a great introduction!
Thank You Techlore for sharing this amazing guide for TOTP. Waiting for your U2F guide. Sharing this guide in my whole circle. Keep up the great work!
The most infuriating thing for me is that Authy was one of the recomendations from other privacy youtuber. I installed it based on that recomendation! Now I need to clean up this mess!
Thanks for making this. I just learned that Authy was shutting down its PC service. While looking for alternatives, I found your video. Down the rabbit hole.
proton pass just released a desktop app and supports super easy 2fa
The information about making TOTP backups was what I exactly needed. Thank you so much.
Thank you for taking the time to do this video. I'll admit I'm gonna need some time to fully understand it and use it correctly, but it's worth the time and effort. Thanx again
I wish I watched this video yesterday before I removed all of 2FA from my old device in the same way you did. oh well. live and learn.
great content. Yesterday I took the plunge and put CalyxOS on my device. (also been using Calyx MiFi 5G as my backup connection for internet, and it has worked beautifully.
I'm data smart, but not tech smart and this channel has helped me out a ton.
This was definitely good info. Watched the whole thing and took notes! Thanks, Henry!
(And Techlore team. I see you!) ❤️
I just transitioned from Authy to Raivo OTP. Thank you @Techlore
I finally transferred out of Authy.
I had it on my list anyway. You just gave the push I needed.
What app do you use instead of authy?
@@zaynezachariasse9240 I recommend Tofu Authenticator or Authenticator for IOS (I use Tofu Authenticator but I found out that i can't get the TOTP from it...)
Aegis for Android
@@zaynezachariasse9240 I am experimenting with a bunch of them. Here are the ones I am using right now.
andOTP
Aegis
FreeOTP Authenticator
Preach, Henry! I was going to get Authy before I watched this.
Your channel is gold. Thank you so much.
So I was deliberating changing from Authy...now my paranoia shot through the roof. Guess what my weekend project is going to be? Thanks for all the information!
Wished I knew this 1 year ago and save those damn seeds! Awesome video going to be helpful for people who haven't save their seeds before needing them in case you lose or break your phone.
I almost lost access to all my 2fa when I realized that authy created an account for my gemini account. I was trying to fix the problem merging the two accounts and I end up in some kind of limbo for a while, luckily I was able to gain access in one of my old devices that was out of sync with the cloud.
So, the main takeaways here are that everyone should use 2FA (ideally TOTP when available) where they can, and Henry really isn't Authy's biggest fan.
It’s like the world just GETS us 😭
What was the best app to use for this?
@@thestreamreader Aegis And Keepass Xc For Android And Then Keepass DX For PC I Know Its Password Manager But U Can Make Separate Database For Just Totp
@@thestreamreader I still dont know :-(
I didn't think I'd reach the end of the video. 30 minutes is quite a lot. Nonetheless, with my time. Thank you, mate!
I came here from a "best apps for Linux" where the comment was "authy! yikes!" with the link to this video, and let me tell you when I saw the kind of shitty lighting and a vaguely scruffy dude in a hoodie with the hood up I was getting strapped in for a conspiracy rant video, needless to say I was very pleasantly surprised, so much so I have now subscribed. I used to use lastpass for a bunch of things, but the difficulty to use put me off, so I'm glad I made a good choice
Man... You have showed this aging man how silly he's been time and time again. Former LastPass user and tomorrow I'll be a former Authy user. I thought I was doing great with Authy.
I wonder what else you'll be informing me what I'm doing wrong. I look forward to it.
So clear and good, Henry.
Is using a secure VOIP phone number more secure than just your ol’ Verison phone number?
More secure or private? Secure?... Not generally unless you are using and end to end encrypted messenger.
Services like Google Voice have better protection from account-takeover attempts which have infamously happened with traditional carriers who fell victim to simple phone-based social engineering attacks.
So yes, small security improvement just for this reason alone. However, it comes at the cost of needing a Google (or other VOIP) account, and each service’s security/privacy practices will wildly vary. Another complication is many accounts online will flag the VOIP number and not allow you to use it.
No right answer here, just some things to think about.
@@techlore thanks for the response! For the services that only do text-message 2fa, I’ve been using a VOIP number. Might be a small decrease in privacy for an increase in security, so that’s what I do.
@@LandSurfer96 I forgot to reference the fact that I’m referring to using these for 2fa. Seems VoIP might be more secure if the account you have with the VoIP provider is properly secured with its own 2fa. Google voice has the option of TOTP / hardware keys for example.
I have to remove all my 2fa from all my sites then remove authy then set them all up again in Aegis. Thanks for the info.
Thanks bro, convinced me to migrate from authy to aegis.
even though i'm fairly tech savy and care about privacy and security, i wasn't really sure how to use apps like aegis i just knew they are good for privacy. this video was really simple to grasp and i'm able to use 2FA quite easily now. thanks :)
Privacy =\ security
3:32 maybe the codes should be sent via signal. I know Facebook are planning on sending login codes via WhatsApp. (I guess also to get more people to use WhatsApp due to the rise in signal users).
Also I can't recommend Bitwarden enough.
My threat level: I am not wealthy, famous, or politically/publically/militarily relevant
Bitwarden has:
1) zero knowledge encryption
2) Cloud Syncing
3) Extensions for all browsers
4) Android, iOS, Windows, Linux, and MacOS apps
5) Built in TOTP authenticator
6) Built in password generator
7) Option to download all passwords and seeds
8) Auditing tools to check for weak, reused, and compromised passwords
9) It is open source
10) Regularly audited by 3rd parties & findings are publically accessible
It is $10 dollars a year to get premium. It is one of the only pieces of software I have bought. It really is a great product.
Looking forward to a guide to physical security keys 😎👍
Really enjoyed the presentation. Informative, with many valid points. I also steer people away from Authy just based on the requirement for a phone number. But in fairness, what authentication apps export the seed keys? I don't mean allow you to transfer to another device, but generate the actual original secret key that was registered at the time of adding the account? Excellent Mate! Thank you
Is there a list somewhere of which services provide 2FA and which implementations they offer?
this was incredibly helpful. thanks a lot!
Such a great video, thanks a lot!
Great video, why backup the seed when there are 2fa recovery codes?
Be sure to save your keys (seeds) in a secure location.
I store mine in an encrypted text file that I save on a flash drive stored in a safe.
That way I can switch to a different authenticator app.
It's tedious to add the keys, but gives the most flexibility.
You could just save the QR image there as well. Makes it a lot easier :)
I've got a somewhat unrelated question...I am interested in using the Trezor as a Fido key. Usually when you use something like a yubikey it is recommended to use multiple ones to make sure that you can still log into your accounts when one of them breaks (because apparently there is no way to recover a broken ones seed ???). Is the same thing true for the Trezor? If your Trezor breaks you can recover your wallet with the seed words but would that also recover my U2F or is that something different?
Amazing video...... I left Auty about a month ago (Desktop version and IOS version were not syncing property and Auty admitted that their desktop version has many flaws) and went to Microsoft Authenticator but I had to disable 2FA for all my 26 accounts when I was changing from Authy to Microsoft Authenticator....... :( :( :( .......
Thanks for another detailed guide🙌💯
So helpful :) Thank you for this information-rich and amazing video!
Keep going my Friend , keep going 👍🕊️🙏
100% accurate keep it coming!
This video finally game me motivation to move away from Authy. I have literally had other open source totp app on my phone for a year, but since there no export option it's just going to be so pain in the ass.
Gotta also remember to send them message to delete all my data.
Google Authentificator blocks the seed "reveal" as well...
Good video. Unfortunate phrasing when you said “enter it before the thirty second timer runs-out.” The little bit of wiggle-room you get by being able to use the code before or after the one for the current time is very nice (and sensible ‘cause you know, not everyone has an atomic clock). I’ve personally heard people being annoyed they “have to” wait until the timer runs-out and they have time to enter the code. Sometimes this annoyance is even _the_ blocker for them (it sounds silly, but if you’re a really slow typer, have a disability or whatever else, it can be very hard to enter something within ten seconds).
When I got the TOTP from Microsoft, I pasted it in a note, and pasted the same text file into an authenticator. A few days later, I pasted the same text string into a different authenticator, and it gives the same numbers, but not with exactly the same time. Why are they not changing at exactly the same time?
I used to have Authy, and I learned all your disadvantages the hard way. Thanks for that script! I'm using Aegis on my phone now.
By the way, is there a TOTP app for computers?
Waiting for an answer
currently, no
Well, Bitwarden definitely works for 2fa as an app on the computer with the paid version. (Like $1/month)
Authy works great if you set it up properly.
@@BeatBoxBrian Well, I already use Bitwarden free, so I might look into that.
I love your videos! Major fan! I've been watching your videos for almost 2 years now and you have taught me so much and actually gave me the inspiration to pursue a career in cybersercurity. I love your videos on going incognito from Google. Everyone thought I was crazy when I was doing my research and when I found out what all Google can do on my devices as well as Samsung in my opinion. Lol. But anyway you have let me know I'm not so crazy and I'm on the right track. Your awesome please keep making all these videos you do
If you could do a video on how Chrome uses my phone as a sercurity key and how I'm suppose to link it with a QR code. I found it in settings in Chrome and it was saying my tablet could be used as a sercurity key. I've never set this up. But there was a button there saying clear linked devices in Chrome settings. I never use Chrome and I'm so confused how that would have gotten set up or it's like that cause my boyfriend said it's already set up but wouldn't I have had to have scanned QR codes to make a device to clear one. Yeah I really hope you understand what I'm asking.
Google Chrome sercurity key involving the QR code and it said it would link device to use device to sign in or unlock other device I'm thinking
I know you don't like Google but if you could just clear this question up for me I would be so appreciative
Hey Juli! We're love to hear that we assisted you in your life with your career and everything privacy related! That's amazing! Now, onto your question: Unfortunately, there are time constraints so we cannot assist people with technical questions. We have a community full of people that would be willing to assist you on Matrix, Discord and even a new forum we launched! We hope you can find the assistance you need.
Fantastic video, subscribed
I had a conversation with my bank about how I can’t use there rsa key for there banking app and the lady said to me why don’t I use sms 2fa and I said cause you can clone or intercept sms. Her response was if the bank thought it could be down they would change.
When is the surveillance report 52 gonna come out henry?
Love your work
We need a video on how to get off LastPass
Absolutely. Will do.
How about Dashlane TOTP ?
I definitely agree that we should stop using SMS for everything. I hate SMS
I know it's a relatively old video, but thank you for saying all the things I think about Authy. Seriously, fuck that service!
Is microsoft authenticator good??
god, that was awesome and I really want to get that guy on a date...
If TechLore is genuinely MAD about something on camera, you know it’s serious.
Why no 3...4....5FA?
fantastic info! gracias duder
thank you for good info and interesting videos :)
I will push back gently on the idea that multi device sync is not important - maybe in your life, you have plenty of people that don't switch devices (or lose them) but to the layman, that stuff happens all the time. I wish the FOSS authenticators did what bitwarden does and have multi-device sync. Usability is important if we want non-technically minded folks to use these things - that's why authy has the reputation (despite the other flaws you rightfully point out)
andyotp extension is best option or not for browser??? plz ans me
Good useful video 👍
Why you have remove tofu 2fa from your recommandation ?
Fortunately, banks in Germany have their own type of 2FA method, with which you need a reader (a small device with a camera and a screen and a keypad) and your bank debit card. The smartcard processor on the debit card does the crypto, while the reader device just is the interface between your screen, you and the smartcard processor on your debit card. It's really secure, much better than SMS 2FA or their newest clown idea, a 2FA app for your spyphone...
Google Authenticator also does not allow you to reclaim the seed for the accounts! Wonder how you missed that point! One can only transfer it to another Google account with a QR code which can only be read by Google...
Any recommendations for a MacOS 2FA client? Something like Ravio for mac?
I am confused with this scenario and not able to find a proper answer
Let's say i have 2FA on for all my account and have backed up all the seeds in case i need them
I lose my device , since i have the backups i can easily setup my 2FA in my new device
But what about the old device ? It still has the 2FA running on it , what if someone somehow manages to get to the 2FA app and then they have access to my seed and 6 digit 2FA codes
Wow I didn't know about that Twitch Authy thing! This video is a year old and it's still valid because Twitch STILL uses Authy. I just checked and there's no mention of Authy in the Terms of Service but users are still reporting issues with it on Reddit!
What should we use instead of google school stuff example google docs sheets slides etc
any private alternatives?
Excellent video
What do you think about Standard Notes and its 2FA extension?
some services like Twitch literally only give you a choice between SMS and Authy
Panda Express doesn't even give you the option to change your password lol
When everyone covers most secure TOTP apps, no one ever mentions Yubikey's. With their app the keys are on the Yubikey hardware key to store the seed. The app supplies the screen to show the code and the timer. The app can't be used without the hardware key. And the hardware key needs the app. So it seems like that adds another layer of protection in case your phone gets hacked. You can have two keys so you have a back up. And if you switch devices, all you have to do is install the Yubikey authenticator on the new device. Then connect your key when you need a code. It seems like the only down side to it would be the cost of the keys. But since no one ever talks about it, I don't know for sure. Any thoughts?
We talked about Yubikeys briefly in the video, and will be coming out with a Yubikey video shortly. -S
Can you do a video on how to use TOTP with KeePass
Lastpass export tools?
Hi. I have a question if I may ask. Do you think Instagram should have a security key option for 2FA? Just curious about your thoughts.
How to export from other apps? Like Google?
Could you make a guide on the safest cloud backup services? A little more in depth than the Go Incognito lesson would be greatly appreciated. Thanks for the info!
Funny enough, already recorded this video last week. In production and should be live this Friday
@@techlore Let's go! Awesome
How do set it up.
Question :
Is Microsoft 2AF good enough ?
The password manager was mentioned as a less secure option for TOTP, than a dedicated app... Is This relation stil stands if it is two seperate database, file, account whatever, with seperately strong masterpasswords?
What do you think of Apple 2FA IOS15 ecosystem?
2FA is great, i use it all the time. But I also hate the implementation of it. If it is set up you may not been able to log in to the service without the code. I know that this is the intention for 2FA.
For example on Steam you can't that easy play any game you installed. On banking one bank for needs the code for everything the other is more reasonable and only require the second factor for money transfer.
No one offers me a setting for when the code should be required.
Why the QR code? Does that some how make it more secure? Why not just use the code?
Good dentist.
Yeaaaaaaa kk thanks 🙏!
If TOTP is a standard, does this mean I can use a windows program to login to my google account? (I don't see the seed code on my Google authenticator)
What about keeping 2FA authenticator app and password manager in the same device? For example keepass+aegis in the same android device. There is a single point o f failure because if the device gets hacked the attackers has 2 databases (keepass and aegis) to crack.
Isn't the weather hot to wear a hoodie?
if it has a timer ,it's TOTP;
if it has a refresh-button, it's HOTP
So what do you do for the accounts like Twitch that only allow Authy?
Options:
- Use Authy just for those services
- Use Authy, but export the seeds unofficially and use your normal TOTP client day-to-day. Then keep your Authy account active but unused.
- Stick with only SMS 2FA on services like Twitch (They do allow SMS)
- While it is an option, I struggle to even shed light on the possibility of opting-out of 2FA altogether for these services. However, it really is the only option if you’re trying to avoid Authy AND avoid handing over a phone number for SMS.
Musts:
- Email twitch support and express your disgust.
@@techlore definitely agree on that must XD
I didn´t know the authy practices, what I know is that pos hates desktop users that's why I'm looking for other 2fa authenticator.
i have andOTP.....how is it?
Maybe it's possible to get your authy seeds on a rooted android phone just like from the steam app?
Unfortunately you don't offer a compelling alternative to Authy so sticking with it for now.
Is andOTP no good anymore?