Why use Authentication App over SMS for 2FA (Two factor authentication)

  • Published on 23 Jan 2025

Comments • 32

  • @sagarjuneja4862 4 years ago +2

    you have been at it since years
    not a viewer tbh since i don't have interest in these topics
    but stumbled upon your old video online
    you are great my man
    keep at it
    lots of love and support
    subbed!!

    • @TwinBytesInc 4 years ago +1

      Thank you for your kind words.

  • @CR7UX 3 years ago

    Great topic never thought anyone would talk about it. Thank you man.

    • @TwinBytesInc 3 years ago

      Thank you, and you're welcome.

  • @generationace425 3 years ago +1

    Regardless of which app, is it possible to reverse engineer authenticator apps? Let's say someone has either physical access or remote access (via malware) on your phone and they got past all the lock screens. So now they have the 6 digit authenticator codes, can they reverse engineer the app to get your password to your accounts/emails?

    • @TwinBytesInc 3 years ago +1

      Great question. Everything is possible in this world of technology. It's just by the time the general public knows about it, it's too late. The dark web finds out first, the anti-virus companies find out next and then the public. (generally speaking). So we have to just do everything we can. Hackers generally go for the easiest low hanging fruit, unless they are targeting someone specifically, then they will go full out until they get in. Everything is hackable.

    • @pgplaysvidya 1 year ago

      I'm late to the party but let's say I had physical access to your phone (one of your examples). If I could open the Google auth app, I could export the entire thing to a different phone. I'd need the phone unlock password though, but it does give a method for attacking. People should pair their 2FA installed devices with a secure, non-PIN password and maybe install an applock program on top of that to make it harder to crack.

  • @geirha75 4 years ago +1

    What about email 2FA? What can be said on email 2FA?

    • @TwinBytesInc 4 years ago

      Thanks for your question. 2FA for anything including email is all the same. It is about the method of receiving your 2FA code.

  • @jimboyaguilar5686 2 years ago

    How about if I lost my phone with the authentication there?

    • @TwinBytesInc 2 years ago

      Excellent question. Some services you sign into allow you to have more than one method to login, so if the phone is lost and you don't have access to the authenticator or SMS messages, you can recover by email. Failing that, you should have a recovery code created during the initial setup. If you don't have recovery codes for your sites, start developing a list of them just in case the day comes you might need it.

  • @portman8909 2 years ago

    What if you have two step authentication app for sign in but also have phone as recovery in case you lose the app? Is that still less secure?

    • @TwinBytesInc 2 years ago

      If I understand your question correctly, you want to know if getting a text message as a backup code is still safe if you lost the app. It's still not perfect because anyone else could claim they lost the app and can't get the code and request it be bypassed and go to text message. If they hack your phone they have your texts. But as I mention in this video it's not as likely to happen as someone hacking your computer or any of your accounts online. They need to hack both phone and computer or account. Not very likely, and hopefully you would know and fix the first one before the second gets compromised.

  • @Zociety6477 3 years ago

    What do I do if I don't have the 2fa number anymore?

    • @TwinBytesInc 3 years ago

      Depending on the site you're trying to get into, you should have backup options including a recovery code when you first set it up. If you don't have any of those, you'd have to contact the website service support and see if they can verify you another way and recover. But this is the entire point of 2FA so no one can get in without the code, including yourself. You can't lose your codes and plan ahead when switching your phone and/or phone number.

  • @Durayne 3 years ago

    Just a short Question:
    You say you won't get into how they clone your Phone.
    But in general, what Information do they need to do that?
    Do they need my device physically once?
    Or is knowing my telephone number enough?
    Then again, from where would they know my phone number attached to that specific account before having logged into that account once?

    • @TwinBytesInc 3 years ago +1

      Thanks for your question. There are two ways I'm aware of without technical details.
      The 1st is they need the phone physically to clone the SIM card.
      The 2nd method is they have information about you to impersonate you and ask your phone carrier to port your number over to a new phone. You then lose access to your existing phone number and the hacker takes over.
      Then there is what we don't know. Normally in the IT industry, the good guys don't know what new protections to put in place until a bunch of people have been compromised. You want to just hope you're not one of those first to be attacked. It's a sad concept, but that's how it works.

    • @Durayne 3 years ago

      @TwinBytesInc
      Thank you for your response.
      If it's those 2 I can live with that level of security.
      Both are very personalized Threat Vectors in my opinion and the threat is also highly dependent on the way you use SMS 2FA.

    • @TwinBytesInc 3 years ago

      @Durayne Happy to help

  • @miarmohamed2447 4 years ago

    I got my code by the SMS, but how will I use it to get my profile back?

    • @TwinBytesInc 4 years ago

      Hello. This is slightly confusing. Sounds like you are locked out of one of your accounts. However you wouldn't get the sms code until you enter the correct password. So if you are getting the SMS code, that means you must have entered the correct password. So you should have access to your account. More detail is required.

  • @cayden5899 3 years ago

    I just wanna clone my sim card because i lost my phone

    • @TwinBytesInc 3 years ago

      Not sure how you would clone it if you lost it. You'd have to ask your phone provider for options.

  • @TheBoostedDoge 2 years ago

    I just wish more sites supported the yubikey

    • @TwinBytesInc 2 years ago

      Actually a friend gave me a Yubikey a while ago and I haven't looked at it yet. That's for another video.

    • @TheBoostedDoge 2 years ago

      @TwinBytesInc you should indeed make a video on it. The more popularity it has the more sites will support it.
      That thing is great for paranoid people such as myself and end users alike bc safer and a lot more convenient than authenticator apps