The worst is none at all... but which one should you choose?
Leo, can the person who hacks your phone number click on "forgot password" and use the SMS to change the password?
@@marcosmcm86 It depends on the service, and what you mean by "hack your phone number". Just knowing your phone number isn't enough. They have to actually be able to receive texts sent to that number, which is very difficult to do. Of course if they steal your phone physically, then they could get the SMSes. MOST services will require additional proof that they're authorized when a password is forgotten, but for others it's possible that getting the SMS could be enough.
What about now that Authy got hacked? Aegis? OnlyKey? SoloKey?
Your info is greatly appreciated Leo! So many gullible millennials get promoted because they assume "reputable companies" are common
@@SmedleyButler1 I continue to recommend (and use) Authy. The hack affected Authy in a very limited way and was completely contained:
"the security team found out that only 93 Authy users out of 75 million were affected, with bad actors registering additional devices to the accounts. These unauthorized devices have since been removed from the accounts, and the targeted users in question were all contacted by the company." - via www.androidpolice.com/authy-hacked-what-to-know/
@Zarility Tech What I meant was please provide references to Authy having been hacked. As I said, that's news to me. And why are Google and Microsoft no-goes for you?
A concern that always needs to be addressed is to also have available some recovery option or backup in case you lose your primary authentication method or device.
Absolutely. Most services will insist that you do so when you enable 2-factor. Often it's as simple as confirming your alternate email address, sometimes it's downloading one-time use tokens, but there must always be a way to recover from losing your second factor. That alternative way may be more inconvenient, but it needs to be present.
Why can learn this it's been three weeks dumb.
I really like the authy desktop approach. The biggest resistance I get from employees is they don’t want a work related app on their private phones, I can’t blame them. This solution takes care of it.
At 3:02 you said: "It [2FA] is usually done by having your device scan a QR code displayed or entering a special key that then associates your specific phone, your specific installation of the Google Authenticator with your account. No other Google Authenticator will do. It has to be your phone and your Google Authenticator that's used to authenticate you are who you say you are."
As of today, this is incorrect. I've just tried the special key on a friend's phone and it generates the same six-digit codes. So, it doesn't have to be your SPECIFIC phone and your SPECIFIC installation of the GA app.
This channel is a true gem and you're seriously defying the age stereotype with your sharp thought. Also thanks for the confidence. Often times I consume info about a given topic and at the end, there is a "well I am not sure if it's better though". Which makes the whole thing pretty much pointless.
Is he really defying the stereotype, though? He clearly doesn't fully understand what he's talking about and provides bad advice.
He calls the Authy app "Google Authenticator-compatible." Google Authenticator is not a protocol. It's just an app that implements the TOTP protocol. Authy also happens to implement TOTP.
He also recommends Authy, which no serious security professional would recommend because they're not open source and thus their storing of 2FA secrets can't be independently audited. Apparently his recommendation for Authy is because he likes that the app has logos... Please don't choose any security mechanism because it has... pictures. Authy was hacked in 2022. Imagine listening to this "true gem" (your words) only to have your account hacked.
I recently watched a TH-cam video stating that Google Authenticator is one of the least secure authenticators out there
Well, then, if it's in a TH-cam video it must be true, right? (Would love to know what video that was.)
Authy is great, but the account is linked to your phone number. I prefer to use an application that doesn't do this. I installed 2FAS on my Android phone. It has an option to back-up to Google Drive, so your seeds can survive an app reinstall, and can be transferred to another Android device pretty simply.
Aegis - another awesome app which does the same stuff.
Me too. If you lose the phone, you have to wait for a SIM replacement, plus if you travel it would complicate a lot.
Agreed. I use 2fas too and it's awesome.
I would recommend an authenticator app since sometimes with email or text message, it takes a long time and sometimes even never to get a text or email for the security code
I hate the fact that even now in 2024, Microsoft, Yahoo, and other services insist and basically require you to give them a phone #. And I understand this, because they want to have a contact number for you. But the problem is, they will automatically include it as a 2FA SMS option and account recovery option whether you like it or not, making it the weakest link. I wish they would give you more control over what the phone # can be used for. There is no reason for them to include my phone as a 2FA option, if I already have multiple other methods that include authenticator app, security key, and email for 2FA.
Think about it: if you're using Google's authentication app and it's tied to your phone, a unique code that only matches your phone, you might as well just have a code sent to your phone. Easier.
To do a SIM swap attack the attacker also needs your password, so low risk, but if you use bad passwords the risk goes way up.
So I’m wondering why you would suggest to use google authentication when authy just sounds better.
My recommendation is "Google Authenticator compatible". In other words, Authy, or any of the others. I use Authy myself.
@@askleonotenboom Okay, so any is good. I'll stick with Authy; it just seems more secure when you can use a passcode lock on the app.
Use Aegis so you can manage your TOTP secrets yourself.
The best one is fido keys such as yubikeys
I WISH apps enabled 2FA with email. But they don't! They opt for SMS which is stupid if you're abroad with a local SIM card.
What is the business email? Is it like being on the job? I keep running into that when I ask for certain information.
If you have 2-factor authentication, do you have to enter the authentication code every time you log in, or can you just authenticate your device once to log into your application?
Generally you get to choose. In most cases it's once every 30 days (or until you clear cookies). You can also say "don't remember" so that a device you might lose - like a laptop - could still require it every time. It all depends on the service.
Great video, you explained things so simply. THANKS
Outstanding video. Thank you.
QUESTION: How do I create a new QR code for an account I accidentally erased from my Google Authenticator app?
Turn off the 2FA on that account, and then turn it back on again to generate a new code.
What about authenticators on the same computer, how secure is that? Unless your computer gets hijacked, there doesn't seem to be a problem. I use WinAuth with a password and a PowerShell script I found online for my work computer (no password).
It's admittedly less secure than having a separate device running your TOTP codes, but it's still much more secure than not using 2FA at all. I use KeepassXC on my computer to generate TOTP codes for my browser. Assuming an intruder has no access to my computer, it's as secure as any other TOTP setup. If they do have access to my computer, they will need to get past my computer's password (22 characters), as well as open my kdbx vault file with its password (37 characters). If I choose to set it up with a keyfile on a flash drive or a disc, then it's still secured, even if they have both passwords.
Are you still using Authy after they were hacked?
I am. From what I've read I'm not overly concerned.
Leo, this one concerns me regarding TOTP seeds: How does the website handle the seed file? Passwords are best handled by hashing and salting them, and never storing in plaintext or encrypted form. This means that your passwords should never be known by the website. If there's a breach, then the salted hashes are revealed, but this alone doesn't compromise anyone's account, unless they use weak passwords. TOTP seeds are referred to as a "shared secret," which implies that the website has a copy of this file, either in plaintext or encrypted, but not salted or hashed. If this is true, if a user loses his seed, he could at least theoretically request a new copy from the website. Also, this means the seed is vulnerable to a breach. Do you have any insights?
This has a good overview of how it's handled: www.freecodecamp.org/news/how-time-based-one-time-passwords-work-and-why-you-should-use-them-in-your-app-fdd2b9ed43c3/
@@askleonotenboom The article was helpful, but not complete. It does not address secure handling of the TOTP secret server-side. I appreciate the link, though. Thank you.
Another obstacle: scanning a QR code can't be figured out, especially when the QR code is on a billboard.
What is service provider actually provides.
Has Google updated their authenticator with end to end encryption?
I would love a key like that but so worried what will happen if I loose it...
That's why it is important to have a backup - another security key or an authenticator app.
Thanks for the forecast! 📊 Just a small off-topic question: 😅 I only have these words 🤔. (behave today finger ski upon boy assault summer exhaust beauty stereo over). What is this? 🤔
No idea. Not nearly enough to go on. Looks like a recovery code of some sort, but for what I can't say.
So are you still using Authy even after the recent data breach and leaks that happened recently?
Which data breach? I've not heard of any related. (And I'm still using it, but now only for one account. 1Password now holds my 2FA codes.)
If a SIM swapper can get your SMS 2FA, why wouldn't they also be able to get your Google Authenticator codes?
No. Google Authenticator is unrelated to your SIM and phone number.
Is 2-step verification different from two-factor authentication?
They're typically the same, yes.
Two step verification sounds like the generic description of 2 step or multi-factor authentication. Two factor authenticator sounds like it is referring to the authenticator app, which is one of the means of doing multi-factor authentication. Security keys are the best level, authenticator apps are next, SMS, email and voice are on down the line. But as Leo says, USE SOMETHING TO DO MFA - NOTHING IS THE WORST.
Your video helps me a lot, amazing work!!!!! Thanks!!!!
What if someone steals your phone ?
askleo.com/lose-my-second-factor/ and th-cam.com/video/wbXSdHZDW8A/w-d-xo.html
I recently formatted my phone and forgot to keep the backup codes that were saved in it. After formatting was done, when I was setting up my account on the phone I couldn't sign in despite knowing my password, because I didn't have the backup codes, so they didn't recognise me, and this was the only device I was logged in on. In such a case, will Google Authenticator be helpful?
I would use a Google Authenticator compatible option like Authy - it lets you set up two factor on more than one device, including your PC, and keeps the 2fa codes in sync.
It's not helpful after-the-fact. If you used Authy and had the backup codes saved, you could have had your codes set up on another device before reformatting the new phone.
@@neuideas That's why I so often tell people to set this stuff up BEFORE they need it. Many don't bother until it's too late.
nice video hi from COLOMBIA
The best 2-factor authenticator is none. 2-step verification is one of the most annoying things on the face of this planet. What if I wanna just trust people? Plus if I wanna verify my identity I will go and look in the mirror. Boom, I'm done, I know I'm me.
Yep. It's definitely WAY WAY easier to let your account get hacked. Totally agree.
My only authentication no longer works for some reason. They told me to delete my account and create a new one and connect it with a passid, but they didn't tell me where I get one 😭
Thanks for your video, If I lost Yubikey what should I do?
Use one of the recovery methods you set up for the account in question, and disassociate the YubiKey you lost.
@@askleonotenboom Thank you.
That's why I use 3 YubiKeys for my password manager. I put 1 in my car, 1 in the house, and the third one is in my keychain.
@@manny7886 To be clear, YubiKey is not a password manager, it's a two-factor-authentication device. It doesn't do anything with respect to passwords, specifically.
@@askleonotenboom - Understood, password manager has nothing to do with Yubikey or any 2FA devices. I use Yubikey as a 2FA to my BitWarden password manager.
Thank you for this video, I'm now changing my authentication method from SMS to Authy.
Of course all methods of 2-factor are good, some better than others, but in my opinion getting a code sent to your phone is the best.
TOTP is better imo. SMS is not as secure imo.
Look up SIM swapping; getting a text is far from the best.
I tend to prefer GAuth
I am using the Google one and every code I get does not work when trying to log in to Facebook. What do I do?
Follow Google's account recovery process.
Microsoft Authenticator is best. Linked with email to back up your data.
2fas is the best hands down.
Why am I not comprehending this something wrong.
Is there textbooks on this subject I can screammmmmm😂😂😂😂😂😂😂I got a feel. 😊
Having problems comprehending very afraid
I can scream
This is a very hard task I admit I am a hard learner.
Great breakdown!
SMS is the worst option.
It's still better than no two-factor at all.
I so mad can remember.
what's wrong with sms?
It's theoretically hackable.
@@askleonotenboom I see
Great video, and 100% everyone should be using MFA, however you did not mention Microsoft Authenticator. This is way better and more secure than Google Authenticator, as you can back up codes to your MS account, lock the app with biometrics, and the same app is also a totally free and really good password manager that synchronises with MS Edge across ANY device you have (Windows, MacOS, iOS, Android).
4:00 authy
Which I USED to love, but then they stopped the desktop version.
leoooooo
Immediate dislike when you said you prefer Google authentication
¯\_(ツ)_/¯
Agreed.
"Authy" is the Opposite of security
Why do you say that?
Care to explain?
Recommending a Google product in 2021? Cringe
You realize TH-cam is a Google product, yes? And that there are compatible alternatives to Google Authenticator like Authy? (And yes, I often recommend Google products in 2021. No cringing here.)
Ask a boomer, why don't ya