2FA: Two Factor Authentication - Computerphile

2 factor authentification: combine a thing you can forget with a thing you can lose.

Mike Pound and Brailsford are two of the people I can listen to ad infinitum. I'd love people like them as teachers. Actually, that's exactly what they are doing right now.

There are actually 5 factors you can choose from:
Something you know (password)
Something you have (phone, token, whatever)
Something you are (fingerprint, iris, etc)
Somewhere you are (geolocation, proximity detection)
Somewhen you are (only on specific days/times)
The last two are rarely used, but ARE valid factors (a common thing for somewhere is being able to unlock your phone without a password as long as you're on your home wifi or within X distance of GPS coordinates).

Back in the mid 1980's when the company my partner worked for got computers in each office, someone in top management insisted they require all employees to use complex passwords, no real words were allowed and they had to be changed every week. Of course no one could remember these crazy passwords so management recommended they write them down on sticky notes and stick them on their monitors. That lasted about 3 months before some top secret government documents were stolen by someone on the cleaning crew.

"correcthorsebatterystaple" you say?

If you're using Unix time, Timezones shouldn't factor in, as Unix time *should* be the same no matter where you are; The "time" where you are is then calculated after that.

I always found 2FA to be quite convinient, since it takes only bout 10 seconds to get my phone, open the app and type it in and I rarely have to do it. All the while it removes a huge security risk. Anyway that's what I thought until I lost my phone's data and had to reset everything.

I'm glad Mike sorted the ghost cube on the shelf! He's a great lecture as one of my highest grades was in his security lecture :D

I love you guys! I can work under my british accent watching your videos and also get some knowledge about my passion wich is computer programming.
Keep up your fabulous work !

I love that the password was "correct horse battery staple".

Love Dr Pound! More videos with him please!

In one of the episodes, Data impersonates Picard's voice to commandeer the enterprise.

meh boy mike has the most loveable facial expressions and way of speaking.. like idk its just soo nice to just watch

I learned so many things that my university didn't really teach me in this channel Thank you guys

Thanks dude, this was very helpful, you're carrying my CS exam right now. :)

for some reason i watch exclusively the videos where DR Mike is talking

I love when Mike explains cryptography. It would be nice to see more about OTP and the XOR function behind it.

In StarTrek the thing to "have" is your personalized communicator. It has to be in the same room as the attemt is done from. More than once you see them tap their communicator first before they say their password. If you lost your communicator you probably can do it, but you have to "reprogram" the computer first.

The video is 12:34 long. Well done :D

"put it aside for today"
Man a biosecurity video would be so cool!

2FA gives an extra layer of protection and you can easily enable it for various services

Timezones _shouldn't_ figure into it, because Unix time is always UTC. Any local time is derived from that according to those really complex rules Tom Scott explained. It may be a bit of a challenge on systems which do not keep their time in relation to that Unix time, but a lot of the popular OSes (e.g., Linux) do.

There is a problem with one version of 2 factor. A number of people have run into an issue where a hacker gets control of their phone number and then goes to various websites and clicks "reset password." Not only is the hacker in, but the original user is frozen out. Sometimes the hacker calls up the phone company, claims to work in a store and they are selling a new phone to a customer. If the operator is stupid, she may transfer the phone number to the hacker's phone.

there actually is an episode of Star Trek: The Next Generation, where Captain Picard falls victim to a phishing attack! ("Ship in a Bottle", season 6).
i find that especially noteworthy as back when it was made it was the early 1990s, before such a practice became something of note. idk if the term "phishing" even was invented back then, though it might have been...
of course, the voice imprint as second factor doesn't help a lot if you can record the audio of him saying the password (or when you can outright synthesize the voice)...

Who is this guy?? He should be an educator. Fantastic speaking and explanatory skills!
And btw, to whom is he speaking? Is he being interviewed/ Why else does he looks past the camera?

Nice gentleman, a lot of briefing for enthusiast. Thanks.

Yeah, if only we had a video on time zones... perhaps with a guy in a red t-shirt? (imho the best video EVER!)

Authy allows you to have your 2FA be shared between multiple devices.

"I mean you smash your phone the last thing you're thinking about is 'ah, I must save my Google authenticator passwords!'" (4:40)
Really? That's the single thing I am the most scarred about losing my phone. Everything else is backed up to the cloud, so if I lose my phone the only real loss would be the physical device (which can be replaced with a a few hundred dollars) and the damn 2FA passwords (which I have over 20 of), which can be a REAL PAIN to recover. Theses days, I just keep a safe hard copy of the QR codes and instead of Google Authenticator, use Authy (which has some backup/recovery functionality).

TOTP will forever be 'Top of the Pops'

Pound that thumbs up button for Dr Mike

Interesting topic!
I'm curious about the difference between 2-Step Verification and 2-Factor Authentication, and what criteria define them?
For instance, hackers have been able to take over people's phone numbers and intercept the security texts - thereby fullfilling the possession factor without physical accesss to your phone. (I've seen claims, that texts therefore only count as 2SV and not 2FA, but I don't know, if this definition is correct.)
And would an app like Google Authenticator be impervious to this kind of trickery?

You could have stored all your TOTP keys in a separate database of a password manager and, once you phone has broken down, you'd ask a friend for a substitute phone for a few weeks if they have a spare obsolete model, and you'd install the password manager there and the TOTP base.
Your story about the two weeks without TOTP is actually what happens when you know enough to set up a password manager and use a password database regularly but forget to set up proper backup system BEFOREHAND. If you TOTP base exists only on your phone and doesn't get backed up regularly and often enough, then when you phone breaks you'll lose it, so find out how to better sync and backup stuff from your many clients. And better use cloud + encryption for one of the backup copies, but also have a few local ones. And maybe store the backups in such a way so that you'd have 3 (2 local and 1 in the cloud) up-to-date ones and 3 (2 local and 1 in the cloud) 1 day or so late, and also have version control for all your backups, that way, even if you do something wrong and the new backup isn't right, the version control will have the previous version and the 1 day late scheme will save you from re-writing a backup repo with a repo that has a corrupted index.
Check out BorgBackup.

Best password ever Mike (correcthorseb)

12:24 In _ST:TNG,_ we've seen that the system can be fooled, although it does take some special circumstances. There's that one episode (4x03, "Brothers") where Data goes haywire and hijacks the _Enterprise_ by imitating Picard's voice. And then he turns the security against the crew by locking all command functions with a security code much longer than most humans would be able to remember.

I have also wondered the same thing about Star Trek. Recently, I've been trying to figure out if it's really a password that the commander is speaking, or maybe some sort of verification code that they didn't use something like "initiate self-destruct" in a sentence.

best channel. best content. your explanation is best. but please give subtitles for this video.

Nice xkcd reference xD

The one time generated password might just be a regular password in the sense that it uses a pre shared key, but at least this pre shared key is not susceptible to any sort of social engineering or phishing attack, like a normal password is

@computerphile Correction: Retina scan, voice recognition, and password is still just 2FA because the first two are the same factor. 5:42

Warm reminder: if you are using iPhone, you can turn off message previews under notifications -> messages -> Show previews (scroll to bottom) -> set to "When Unlocked".
To prevent people get your phone and allow them to get the one time code.
Now at least they also need to know your pin to unlock the phone first.

Surely, though, the Star Trek computer simply tracks everyone's location?
This has happened in many episodes where a member of the crew would ask the computer "Where's Riker?" and it would give them his current location on board the ship.
So you'd have the idea that, when you get on board, the ship identifies who you are - say, by biometrics (which, of course, if they take the transporter to board the ship, then you've got the perfect biometric that the transporter buffer has them stored right down to the atom, to confirm who they are on an atomic level) - and then, whilst on board, the computer's always tracking everyone with its internal sensors.
Once it knows that that heat signature is Commander Riker, then it can follow that heat signature around the ship with its sensors to be aware of where Riker is at all times. And if that heat signature starts ordering commands, then it knows that it's Riker already.
So, really, the voice recognition is just a double check - just in case, in tracking people wandering about the ship, it didn't at some point get confused as two people got very close together and mixed them up - which leaves you with the idea that the password is actually a sanity check.
And by sanity check, I literally mean a check of that crew member's sanity.
It's not authentication, but rather a deliberately inconvenient "are you sure?" prompt, so they can't set off the self-destruct accidentally, but have to really very deliberately mean it.

To survive through the repair scenario, always keep an 'old phone' in your cupboard that will work with your current SIM card.

@10:56 About time zones problem: that's why EPOCH or UTC is used, for this kind of applications... :-) My big concern on data exchange nowadays is focused on different character encoding troubles...

11:00 timezones - the bane of programmers existence!!!!

Do keys make you secure? like hardward, like the yubikey 5c nfc?

Also, biometric markers, no matter if it's a fingerprint, a face image, voice print or gait recognition, are never useful as an authenticator - because an authenticator (as in "your password") must have the ability to be changed, but you can't change your biometric markers. Which makes them useful only as the identifyier, that is the "user name" part of the authentication process. So if you swipe your finger or hold your face into a camera, and it recognizes who you are and then asks you for authentification (no matter how many factors), that would be acceptable for a service that is allowed to know you real identity. However, if it knows who wants to log in and then uses your biometric marker to log you in automatically, that is just stupidly unsafe. And yes, we all do it - I even installed fingerprint-gui on my laptop as a convenience feature, instead of having to type my password for every time I want to sudo something. But that works only locally, not over the interent.

11:03
Timezones DONT cause a problem.
Unix time is in UTC time, and timezones are handled by the computer and it's own locale configuration.
Unix time does not keep timezone data.

4:48
That is why there is one time use code sent to your account after you use MRS so you can use it to login back and copy the 2fa secret to the auth app

So what can I do to stop the same thing that happened to you from happening to me regarding google authenticator?

Best passwords I've used, (I don't use this exact, but the same concept), follows this general idea: Land0Of1The1Free2And3Home5Of8The13Brave!
A sentence from something that is easy to remember, the words Titleized, separated by numbers from a sequence you know, end by a special character. Super easy to remember, extremely hard to crack

Nobody:
Computerphile: Ah let’s start talking about passwords-

Is there any need for this if you use really long randomly generated passwords which can't be cracked or stolen in a password manager?
Also if you have a recovery code stored somewhere if 2fa fails on you then all an attacker needs is that code right?

Steamguard... :/
Why every time? Sheesh.

0:43
2FA
2:15
Combination.
3:45
Multifactor authentication.
5:34
2FA as a subset.

How does FIDO2 work? The flow of data is one way, so it's not a challenge/response mechanism. How does the server know the generated code is valid?

I don't think timezones matter, as Google Authenticator and similar apps use UTC, it would be a nightmare otherwise. HMAC OTP can also be sync by server trying N future codes to find one provided by client. Thanks for the excellent video!

If both the device and the server are set internally in UTC, how do timezones affect this method? UTC doesn’t use timezones.

I know I'm several months late, but I wish you'd touched a bit more on the increased vulnerability to phishing MFA can lead to. If you know you have MFA set up for an account, receiving an email which states "a login attempt was made, if it wasn't you, click here to change your login information" might make you more likely to follow the link without checking the email address itself or other signs of phishing. Then you've clicked the link and filled in your "old" login info and now the phisher has that info.

I only remember passwords being said aloud on Star Trek TNG, they were self destruct codes. Hard to use twice. :D

Those 16 digit codes that we are given when we set up 2FA on an app such as Binance, or similar. Can we re-view them/check if they are correct somehow?

Stay on track.

Please enable captions, I'm a deaf

Hi, I think this is a great video for my followers and so is it ok to share?

for some reason this reason doesnt play with sound for me :(
other videos work just fine..

It looks like his watch is/was broken and he had to repair it. The card on our table spelling "Tick King" says many things ;)

I've had my phone replaced before and just completely forgot that I needed to store these somewhere. Slightly concerned that every service let me reset it with basically no additional verification...

so my master password is 11 characters long with symbols, upper and lower case letters and digits. would this be considered strong or weak?

Is it really 2FA iftheyI can say “I forgot my password” and now my phone is enouth to get anyone into my E-Mail account and therefore all other accounts?

my favorite scifi password is the safety override on the Eureka Maru.
"shut up and do what I tell you"
as to password security in space opera. in one episode of andromeda, they ran into somebody Becka hadn't seen in years, when Hunt said "he can't steal your ship" the response was "he knows the codes".
how doe he know the codes, you should have changed them dozens of times by now.

@Comupterphile. I am wrong for presuming that 2FA to work, I must have a KEY that corresponds to my Facebook profile to gain access? My situation is that my account was hacked and then the activated the 2FA feature that I hadn't previously used. Facebook confirmed that I was hacked, but since I was logged out on my other devices, I can't access the key. I've contacted FB, but they've been giving me a hard time... They won't deactivate/bypass the feature and won't send me text authentication instead... What can I do?

Oh, another problem is SMS authentication. A website recently had a hacking incident, where someone called up the website owner's phone company, convinced them they were the owner of the phone, and had the number moved to another SIM card. So when they tried to reset the person's password and received an SMS to verify their identity, the message was sent to the attacker's phone instead.
This probably would not have happened if the 2-factor authentication wasn't through SMS, and instead through something like Google's Authenticator App, but it just shows that the biggest point of weakness in any security system you can think of is the Human element. Aka, Social Engineering.

Ever since i seen a white-hat hacking expo were a security expert showed that he could intercept text messages, i dont use my phone for password recovering or 2FA unless its the only option.

Which previous video was he referring to?

In my dad's house... every electronic device is called a "doofer"... everything from the TV Remote, to the washing machine... :D

Talk about DES and AES

how did we get from "more factors help" to "oh and the additional factor cannot just be random, let's look at this HMAC" ?

Discord had one time password to diable the 2FA should you loose it ideally they are kept someplace phyiscally safe or in such a way that if someone finds it they have no idea what these numbers are like you call the file gameshark-codes.txt or something

2FA is a must for financial systems. Most other systems work well with strong passwords.

wait wait wait wait....
I figured command override passwords in star trek was always to be used in an emergency from anywhere on the ship/base therefore necessitating a voice activation through the computer voice terminal. Of course it will be a one-time or few time use within the actual emergency and to be updated immediately after use.
For extremely delicate and serious uses you need both the captains and the commanders and/or chief engineers concurring inputs.
i.e self-destruct activation.

Surely Unix Epoch is the same in all time zones though?

Turned down an offer for studying Computer Science at Nottingham, these videos really make me regret that choice

12:34 I like it

Don't use google authenticator, without writing down backup codes or something like that, because there is no way to back up the shared secret after it has been configured, which means if you factory reset your phone the codes you've got set up are gone, even if your settings are backed up. Even if you have backup codes, this is still a total pain in the ass to go and reset everything, and set up new codes everywhere...
There are a number of open TOTP apps on F-Droid, as well as commercial services which provide better usability (though in my opinion they all fall short in terms of trustworthyness).

Do you have a video about how fingerprint authentication works?

A friend of mine had his Android phone break on him, which then made it impossible to log back into his Google account from his PC becaue he couldn't acknowledge the second factor on his phone. He had to get another phone first and then he could use his account and his email again. He turned off 2FA after that experience.

The video started off so well but then needlessly complicated.

In Star Trek I think there is a kind of synchron-translator system that may obfuscate the told password.

Please enable Captions....

Now please tell us about push based (to mobile phone) 2 factor authentication, e.g from Microsoft

I added a MFA that apple had for its iCloud email. My backup codes were saved in a backup in iCloud but not on my phone. I was in debt so I had to sell my iPad and MacBook (more like loan it temporarily but it was never returned so I “sold” it) and my phone service was cut, losing access to that number. When I finally got back on my feet, I had no way of accessing the iCloud account on another device because for some reason it only listed my number, my iPad, and my MacBook. I had a totally legit phone that already authenticated but it refused to list it as a device that could authenticate me. I also couldn’t recover the account because I either needed one of those devices or the backup codes, which I remind you is in iCloud behind MFA (I can’t restore my phone to that backup without losing my last authenticated device). That phone also lost access to that email account (can’t remember the order of events) which was only the start of my troubles. Every other account that I forgot the password to could not be recovered. Luckily 90% of them let me recover it but I still can’t access one of my twitter accounts, Quora, and a few others. The first 2 is troubling because I can’t even delete my data for privacy concerns because you need access to those accounts, accounts that are essentially locked out forever. Luckily other companies aren’t as restrictive as Apple and the rest. There’s pros and cons to both approaches, just unfortunate for me.
That’s my horror story of MFA. I know better to save the backup codes on my device and I just use Authy to store 2FA in the cloud. Both solutions are insecure, right? Well, it’s still better than no 2FA and I’d rather not lose access to those accounts than have better security. I also rely on strong passwords so 2FA is just another layer, albeit weakened by my methods of keeping it accessible.

Is he related to Rimmer from red dwarf?

Lol. Well you're not wrong about the Star Trek Password thing being a bit... Problematic.
I mean, Data took control of the ship by replicating Picard's voice, and repeating his command codes.
Though I assume Data's reproduction of Picard's voice is a bit more precise than that, it's akin to breaking the security for all the key ship's systems by using a tape recorder.

why wouldnt 2fa be read first then the password. So that people couldnt social engineer your password?

I am Only using Google prompt and Backup Codes so i am safe right?

I hate to be pedantic, but TOTP HMAC is 2SV, not 2FA. There is a second step to logging in, not a second factor to logging in.
A true second factor would be a Yubikey. The only XFA, where X > 2, that I know of that actually works is MIRACL.

Nice midi woodblock for phone tapping sfx lol

Demolition Man. Just putting that out there.

What is the appropriate way to store the secret key when using Google Authenticator?

Perhaps in Star Trek their communicator provides an exact location, and it verifies both the voice and the location of the voice match.