THIS 2-Factor-Authentication method is NOT secure!!

  • Published 21 Nov 2024

Comments • 295

  • @NaomiBrockwellTV
    @NaomiBrockwellTV  2 years ago +55

    As per all my other videos, no I didn't delete your comment. TH-cam auto deletes comments all the time. If yours disappears, try posting again in various forms until it sticks, and good luck! 🙏 Also, since posting this video I've found out that Google Authenticator now allows you to back up all codes on another device! Have added that note to my video description.

    • @brandonfarley5297
      @brandonfarley5297 2 years ago +1

      Do you have a podcast by any chance?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +3

      @@brandonfarley5297 yep! everything linked on my website www.nbtv.media/episodes/this-2-factor-authentication-method-is-not-secure

    • @cryptowealthonyt
      @cryptowealthonyt 2 years ago

      Naomi, my apologies. Where is the link to the Google Auth backup codes info?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      @@cryptowealthonyt there is no link. the info is in the video description.

    • @TwstedTV
      @TwstedTV 2 years ago +2

      2FAS Auth app is another really good one. I use both 2FAS Auth and Authy.
      The ONLY problem I have with Authy is that their Android app uses a 4-digit PIN to log in, which is pretty insecure IMHO.
      I even tried to get them to implement a better password login with alphanumeric characters; this was 4 years ago. Still nothing was done and I have asked several times.

  • @iristhepuppygirl
    @iristhepuppygirl 2 years ago +5

    I have been using a YubiKey for about a year now and have been loving it. Great video

  • @xperyskop2475
    @xperyskop2475 2 years ago +8

    Yubikey is the key to proper 2FA security

  • @mjmeans7983
    @mjmeans7983 2 years ago +5

    A good way to protect those accounts that ask common questions, like mother's maiden name, or name of your first pet, is to lie. If you type in an answer that has nothing to do with the question, then someone who investigates you and your family will never guess it. Yes, it might be hard for you to remember that the answer you gave to the question of your first pet's name is "the Peloponnesian war", but it will be bloody impossible for someone else to guess, no matter how well they have studied you. Well, unless that actually was your pet's name. Yelling down the hall ... "Here, Pello"?

  • @terry2can914
    @terry2can914 2 years ago +3

    That crocheted top girl, you're rocking it💃🏽💃🏽

  • @ukkendoka
    @ukkendoka 2 years ago +3

    I've been using a Yubikey for 2 years now. Very happy. I would recommend the NFC Yubikey to anyone.

    • @brodriguez11000
      @brodriguez11000 2 years ago

      Unfortunately a lot of phones don't have NFC.

    • @ukkendoka
      @ukkendoka 2 years ago

      @@brodriguez11000 I'd also recommend phones with NFC. :) You can buy one that plugs into your phone otherwise.

  • @natemarx4999
    @natemarx4999 2 years ago +4

    The Queen is blessing us with more uploads, we must continue to behave well for more!

  • @fiftyshadesofurban
    @fiftyshadesofurban 9 months ago +1

    8:40 Some would say someone typing in private login info on anything with that man's face on it is a dead giveaway that you're going to lose everything. lmao

  • @reefhound
    @reefhound 5 months ago +1

    Nearly every large financial institution uses SMS for 2FA, many of them exclusively. They move billions of dollars in transactions every day in an industry where security is critical. Maybe, just maybe, they know what they are doing? 2FA is supposed to be "something you know" and "something you have". An auth app is "something you know" (the seed), not "something you have". Hardware keys are good except there is almost always a backup way in. I'll bet it's more likely your hardware key gets stolen than your SIM swapped.

  • @angelad1008
    @angelad1008 2 years ago +2

    I think that this is your best wardrobe yet. You're always very fashionable, but today is my favorite of your styles. Oh, and thanks for the great info. I really was listening while admiring the embroidery.

  • @tootalldan5702
    @tootalldan5702 2 years ago +8

    TFA is great as long as you have an offline option without the Internet or phone service. It happens where I live but I still need to work on my laptop. I have that option with an online code and an offline code in rural travel locations. Thanks Naomi for the discussion and links.

  • @timbinder1966
    @timbinder1966 1 year ago +2

    Hi Naomi, I love your videos, they are so useful. I have a way of improving the security on iPhones. In Settings, scroll down to Screen Time. Open Screen Time and scroll down to "Content and Privacy Restrictions". Here you can toggle "Allow password changes" and "Account changes" on or off, to "Don't allow". I have both of these set to "Don't allow". Very useful.

  • @IamAcerbus
    @IamAcerbus 2 years ago +6

    I love that you cite helpful articles for further reading. 😊

  • @anuzis
    @anuzis 2 years ago +4

    Great episode! Already have a few security keys, but they are pretty old school. Looking forward to the next episode you mentioned that will look into key differences in security keys!

  • @Darkk6969
    @Darkk6969 2 years ago +1

    I use KeePassXC with Nextcloud to keep the database synced on my devices. I also use Aegis on my Android phone. Cool thing about KeePassXC is that it displays a QR code of the TOTP token so you can scan it with Aegis. Works pretty well.

  • @antonygoedhals6272
    @antonygoedhals6272 1 year ago +4

    Great video. Thank you! One thing you need to point out with security keys: you need more than one, in case you lose the one you've used. AND many websites allow only 1 security key, so these should be supplemented with a secondary form of 2FA not dependent on that single key.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago +1

      I haven't come across any websites that only allow one key, that's a super annoying practice! Thanks for the heads up!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      can confirm, paypal only allows one key 🤦‍♀

  • @Portugal478
    @Portugal478 2 years ago +2

    Ta Naomi, great update on digital security!

  • @chloefletcher9612
    @chloefletcher9612 2 years ago +7

    Pretty happy with Microsoft Authenticator. Has a password lock on the app and backs up to your OneDrive (imperfect but not terrible - it's encrypted at rest and in transit, at least on MS's side).

  • @NWforager
    @NWforager 2 years ago +2

    strong security Alpha . thank you . Nice Shiba shorts too . Love to know more about strengthening sim 2fa .
    Wondering if changing a SIM card will cause TOTP rejection on the same device 👀

    • @NWforager
      @NWforager 2 years ago

      @@mirrorneurongirl Neat . many banks for some reason don't have TOTP and your findings are a good extra layer via an isolated Google Voice number .

  • @Chuck8541
    @Chuck8541 2 years ago +1

    So much damn info… I feel more lost after watching the video than before.

    • @Chuck8541
      @Chuck8541 2 years ago

      It's like… the safest thing to do is to just use the internet as little as possible.
      ¯\_(ツ)_/¯

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      Take a deep breath and ask me any question :)

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      Indeed as JJ said, you can now export your Google Authenticator seed to another device, I didn't realize it when making the video!

  • @mr.amsterdam2063
    @mr.amsterdam2063 2 years ago +4

    There are not many out there spending time to learn, AND spending time sharing that with others. It is very noble if you give your quality time and energy to do so. For sure the definition of a good person without the intention to get something in return. You are one of them, thank you!
    As you can see English isn't my language, so if I misunderstand or need some other way to explain, please:
    07:20 A lot of your friends use andOTP and some KeePassXC, password manager with TOTP...
    07:42 Some TOTP apps can also be integrated with your password manager but you would be very wary....
    07:20 & 07:42 = Password manager with TOTP / or TOTP integrated with your password manager... is it not the same?
    If the same, both very wary, right? If not the same, 07:20 is the way to go?

  • @Avarua59
    @Avarua59 2 years ago +1

    Thank you. Very good information. BTW - nice sweater!

  • @harrisonhicks9697
    @harrisonhicks9697 2 years ago +2

    Superb, Naomi. Really well done.

  • @cryptowealthonyt
    @cryptowealthonyt 2 years ago +1

    This was a timely video for me regarding security keys. Thanks Naomi!

  • @herreraedgar694
    @herreraedgar694 1 year ago +2

    The only security measure against hacking is to not use technology.

    • @vmobile890
      @vmobile890 2 months ago

      I was thinking of going back to the original way, paper and phone calls. Takes too long, and phone calls mean navigating through automated systems, and I don't like giving some info to a human.

  • @lossless4129
    @lossless4129 2 years ago

    Been using a Yubi for 4 years, love it

  • @kevOzilla
    @kevOzilla 2 years ago +1

    The best way to NEVER GET HACKED is to have a physical Yubikey; without it not even you can sign into your account, so if you lose it you're screwed unless you have a backup code written down somewhere

    • @MarvelousMarvinB
      @MarvelousMarvinB 2 years ago

      I have two Yubikeys. I just register both. One Yubikey is on my keychain and the other is hidden somewhere.

  • @HOLLYWOODlosANGELES
    @HOLLYWOODlosANGELES 1 year ago +1

    *Thank you for this mountain of information!!*

  • @mnmlst1
    @mnmlst1 1 year ago

    I absolutely love every single blouse you use. They are so pretty!
    Totally off topic, I know, but oh my, they are beautiful.

  • @gossedejong9248
    @gossedejong9248 2 years ago +2

    thank you! Looking forward to your advice on the keys.....

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      Coming soon!

    • @gossedejong9248
      @gossedejong9248 2 years ago

      @@NaomiBrockwellTV and just so that you know: you are brilliant, fantastic, and great!!!!

  • @italimarco
    @italimarco 2 years ago +10

    Always helping us with great content. Thanks Naomi!

  • @sylversyrfer6894
    @sylversyrfer6894 2 years ago +2

    Ironically, banks are often the worst safety offenders by offering 2FA by SMS ONLY.

    • @aaronboggs5799
      @aaronboggs5799 2 years ago +1

      This is so true. Banks are generally pretty horrendous in this regard.
      I'm not sure if it's still the case, but at least as recently as a couple years ago, passwords for Wells Fargo online accounts were case *insensitive*. Totally inexcusable.

    • @reefhound
      @reefhound 5 months ago

      They move billions of dollars in transactions every day in an industry where security is critical. Maybe, just maybe, they know what they are doing?

  • @darkwolf41nite53
    @darkwolf41nite53 1 year ago +1

    Actually I would like to use one of the 2FA keys you showed that goes into USB; you can use it on Bluetooth, it's handy!

  • @RazvanOmega
    @RazvanOmega 2 years ago +1

    Very useful information, thank you for providing it in such detail.
    I'd like to ask a question about a different topic but still security related. I've heard that the ISP knows everything we are doing online excluding encrypted data. My issue is that I'd like to create a brand new Google account but they will still be able to track down my address, password and even the phone number used. Is there any way that this situation can be avoided, like how to encrypt the data of pre-creation?
    Thank you in advance, I would love to see a video of yours on this topic.

  • @RaveSongRecords
    @RaveSongRecords 2 years ago +2

    Excellent review! Thanks so much! I've been wondering about a security key! 🔐

  • @jamesmarchetti3286
    @jamesmarchetti3286 2 years ago

    Oh my God! You are so right on time! On the last Presidents' Day someone tried to hack my phone and Amazon account! I called them the next day, Tuesday, and told them. My phone security programs protected me! So Amazon locked my account and I called my bank to lock my account! The caller ID said Amazon San Francisco! It wasn't them, but my phone didn't save the phone number to give to them. Amazon Tech Support was awesome!!!

  • @johnspitta6725
    @johnspitta6725 1 year ago +1

    Holy S…t. I'm throwing my phone in the trash and going back to a Day Runner.

  • @xXxJakobxXx3
    @xXxJakobxXx3 2 years ago +1

    Very informative video. Maybe consider adding chapters so the more informed audience can quickly jump to the important points, especially if you use a clickbait title!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      please define clickbait for me

    • @xXxJakobxXx3
      @xXxJakobxXx3 2 years ago

      @@NaomiBrockwellTV The title suggests that there is one specific insecure 2FA method. So I clicked on it, thinking someone had discovered a new security flaw in a 2FA method. Instead, I got a video explaining various 2FA options and listing their pros and cons.

    • @xXxJakobxXx3
      @xXxJakobxXx3 2 years ago

      I am sorry, I should have read the description!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      @@xXxJakobxXx3 The video is about how SMS 2FA is not secure, and how OTP apps are not as secure as many people think, and I explain why. I don't think that's clickbait.

  • @Cryptonomics7
    @Cryptonomics7 2 years ago +2

    Def looking forward to the upcoming video on security keys! thanks

  • @xandstapleford1682
    @xandstapleford1682 2 years ago +2

    One good open source OTP app for iOS that allows encrypted backup is Raivo OTP, if anyone's looking. It's the only one I could find that met those requirements

  • @2point..0
    @2point..0 2 years ago +1

    Excellent @Naomi Brockwell, can't wait for that Security Keys video!!! Thank you!!!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      Thanks KJ - stay tuned!

    • @2point..0
      @2point..0 2 years ago

      @@NaomiBrockwellTV As always, Sure!!!

  • @TheCurlPapi
    @TheCurlPapi 1 year ago +1

    My email got hacked over a month ago and I'm still dealing with other accounts being attempted to be logged into. Just received a Yubikey and never going through that kind of stress again

  • @iamagi
    @iamagi 2 years ago +5

    The fact that Google can't recover your 2FA codes is a feature, not a bug.
    I add them to two devices whenever I sign up for a new service.

  • @PP-ob8zr
    @PP-ob8zr 2 years ago +1

    HI Naomi, same great channel... same pretty lady! Thank you, great job! 😊👍👍

  • @diverbrant
    @diverbrant 2 years ago +3

    I love my Yubikeys, everyone should have them

  • @benf101
    @benf101 2 years ago

    3:46 there's poop on my screen... oh wait, it's just Klaus Schwab

  • @_awizzo_
    @_awizzo_ 2 years ago +2

    Thanks Naomi..... That was enlightening :)

  • @ogcrypto6022
    @ogcrypto6022 2 years ago +2

    Thanks Naomi

  • @Referee006
    @Referee006 1 year ago

    When will the TH-cam video be out comparing and contrasting security keys? This was a very informative video, and I want to purchase a security key but I don't know what the best security keys are for me.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      Last month! th-cam.com/video/UhANsAtvLN0/w-d-xo.html

    • @Referee006
      @Referee006 1 year ago

      Thanks for your reply. I followed the link that you sent, but it led me to the video that I watched this morning, in which you indicated that another video will follow in which you will compare and contrast the various kinds of security keys. Thanks again.

  • @troy_productiveai
    @troy_productiveai 2 years ago +2

    This was brilliant. VERY well done. Shared!

  • @thisisntmeitssomeperson
    @thisisntmeitssomeperson 2 years ago +1

    While the general consensus is that SMS 2FA is better than no 2FA, it may be the opposite in some ways. If I use SMS 2FA (even with a VOIP number) on multiple sites/apps/platforms, inevitable leaks can be cross-referenced with each other and a profile can be formed. This is particularly pernicious if any such leak includes your name, address, work, etc. Did your research for this video lead you to such claims, and either way, what are your thoughts on this? As you can tell from my username, I've been called paranoid once or twice :) But with all the automated data scraping and analysis going on, it doesn't seem so far-fetched.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      Well 2FA is a security measure, not a privacy measure; if you want both then an anonymous SIM might be your best bet!

    • @thisisntmeitssomeperson
      @thisisntmeitssomeperson 2 years ago

      @@NaomiBrockwellTV True, but as you well know, security and privacy are somewhat intertwined. An anonymous SIM certainly helps. I use something similar. Phone numbers individualized to each service help even more, but are somewhat expensive if you need dozens of them. Ultimately, phone number reuse (for an authentication factor) is similar to password reuse (also an authentication factor), just not AS dangerous.

  • @michellebrunken1340
    @michellebrunken1340 2 years ago +3

    Love your content, and the fact it is always unique and useful. Thank you

  • @kcgunesq
    @kcgunesq 1 year ago

    Like many, I am sure, my company requires us to have Microsoft Authenticator. However, I find it works very well. It is secured behind a password or biometrics and backs up the data.
    Also, I think the tip to not use the same service as your password manager is sound.

  • @wombatdk
    @wombatdk 2 years ago +1

    Great advice.
    Btw, for "security questions" you absolutely do not need to answer the actual questions. "What's your favorite pet?" "Chocolate Cookies" is a lot harder to guess. Just make something up that you can remember down the line :)

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +1

      I'd recommend using randomly generated strings for those and storing them in a password manager!

    • @wombatdk
      @wombatdk 2 years ago

      @@NaomiBrockwellTV I'm wary of password managers myself, though I use one - sorta.
      It's on a repurposed old phone without Internet or WiFi (it's also in airplane mode). Offline storage is the only safe storage, IMO.

  • @HinaraT
    @HinaraT 2 years ago

    I would just like to point out that what you described as a replay attack is a man-in-the-middle attack. (I would like to call that a proxy attack, but I'm not sure if this terminology is correct; it is essentially just rerouting the traffic like a proxy so you can usurp the real website but still have the green lock, as the traffic is genuinely secured between you and the proxy.)
    A replay attack is when you can reuse what the user sent to someone else, even if it is encrypted, to bypass the authentication.
    One common use, for example on old car keys, is recording the signal sent from the car key to the car. Then to open the car, you just "play" your recording back.
    In the case of TOTP it would mean, for example, an evil extension copying the TOTP code sent to the good website, then sending it to someone else to make them connect immediately with the same code.
    Normally websites should block a TOTP code from being used twice to connect. It is a security best practice; unfortunately that doesn't mean every website prevents it.

  • @timothystockman7533
    @timothystockman7533 2 years ago +1

    I have a pair of Yubikeys, and tried to start using them, but support is just not quite there yet, so I have disabled them for now.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      yeah platforms are increasingly using Yubikeys, keep an eye out as they add support, and you can switch in Yubikeys as they do

  • @nathanmead4080
    @nathanmead4080 2 years ago +1

    Hey Naomi! So I've been careful to record all of the 2FA setup keys for my Google Authenticator. That means that if I do lose my phone or access to the authenticator app I could set it all back up on a new phone or re-downloaded Google Auth app using the setup keys, right?

    • @GuillaumeRossolini
      @GuillaumeRossolini 2 years ago

      Yes.
      Also the feature wasn't in the app at first, but now you can retroactively get the seeds right from the app (which Naomi edited the description to mention)

    • @severianocuellar1327
      @severianocuellar1327 3 months ago

      Do not use Google Authenticator, use apps with end-to-end encryption. GA sends the "seed key" over the network unencrypted. The seed key is the one contained in the QR code.

  • @seanknight9808
    @seanknight9808 2 years ago +2

    Hi Naomi. Thanks for the great video. Very informative. However, I beg to differ on one thing: doesn't Google Authenticator allow you to back up on other devices? I backed up my Google Auth on my other phones, so in case I lose one phone I have a backup.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +2

      Yeah I didn't know that at the time of posting, but have since added it to the description! Thanks for the heads up!

  • @terry2can914
    @terry2can914 2 years ago +2

    Thx for this info as I need it ✊🏽✊🏽💃🏽💥

  • @eight-double-three
    @eight-double-three 2 years ago +1

    On the TOTP replay topic: I believe the relevant OWASP cheat sheet does highlight this, and strongly suggests the server stores the last OTP and does NOT let people re-use it. Whether implementers of said systems are following that practice, that's another interesting question...

    • @FireRat
      @FireRat 2 years ago +2

      The example they used of a phishing site isn't even a replay attack, because they can use the code you entered to gain access with it being the first time it was used, not a replay

  • @markb9347
    @markb9347 2 years ago +1

    Definitely looking forward to your next video. Thanks Naomi!

  • @bluewinterwolf
    @bluewinterwolf 1 year ago

    You can lock the authentication app and any other with an App Lock app; these lock the apps themselves, so when you want to open one you have to put in a separate password before the app loads, as the App Lock app loads first.

    • @ultraret
      @ultraret 1 year ago +1

      I wonder how secure that is, if it just hides or really encrypts -- stupid that Google doesn't lock the app themselves

  • @warmonkey96
    @warmonkey96 2 years ago

    Microsoft Authenticator works really well as you can set it up to require authentication from the user before it even opens.

  • @wumwum42
    @wumwum42 2 years ago +2

    I use Bitwarden with Bitwarden TOTP and on my phone I use Authenticator Pro for protecting my Bitwarden account

  • @jasonkaiser1179
    @jasonkaiser1179 2 years ago

    The problem with security keys is that if someone physically steals your key (and biometrics) then their security is useless. I can see a cascading future of needing 3FA, then 4FA, 5FA etc. Example: a key needs to be inserted into a device matching multiple specific hardware IDs (TPM as an example among others) running on a specific internal network over a specific VPN. These right now would be for people needing an extremely high degree of opsec and are completely user unfriendly.

    • @ironfist7789
      @ironfist7789 2 years ago

      Generally, you still have to input a password. If one key is stolen you can remove it from the account with the backup key. If both are stolen you... for example with Coinbase, I think you can have the account frozen and then provide extensive documentation such as ID/passports to verify identity. Of course, if you have 2FA to log in to a computer you only manage or something, you might be out of luck. People will have to start thinking of them as like house keys or a passport or driver's license that you need to audit periodically and then take action if they are gone. When people used to steal check books (probably they still do) it was always a bit problematic.

  • @sagichdirdochnicht4653
    @sagichdirdochnicht4653 2 years ago

    For TOTP codes... ALWAYS have some form of backup / register to multiple devices. But you've been told to do backups for everything for the last 20 years; if you didn't learn it already - tough luck.
    I have them stored on Yubikeys, which can't be recovered as well. Which I see as a security feature. Realize the plural - Key*s*. If I lose one, I'm still able to access everything and create new TOTPs.

  • @tossedsalad4669
    @tossedsalad4669 2 years ago

    I like how she has to apologize for privacy concerns every time she mentions a Google product. As she mentioned, they're pretty darned good at security. Sure, I would go with another option than Google Authenticator, but I don't object to things simply on the basis that they come from Google. I wonder if the privacy nuts have pushed the discussion in an illogical direction for most people. As for me, I think I will create a small circle of trust in Google and take a chance with possibly receiving targeted ads and having my anonymized data shared with 3rd parties, rather than trusting a wider variety of 3rd parties to be involved in all my services and taking a chance on having my critical accounts (like email and cloud storage) hacked.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      We should absolutely not use Google if concerned about privacy because they're atrocious. But for things that don't compromise your privacy so much, the security they offer can definitely be worth it for using certain services.

  • @iamaduckquack
    @iamaduckquack 6 months ago

    The best 2FA is the one your account provider offers. Many financial institutions only offer SMS or email (which is unacceptable) but you have to work with what you have.

  • @zgdafzgdaf4264
    @zgdafzgdaf4264 2 years ago +1

    Nice review. For FIDO, you need to disable other recovery options such as phone. Also most phones and mobile devices have FIDO chips built in and could use this method for a factor. The ultimate goal is to get rid of passwords.

  • @medicalwei
    @medicalwei 2 years ago

    5:50 actually the old code is still valid for a little bit of time for user experience's sake
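
Several comments above touch the same server-side detail: @HinaraT and @eight-double-three note that a site should refuse a TOTP code that has already been used once (the practice the OWASP cheat sheet recommends), and @medicalwei notes that the previous code stays valid for a short grace period. The following is an added example, not code from the video, the channel or any app mentioned in the thread: a minimal RFC 6238 TOTP verifier written for this page that accepts a one-step grace window and rejects replays by remembering the highest time step already consumed. It assumes the common Google-Authenticator-compatible parameters (HMAC-SHA1, 30-second steps, 6 digits) and a ±1-step window; those values, the class and function names, and the `demo()` scenario are this example's own choices. The demo secret is the published RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# Assumed parameters of a Google-Authenticator-compatible TOTP: SHA-1, 30 s steps, 6 digits.
TIME_STEP_SECONDS = 30
CODE_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TIME_STEP_SECONDS)


class TotpVerifier:
    """Server-side verifier with a +/-1 step grace window and replay rejection.

    Replay defence: remember the highest time step already accepted for this
    user and refuse any code at or below it. In a real deployment this value
    must be stored per user and updated atomically with the check.
    """

    def __init__(self, secret_base32: str, window_steps: int = 1):
        self.secret = base64.b32decode(secret_base32, casefold=True)
        self.window_steps = window_steps
        self.last_accepted_step = -1  # nothing accepted yet

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject anything that is not exactly CODE_DIGITS ASCII digits.
        if not (code.isascii() and code.isdigit() and len(code) == CODE_DIGITS):
            return False
        current_step = unix_time // TIME_STEP_SECONDS
        # Walk the grace window from oldest to newest step.
        for delta in range(-self.window_steps, self.window_steps + 1):
            step = current_step + delta
            if step <= self.last_accepted_step:
                continue  # already consumed, or older than a consumed code: a replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step  # consume the step before answering
                return True
        return False


# Constructed demo input: the RFC 6238 test secret "12345678901234567890", base32-encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo() -> dict:
    """Run the four scenarios the comments describe and return the verdicts."""
    v = TotpVerifier(DEMO_SECRET_B32)
    code_at_59 = totp(v.secret, 59)  # RFC 6238 vector: "287082" at 6 digits
    results = {
        "fresh_code_accepted": v.verify(code_at_59, 59),
        "same_code_replayed": v.verify(code_at_59, 59),
    }
    # Grace window: a code from the previous 30 s step is still accepted ...
    late = TotpVerifier(DEMO_SECRET_B32)
    prev_code = totp(late.secret, 1111111109)  # step 37037036
    results["previous_step_accepted"] = late.verify(prev_code, 1111111111)  # step 37037037
    # ... but a code that is two or more steps old is not.
    results["two_steps_old_rejected"] = late.verify(prev_code, 1111111170)  # step 37037039
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `continue` on consumed steps is what turns a correct-but-reused code into a rejection, so a code captured in transit and submitted again is refused even while it is still inside the grace window; the window itself only tolerates clock skew and a user who types slowly. Persisting `last_accepted_step` per user is the whole defence: a verifier that recomputes the code but keeps no such state accepts the same code any number of times within the window.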

  • @stepot3715
    @stepot3715 2 years ago +1

    So if my phone is stolen along with my SIM card with my personal number, can I still open my Google account on another device?

  • @greatwolf.
    @greatwolf. 2 years ago +6

    Make sure you cover crypto hardware wallets like KeepKey that have FIDO WebAuthn implemented so they can be used as a security key.

    • @dzidmail
      @dzidmail 2 years ago

      Yeah. Trezor and Ledger have it too

  • @dhavanbhayani4907
    @dhavanbhayani4907 1 year ago

    @2FAS is an open source, private, community-driven 2FA app with cloud backups and no account required.

  • @hanelyp1
    @hanelyp1 2 years ago

    Screwgle has burned me on 2FA. Forcing activation of 2FA on my Chromebook, defaulting to using the paired phone as a security key, they broke login. Due to some kind of bug in the pairing software I have to reset pairing any time either device restarts, which I can't do until I'm logged in on both devices. So I'm down to a choice of, at login time:
    - SMS as a second factor
    - generating one-time keys
    - disabling 2FA using a device I can log into.

  • @steveos6472
    @steveos6472 2 years ago

    Anyone remember RSA's little mess from a few years ago with their 2FA tokens? Like anything, it is only as secure as much as you trust the company's products.

  • @twiddajones
    @twiddajones 2 years ago +1

    Thank you for sharing this information with the community!!! Always great content! I hope you have a wonderful day ☀

  • @tomausman8645
    @tomausman8645 2 years ago +2

    Great show 🇨🇦🖖🇨🇦

  • @harveygresham3636
    @harveygresham3636 2 years ago +1

    your channel is so ... useful. thank you.

  • @iaincampbell4422
    @iaincampbell4422 2 years ago

    Phone 2FA used to be trivially overcome via SS7 exploits.

  • @losttownstreet3409
    @losttownstreet3409 1 year ago +1

    Everything mentioned here is insecure in comparison to a method used some long time ago: certified cryptographic devices with a verification process in place, which connect to a secure access module (a special SIM card) and then in return connect to verified cryptographic software. It was rolled out with ID cards in some countries but never got really activated (you had to pay to get access to the feature which was already on your ID card), and some people didn't like that all email was going to be securely encrypted, even for law enforcement.

  • @kbs7340
    @kbs7340 2 years ago +1

    Really appreciate the info Naomi thx 💖

  • @LuisCaneSec
    @LuisCaneSec 2 years ago

    Yubikeys are pretty fantastic. I use them to authenticate SSH and sudo for my Linux desktops and servers. Be ready to do some chroot to recover a locked computer if you mess up, though.

  • @elduderino7767
    @elduderino7767 2 years ago +2

    Google Authenticator has a "transfer accounts" option now, so I just use that to sync all my auth codes to a retired air-gapped phone - safer than keeping a copy of backup codes in your documents folder
    yeah KeePassXC is nice with browser integration and cross-platform support - but don't use it as your 2-factor method!

  • @Wigglythegreat2
    @Wigglythegreat2 1 year ago

    HI, I enjoyed the video. Which security keys have signature counters?

  • @ckpriv6167
    @ckpriv6167 1 year ago

    Hi. Great content. I activated the backup of my TOTP; I had forgotten this.
    About SMS, I don't have one on my phone. I have a virtual one. Is it more secure? Or the same as having a real one?
    External devices are interesting. Are they more secure than biometric auth?

  • @sunchips5
    @sunchips5 2 years ago +1

    This is a really good video. Thank you.

  • @williamhalstediq
    @williamhalstediq 2 years ago

    For 2FA I use Apple Keychain in the settings

  • @jonny777bike
    @jonny777bike 1 year ago

    I hate that the new iPhones have gotten rid of the touch and replaced it with the face recognition. I wear glasses and when I'm in bed I don't wear glasses. In the past I could use my finger but they got rid of that. We need to get rid of SMS for 2FA. Also websites should go by the latest standards of NIST. All websites should allow you to paste the passwords.

  • @FunnyHacks
    @FunnyHacks 2 years ago

    [edit: I'm wrong. While there are many standards for time-based one-time passwords that have existed long before TOTP came around, TOTP itself refers to a specific standard.]
    6:08 *Any Google-Authenticator-based TOTP app will work. There are many different TOTP formats, and only ones that are based on Google Authenticator's implementation are interchangeable with Google Authenticator.

  • @johnbeckmeyer1696
    @johnbeckmeyer1696 1 year ago

    How is Google different with regards to privacy vs security? I don't see the difference.

  • @MichiganTrikker
    @MichiganTrikker 2 years ago

    Nice video Naomi - what are your thoughts on push notifications on apps such as Okta, etc., compared to TOTP? It occurs to me that someone being asked if it was them could get confused and think perhaps it was them doing something and answer yes to a push notification, but with TOTP they would not even know someone was attempting to log in, so they wouldn't push yes by mistake; but it would still be nice to get the alert that someone was trying to log in as them...

    • @LimitedWard
      @LimitedWard 2 years ago +1

      I've had that thought as well. Microsoft Authenticator has a clever solution to this where they show a random number during the 2FA process that the user has to select when clicking on the popup. If a hacker managed to steal your creds, then you as the user would not know which number to select, which makes it obvious that you're not the one attempting the sign-in.

    • @loc4725
      @loc4725 1 year ago

      Repeatedly generating push notifications until the user caves in and authenticates to stop them appearing has worked in the past.

  • @dystopianjustice247
    @dystopianjustice247 1 year ago

    Would you please do a video on security for journalists and dissidents? How does a security key protect accounts if providers share info with corrupt law enforcement who falsify records to get warrants?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      Freedom of the Press Foundation is a great resource for that

  • @sylversyrfer6894
    @sylversyrfer6894 2 years ago

    Excellent as always, Naomi! One question: I could not find anywhere the 2FA signature counter you mentioned (the one that looks like a YubiKey with 4 digits on it). Any idea where one can find something like it for purchase?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago +2

      Sorry for the confusion, the signature counter isn't visible, it's an internal process that I tried to visualize!

  • @AbuMubarak
    @AbuMubarak 2 years ago +1

    You didn't mention Aegis for TOTP

  • @MidgardEchoes
    @MidgardEchoes 2 years ago +2

    The problem is that while many companies offer 2FA, it's opt-in. Companies need to make it opt-out at sign-up for new accounts.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  2 years ago

      indeed

    • @hanelyp1
      @hanelyp1 2 years ago

      I opted out of 2FA on my Screwgle account, then they activated it anyway. And defaulted to a broken method.

  • @duckshot
    @duckshot 2 years ago

    People fail to realize there is a difference between 2-Step Authentication and 2-Factor Authentication. SMS is 2-Step and can be man-in-the-middle attacked. A phone clone etc. Google Auth works well but you point out some of the exact issues that caused me to leave Google for another app.

  • @cityhunter2501
    @cityhunter2501 2 years ago

    No backup is the reason why I ditched Google Authenticator and went with MS Authenticator. Now I can easily restore all my codes to any device with my account.

  • @ronm6585
    @ronm6585 2 years ago +1

    Thank you.

  • @rayn1ful
    @rayn1ful 1 year ago

    What if 2FA locks out a legitimate account holder and somebody hacks the legitimate account holder's account, and that legitimate account holder has no idea it happened because they are locked out?

  • @gitshell
    @gitshell 2 years ago +4

    Thank you for the awesome content.