STOP Using Google Authenticator❗(here's why + secure 2FA alternatives)

  • Published on 6 Feb 2025

Comments • 1K

  • @AllThingsSecured 4 years ago +59

    UPDATE: Google Authenticator has since added biometric lock to the app, so my primary gripe about the security of the app has been resolved. I still prefer Authy, however, and for even better security, consider using a 2FA key like this: th-cam.com/video/xRmDIL9l3b0/w-d-xo.html

    • @Carlostype 4 years ago +2

      I was using Google Authenticator but you highlighted a few issues that warranted the switch!

    • @nematkarimi1054 3 years ago

      Both of them, first I get password from google authentication then I use 2FA.

    • @TechSmart_0101 3 years ago +2

      Yep I was using G Auth, now switched to Authy better actually!

    • @MrSmilev 3 years ago +14

      I am using google authenticator, Microsoft authenticator, lastpass authenticator for different purposes (e.g. work, personal, etc). Just read Authy's privacy policy - they share a lot with third parties "as required to provide their services". That's a NO-GO for me. MS and Lastpass are pass protected which is great. Google authenticator has been compromised already as far as I know.

    • @Iuffycs 3 years ago +2

      I used to use the Google Authenticator, then the Microsoft Authenticator and now Authy Authenticator

  • @brandonkruse6412 3 years ago +11

    I have a tattoo of my QR code sketched on my inner-thigh. You know, maximum security so nobody can see my weird search history.

  • @qualityposts2011 3 years ago +10

    As of Feb 2021 Google Authenticator now allows for export of 2FA's for backup, and when installing the App for the first time set a pincode to access it. This makes the product now the best there is if one does not like using cloud storage.

  • @thierry.lavallee 3 years ago +316

    1password auto entering the 2FA code completely defeats 2FA. That's 1FA... The hen eats the egg.

    • @Vizaru 3 years ago +52

      yeah that suggestion is honestly a step back from google authenticator.

    • @TheMack 3 years ago +40

      Agreed. Trading security for convenience is never a good deal.

    • @Ahmed-Soudi 3 years ago +3

      but some people may be willing to do the risk as 2fa config is sometimes forced to be done in some accounts on some sites.

    • @Stjarnadian 3 years ago +17

      Only if your password database with the 2FA codes got compromised. If it's some other kind of attack, which 2FA could have prevented, it's not a big deal.

    • @garyoak4175 3 years ago +9

      1password is garbage, this video is garbage. Surprising tbh.
      Auto-filler pass-mgr
      good one.

  • @syIer. 2 years ago +10

    update on the authenticator app: it now supports a lock screen so you have to enter your phone passcode, fingerprint or faceID

  • @zedgama3 3 years ago +66

    Google authenticator is designed to be the equivalent of a hardware token on your phone. In other words, it's something you have and cannot be easily duplicated. While I agree that having the option of protecting my MFA is an extra layer of security, I believe that the biggest benefit is that someone only has access while they have my phone - i.e. they can't make a clone of it.
    Best practice, in my opinion, is to use a password safe that contains my backup codes. Since most MFA systems only allow for one OTP seed, this forces me to retire the lost seed and then generate a new one.

    • @AllThingsSecured 3 years ago +4

      Thanks for the input here, JT.

    • @garyoak4175 3 years ago +11

      GA is perfect. ATS Clickbaiting

    • @PutsOnSneakers 2 years ago +6

      Until ya drop ya phone, all gone.

    • @portman8909 2 years ago +15

      @PutsOnSneakers Have a second phone stored away at home.

  • @amosboi6103 3 years ago +10

    Man, I know you probably won't see this; but I really appreciate the small things that most other content creators pass up, like timestamps.

    • @DJStompZone 3 years ago

      Yeah that, or uh.. You know... He *could* focus on stuff like... NOT making videos around statements that are completely false? But hey at least he got the timestamps on there. (slow clap) very nicely done on those timestamps

    • @amosboi6103 3 years ago +2

      @DJStompZone Said false statements being...? (Not being an ass, genuinely wondering)

  • @hyllaz 2 years ago +12

    I think Aegis is a more interesting option; it allows you to back up to an encrypted file in a cloud of your choice, and also gives you the option to do it manually by exporting that file and saving it wherever you want. And you can switch from Google Authenticator by exporting accounts, and it will read the QR code without a problem.

  • @sahilbhatt4467 3 years ago +31

    Aegis authenticator is the way to go. I prefer to use open source apps when compared to closed source as it is quite reliable.

    • @hairystyles4212 3 years ago

      yes!

    • @kierand9410 2 years ago

      What is the advantage of open vs. closed source?

  • @uriasbt 3 years ago +57

    I'll never be convinced that being able to back up codes is more secure than not being able to. Your first point makes sense, however it's an app feature that could be easily implemented, and until Google does I'll just use third-party security apps to lock access to the app. Also, as of now Google Authenticator has an option to transfer your codes to other devices.

  • @enterprisefreenas-waters2355 4 years ago +163

    I print out my QR codes and place them in a secure location. This allows me to restore my setup when I wipe my device twice a year. Also, I like the idea of not having a backup as I find it more secure :-)

    • @AllThingsSecured 4 years ago +24

      Yea, I understand that. Also, why do you print out the QR codes instead of the text backup codes that they give you?

    • @johnshite4656 3 years ago +68

      Be careful how you print. If you're on wifi there could be a man-in-the-middle attack on your LAN. Anyone running Wireshark could see your documents in plain text as they are sent to the printer. Also, some fancier printers (usually laser printers) have hard drives in them that store what is printed. Best option is to use a real cheap inkjet printer via USB cable, the old-fashioned way. If you're printing sensitive info, I would go this route. You can pick up a printer like that for $30, but ink refills are ridiculous.

    • @andrewmurray1550 3 years ago +24

      "Not having a backup is more secure" - since when?

    • @xybersurfer 3 years ago +15

      @andrewmurray1550 it is in terms of others getting access

    • @CryptoRoyaleGameplays 3 years ago +23

      @andrewmurray1550 Having back up on other device is multiplying the chance of your 2FA being hacked.

  • @pandabrain 2 years ago +5

    If an attacker can access your phone, he somehow got around whatever you use to unlock your phone. So if an app would use that same method, the attacker can most likely get around that just the same. So using a different method (for example I use a pattern for my phone to unlock, but a 4 digit number for authy) would make it a lot more secure.
    Complaining about Google authenticator not being secure enough, but also wanting a backup method is a bit of a contradiction. Having your keys stored at an additional place, online, that has to be accessible without 2FA keys (at least by this method) does make it less secure. I do agree that this is a "Should have" feature, however, definitely not from a security standpoint.
    And the iCloud Backup (luckily that is only the case for iPhones) is quite misrepresented as well. 04:17 "So it's not going to Microsoft, it's not going to Authy, it's your iCloud Account." Which means it goes to Apple. Or the other way around, it goes to YOUR Microsoft account or YOUR Authy account. I fail to see what the advantage is of it being stored in the iCloud.
    Of course, everyone gets to have their own opinion, but this is clearly fanboy bullshit presented as a security feature.

  • @JM.TheComposer 2 years ago +5

    Responsible people will save the 2FA seed codes in a password manager, so losing your phone becomes a non-issue. Alternatives to Google Authenticator also exist, which enable you to backup your 2FA seeds into an encrypted file.

  • @hyperjack23 2 years ago +1

    Yup, you're right bro. I also had a hard time with GA when I lost my phone. They have no backup or anything and I even emailed Google about it. And they replied that it will lead to court because of the legality issues... BIG no to GA.

  • @vladimirolujic6637 3 years ago +126

    Hey, man! You're good! Very good! Clear explanation, calm voice, real emotions, no faking, no overdoing it, no squeaking noises coming out of your mouth to make it "fun" and "cool", by some standards. No loud or annoying music... I was looking for Shakepay 2 step authentication explanation and stumbled upon your authenticator video. Don't know when you started your channel, but I wish you get hundreds of thousands subscribers soon! All the best!

    • @AllThingsSecured 3 years ago +11

      Thanks so much, Vladimir!

    • @ColtraneTaylor 3 years ago +4

      I'm not even watching the video but I applaud the uploader for this effort and agree with your sentiment. Hate those trendies.

  • @LORDxMINECRAFT 3 years ago +7

    Hold on a second, this just made me realize that if i lose my phone, i lose access to all my investments. Man thank you for explaining this. I am switching asap!

  • @ryaniglesias6381 3 years ago +7

    Great video.... I just dumped Google Auth altogether. Question for you: Authy looks good as I do like the multi-device option so I don't have to access my phone to get a 2FA code, but I don't like giving them my mobile number. Microsoft auth backup in iCloud is great, but would you happen to know the answer to this question - if I lost my iPhone and I decide to buy another iPhone three days later and I need a 2FA code before I get my new iPhone, I am out of luck unless I have backup codes, right?

  • @centerpide 3 years ago +19

    I totally get you. I always thought Google authenticator would have some backup feature to save all the account codes. To my horror when my phone got downgraded from Android 12 beta to 11, all my data was stored and could be restored except for Google authenticator. Had a painful time trying to recover each account one by one.
    Will be switching over to authy!!

  • @01Phenom 4 years ago +25

    I switched phones and I didn't back up my codes, now I need my old phone with G-authenticator. Good video

    • @AllThingsSecured 4 years ago +9

      Yea, you're not the only one that has happened to. So sorry for the trouble!

    • @soccerguy2433 3 years ago +1

      You can easily transfer from one device to the next. I literally just did that last month when I moved from OP 5t to a new Samsung S21.

    • @TechSmart_0101 3 years ago +2

      You can export accounts to the other device like I did but actually switched to Authy!

    • @NathanElcoate 3 years ago +1

      You can transfer from within the app..

    • @TheKoeman32 3 years ago

      Omg

  • @medmedmed333 3 years ago +4

    Thank you for sharing, I just started using GA. I'm that type of person who might upgrade in just a few years (My old phone's screen broke just after 1.5 years) so having an option for multiple devices is much needed

    • @AllThingsSecured 3 years ago +1

      Glad I could help!

    • @garyoak4175 3 years ago +6

      Keep using GA. Try to find articles about someone being hacked with GA, you won't find any. Even a basic SIM-SWAP is hard work. Carriers aren't THAT retarded.

  • @Kaldrax 3 years ago +4

    You can just export google authenticator OTPs and import them on a second device btw. I have them on my phone and on my iPad for backup.

  • @ZySteMax 3 years ago

    Your channel is about to skyrocket

  • @PatrickFoxGaming 3 years ago +3

    Google Authenticator has the ability to use Touch ID, and it also has a backup feature.

  • @gurnanis 3 years ago +1

    Awesome video buddy … thanks. Can you suggest any easy way to move out of Google Authenticator? Also a recommendation for a future video - please… comparison between the new iOS 15 2FA vs 1Password. Thank You 🙏

  • @diplod5000 3 years ago +3

    You can make a back up of all your codes by taking a picture of a barcode for back up!!! There is an option in the settings!

  • @smokyviking2103 2 years ago +1

    Nice work

  • @ricp 3 years ago +4

    Authy requires a phone number to set up... that in itself makes it less secure than Google Authenticator. You can find hacking stories on this on Reddit subs. Also, having various 'backup' options in multiple devices might be good for convenience but bad for security. If you use Google Authenticator properly, i.e. downloading the backup codes as you should for your own security, then there's no need to downgrade to Authy.

    • @likfrikbik 3 years ago +4

      True. People just don't understand how Google Authenticator works.
      Using your phone number to set up anything is not secure at all, because of a "SIM swap" attack.

  • @dandtech 2 years ago +7

    1. In most Android phones an app can be secured within the phone. 2. When you enable 2FA, the website gives you 10 codes for backup to use for emergencies like when your phone breaks down, or is lost, or stolen. When you switch phones, the Google Authenticator has an option to transfer the registrations to your new phone, to the new authenticator. On the other hand, if your app has a backup somewhere outside the phone, guess what? That can be a target for hackers.

  • @LaviArzi 3 years ago +37

    I don't agree. 2FA is meant to be "something you have".
    Along with that you have the regular which is "something you know". If you have access to your phone, it should be all you need to qualify as the something you have.

    • @Dabs_Rulez 3 years ago +2

      No, authy requires a phone number to set up and then you either get a verification code by text or call to your number to access your app. Then after that you have to enter your backup password to access the accounts. And just so you know backup passwords are never stored by authy meaning if you forget it you can’t recover it. Same for the pin. So authy is still as secure as google authenticator. And plus authy has a better UI than google authenticator

  • @neuideas 3 years ago +2

    I use 2fas on my phone, and Authenticator Pro on my tablet. Both allow PIN protection and various backup options, as well as export options.

  • @linuxninja 2 years ago +4

    It's VERY annoying to see someone like you purport to be a security conscious 'professional' and give out such bad advice.

  • @Perception_ 2 years ago +2

    The main reason I switched to Authy is because it saves my info. My recent phone died, and so I downloaded the app on my new phone, and there was everything as it was on my old device. The google app was just completely wiped.

  • @bahb00 3 years ago +3

    So basically if Authenticator required biometric unlocking of app you might still use it.
    As for site code backup I just snap a pic of the setup QR codes with a cheap offline camera.

  • @user-sw1wq8lh2w 3 years ago +2

    If you're adding 2FA to your desktop app, you're violating 2FA if you also store the password in a password manager on that machine and it is unlocked, same issue on your phone.
    Two factor needs to be two factors of security. Something you know: passcode, something you have: device.

    • @AllThingsSecured 3 years ago +2

      You’re speaking of this as if 2FA is some sort of “moral code”. Is keeping your password and your 2FA on different devices a best practice? Absolutely. But what you’re describing still requires something you have (a device) and something you know (a password). In other words, it’s still 2FA. No “violation”.

  • @Carlostype 4 years ago +8

    Switched! Thanks for the heads up

  • @staymad6739 3 years ago +1

    "Putting all of your eggs in one basket" which is exactly the Google business model

  • @Oneofakind123 3 years ago +4

    1) I trust a larger company more than a smaller one.
    2) You can export all your codes via QR code to another unit. Even print it for safekeeping.
    3) The fact that there is no app lock is not a deal breaker. 2FA is meant to stop hackers/phishers with no access to the phone.
    4) You have affiliate links

    • @AllThingsSecured 3 years ago +2

      1. The bigger they are, the harder they fall.
      2. You can save backup codes when you setup any 2FA, so what's the difference between that and the QR code?
      3. My home security system is supposed to deter thieves, but I still lock my doors. Your point?
      4. My first two recommended options are not affiliate links, and I clearly declare that 1Password is an affiliate link because it's the one I use. Are you implying that this somehow taints my message?

    • @AidenEllis 3 years ago +2

      btw .. you can lock the app with built in app lock feature :>

  • @raphtheman 3 years ago +2

    I don't know how it works on Android, but on iOS with MS Authenticator, if the device doesn't recognize your face it just asks for the device password. This means that a bad actor with physical access that already breached your device (i.e. determined the device password) will be able to get into MS Auth as easy as Google Auth. At least as far as I can tell.

    • @AllThingsSecured 3 years ago

      I just tried it and the app doesn't give me the option to type in my device passcode. If Face ID doesn't work, I'm not granted access to the device (on iOS). Perhaps they anticipated that problem you mentioned?

  • @anation2351 3 years ago +44

    I just learnt something I didn't even know I needed. Thank you for the wake up call!

  • @the_mr_p 3 years ago +1

    Very good video. Best password manager is definitely a sheet of paper 😂

  • @sheethal_thomas 3 years ago +35

    Using Bitwarden with Microsoft Authenticator for years 😊

    • @cocatfan 3 years ago +1

      I don't understand the use of any authenticator. How is it different from using Bitwarden which I use?

    • @sheethal_thomas 3 years ago +10

      @cocatfan Bitwarden is a password manager mainly and not an authenticator. Yes, it does have TOTP authentication as premium feature. But the purpose of using an authenticator is to use a different device or app for additional verification. A person who can get into your password manager can also see your 2FA code if they are together and totally negates the purpose of 2FA.

    • @twb0109 3 years ago

      Bitwarden + Microsoft? Like Privacy + Surveillance

    • @jorgemotta8290 3 years ago

      @twb0109 if it works well I'm ok with it. I also use both.

    • @twb0109 3 years ago

      @jorgemotta8290 yeah, people don't care about privacy

  • @ihzaq 3 years ago +1

    "I didn't use google apps anymore"
    Me: youtube?

  • @jroddz 3 years ago +3

    What are you talking about? Google Authenticator has backup. Just hit export accounts, select which accounts, then it will generate a QR code which you can use on a new phone with google Authenticator.

    • @AllThingsSecured 3 years ago +1

      Thanks for sharing. This doesn't really help if you've lost your phone or had it stolen. I wouldn't call it a "backup" as much as it's just a "transfer service". And even for that, it only allows you to transfer 10 accounts at a time.

  • @virtualreality4me544 3 years ago +1

    1st time viewer great content

  • @Afura33 2 years ago +3

    Wait, a backup cloud option would bring some security issues of its own. Even if they are (like they say) encrypted, someone who knows what he does and gets access to these cloud saves can still decrypt them and get access now to all of your 2FA codes. It's better to write down the backup or recovery codes instead of using backup cloud saving, but the issue is that some sites like PayPal or Amazon do not provide any backup or recovery code for 2FA, which is a shame.

  • @George-W-Jenson 3 years ago +1

    The problem with any 2FA is that if you lose it you need another way to get in. Google Authenticator can be used as a backup, plus it's always a good idea to save backup fixed keys if available.

  • @padraigr9305 4 years ago +7

    Unless the desktop apps have an unlock PIN does it not defeat your stated purpose in switching from Google Authenticator?

    • @AllThingsSecured 4 years ago +2

      They do. Sorry I didn't show that. You can create a "master password" for the Authy desktop app.

    • @garyoak4175 3 years ago

      Besides the point.

  • @scifino1 3 years ago +1

    I use and recommend Aegis Authenticator, which is available through the F-Droid open source app store.

  • @bufordmaddogtannen 3 years ago +34

    Protip: save the various qr codes together with the security/recovery codes when you set 2FA, you'll be able to scan them on different devices.

    • @AllThingsSecured 3 years ago +1

      Good tip!

    • @levielliott4673 3 years ago +2

      Yeah, I snip the qr code, print that out then add the account to authenticator from that printout just to make sure the hard copy works. Label the paper and keep it somewhere secure with your other important documents. I recently re-flashed my phone and getting my accounts back in authenticator took 3 minutes.

    • @bufordmaddogtannen 3 years ago

      @levielliott4673 I use a password manager, but the concept is the same. Instant recovery in case I change phone. 😉

    • @levielliott4673 3 years ago +2

      @bufordmaddogtannen I use a password manager for passwords but figure the paper backup might be slightly more secure being a different basket to keep the 2fa in. Otherwise if the password manager were to get hacked they'd have my whole world. Same concept that people use for crypto and keeping private keys on paper rather than digitally on an internet-connected device.

    • @bufordmaddogtannen 3 years ago

      @levielliott4673 indeed. It's an additional layer of protection. Although I'd not be at ease putting qr codes together with, for instance, electricity bills (there they are unprotected) or in a safe (that's a target).
      Maybe I'll have to hide things under the floor. Like John Wick. 😁🤣

  • @philtangerine 3 years ago +1

    If a person doesn't use their device for anything important...never does banking on their phone, or anything "confidential", but just does it at home a PC...is there any reason to use 2FA? Thanks.

  • @einyv 2 years ago +3

    Google added the transfer option, which gives you a single QR code to import to another device, but I just took a picture with another device, then printed it out and put it in the safe as a backup.

  • @jakepokervegas 3 years ago +1

    Uhmm... I have Google Authenticator in a secure folder on my phone, so... to enter that secure folder I have to use passcode or fingerprint reader, and a good habit is to have a password manager, so... Every time I add a new account to Google Authenticator I add the code to my password manager, which makes automatic backups, is synced with the cloud and is encrypted.
    I'm not saying that Authy or the others are not good... just the reasons you give to change it are not that important for me.
    Thanks anyway for the video. :P

    • @huntermcclovio4517 3 years ago +2

      DO NOT LISTEN TO THIS GUY!! First of all you can password secure your phone with a password or a pin to block anyone from accessing your google authenticator. Second, yes you can make a backup with the key given to you when setting up the authentication procedure. Third, install the google authenticator on an airgapped used (old) cell phone for better security, DO NOT INSTALL ON MULTIPLE DEVICES!! you expose yourself and your keys!! and last and very important do not backup to your cloud, if anyone gets to your SIM card or calls the telephone company to get your SIM card replace they will have access to your cloud and all your apps including your authenticators. VERY IRRESPONSIBLE VIDEO!!

  • @TeeJ424 3 years ago +3

    Google Authenticator now has lock feature under Face ID

    • @AllThingsSecured 3 years ago +1

      Yes, you are correct. Perhaps Google watched this video? 😉

    • @TeeJ424 3 years ago

      @AllThingsSecured They're always watching ;)

  • @robwin0072 3 years ago

    How to move from Google Authenticator to Microsoft Authenticator?
    Do I have to set up each one separately or is there a transfer option?
    What I need to know is my Microsoft Authenticator on my old phone has a backup. How do I restore the backup of Microsoft Authenticator from my old iPhone to my new iPhone?

  • @KngSovereign 3 years ago +21

    3:35 - It should be known that Authy doesn't allow access to the seeds for the 2FA codes. This means that if you get locked out of your Authy account (for whatever reason) then you could have to reset your 2FA accounts individually.

    • @NicCrimson 3 years ago +1

      Does 1password have this feature?

    • @mementomori29231 2 years ago +3

      That's fine. Have the seeds backed up to an encrypted container locked in your safe, for worst scenario situations. Should have Authy on several devices. I have Authy on several devices - phone / tablet / PC.
      Once Authy is set up on several devices, turn off multiple device option and no one else can log into your Authy account unless you approve. Super secure and safe.

    • @KngSovereign 2 years ago +1

      @mementomori29231 how do you have the seeds locked up in a safe if Authy doesn't give access to the seeds?
      Also, I can do everything you just said with every other 2FA app AND STILL have plain text access to the seeds for my codes. 🤷

  • @ARoninLiberal 2 years ago +1

    Untrue about losing 2fa on GA if you lose your phone. You can save and then manually enter the 2fa key for each site. It does require copying and pasting the keys, but once you've saved them to a secure note, it's no problem. The keys are random numbers and digits. Please issue a correction. I've done this many times with my phones.

  • @melisaybell 2 years ago +9

    Thank you for the video. Why am I learning this lesson right now! I never bothered with 2FA previously. I always thought it was an odd sort of overkill. I had used 2FA before at work to access specific tools for an employer but that was it. I enabled the feature recently given concerns about security. I must say, if I were not a better person I would have fallen out with Google over this. I am unable to access accounts. I should have done my research beforehand. I am grateful that I am finding this out now. I hadn’t had the accounts long but the experience has been a huge time suck. If I had watched this video or absorbed everything I have researching this topic I would have opted for an alternative.

  • @LadyEtWatch 2 years ago +1

    What's a fa key...? I need slow down n explain for beginners. Is this Android or iPhone?

  • @mynameisjeff9124 3 years ago +4

    Google Authenticator is insecure, but saving your 2fa with your password in 1password is secure??? And btw Google Authenticator is backed up to iCloud via the full device backup

    • @jayl3840 3 years ago

      @燃えるおっぱい【海外35P】 agreed - Bitwarden is the only pass manager I ever tell people about.

    • @AllThingsSecured 3 years ago

      While I agree that using 1Password isn’t the MOST secure way to setup 2FA, it’s definitely better than Google Authenticator for many different reasons. As for the iCloud backup, I’ve had mixed results. I definitely wouldn’t rely on that method alone as your only backup.

  • @asdrubalivan18 2 years ago

    Just did the switch thanks to this video! Thank you so much for sharing your knowledge!

  • @darkmugetsu6572 3 years ago +4

    Might pick Authy, I can install this on my main and old phone and only use the old phone when I need backup access if the current phone is lost/breaks.

  • @vyilettwebb9320 3 years ago +1

    Thank you this video was very helpful😀

  • @jamesdube7597 3 years ago +9

    Funny I noticed this as well about GA, and this was my first experience with 2FA. Thanks Subbed!!

  • @CryptoInsiderTV 3 years ago +1

    you can back up your google 2fa QR code on usb drive. so not sure what ur on about

    • @AllThingsSecured 3 years ago

      Why do that when I can just keep the backup codes for each account?

  • @gknotebook8298 3 years ago +3

    That was really helpful. Thank you so so much

  • @Kazzzzzo 3 years ago +1

    Everyone should print 2FA keys and store safely and it's OK. No one has access to your phone, so you should lock it with fingerprint, face recognition etc.

  • @jonathanr3439 3 years ago +9

    GA has a “privacy screen” setting, meaning face recognition is instantly required when opening the app, unlocking your phone and (re) opening the already running app, etc.
    Does this not resolve your no password concern for GA?? Seems secure to me.

    • @Dabs_Rulez 3 years ago

      It wasn't there when this video was released but it is now

    • @vmaldia 3 years ago

      @Dabs_Rulez sooo the app team listened to criticism and just like space wolf said i acknowledge my mistake and will correct it

  • @FesteringRatSub 3 years ago +2

    This is really great advice. I just freaked out that this could happen, like if my phone broke i am screwed

    • @adventureinventors
      @adventureinventors 3 years ago

      Only if you don't have all your original account info and passwords. If you wrote down your original account set up info you are not screwed.

    • @huntermcclovio4517
      @huntermcclovio4517 3 years ago

      DO NOT LISTEN TO THIS GUY!! First of all you can password secure your phone with a password or a pin to block anyone from accessing your google authenticator. Second, yes you can make a backup with the key given to you when setting up the authentication procedure. Third, install the google authenticator on an airgapped used (old) cell phone for better security, DO NOT INSTALL ON MULTIPLE DEVICES!! you expose yourself and your keys!! and last and very important do not backup to your cloud, if anyone gets to your SIM card or calls the telephone company to get your SIM card replaced they will have access to your cloud and all your apps including your authenticators. VERY IRRESPONSIBLE VIDEO!!

  • @theglobetrottersv
    @theglobetrottersv 3 years ago +10

    Thanks for opening my eyes with Google!!! I was starting using Microsoft authenticator before this video because has his own password, can backup and has his own password which found it much better for the situation in case lost my phone.

  • @thecryptosite9039
    @thecryptosite9039 3 years ago +1

    I feel all these options are slightly less secure than google auth. The only reason you would switch is to protect yourself from yourself. The fact that the codes are gone with the device is a good thing; any additional backups make you vulnerable, especially to a SIM swap. Create a phone passcode that nobody knows and then use face ID or touch ID. There is no reason anyone should know your phone PIN code. There will always be a way to regain access to accounts that have google auth on them if you lose access to your google auth app. A decent site would not allow you to enable it without having a secure method of account recovery if you lost access to phone. Coinbase has a system where they verify your identity and re-enable it. Most sites have a backup code generated at the beginning, just store it safely and don't lose it.

  • @JohnLamjohnlsl
    @JohnLamjohnlsl 3 years ago +6

    the reason I use Google sync is because it is totally off line
    you can back up Google Auth Back up by creating a qr code for a different device to scan
    just go to transfer account -> export account and you can backup the code you need
    (there is a small problem if you have too many, as the qr code will be very big; the workaround is splitting the codes you need to back up into different groups)
    I have been doing this sync for all 4 of my devices
    doing a cloud sync is a no no for me for security reasons
    and for the app cannot be locked issue, I mean when you are in a location with more than yourself, you should always fully lock your phone before it leaves your hand..........

  • @ruairigogan7342
    @ruairigogan7342 2 years ago

    Newbie, so can I get rid of the OTP sms? Sms doesn't work when I'm out of the country. TIA

  • @marktubeie07
    @marktubeie07 3 years ago +3

    Ok, then why do you still have your video on using Google authenticator on your channel from 7 months ago? Maybe delete it, it's confusing to have both. Cheers.

  • @jorgehenao3900
    @jorgehenao3900 2 years ago

    hi from colombia cali..nice video bro

  • @foopington
    @foopington 3 years ago +3

    having 2fa codes on your password manager seems like a horrible idea lol

  • @echoblades
    @echoblades 2 years ago +2

    One more authenticator with pretty good interface is Zoho OneAuth (India). At this moment it has iOS, Android and macOS versions

  • @SSmithYT
    @SSmithYT 4 years ago +28

    Looking into switching as well, mostly looking for the convenience of an "Approve" request like I get with some Microsoft sign ins and other accounts, looking for an authenticator app that can do that for any account I use in it. These were some nice points though, unfortunately I don't like the idea of device sync, I'm sure you know, it's similar to the "all eggs in one basket approach."

    • @AllThingsSecured
      @AllThingsSecured  4 years ago +6

      Yea, I completely get that. I don't personally use device sync either, but I do keep a local backup of my file for protection against theft or loss of my device.

    • @bakasenpaidesu
      @bakasenpaidesu 3 years ago +1

      Google need to add some kinda extra password to the qr so that only one get the access who knows the password

  • @Ked4aa
    @Ked4aa 2 years ago

    Thank you very much sir! this video really helped me!!

  • @prhasn
    @prhasn 3 years ago +16

    This was really helpful. I thought all apps had same issues as Google's. Glad to know there is a solution.

  • @Matschbacke25
    @Matschbacke25 2 years ago

    Do you use Yubikey? For what cases are you using your Yubikey?

    • @AllThingsSecured
      @AllThingsSecured  2 years ago +1

      In any case where a key is accepted. For those that don’t, I use an Authenticator app.

    • @Matschbacke25
      @Matschbacke25 2 years ago +1

      @@AllThingsSecured Hmm. Do you think that Authy is safe?

  • @bgtubber
    @bgtubber 3 years ago +12

    4:08 Aren't cloud services also susceptible to hacking? I've seen plenty of news of clouds being breached - Dropbox, Microsoft, Apple iCloud etc. I wouldn't put any important information and files on the cloud without it being encrypted first.

    • @MrFooChops
      @MrFooChops 3 years ago

      More than that I wouldn't even trust those companies themselves with my private information so I wouldn't even use them anyway

    • @lussor1
      @lussor1 3 years ago

      Bitwarden is used by proprivacy people

  • @syazone6782
    @syazone6782 3 years ago +2

    I just wonder and you clarify it well , thanks 👍

  • @mattisfrommer8564
    @mattisfrommer8564 4 years ago +4

    Do you know OTPAuth? You should give it a try. I think this app is awesome (Only available on iPhones)

    • @AllThingsSecured
      @AllThingsSecured  4 years ago +1

      Thanks for the tip, Mattis! I hadn't used it before. From what I see on the app store, I probably wouldn't use the notification center feature. Do you think it's worth the paid version when others like Authy are free?

    • @mattisfrommer8564
      @mattisfrommer8564 4 years ago

      @@AllThingsSecured Absolutely. On the iPhone it should be free. Only the Mac app must be paid.

    • @mattisfrommer8564
      @mattisfrommer8564 4 years ago

      @@AllThingsSecured I am very satisfied with OTP Auth. It works well.

    • @wtg93
      @wtg93 4 years ago

      I agree, it's a much better option since it's open source. On Android "andOTP" is a great open source 2FA app.

  • @bakasenpaidesu
    @bakasenpaidesu 3 years ago +1

    You are right man...
    I'll switch soon to any other app u suggested.

  • @CRK1918
    @CRK1918 3 years ago +3

    It is generally, if you want to be convenient and easy to use, security will be exposed. Therefore, I generally do not use automatic cloud backup, I am backing up with my own method (You can back it up with a file, then you have to modify the name of it, and then upload it to your cloud.).
    BTW, I'm using the andOTP app, because it is a completely open source application, and it can encrypt your file backups. You also need a pin or password to get in.

    • @cxl520
      @cxl520 3 years ago +2

      Yep, convenience comes with the cause!
      andOTP is great and you can see the source code, so there's no back door for third-party services to get in. All the security is in your own hands!

    • @osamu_90
      @osamu_90 2 years ago

      Security and convenience are always inversely proportionate. If you really want to be secure you shouldn't even use the same device for your password manager and 2FA authenticator and even use physical USB keys (eg. Yubikey) for them, but not many people do that because it's very inconvenient.

  • @chchchscott1
    @chchchscott1 3 years ago +1

    Authenticator has multi device support. I have it on my iPad and iPhone. Same codes on both devices.

  • @susancorgi
    @susancorgi 3 years ago +4

    My phone is always locked so g app doesn't need to

  • @raymondlee3327
    @raymondlee3327 3 years ago +1

    I just fired "Google Authenticator"! I switched to Microsoft Authenticator based on the information in this video!

  • @HaimPeretz
    @HaimPeretz 3 years ago +14

    First of all for the lock you can easily fix this by using app locker and in OnePlus and Xiaomi phones it's built in.
    For the backup, you now have options to export the accounts

    • @Ingram091
      @Ingram091 3 years ago

      Exactly!

    • @harshkazama4289
      @harshkazama4289 3 years ago +2

      Nah

    • @hanszimmer121
      @hanszimmer121 3 years ago

      Ty, I have OnePlus and worked for me. But I have a question how it will happen when hackers have control over your phone, they can see what your password is or what?

  • @Ninorc8
    @Ninorc8 3 years ago +1

    Josh, I have always used 2FA but only recently employed the Authy Authenticator app. I neglected to keep any backup codes when I was setting up my accounts. I didn't even consider this as an important step until watching this video. Is there a method of correcting this and storing codes now? Thanks for the great content.

  • @finnk1289
    @finnk1289 3 years ago +6

    Authy, Microsoft, One password...
    You're missing the importance of Open Source software. Who would trust a proprietary app with their personal data??
    Your channel could be so much better if you got your feet wet in the world of REAL privacy and security. Take some inspiration from Techlore

    • @Ta3iapxHs
      @Ta3iapxHs 3 years ago

      So what is a good open source authenticator?

    • @aussierule
      @aussierule 3 years ago

      @@Ta3iapxHs Probably a metal card with your QR codes etched in or some shit lmao

    • @paulthecaffeinated7549
      @paulthecaffeinated7549 3 years ago

      FDroid... seems I can't type :(

  • @unskeptable
    @unskeptable 3 years ago +1

    Google has Backup codes, that you can refresh at your will.

    • @AllThingsSecured
      @AllThingsSecured  3 years ago

      What do you mean?

    • @unskeptable
      @unskeptable 3 years ago +1

      @All Things Secured you just login into your account and get a fresh set of backup codes. Also you can store the qr code and use it with your new mobile devices. It's easy .

  • @SauI_Goodman
    @SauI_Goodman 3 years ago +3

    hey there man, i agree but the part you were talking about you can't lock the app is not true. many antivirus companies allow app locking which can be done easily but good video

    • @adrenaliner91
      @adrenaliner91 3 years ago

      If you have an antivirus installed on the phone and most have not. I personally stopped using antivirus on android for many years because the only thing what it did is generate traffic and needs a lot of battery, as someone who can see if a website or mail is wrong, blocking ads and cookies and only install well known apps from Play Store an antivirus is just useless.

  • @a-s7179
    @a-s7179 3 years ago +1

    Authy for Bitwarden ! however, it doesn't work with my google accounts as "Google prompts" is the default one

    • @AllThingsSecured
      @AllThingsSecured  3 years ago +1

      It’s another level of security, sure. I don’t think it replaces 2FA, but it’s better than using only a password.

  • @bakasenpaidesu
    @bakasenpaidesu 3 years ago +3

    Google need to add some kinda extra password to the qr so that only one can get the access who knows the password

  • @AmanIsMatic
    @AmanIsMatic 2 years ago

    Is the 2fa feature available now where we can see our 2fa 6 digit passcode from the 1password itself?

  • @pptx24
    @pptx24 4 years ago +8

    I use Microsoft authentication and I love it. I can recover my codes.

    • @AllThingsSecured
      @AllThingsSecured  4 years ago +2

      Good deal!

    • @rileynichol1016
      @rileynichol1016 3 years ago +1

      where do you put in a code? I'm so lost

    • @pptx24
      @pptx24 3 years ago +1

      @@rileynichol1016 Microsoft authentication gives you another code (number) that works like a second password, that code changes every 30 secs so it’s so complicated to hack. You just need to download the app and scan the QR to link the website to secure with Microsoft authentication.

    • @rileynichol1016
      @rileynichol1016 3 years ago

      @@pptx24 ty

    • @gto903
      @gto903 3 years ago

      @@pptx24 what if I only have 1 device?

  • @groundexlight7850
    @groundexlight7850 3 years ago +1

    im using it rn, now how do i delete the app? do i logout out and delete or just delete the app, im kinda scared after u have said all this because i use google authenticator a lot

  • @DarienAllen
    @DarienAllen 4 years ago +6

    I dropped Google authenticator last year for that same 2nd reason (no way to backup codes)

    • @AllThingsSecured
      @AllThingsSecured  4 years ago +1

      Yea, it's pretty scary, particularly if you keep your crypto backup codes on Google's app.

    • @shutthegate8232
      @shutthegate8232 3 years ago +2

      and a software shouldn't be so crappy that you need a second/spare phone, just to do an export to google auth on that phone, to put it away as a spare. How crap is that design!

    • @maria-wu7us
      @maria-wu7us 3 years ago +1

      there is a way though. Print the QR codes on paper and place them somewhere safe :) You could also print the emergency OTPs provided by the accounts that allow you to integrate 2fa. They are meant for scenarios like these :) Since the security risks for all these services are still non-zero, it would still be okay to use services that backup to the cloud though. Just know that they are less secure than using google 2fa.

  • @ewaldfaugue4790
    @ewaldfaugue4790 3 years ago +1

    Thanks for those great information and tips. I get caught up in that situation with Google authenticator.