How TOTP (Time-based One-time Password Algorithm) Works for 2 Factor Authentication


Comments • 37

  • @bmpatel20
    @bmpatel20 4 years ago +3

    Great video, thank you for making it easy to understand.

  • @TJoseph2
    @TJoseph2 7 years ago +4

    I recently had a scare when I ended up dropping my phone into water. The first thing that popped into my head was I can't get into any of my accounts anymore. Luckily I had trusted my laptop for most of my accounts so I was able to log in and disable 2 factor. I love 2 factor authentication but this made me rethink my backup solutions just in case I broke my phone again.

  • @An.Individual
    @An.Individual 4 years ago +3

    0:18 Surely such a hacker would then also have the secret key for TOTP.
    So TOTP will defend against a user hack but not against a server hack.

    • @therealb888
      @therealb888 4 years ago +1

      It's never meant to; that's a completely different game.

  • @AnkitKamli
    @AnkitKamli 4 years ago +1

    How can I understand the OTP code generating algorithm of an *http* website? I have my username & PW, but the OTP gets delayed due to my weak network or maybe for different reasons. Is there any way I can generate or understand the OTP without waiting for the OTP code in my SMS?

  • @notstarboard
    @notstarboard 4 years ago +2

    One question I've always had on this is whether it would be easy to brute force into an account even without the authenticator if you had someone's username and password. Like, you only have 30 seconds before the code resets, but there are also only 1,000,000 unique combinations for the typical six-digit 2FA code. Do most sites just cap the number of attempted logins in a short period of time to reduce the risk of someone guessing the code?
    Let's say a site limits you to five login attempts per hour and it takes six months for me to hear about the breach and reset my password. In that situation an attacker would have about a 2.2% chance of accessing my account before I could change my password, assuming they're always trying the maximum amount of codes and no one stops them. Comparing that to the 100% chance they'd have without 2FA, this seems like a clear win for 2FA.
    With that said, I don't have much feel for how possible brute force attacks are in the real world. Is it reasonable to expect attackers could only do a handful of attempts an hour? Or could they theoretically just brute force right through with no limits? Obviously 2FA is better than nothing, but given that there are downsides too (e.g. slower login times, higher risk of losing access to your account) I'm trying to gauge the practical utility of 2FA.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago +1

      Most any modern site supports rate limiting.

    • @notstarboard
      @notstarboard 4 years ago

      @LAWRENCESYSTEMS Makes sense! Thanks.

  • @adeltabsh8578
    @adeltabsh8578 4 years ago +1

    Where can I find the bash code? Thanks

  • @georget10i
    @georget10i 4 years ago +1

    Awesome explanation. Thank you!

  • @EnglishRain
    @EnglishRain 1 year ago

    What an excellent video, Tysm! I take things haven't changed much under the hood right?

  • @Gluluman
    @Gluluman 4 years ago

    PayPal is unsafe and awful. Even C- eBay dropped PayPal/Braintree.

  • @smccrode
    @smccrode 7 years ago +2

    I wish Authy and related apps could somehow transfer devices when I get a new iPhone and restore from an encrypted backup. Maybe it'll be solved someday. Normal users won't know about this. Heck, I barely caught it when I got a new phone.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 years ago +3

      I have been looking at Authenticator+ as it has an encrypted backup option. I will be doing a review of it soon.

    • @johnibbs5848
      @johnibbs5848 7 years ago

      Authy does allow you to transfer devices from a cloud synced backup. It even allows you to have the accounts available on multiple simultaneous devices. Just go into settings and enable backups and multi-devices if you want.

    • @LightningSnake
      @LightningSnake 6 years ago

      Stuart, you can use an app called Latch that syncs everything from the cloud without relying on a phone number.

    • @Jamesaepp
      @Jamesaepp 6 years ago +1

      Syncing to the cloud in any way for 2FA completely defeats the purpose.

  • @Chem-iu5jx
    @Chem-iu5jx 3 years ago

    But the secret key is encrypted somehow, or isn't it?

  • @rootvalley2
    @rootvalley2 1 year ago

    PayPal now supports GAuth.

  • @andresz1606
    @andresz1606 6 years ago

    Did you say that "someone could hijack your phone number without getting your phone"? Mind explaining exactly how this could be achieved? I doubt such a thing is possible unless you work for the mobile operator or the CIA. I think the authenticator was implemented mainly because companies don't want to pay for the SMS.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 6 years ago +2

      Impersonating someone and having the phone company switch it. Does not require a job at the CIA...lol th-cam.com/video/LlcAHkjbARs/w-d-xo.htmlm52s

  • @botowner8623
    @botowner8623 4 years ago

    andOTP

  • @stuartwhittaker1105
    @stuartwhittaker1105 7 years ago

    That weird sound issue is there again. It's got to be that silver mic you use for this vlog; the other mic you use doesn't make the weird noise. Is the diaphragm on its way out, or possibly some distortion creeping in somewhere? Have you got a different mic to use? I hear eBay is good for (hint)?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 years ago

      +Stuart Whittaker I listened to the last one and just can't find the noise. Can you give me the time index for hearing it?

    • @stuartwhittaker1105
      @stuartwhittaker1105 7 years ago

      The first example is faint at 0:03 when you say "open standard". They are all pretty faint to be honest (and there are numerous examples; maybe it's clipping a bit), but I really find it makes it hard to listen to when it's happening. I'm using Sennheiser Game Zeros; I just tried my Sony headphones and it happens with those as well. Can anyone else hear it? Tell me I'm not going mad :(. I know hearing declines with age; are there any young people at your gaff who can have a listen? I'm not having a dig, it's true :)

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 years ago

      I think it is just a lack of a pop filter and me being too close to the microphone.

  • @monkeyking2750
    @monkeyking2750 6 years ago

    I accidentally deleted one of my exchange website's 2 factor authentication. I tried to log in using the backup code but it said expired; now I cannot log in to my account. My account has bitcoins in it. I tried to message the site support but I'm not sure if they will respond...

    • @FURIArts
      @FURIArts 5 years ago

      So did they respond?

    • @therealb888
      @therealb888 4 years ago

      @FURIArts Did they?

    • @keongg6877
      @keongg6877 3 years ago

      Did they?

  • @masterbjohnson2
    @masterbjohnson2 7 years ago

    Typo in title - TOTP