Two-factor authentication on the web: a guide

What many people don't realise - at least with Google's authenticator - is how important it is to back up your authenticator key. If you lose that and re-install the software on your mobile, getting back in usually involves communicating with the site admins and a lengthy back-and-forth process.
 
What many people don't realise - at least with Google's authenticator - is how important it is to back up your authenticator key. If you lose that and re-install the software on your mobile, getting back in usually involves communicating with the site admins and a lengthy back-and-forth process.
Good point.
The key isn't usually available to see again once 2FA has been activated. I try to printscreen the QR code and key and keep that stored on a flash before activating.
 
What many people don't realise - at least with Google's authenticator - is how important it is to back up your authenticator key. If you lose that and re-install the software on your mobile, getting back in usually involves communicating with the site admins and a lengthy back-and-forth process.

That, and if you're serious about 2-step auth, make sure to remove your phone number from Google's recovery options.

[video=youtube;mLh1Nmqa6OM]https://www.youtube.com/watch?v=mLh1Nmqa6OM[/video]

SS7 holes exist and they are up for rent on the darknet, so a SIM swap is not needed if the attacker is skilled.
 
What many people don't realise - at least with Google's authenticator - is how important it is to back up your authenticator key. If you lose that and re-install the software on your mobile, getting back in usually involves communicating with the site admins and a lengthy back-and-forth process.
Only stupid sites that don't have SMS or email fallback. Luckily LastPass or Authy fixes that.
 
They'll need my 12-character password and then intercept my SMS/email. Good luck with that.

I am responding to your fallback comment, i.e. if it's an SMS fallback, you select "forgot my password" and the system sends a recovery code via SMS. Once you intercept that, you can make the password whatever you want, so you do not need the 12-character password. ;)
 