
2 Factor Authentication

Celcius

°Temp. member
I don't currently use 2 factor authentication on anything and I'm thinking about finally setting it up on everything. I understand that 2 factor auth means that in addition to having a password, you also need a second way to authenticate yourself... usually a passcode that gets sent to your phone via a text message.

Is having a phone number be the 2nd auth the best way to go, or would email be better? (or is there even usually a choice?)
Any drawbacks to 2FA?
What do you do if someday you have to change your phone number?
Do you guys use 2FA yet?

Just looking to learn what I can before I take the plunge. Thanks!
 

Superkewl

Gold Member
I use 2FA whenever possible. Preferably using either the MS or Google authenticators. Peace of mind.

I changed my number and got locked out of my Amazon account, but a quick call to support fixed that.
 

daveonezero

Banned
SMS is horrible for this. It is not secure or private at all

2fa is basically something you have as opposed to a password which is something you know.

A good way to set them up is to use an Authenticator app which generates the codes. Your phone is the something you have. Just make sure to keep a password lock on and don’t use biometrics to unlock your Authenticator.

Also if someone has your phone and can get your passwords then they just broke the 2 factor by having access to everything. So separate passwords is a good idea.

Better way is to use an Authenticator physical key.

Personally I have it set up in OTP Auth on my iPhone.
 

Celcius

°Temp. member
SMS is horrible for this. It is not secure or private at all

2fa is basically something you have as opposed to a password which is something you know.

A good way to set them up is to use an Authenticator app which generates the codes. Your phone is the something you have. Just make sure to keep a password lock on and don’t use biometrics to unlock your Authenticator.

Also if someone has your phone and can get your passwords then they just broke the 2 factor by having access to everything. So separate passwords is a good idea.

Better way is to use an Authenticator physical key.

Personally I have it set up in OTP Auth on my iPhone.
Hmm that sounds complicated... do Steam, PlayStation, etc... support authenticator apps?
I've heard of SMS not being great for 2FA though.

edit: doing more research: https://www.pcmag.com/picks/the-best-authenticator-apps
 

Sakura

Member
I fucking hate 2FA.
To log into my CRA account (Canada Tax stuff) for example, I first log into my bank account because that is used as my login, which requires 2FA, so they send a text to my phone. Then it takes me to the CRA page, which also requires me getting a text to my phone.
You have to do this every time and can't opt out.

On my CRA account, it used to be set to send me a phone call where they would verbally give me a code that you enter in. Call never came, so I clicked resend code. Call never came again, so I clicked resend again. Oops now I am locked out of my account for requesting a code too many times.
This shit is so stupid.

Meanwhile if I log into my bank on my phone, I can just use my face ID and don't even need to enter a password, let alone get a code.
 

BlvckFox

Gold Member
2FA is a necessity at this point.

Data breaches, if they have not already, will likely result in some of your accounts credentials being exposed to bad actors.

While nothing is impossible, it's a hell of a lot harder to break into your account when a second level of authentication is required.

I really like using Authenticator apps as opposed to just a phone number and fortunately there is no shortage of them.

Microsoft’s Authenticator is really nice and could handle your email, PlayStation, etc.

Authy is another you could check out.
I highly recommend you take the plunge.

2FA isn’t meant to be convenient. Good security never is.
 

Lasha

Member
I have two hardware keys that I attach to any account which supports MFA. Two hardware keys mitigates the risk of damage or loss of a key.

I also use software authenticators. The only trick there is to keep your recovery key someplace safe since you will need it to remove the software authenticator if your phone breaks.

Use MFA everywhere. MFA will keep your accounts safe.
 

Sakura

Member
2FA is a necessity at this point.

Data breaches, if they have not already, will likely result in some of your accounts credentials being exposed to bad actors.

While nothing is impossible, it's a hell of a lot harder to break into your account when a second level of authentication is required.

I really like using Authenticator apps as opposed to just a phone number and fortunately there is no shortage of them.

Microsoft’s Authenticator is really nice and could handle your email, PlayStation, etc.

Authy is another you could check out.
I highly recommend you take the plunge.

2FA isn’t meant to be convenient. Good security never is.
Even if said bad actors don't have access to your phone or whatever for the 2FA, as long as they have your info they can just call customer support pretending to be you, to have the 2FA switched to another phone number or something.
It's what I've had to do when I've been locked out of my account, and it's probably a lot easier to do than to somehow access your 2FA device.
 

Meicyn

Gold Member
Use Authy, it’s great for handling your one time passwords. Works in place of Google’s authenticator, syncs across devices, etc.
 

Lasha

Member
I fucking hate 2FA.
To log into my CRA account (Canada Tax stuff) for example, I first log into my bank account because that is used as my login, which requires 2FA, so they send a text to my phone. Then it takes me to the CRA page, which also requires me getting a text to my phone.
You have to do this every time and can't opt out.

On my CRA account, it used to be set to send me a phone call where they would verbally give me a code that you enter in. Call never came, so I clicked resend code. Call never came again, so I clicked resend again. Oops now I am locked out of my account for requesting a code too many times.
This shit is so stupid.

Meanwhile if I log into my bank on my phone, I can just use my face ID and don't even need to enter a password, let alone get a code.

Your phone is the second factor. Most banking apps incorporate a security token. Biometric is used to validate a saved password.
 

Celcius

°Temp. member
Thanks for the info everyone. After doing more research on 2FA I'm strongly leaning towards using the Microsoft authenticator app since it's a company that I've heard of before and trust, and we also literally just started using this app at work as well. Using the authenticator app should be much more secure than using sms text messaging for 2FA and I also feel like I've learned a lot in the process. While I'm at it I'll probably go ahead and change my regular passwords everywhere too.
 

Celcius

°Temp. member
Looks like Steam is weird for some reason and requires you to use their mobile app for 2FA, but otherwise looks like I'll be able to use the authenticator app of my choice for everywhere else.

edit: oh, and looks like apple will just use my iPhone for 2FA.
edit 2: Looks like battle.net has its own authenticator app as well...
 

Superkewl

Gold Member
I fucking hate 2FA.
To log into my CRA account (Canada Tax stuff) for example, I first log into my bank account because that is used as my login, which requires 2FA, so they send a text to my phone. Then it takes me to the CRA page, which also requires me getting a text to my phone.
You have to do this every time and can't opt out.

On my CRA account, it used to be set to send me a phone call where they would verbally give me a code that you enter in. Call never came, so I clicked resend code. Call never came again, so I clicked resend again. Oops now I am locked out of my account for requesting a code too many times.
This shit is so stupid.

Meanwhile if I log into my bank on my phone, I can just use my face ID and don't even need to enter a password, let alone get a code.
Yeah, CRA is annoying. There is an option to not bug you again for 8 hours, but wish it was like other places where you can simply add your current device as a trusted device.
 

Celcius

°Temp. member
One more question - Later this year I plan to upgrade from the iPhone 12 Pro to iPhone 15 Pro (once it comes out). Will it be easy to move all of these authenticator apps from the old phone to the new phone?
 

jshackles

Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
Looks like Steam is weird for some reason and requires you to use their mobile app for 2FA
For what it's worth, if you know what you're doing it's possible (with a rooted Android phone) to extract Steam's TOTP so that you can get other 2FA apps to generate valid codes for it.

I run all of my 2FA through Aegis, an open source secure 2FA app for Android. Personally, I wouldn't trust a corporation with that level of access into my digital life.
 

Northeastmonk

Gold Member
One more question - Later this year I plan to upgrade from the iPhone 12 Pro to iPhone 15 Pro (once it comes out). Will it be easy to move all of these authenticator apps from the old phone to the new phone?
That really depends. In some cases you can if you move the app over, or you have to sign into the app to add it back. My iPhone did it but I also have my phone set up with Intune for my work and iCloud backup. It should move over.

Two factor is a must these days. It’s crazy how bad it is without it. You can bypass it if you know what you’re doing. Copying cookies over and so forth. It’s safer to have it than to not have it.
 

Dural

Member
I always have 2FA if the site has it as an option. Just a couple weeks ago I tried to log in to my Walmart account and it said my password was wrong. I logged in using a code to my phone then saw that someone had taken over the account and made a bunch of purchases sent to Long Beach, CA, I live in Illinois. Walmart doesn't have 2FA, but they have the option to log in with a code sent to your phone rather than a pw, so I changed it to that. I've gotten a couple messages since when someone is trying to get on my account. Can't believe that in this day Walmart doesn't have 2FA, also can't believe that they don't screen for logins from unrecognized locations.
 

Celcius

°Temp. member
I always have 2FA if the site has it as an option. Just a couple weeks ago I tried to log in to my Walmart account and it said my password was wrong. I logged in using a code to my phone then saw that someone had taken over the account and made a bunch of purchases sent to Long Beach, CA, I live in Illinois. Walmart doesn't have 2FA, but they have the option to log in with a code sent to your phone rather than a pw, so I changed it to that. I've gotten a couple messages since when someone is trying to get on my account. Can't believe that in this day Walmart doesn't have 2FA, also can't believe that they don't screen for logins from unrecognized locations.
One thing I also do is never leave my card details saved to a website. I always re-enter all the details for every transaction.
 

Dural

Member
One thing I also do is never leave my card details saved to a website. I always re-enter all the details for every transaction.

After my account was compromised I went and tried to delete all card details but it wouldn't allow me, I had to keep one card on file.
 
2fa is a scam.

It is a workaround for you to give legal permission for companies to use your personal details and partly to circumvent the reduction of sharing marketing-related data that was blocked under the European GDPR.

Think about it, you have to prove to a company that you are who you say you are by using a phone number that could be attached to a burner phone. How does that prove anything and how does that reduce the likelihood that your account will be hacked? It doesn't.

But don't think for yourselves, listen to and trust the people who stand to financially benefit from telling you that 2fa is a must.
 

Celcius

°Temp. member
2fa is a scam.

It is a workaround for you to give legal permission for companies to use your personal details and partly to circumvent the reduction of sharing marketing-related data that was blocked under the European GDPR.

Think about it, you have to prove to a company that you are who you say you are by using a phone number that could be attached to a burner phone. How does that prove anything and how does that reduce the likelihood that your account will be hacked? It doesn't.

But don't think for yourselves, listen to and trust the people who stand to financially benefit from telling you that 2fa is a must.
As mentioned above in the thread you shouldn’t use sms text messages for 2FA. You should use an authenticator app.
 
As mentioned above in the thread you shouldn’t use sms text messages for 2FA. You should use an authenticator app.
There's no difference. The app is still installed on your phone and in the small print you have to give permission to the app to X,Y and Z areas of your phone and data.
 

eddie4

Genuinely Generous
One more question - Later this year I plan to upgrade from the iPhone 12 Pro to iPhone 15 Pro (once it comes out). Will it be easy to move all of these authenticator apps from the old phone to the new phone?
It should transfer over when you migrate, but double-check before you wipe your old phone. When I switched to a newer phone, google authenticator did not transfer anything, so I had to export and import all the accounts manually.
 

Celcius

°Temp. member
There's no difference. The app is still installed on your phone and in the small print you have to give permission to the app to X,Y and Z areas of your phone and data.
So what do you do… just use a basic password and nothing else?


Also, another question guys - what happens if I lose my phone or someone steals it? I would then use the recovery string that you get when you setup 2FA?
 

jshackles

Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
There's no difference. The app is still installed on your phone and in the small print you have to give permission to the app to X,Y and Z areas of your phone and data.
See my first post in this thread above. It's possible to host your own secure open source 2FA application that doesn't report back to any corporation.

Also, another question guys - what happens if I lose my phone or someone steals it? I would then use the recovery string that you get when you setup 2FA?
Most 2FA authenticator apps have a way for you to create an export or backup of your app's configuration. I believe all of them will require that you place a password on the file to encrypt it. So one option is to export your authenticator's data with a password, then move it on to a source that isn't connected to the internet - like a portable thumb drive. Then store that thumb drive offline in a fire safe or along with your important documents. Set up a calendar reminder to re-do this process every couple of months, so your backup will always have any new accounts you may add.

The backup codes will also work, but keep in mind that these codes are one time use only - meaning they get burned when you use them. They should be printed and kept along with your thumb drive backup, but should really only be used in the event of an emergency.
 
So what do you do… just use a basic password and nothing else?

I avoid any application, game or website that requires 2fa. For passwords I throw scrabble tiles on the floor and use that. Pure random, no chance of guessing or predicting through patterns what my password would be.

See my first post in this thread above. It's possible to host your own secure open source 2FA application that doesn't report back to any corporation.

Sounds like unnecessary hassle.
 

Vestal

Gold Member
Anyone using just a password/sms to secure their accounts in 2023 is just begging for trouble.
 

Bojji

Member
So what do you do… just use a basic password and nothing else?


Also, another question guys - what happens if I lose my phone or someone steals it? I would then use the recovery string that you get when you setup 2FA?

I thought about that some time ago and:

Bought the second phone (slightly better but cheap - Xperia X3), I have an exact copy of my bank application (with access) and google authenticator (with everything exported) so when I lose or break my phone I will still be able to do everything.
 

Saiyan-Rox

Member
I use 2fa with SMS

I know it's not technically secure but the thought my phone could break/stolen and I'd lose access to my authenticator scares me a little.

I was going to get one of those physical authenticators that plug in via usb c or use NFC but I think there were some compatibility issues when I looked at them a few years ago.
 

nkarafo

Member
My mother's e-mail account is locked forever because of this. When I try to login for her on a new PC it asks for the security number they send on her phone, but that phone number is not in use anymore, she changed it a decade ago.
 

Celcius

°Temp. member
I use 2fa with SMS

I know it's not technically secure but the thought my phone could break/stolen and I'd lose access to my authenticator scares me a little.

I was going to get one of those physical authenticators that plug in via usb c or use NFC but I think there were some compatibility issues when I looked at them a few years ago.
Yeah as I'm doing more research I do have the concern that I could accidentally somehow lock myself out of my own accounts forever... that almost seems like a risk same as someone trying to hack my account.
 

daveonezero

Banned
Hmm that sounds complicated... do Steam, PlayStation, etc... support authenticator apps?
I've heard of SMS not being great for 2FA though.

edit: doing more research: https://www.pcmag.com/picks/the-best-authenticator-apps
It’s not that complicated. It is just a bit of setup.

Once that is done the “app” is the something you have.

I use the iOS macOS app and it is cloud based and synced on my devices.

I use 2fa with SMS

I know it's not technically secure but the thought my phone could break/stolen and I'd lose access to my authenticator scares me a little.

I was going to get one of those physical authenticators that plug in via usb c or use NFC but I think there were some compatibility issues when I looked at them a few years ago.
There are ways to back up both the app set up and most sites with 2fa have a way to save backup codes.

SIM spoofing isn’t hard and it basically makes SMS 2fa totally ineffective.

Yeah as I'm doing more research I do have the concern that I could accidentally somehow lock myself out of my own accounts forever... that almost seems like a risk same as someone trying to hack my account.

Backup codes exist and the cloud-based Authenticator apps are recoverable.

It’s a measure against all the data leaks. If your HN and PW leak from a rando website you are protected by 2fa. Also using unique passwords and aliases will help.

These days it’s best to assume all companies will eventually leak your data. All the security you can get is better than being an easy target.
 

Celcius

°Temp. member
"If you're already using two-factor authentication with your Apple ID, you can't turn it off. If you updated to two-factor authentication inadvertently, you can turn it off within two weeks of enrollment."
https://support.apple.com/en-us/HT204915#:~:text=If you're already using,a higher level of security.

"Certain features in iOS, iPadOS, and macOS require the security of two-factor authentication"
https://support.apple.com/guide/iphone/manage-factor-authentication-apple-iphd709a3c46/ios

Apple seems to be pushing it pretty aggressively... I wouldn't be surprised if it becomes mandatory within the next few years.
 

GeekyDad

Member
Thanks for the info everyone. After doing more research on 2FA I'm strongly leaning towards using the Microsoft authenticator app since it's a company that I've heard of before and trust, and we also literally just started using this app at work as well. Using the authenticator app should be much more secure than using sms text messaging for 2FA and I also feel like I've learned a lot in the process. While I'm at it I'll probably go ahead and change my regular passwords everywhere too.
[GIF: Excuse Me What]
 
2fa is a scam.

It is a workaround for you to give legal permission for companies to use your personal details and partly to circumvent the reduction of sharing marketing-related data that was blocked under the European GDPR.

Think about it, you have to prove to a company that you are who you say you are by using a phone number that could be attached to a burner phone. How does that prove anything and how does that reduce the likelihood that your account will be hacked? It doesn't.

But don't think for yourselves, listen to and trust the people who stand to financially benefit from telling you that 2fa is a must.

Oh no, companies spying on me? What will I ever do? How are they going to use my futanari porn collection against me? Don't be fucking ridiculous with your tin foil hat. Even if what you say is true, so what? How does it impact your daily life? It doesn't.

All 2FA's are secure, even the SMS one, no idea what ppl are rambling about. Unless you lose access to your number, how in the seven hells is it not secure? I guess in America where the average joe uses prepaid shit, it might not be ok, but in Europe most of us own the number, and it's almost impossible to lose access to it, unless you stop paying for it or you close it.

You can safely use any 2FA. They are safe.
 

Lasha

Member
Oh no, companies spying on me? What will I ever do? How are they going to use my futanari porn collection against me? Don't be fucking ridiculous with your tin foil hat. Even if what you say is true, so what? How does it impact your daily life? It doesn't.

All 2FA's are secure, even the SMS one, no idea what ppl are rambling about. Unless you lose access to your number, how in the seven hells is it not secure? I guess in America where the average joe uses prepaid shit, it might not be ok, but in Europe most of us own the number, and it's almost impossible to lose access to it, unless you stop paying for it or you close it.

You can safely use any 2FA. They are safe.

This article has a lot of references explaining why sms 2FA is insecure. The risk has nothing to do with identity being attached to a phone but rather the susceptibility of the sim to external attacks.

 
This article has a lot of references explaining why sms 2FA is insecure. The risk has nothing to do with identity being attached to a phone but rather the susceptibility of the sim to external attacks.


That's a lot of nonsense risks with 0.5% risks of happening. The average user will never experience those risks. We don't live in a movie my guy. A lot more people get their google accounts lost/hacked and therefore one can easily screw their google authenticator as well. Risk is with everything in life.
 

cash_longfellow

Gold Member
FYI, 2FA has been broken. It's better than nothing though.



Did you update your password after the 2011 Sony network hack?
I did. Luckily I never kept my card saved or anything though, and Sony was able to recover my account and block the IP address from the Network!
 

AV

We ain't outta here in ten minutes, we won't need no rocket to fly through space
Put it this way - there's a reason most of the big name celebrity nude photo hacks happened before 2FA. 2FA almost entirely put a bullet in it.

I don't think people understand how easy it used to be to download the contents of peoples' phones.
 
Oh no, companies spying on me? What will I ever do? How are they going to use my futanari porn collection against me? Don't be fucking ridiculous with your tin foil hat. Even if what you say is true, so what? How does it impact your daily life? It doesn't.

All 2FA's are secure, even the SMS one, no idea what ppl are rambling about. Unless you lose access to your number, how in the seven hells is it not secure? I guess in America where the average joe uses prepaid shit, it might not be ok, but in Europe most of us own the number, and it's almost impossible to lose access to it, unless you stop paying for it or you close it.

You can safely use any 2FA. They are safe.
You? Where in my post did I mention you? I don't know or care about you, so get over yourself.

Do what you want and make sure you keep up the cheery attitude as well! It sure is a great way to sway people to your point by calling them "fucking ridiculous" and wearing a tin foil hat. It does impact my daily life because I don't work for free. Companies using my data are making mega money from me. I won't be a slave for the sake of 'safety' and 'security'.

Do bank accounts get hacked without people losing their bank details? Can online games be hacked without people losing their disc? Can applications have all of their clients' information leaked without the client dropping the app down a drain or leaving it on a bus?
 