
2 Factor Authentication Possible Future Issues

LoveCake

Member
Yesterday the screen on my phone broke and I couldn't click on anything on the right-hand side of the screen. I have 2 Factor Authentication on my various accounts; most use a text message, which is fine, but the Microsoft accounts use the Microsoft Authenticator App. So today, when setting up my new phone, I had already stopped 2 Factor Authentication for my Gmail (just in case) but had left the Microsoft one turned on. When I installed the Microsoft Authenticator App I had, of course, to log into it, and it wanted authorization; it flashed up on my broken mobile and luckily the [approve] button was on the left-hand side of the screen, so I was able to authorize the app on my new phone.

Somewhere I do have the code for the Microsoft account that I printed out, but is there no other way? I am now paranoid, because if I lost my phone or it died completely I would be screwed. Wouldn't it be better to just use text messages, as you can just put the SIM into a new phone and it will work on any phone, since the account is tied to your phone number rather than the actual phone?

I think I am going to have to get a spare phone that is kept in the safe at home, use the app on there, and also have everything tied to the phone number on it.

I know that using 2 Factor Authentication is highly recommended, but there are also issues.

What do others do in regards to 2 Factor Authentication issues and what are the best ways to ensure you don't get locked out completely?
 

redlegs87

Member
you could get something like pushbullet pro that pushes notifications to your pc. Mine does this and I just click accept on that if I am at my pc.

Also you should be able to select another method such as text.
 

Primus

Member
1) Backup codes.

2) Switch to Authy, which can cloud backup your settings so migrating to a new device is nothing.
 

Tathanen

Get Inside Her!
you could get something like pushbullet pro that pushes notifications to your pc. Mine does this and I just click accept on that if I am at my pc.

Well gosh, that just totally defeats the point of 2FA, doesn't it?

Assuming someone's trying to log into something via your computer at least.
 
Somewhere I do have the code for the Microsoft account that I printed out

good

wouldn't it be better to just use text messages

no, it would be significantly worse because then someone can steal your account by impersonating you to the phone company, which is surprisingly easy

What do others do in regards to 2 Factor Authentication issues and what are the best ways to ensure you don't get locked out completely?

use a password manager, keep the 2fa backup codes securely in the password manager, and use multiple backup solutions for your password manager's database file
 

Guess Who

Banned
Well gosh, that just totally defeats the point of 2FA, doesn't it?

Assuming someone's trying to log into something via your computer at least.

Might as well not have codes go to your phone either, because what if someone's trying to log in with your phone?

2FA is not designed to protect against someone also stealing your trusted device in addition to your password.
 

XBP

Member
Two things that help with this:

1. Using Authy or a 2 factor solution that you can open with your browser as well.

2. Using a password manager's secure notes feature to backup codes for these accounts. This way you're not printing them off or storing them in plain text in your documents folder.
 

tim.mbp

Member
Another authy user. Think I switched because Humble Bundle requires it for 2fa. There's also a browser extension which makes using it convenient.
 

kyser73

Member
good

no, it would be significantly worse because then someone can steal your account by impersonating you to the phone company, which is surprisingly easy

use a password manager, keep the 2fa backup codes securely in the password manager, and use multiple backup solutions for your password manager's database file

Yeah.

No.

Terrible idea. Password managers are a single point of failure as it is, stuffing one full of your 2fa backup codes alongside your password is extremely risky.

At the very least use another password locker (i.e. another provider) for the 2fa codes.

Lol wut. Is this from experience or just what you think?

Look up the phrase 'social engineering' - impersonation to support desks is one of the oldest methods of gaining access to people's stuff.
 

XBP

Member
Yeah.

No.

Terrible idea. Password managers are a single point of failure as it is, stuffing one full of your 2fa backup codes alongside your password is extremely risky.

At the very least use another password locker (i.e. another provider) for the 2fa codes.

Look up the phrase 'social engineering' - impersonation to support desks is one of the oldest methods of gaining access to people's stuff.

If they have your passwords then your backup codes are kinda pointless as well.
 

Primus

Member
Another authy user. Think I switched because Humble Bundle requires it for 2fa. There's also a browser extension which makes using it convenient.

I had been a dedicated Google Authenticator user, but had to start using Authy for Twitch 2FA. When I moved to a new phone last year, I found there was no way of backing up and moving Google Authenticator to the new phone, and since I was going to have to re-do everything anyways, I migrated everything to Authy. Never looked back.
 

Zabka

Member
I had a similar situation. Since I'm on T-Mobile I bought a $25 feature phone running on my same number as a backup. Also I have backup codes stored in a safe place.

T-Mo also has a desktop client that can receive texts but I had a bunch of issues with it.

Lol wut. Is this from experience or just what you think?

I remember there was a wave of youtubers getting hit by a scam involving this.
 

Lord Error

Insane For Sony
Look up the phrase 'social engineering' - impersonation to support desks is one of the oldest methods of gaining access to people's stuff.
You are only at any real risk of this if you are a celebrity, or if you have someone close to you who plain hates you. In which case I'd say you have a bigger worry than keeping passwords safe. For a normal person, SMS authentication is the most sane and reliable option.
 

LoveCake

Member
How is this a thread?

Backup codes are a thing.

I was worried. I do have back-up codes, but when things like this happen people like myself sometimes panic. When the Microsoft app asks for approval and you are not able to either press the screen or have lost the phone/device completely, what is the option for entering the back-up code? I admit I am a pessimist and I want to know the process beforehand. I was prodding at my phone's screen in vain, hoping it would work so I could port my data over to the new phone, but it wouldn't work.

Hopefully this thread has helped people 'just in case' or to set-up 2 Factor Authentication.

When looking about the other day on my Google account they now recommend having another phone as a back-up so you can gain access if you cannot get to your main phone.

Even when I had set up my new phone and had both turned on, when I went to log into my MS account both flashed up on the Microsoft App.

I have not yet had a good look at Authy; it seems to have a few sites that I already use that I could switch to it, but there doesn't seem to be Microsoft on there.

I think in the coming weeks I will have to get a back-up phone with a new Pay and Go number and keep that at home in the safe as a back-up device.
 
use a password manager, keep the 2fa backup codes securely in the password manager, and use multiple backup solutions for your password manager's database file

But then anyone who breaks into the password manager can access the account. At that point, what is the advantage of 2FA over a standard password? (Assuming said password is generated by and stored within a good password manager)

I understand writing down and/or printing out backup codes, but I always lose papers. Which is why I always store stuff digitally.
 

antibolo

Banned
I keep my backup codes as photos synced to my iCloud account.

If they have your passwords then your backup codes are kinda pointless as well.

Holy shit this couldn't be more wrong. You are COMPLETELY missing the point of 2FA.
 
Lol wut. Is this from experience or just what you think?

Huh? https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

Maybe my phrasing was off, by "surprisingly easy" I really mean "depressingly easy". I would rather trust strong crypto (TOTP) than some company's outsourced customer service department (SMS) for my second factor.

Terrible idea. Password managers are a single point of failure as it is
But then anyone who breaks into the password manager can access the account.

Excellent points, sorry for giving bad advice. I do have my TOTP and backup codes segmented into a separate database that is backed up to a different provider. If you're worried about possible compromise of the password database you're definitely gonna wanna do that.
 
And this is why I prefer having a physical authenticator. Or a separate cheap phone to purely act as an authenticator app. I already had to cry a bit to blizzard last time I needed a new phone.
 

antibolo

Banned
Huh? https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

Maybe my phrasing was off, by "surprisingly easy" I really mean "depressingly easy". I would rather trust strong crypto (TOTP) than some company's outsourced customer service department (SMS) for my second factor.

This article is a bit alarmist. Using SMS for 2FA is perfectly fine for regular people to prevent casual account hacking. Yes it's technically possible to intercept a text message, but at this point we're talking about a highly motivated attack, which is not what most people have to worry about. It also assumes that the attacker knows the cell phone number tied to the account.

The whole point of 2FA is to add another wall between your account and an attacker. It doesn't need to be perfect, it just needs to provide an extra layer of inconvenience to a potential hacker to make your account not worth the trouble to hack into.
 

LoveCake

Member
Do you just set up Authy with an email and password and then you can just log into it on any device you install it on?

How do you migrate sites where you already have 2FA to Authy?

Sorry for these newbie questions, I don't want to mess anything up whilst trying to set this up, I had a real job trying to get Twitter to recognise my mobile phone number.
 

Beeks

Member
2) Switch to Authy, which can cloud backup your settings so migrating to a new device is nothing.

Ding ding ding. Authy works fantastically, as soon as I get a new device the first app I download is Authy, restore my 2FAs, and then get everything else up and running. Also makes it easy to have a spare authenticator set up on my tablet for all my accounts in case I need to unexpectedly hard reset my phone. Has been a lifesaver multiple times.

How do you migrate sites where you already have 2FA to Authy?

If you go into the 2FA settings for each site and tell them you want to set up a new authenticator, they will either generate a long character string or a QR code that generates the settings for that site's 2FA code. Enter or scan that into Authy, and you're all set.
 

LoveCake

Member
Ding ding ding. Authy works fantastically, as soon as I get a new device the first app I download is Authy, restore my 2FAs, and then get everything else up and running. Also makes it easy to have a spare authenticator set up on my tablet for all my accounts in case I need to unexpectedly hard reset my phone. Has been a lifesaver multiple times.

If you go into the 2FA settings for each site and tell them you want to set up a new authenticator, they will either generate a long character string or a QR code that generates the settings for that site's 2FA code. Enter or scan that into Authy, and you're all set.

Ok thank you, I still have the upgrade to the new Android version Nougat to run and install first, then I will have a look at setting Authy up, I just don't want to mess anything up and end up getting locked out :/
 
Lol wut. Is this from experience or just what you think?

It's real.

Happened to Ethan and Hila, h3H3 that popular YouTube channel. Basically someone called TMobile and pretended to be a TMobile employee and got a replacement sim sent to them, then loaded that into a new phone, requested a password reset/2factor auth, and then got the codes. Even after Ethan called Tmobile (or whoever) and told them "DONT SEND ANY SIMS TO ANYBODY," some CSR at TMobile still did it.

It's happened to others as well but that was a prominent one that I knew of.
 
You can set up multiple ways of getting your two factor code. Set it to be primarily the app, but have a phone number or a separate email account as backup.
 

louiedog

Member
Wells Fargo is my bank. For the last couple of months two factor texts haven't been coming through.

Today I requested a call, which has been working, and I didn't get it for like 10 minutes at which point it expired. I then got locked out for requesting too many hoping my other number would work and trying a couple of times. I cannot currently pay off my credit card. I'm going to have to disable the security feature when I get back in which sucks.

Why does my bank have shittier implementation than even EA?
 

thespot84

Member
I'm interested in lastpass's new cloud backup feature, which would solve this issue. It allows you to restore in case your phone is gone AND it doesn't use IMEI so it's not vulnerable to someone spoofing your sim card.

In short, lastpass authenticator stores your codes in the cloud tied to your lastpass account.

They claim it's secure because attackers would have to have both access to your account AND access to your device in order to restore the codes. That or break AES 256. It seems reasonable on its face, mostly bypassing the single point of failure worry.

Curious everyone's thoughts.

https://blog.lastpass.com/2017/05/a...asier-multifactor-security-for-everyone.html/

https://lastpass.com/support.php?cmd=showfaq&id=11272

https://nakedsecurity.sophos.com/20...backup-option-sunny-skies-or-a-brewing-storm/
 

louiedog

Member
I'm interested in lastpass's new cloud backup feature, which would solve this issue. It allows you to restore in case your phone is gone AND it doesn't use IMEI so it's not vulnerable to someone spoofing your sim card.

In short, lastpass authenticator stores your codes in the cloud tied to your lastpass account.

They claim it's secure because attackers would have to have both access to your account AND access to your device in order to restore the codes. That or break AES 256. It seems reasonable on its face, mostly bypassing the single point of failure worry.

Curious everyone's thoughts.

I use lastpass as my password manager and authy for my two factor. I worry about one vulnerability taking down both lastpass passwords and two factor which gives the attacker everything they need to get into my accounts. Using two services, even if neither is as secure as keeping everything local, means they'd have to get at both at the same time.
 

thespot84

Member
I use lastpass as my password manager and authy for my two factor. I worry about one vulnerability taking down both lastpass passwords and two factor which gives the attacker everything they need to get into my accounts. Using two services, even if neither is as secure as keeping everything local, means they'd have to get at both at the same time.

The point I'm wrestling with is the lastpass cloud design is such that in the event of a total breach of lastpass the attacker would still need my device to get into any of my accounts that use two factor, even if the master password were compromised.

This seems to provide the same protection as authy, doesn't it? Only the accounts protected by 2fa are protected in either case, everything else is compromised.
 

Kyuur

Member
If you fail to have a backup you usually just contact customer service. There is no scenario in which you are permanently locked out due to 2FA, although you may be delayed in access.
 

LoveCake

Member
If I lose my phone I guess I lost my Playstation and steam accounts 😯

This is the issue I was raising: if the Windows app had Deny - Allow instead of Allow - Deny (due to the issue with my screen) I could have been locked out of my email and Xbox, and if I had lost my phone or was unable to retrieve the SIM card then it would have potentially been even worse. The amount of phones that get lost, stolen or badly damaged is a very real risk to 2FA imo.
 

thespot84

Member
This is the issue I was raising: if the Windows app had Deny - Allow instead of Allow - Deny (due to the issue with my screen) I could have been locked out of my email and Xbox, and if I had lost my phone or was unable to retrieve the SIM card then it would have potentially been even worse. The amount of phones that get lost, stolen or badly damaged is a very real risk to 2FA imo.

Both Authy and Lastpass will back up your codes. You can also set up another device that you also scan the QR code to before confirming, and now your codes are on two devices. That, or use recovery codes as intended and go through the PITA of recovering all your accounts when you lose your device.
 
This is the issue I was raising: if the Windows app had Deny - Allow instead of Allow - Deny (due to the issue with my screen) I could have been locked out of my email and Xbox, and if I had lost my phone or was unable to retrieve the SIM card then it would have potentially been even worse. The amount of phones that get lost, stolen or badly damaged is a very real risk to 2FA imo.

Yep, but why would companies care? They use 2FA to shift blame onto the user if something happens to their accounts.
 