You are viewing a single comment's thread from:

RE: "Authy" or Goole 2FA??

in #twofactor7 years ago

Please don't backup your codes online!

I think you may be missing the point. 2FA stands for 2 factor authentication. It should not be possible to get your codes recovered from the web because that removes one of the factors of 2 factor authentication!

The 2 factors in 2FA are something you know (i.e. your password) and something you have (in this case, your phone).

If all a hacker has to do is get to your online backup then all he really needs is 1 factor twice! Your password for your backup and then your password for the site he actually want's access to.

If you want to follow the advice posted here, by switching to Authy then; please do so fully informed that you will be compromising your level of security by doing so.

Do the right thing and write your backup codes down on paper with a pen or pencil that way you can store it in a fireproof safe as that kind of backup is still "something you have".
BONUS: if you store your backups in a bio-metric safe (i.e. something you are, fingerprint/DNA/Retina) then the loss of your phone will actually trigger a 3 factor event to retrieve your codes.

This is all especially relevant now because the current preferred attack on digital personalities depends on compromising someones google account in order to retrieve their saved passwords and/or password recovery email address. The vector for this attack is your cell phone providers customer service department. Unless you trust those people to protect your digital currencies/identity with the same vim and vigor that you would, I highly suggest changing your google account recovery phone number so that it's in no way associated with you.

Make it your third cousin's brother-in-law's boss's phone number or something. That way, when you actually lose your password to your google account you can go stand at cousin bob's brother's boss's desk (much to his confusion I'm sure) and receive your recovery phone call. But... if a Black Hat was to gain control of you phone number and attempt to reset your google password... he would be left dumbfound regarding why the phone didn't ring.

It's also a good idea to start lying on all of your recovery questions!!! That way, if Black Bart the social engineer tries to guess your recovery answers he wont be able to just log into Facebook and see that your mom's maiden name is listed on her profile (so her high school chums can find her easier)! When he answers the correct name in an attempt to recover your password... it will simply be wrong.

7 years ago in #twofactor by
$0.00
    1 vote
    Reply 1
    Sort:  
  • Trending