Author Topic: 2FA - pardon my ignorance...  (Read 855 times)


Offline etiTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1801
  • Country: gb
  • MOD: a.k.a Unlokia, glossywhite, iamwhoiam etc
2FA - pardon my ignorance...
« on: July 07, 2021, 12:31:12 am »
2FA, or "Two Factor Authentication" for Google; please pardon my ignorance, but the reason I've always disabled it, is due to not wanting to have to sign back in EVERY TIME I use Google services. Have I misunderstood how it works?

# Will a newly 2FA-signed-in device retain the login?

I can't think of the right phrases to Google, or I'd not be asking something so mundane; I am usually very self-sufficient, software-wise.

Many thanks.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
Re: 2FA - pardon my ignorance...
« Reply #1 on: July 07, 2021, 12:41:34 am »
2FA only comes into play at the same time as normal 1FA. So you will not have to log in more than you already do.
Alex
 
The following users thanked this post: tooki, eti

Offline etiTopic starter

  • Super Contributor
  • ***
  • !
  • Posts: 1801
  • Country: gb
  • MOD: a.k.a Unlokia, glossywhite, iamwhoiam etc
Re: 2FA - pardon my ignorance...
« Reply #2 on: July 07, 2021, 01:11:41 am »
> 2FA only comes into play at the same time as normal 1FA. So you will not have to log in more than you already do.

Thank you mate!
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3051
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: 2FA - pardon my ignorance...
« Reply #3 on: July 07, 2021, 03:00:05 am »
Maybe I can piggyback onto this thread actually.

I don't use 2FA because I see it as complicated and dangerous in that it's likely prone to me getting locked out, this is probably because I don't know what "good simple relatively universal device" exists.

I want something that...

  1. Works at least with Google

  2. Is not an app on a phone or a desktop, I do not carry or have a phone near me most times

  3. Is small that I can hang on my keychain preferably, or similar form to a credit card (like the old SecurID card I used 20 some years ago)

  4. Something that I can have at LEAST one, preferably two spares of, physically, just like spare keys, completely identical so that "it just works"

  5. Works (in authenticating) on all platforms and devices, so likely means, does not need to be plugged into USB to use it for authentication (but setup could)

2FA aficionados - does such a thing exist?

---

Edit to add:  Seems like Limor Fried has similar desires -  https://hackaday.com/2018/01/04/two-factor-authentication-with-the-esp8266/ - so I want something almost the same like that, but not DIY (I could DIY, but I'm not motivated enough to DIY).
« Last Edit: July 07, 2021, 03:20:33 am by sleemanj »
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
Re: 2FA - pardon my ignorance...
« Reply #4 on: July 07, 2021, 03:33:00 am »
I have not used any physical devices, since I'm generally more likely to have my phone with me. From what I understand, YubiKey is the most common solution. But that is USB or NFC. I don't think devices with a screen that cycles the numbers still exist and are actively supported. Although I would get one if there were any.

Ability to enroll multiple devices depends on the service that uses 2FA. I can't tell for Google, since I don't have any physical devices, and it is not clear if you can add multiples.

And as a backup, there are always recovery codes. I store them in a password manager, so chances are I have access to that if I need to log in to Google from a new device and don't have the phone.

But also, I just checked in my profile: "2-Step Verification is ON since Aug 1, 2016". I have never had an issue where I could not login, so I guess I'm fine for now. Of course, it may backfire spectacularly one day.
Alex
 

Offline radar_macgyver

  • Frequent Contributor
  • **
  • Posts: 748
  • Country: us
Re: 2FA - pardon my ignorance...
« Reply #5 on: July 07, 2021, 04:37:21 am »
Have not yet had any trouble with Google or any other service with 2FA. Google offers multiple authentication methods, and also backup codes.

One nice little hack I got from the Security Now podcast is to print out the QR codes used with phone based authenticator apps. This way, when I replace the phone, I load the authenticator app on the new phone, and then scan all the QR codes from the printouts. This is much quicker than going to each website and setting up 2FA all over again.
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: 2FA - pardon my ignorance...
« Reply #6 on: July 07, 2021, 05:17:58 am »
Yep, 2FA is used at the same time you have to type in a password right now. It just adds an extra step to that.

You don't need to have only 2 authentication sources wired up to your 2FA. You can have 3 or 4 different methods enabled. That way if you lose one you still have others. Having a 2nd email account registered with Google also helps a lot with recovering lost login credentials. Technically all of this makes it less secure, but it is still a great deal more secure than a password that could get exposed somewhere by a malicious application or phishing attack. It locks out pretty much all automated attacks, so you would really need to be in the interest of a hacker to particularly target you before they are going to go for breaking into 2FA.

Like all security there is a balance between convenience and security. But given how important a Google account is (especially if most other sites are registered to its Gmail) it makes sense to go through a little bit of inconvenience.  Also the inconvenience mostly comes when you are trying to log in from somewhere else than your house. Google learns what your devices look like and what your IP is, so it tends to not even ask for a password again at home once logged in. But if you take your laptop to another country and connect using the local IP then alarm bells go off, Google asks for a password, notifies you on your phone and email about the login etc... And this is mostly where you would be going through the 2FA process.
« Last Edit: July 07, 2021, 05:19:56 am by Berni »
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3559
  • Country: se
  • SA0XLR
    • My very static home page
Re: 2FA - pardon my ignorance...
« Reply #7 on: July 07, 2021, 06:18:31 am »
The really important part is that you should work really that extra to secure your email. Just since, as was mentioned, the email address and your ability to read and keep safe the communication sent to that account is the prime backup authentication method for a lot of other services. In my personal case, that email is not a big provider. If I want to, I can get in touch with them just by thinking; I'm my own provider. This means that it is harder to fool me, but also that I can't shift blame. And attackers need to target me more specifically; I won't be as much a victim of spray-and-pray attacks.

Besides, MFA devices with air gap exist and continue to be used. The relevant standards are HOTP and TOTP. (good google words)  I'd do Yubikey instead today. It's easy to integrate, and works in a lot of places. With NFC it works in the context of a modern phone too, which is increasingly important.

