
Magnus

Member
Oct 25, 2017
8,395
Basically, most of the numbers (if not all) randomly generated by computers aren't actually random, as they rely on things like the clock. So what these apps do is use the same "seed" that the authenticator will want, so they both end up generating the same number.
Wouldn't this mean that anybody logging in with an authenticator app and your username and password would be able to get in?
 

GamerJM

Member
Nov 8, 2017
15,729
You'd rather lose access to potentially thousands of dollars worth of content and put any cards at risk (if they are saved to accounts) vs the very minor inconvenience of using 2fa?!

and you don't always have to have it on you, especially if you've already logged on via that device or on that network.

I don't tie any of my cards to my accounts and I have experience dealing with customer support to get my accounts back.

It's not a "minor inconvenience". My phone's battery doesn't last an entire day anymore and I'd have to buy a new one (or at least a new battery) to have it on me at all times.
 

Desma

"This guy are sick"
Member
Oct 27, 2017
5,304
Wouldn't this mean that anybody logging in with an authenticator app and your username and password would be able to get in?
You know Minecraft?

It randomly generates a new world every new game, but you also have the option to give it a fixed "seed" value (Like "2033394339" for example).
If you generate a new world with that seed value, it will always generate the same world every time.

But you still need that seed for it to generate said value, and authentication apps generate said seed every time you set a new account on them.
So even if you use the same app, it generates different numbers for each individual user, while also generating the same value for both sides.
 

Magnus

Member
Oct 25, 2017
8,395
You know Minecraft?

It randomly generates a new world every new game, but you also have the option to give it a fixed "seed" value (Like "2033394339" for example).
If you generate a new world with that seed value, it will always generate the same world every time.

But you still need that seed for it to generate said value, and authentication apps generate said seed every time you set a new account on them.
So even if you use the same app, it generates different numbers for each individual user, while also generating the same value for both sides.
So this makes sense to me, but don't you need to somehow connect the authenticator app you choose to the company or website you're attempting to log into? I was told that somehow these authenticators would work without that connection being made, and that's what's wrinkling my brain.
 

Desma

"This guy are sick"
Member
Oct 27, 2017
5,304
So this makes sense to me, but don't you need to somehow connect the authenticator app you choose to the company or website you're attempting to log into? I was told that somehow these authenticators would work without that connection being made, and that's what's wrinkling my brain.

I don't think it's exactly a connection being made, but when you get that QR Code that you have to scan on your authenticator app, the info needed for the authenticator to generate the correct values is probably in that QR code.
 
Oct 27, 2017
1,142
I don't think it's exactly a connection being made, but when you get that QR Code that you have to scan on your authenticator app, the info needed for the authenticator to generate the correct values is probably in that QR code.

Correct. The QR contains a unique code, just for you. This code will remain the same until you turn off 2FA or reset it. The authenticator app stores and uses this code plus the current time to generate a 2FA code.
The website has also stored your unique code and will calculate the required 2FA code. If the inputted code matches, it will let you log in.
The time based component requires that your phone has the correct time set. If it's off by too much, it will generate codes that have already expired or codes that are not valid yet.
 

Zyrokai

Member
Nov 1, 2017
4,278
Columbus, Ohio
Any experts here? I have both Google Authenticator and Microsoft Authenticator. I would like to use only one, but I don't know if it's hard to switch. I only have one account (my Nintendo Account) linked to Google Authenticator. Possible to switch at all? Or is it sealed in blood? Lol.
 

Duck Sauce

Member
Oct 30, 2017
2,454
United States
Any experts here? I have both Google Authenticator and Microsoft Authenticator. I would like to use only one, but I don't know if it's hard to switch. I only have one account (my Nintendo Account) linked to Google Authenticator. Possible to switch at all? Or is it sealed in blood? Lol.
Log in to your Nintendo account and deactivate the 2FA. Then re-enable and scan the QR code with the Microsoft Authenticator. Delete the Google Authenticator and never use again.
 

KanameYuuki

Member
Dec 23, 2017
2,666
Colombia
I used to have the Google one but apparently if you lose that phone you are so screwed so switched to Authy, people say it isn't as bad if that happens so I hope that is the case.

Don't forget to save in a safe place / print not only the recovery codes but also a lot of people recommend to save the original QR code / key that you used to generate your 2FA.
 

HououinKyouma

The Wise Ones
Member
Oct 27, 2017
8,387
Is it a PITA to transfer access from Google Authenticator to Authy? I've been hearing more horror stories about trying to recover accounts, and I want to try and avoid that in the future. Thankfully I only have a few accounts connected.

Edit - Ah, looks like this was already answered in a prior post. I'll have to follow through and see.
 

StarStorm

"This guy are sick"
Avenger
Oct 25, 2017
7,620
I have 2FA on all my important accounts. Some still use SMS and it doesn't allow a VOIP number such as Google voice. Just anxious that I'll get simhacked one day.

One time I was really screwed was when my phone died due to the motherboard failing and that component had to get replaced. Worst thing is they had to factory reset it, so even when I got it back, I had no access and had to call customer support to remove the authenticator. So as long as I don't lose my phone or it doesn't die on me lol, I'm good.

I might transfer to Authy from GA as long as it isn't too troublesome.
 

headspawn

Member
Oct 27, 2017
14,646
Should have this thread bumped once a month, some people just don't seem to take it seriously until they're fucked.

Probably dudes skipping by this thread with 'Pa55word1234' as their password thinking they're witty and that it is enough since nothing has happened to them yet.
 

Kouriozan

Member
Oct 25, 2017
21,228
I don't own a phone tho, on PC Authy still wants a phone number.
Oh, it wants a phone number? I was ready to switch solely for that but I have no phone either, so it would be the same.
Ehh, it's fine, I've been using Google Auth for 4 years without issues and I've written my backup codes if the worst has to happen.
I've also generated new passwords again with Bitwarden just last week.
 

Deleted member 3208

Oct 25, 2017
11,934
Have been doing this for years. Recently added Bitwarden to the mix.
 

StarStorm

"This guy are sick"
Avenger
Oct 25, 2017
7,620
Quickly deactivated 2FA on GA and reactivated on Authy. It prompted me to set up a password for encrypted online backups? Made a password anyway. The only account that had trouble scanning the QR code was my Yahoo one, so I had to manually enter a 20 digit code. Authy requires a phone number which GA doesn't. Been using GA for 5 years and had no issue outside of my phone dying.

Made new backup recovery codes and saved it on a thumb drive. I had those codes on my PC for years, so I just moved them off.
 

TeenageFBI

One Winged Slayer
Member
Oct 25, 2017
10,319
Steam allows you to just get the code as an email though. It's basically even more simple than a 2FA app.
I had no idea this was possible. I feel like it wasn't when the app authenticator first went live.

..but I just disabled my authenticator app and Steam defaulted to email authentication. Much better. I'd still prefer to use a real 2FA app though.
Don't you want those recovery codes somewhere else than on your PC?
Ideally the backup codes would be protected in a password manager of some sort. That way someone can't just break into your accounts if they have that USB stick.
 

Damaniel

The Fallen
Oct 27, 2017
6,544
Portland, OR
I just recently moved to Authy from Google Authenticator. Highly recommended

I assume you have to turn off 2FA on all of your accounts secured with Google Authenticator and then re-enable them with Authy. I have somewhere in the neighborhood of 30 accounts tied to Google Auth and some of them would be a huge pain to get new keys for (like some of my work related stuff). I know that Google's kind of sucks, but I'm not sure it's worth hours worth of effort to switch at this point.
 
OP
DFG


Self requested ban
Banned
Oct 25, 2017
3,591
I assume you have to turn off 2FA on all of your accounts secured with Google Authenticator and then re-enable them with Authy. I have somewhere in the neighborhood of 30 accounts tied to Google Auth and some of them would be a huge pain to get new keys for (like some of my work related stuff). I know that Google's kind of sucks, but I'm not sure it's worth hours worth of effort to switch at this point.
I'm still waiting for them to add another option to 'Export' to other 2FA apps for ease of use, but it'll never happen.
 

StarStorm

"This guy are sick"
Avenger
Oct 25, 2017
7,620
Ideally the backup codes would be protected in a password manager of some sort. That way someone can't just break into your accounts if they have that USB stick.
So another password manager for the backup codes? Not in the same ones where you store your passwords. If it ever gets compromised, they have access to your accounts.
Haven't put much thought on where to store the backup codes. Some recommend encrypting it, make a hard copy and put it in a deposit box, others say in your wallet.

As long as I don't lose my phone, I'm good. I've used my backup codes less than a handful of times.
 

skullmuffins

Member
Oct 25, 2017
7,443
...why go through the whole process of setting up 2FA if you end up doing the equivalent of writing your password on a sticky note 😦
a thumb drive stashed somewhere in your house is not much of a security risk imo. even if some thief ransacked your place and stole it (and a <$5 usb drive is probably not a prime target of theft, I have a dozen of them containing absolute garbage), without also having the corresponding username/passwords they're not going to get anywhere with it. and it's very easy to put your backup codes behind a password in an encrypted zip file or w/e for an extra layer of security. this isn't the same as writing username:password on a post-it stuck to your monitor
 

flipswitch

Member
Oct 25, 2017
3,978
Does Microsoft Authenticator work for Mac? I have it on iOS but would like it to have on my Mac.
 

Mass Effect

One Winged Slayer
Member
Oct 31, 2017
16,908
...why go through the whole process of setting up 2FA if you end up doing the equivalent of writing your password on a sticky note 😦

If someone breaks into my house, finds a hidden USB drive, AND knows how to crack a password-protected folder, then I was fucked no matter what.

Not much I can do about such determined and gifted criminals.
 

flipswitch

Member
Oct 25, 2017
3,978
I am using my mobile number for 2step with Sony, there doesn't seem to be a way to use an authenticator.


edit: I am using Google Authenticator, got confused.
 

TeenageFBI

One Winged Slayer
Member
Oct 25, 2017
10,319
So another password manager for the backup codes? Not in the same ones where you store your passwords. If it ever gets compromised, they have access to your accounts.
I keep my backup codes in my one password database. It's not as secure as what you're suggesting but good luck getting into my password manager. Complex password, powerful encryption. Database deletes itself after a few failed attempts which stops someone that happens to steal one of my devices.

On the off chance someone manages to get my encrypted password database from the cloud and tries to break in offsite, they would also need a key file that's stored in a different location.

If someone gets through all of that (plus device-level encryption), I guess they deserve the passwords.
 

Edward850

Software & Netcode Engineer at Nightdive Studios
Verified
Apr 5, 2019
998
New Zealand
I've had someone try to explain it to me before but I don't get it. How do third party authenticators work when they don't have a back-end connection to the company they're providing authentication for? Like, for example, I know how the battle net authenticator works because when I'm logging into a blizzard game or the blizzard app, their authenticator app is tied to my phone and provides me with a code that only I with my phone could know. So how does a third party authenticator provide a number that Blizzard would recognize?
So this makes sense to me, but don't you need to somehow connect the authenticator app you choose to the company or website you're attempting to log into? I was told that somehow these authenticators would work without that connection being made, and that's what's wrinkling my brain.
The simple run down is this: A 2FA code is a pre-generated static code key + time. The output you see in the authenticator is 100% predictable if you know both the initial code and what the current time is, it's not actually random. Both ends (the server & your authenticator) already know the initial code key, and they both have clocks that are in sync. Math is used to scramble the output from the initial code based on what the time is, you give the output to the server and the server compares it to its own code with the same time. It won't check codes past a certain period of time, and the outputted codes you see aren't feasibly reversible (like hashes) so they are secure as long as no-one learns the initial key used to generate them.

This is why you don't need an internet connection, because all the variables are already known to both ends, the rest is just deterministic mathematics with time as the variable. If you always feed the mathematics the same time it would always give you back the same code (this also means if your or the server clock is wrong, your codes won't work), the methodology at play here is that the clocks are always moving forward, and the output isn't mathematically reversible in the same way as file hashes.
 
Last edited:

kyorii

Member
Oct 25, 2017
2,986
Splatlandia
I assume you have to turn off 2FA on all of your accounts secured with Google Authenticator and then re-enable them with Authy. I have somewhere in the neighborhood of 30 accounts tied to Google Auth and some of them would be a huge pain to get new keys for (like some of my work related stuff). I know that Google's kind of sucks, but I'm not sure it's worth hours worth of effort to switch at this point.
Yeah, I spent about an hour but hearing all the horror stories about Google authenticator imploding or losing it pushed me to do it
 

ApexNorth

Member
Oct 27, 2017
1,178
Reminds me that I still need to finish transferring over from Google to Authy. I used Microsoft Authenticator for a while but then it bugged out on me and refused to work with my Windows PC.
 

Rosebud

Two Pieces
Member
Apr 16, 2018
43,984
...why go through the whole process of setting up 2FA if you end up doing the equivalent of writing your password on a sticky note 😦

I don't get this, having it offline in your house is safer than online in the cloud. The only way to gain access is physically stealing it, and that's not the main threat.
 

UltraInstinct

Member
Nov 19, 2017
1,099
I understand that Authy is better than Google Authenticator mainly due to the fact that if you lose your phone, you don't lose your codes, however, you can always print screen or take a picture of the QR code you set up for the first time and just store it somewhere safe. This way, you can always reference the code if you ever need to swap your phone for whatever reason.
 

DiipuSurotu

Banned
Oct 25, 2017
53,148
I understand that Authy is better than Google Authenticator mainly due to the fact that if you lose your phone, you don't lose your codes, however, you can always print screen or take a picture of the QR code you set up for the first time and just store it somewhere safe. This way, you can always reference the code if you ever need to swap your phone for whatever reason.
Sounds more convoluted than just using Authy
 

Magnus

Member
Oct 25, 2017
8,395
I don't think it's exactly a connection being made, but when you get that QR Code that you have to scan on your authenticator app, the info needed for the authenticator to generate the correct values is probably in that QR code.
Ah this is the information I was looking for. The hurdle for me right now is understanding how the authenticator app is initially connected to the service that you're trying to log into. I'm having trouble understanding how all of this could work without that initial connection being made.

The manner in which the code is generated, which I appreciate everyone trying to explain, that part makes sense to me.
 

Abaddon

Member
Oct 25, 2017
676
The great thing about Authy is you have control of the multi-device access - so what I usually do is toggle it on when I get a new device I want to add, set it all up, then toggle Multi-Device off. Everything already connected will still work, but it will stop any attempt at adding additional devices. From that screen you can also see what devices have access and remove access, to the point of going nuclear and removing everything except the current device if you're not sure.
 

Jobbs

Banned
Oct 25, 2017
5,639
reminder that google authenticator does not backup and automatically restore if you buy a new phone. use literally anything else

I've been using google authenticator for a while -- Since I'm fortunate enough to have both a phone and a tablet, I just export my stuff to the tablet as well, that way I have a redundancy. It's super easy/quick to copy over things between devices using the QR code
 

Nakenorm

"This guy are sick"
The Fallen
Oct 26, 2017
22,519
Hey, Swede here. I got a US account I buy a lot of ps4 games on, can I have 2FA on that as well? Would it work with my Swedish phone number?
 

ResetGreyWolf

Member
Oct 27, 2017
6,446
I used Google Authenticator for a while. I just never got on with the thing (code window so narrow it was often changed by the time I'd got the page to load if signal wasn't perfect).

Then I found out as I was about to get a new phone that I would be locked out if I didn't disable it on all my accounts first as it doesn't transfer over.

Yeah, Google Auth is the worst 2FA option out there. Use literally anything else over it.

This is not true. You can transfer your codes from one phone to another with Google Auth. I also don't get the issue with the "code window" being narrow, but the codes are intentionally being replaced at a fixed interval.