This shit sucks. Especially when you use the Google Authenticator and you factory reset your phone or are unable to backup phone to new phone via android. I've had this happen to me for other gaming accounts and it was a pain in the ass to get the accounts back with new codes. I only stick to 2FA that doesn't rely on that
Maintaining integrity of the device id in such a migration is possible if you know what you're doing, and most of the perpetrators dealing with this business at scale know what they're doing.
Even if your hard drive is cloned to another device (same model and all), wouldn't some fingerprinting data/metadata prevent this from happening? I can see this working in many cases though.
Just don't do it if it's your Nintendo Account and you are not from North America or Japan.
I kid you not, I factory reset my cellphone with my authenticator tokens and lost my access to my Nintendo account because of it. Support for Latin America was garbage and they literally told me there was nothing I could do to recover it, even though I provided all information required. I was locked out of my account forever because they don't have a way to verify your access with a phone message or alternate email.
The experience soured me so much that I sold my Nintendo Switch and I'm never getting one of their products again.
Doing 2FA within KeePass is less than ideal since it's a single point of failure if a) a hacker gets your KeePass DB password or b) you forget your KeePass password and lose everything.
On this note, does anyone print the backup codes that 2FA-enabled sites offer?
I printed them all and stuck them in the safe. I still haven't made up my mind whether it's a good idea or not... but I figured the chances that something happens to my phone or the 2FA apps (it's already happened twice) is much higher than the chance that someone finds out my password and then breaks into my home, finds my safe and cracks it open to also steal the backup codes.
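For readers weighing the printed-backup-codes question above, here is how a site typically issues and redeems such codes. This is an added example, not code from the thread or from any site mentioned in it; the issuance and storage details (code alphabet, length, SHA-256 storage, single use) are assumptions about a reasonable implementation, not a description of any particular provider.

```python
"""Single-use backup (recovery) codes, modelled the way a site issues them.

Added example, not from the thread. Assumed site-side behaviour: codes are
random, shown once in plaintext for the user to print, only a hash of each
code is stored, and each code is consumed on first successful use.
"""
import hashlib
import hmac
import secrets

# Constructed alphabet: no 0/o/1/l/i, so a code read off a printout is unambiguous.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code: str) -> str:
    # Each code carries roughly 50 bits of entropy (31^10), so a fast hash is
    # acceptable; normalise case and hyphens so a hand-typed code still matches.
    normalised = code.replace("-", "").lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def issue_backup_codes(count: int = 10, length: int = 10):
    """Return (plaintext codes to show the user once, hashes for the site to store)."""
    plaintext = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        plaintext.append(f"{raw[:5]}-{raw[5:]}")  # hyphen in the middle for readability
    stored = [_hash_code(c) for c in plaintext]
    return plaintext, stored


def redeem_backup_code(stored: list, candidate: str) -> bool:
    """Consume a code: True if it matched an unused stored hash, which is then removed."""
    digest = _hash_code(candidate)
    for i, h in enumerate(stored):
        if hmac.compare_digest(h, digest):  # constant-time comparison
            del stored[i]                    # single use: a redeemed code never works again
            return True
    return False


if __name__ == "__main__":
    codes, db = issue_backup_codes()
    print("Print these and keep them offline:", *codes, sep="\n  ")
    print("first use:", redeem_backup_code(db, codes[0]))   # True
    print("replay:", redeem_backup_code(db, codes[0]))      # False, already consumed
```

The point for the safe-versus-phone tradeoff in the post: the printed sheet is the only plaintext copy, the site keeps just hashes, and each code dies on first use, so a burglar who photographs the sheet gets at most the unused codes and only until you regenerate the set.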
My password manager (KeePass) has many plugins, one of them lets you store OTP (one-time passwords, meaning 2FA) information in KeePass databases. When I run into a 2FA challenge in my browser I just toggle over to KeePass (presuming I'm logged into the right database) and grab the OTP answer from there. Pretty painless.
Does this product exist:
- An app like Authy or Google Authenticator that gives me similar 2FA functionality BUT...
- Also lets me launch the app in an already-authenticated web browser, etc?
So I use 2FA for everything, but I'd say 95% of my 2FA is SMS or email based and I want to switch over full time to an Authy-like solution. BUT... I keep my phone in my desk like 90% of the day at work, and I keep it in my room at home often, not carrying it around with me. So is there a 2FA app like Authy/GA that lets me also verify/authenticate via some service that can additionally launch in my browser or computer app of an already-authenticated device? I can do this with SMS & email already which is why I usually default to that out of convenience. The phone thing for me is important, I made a conscious decision a few years ago to cut back on phone addiction and like having my phone not on my person at all times.
*edit*
Ooh... Authy might also work as a Chrome extension? That'd probably solve my use case.
The other day I got a message on my phone from Google telling me that somebody tried to access my Gmail account and I said it wasn't me. Changed my password right away but I still wonder how the hell they even knew it to begin with.
Microsoft also has the "Safe" inside the OneDrive. It only opens with fingerprint scan. (I'm not sure how it opens on desktop.) So, that is three layers of security at least.
Someone just tried getting into my Microsoft account. Thankfully, I have 2FA on, and was able to stop all attempts.
Just a friendly reminder for you to do the same on all your eligible accounts.
Edit: I'm not saying this is bulletproof. I'm saying it helps. A lot.
Nothing there that applies to me.
Have I Been Pwned: Check if your email has been compromised in a data breach
Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.haveibeenpwned.com
If you have 2FA enabled, make sure to guard your phone with your life. If you drop it down a sewer drain and you can't find your access codes, say bye-bye to your accounts.
This should be a universal standard IMO.
If you use Authy, you can put the same 2FA authentication tokens on multiple devices. So no single point of loss.
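The KeePass-plugin post earlier and the Authy multi-device post above both rest on the same property: a TOTP code is a pure function of the shared secret and the clock, so every copy of the secret produces the same six digits, and losing the only copy (factory reset, phone down the drain) loses the factor. The following is an added example implementing RFC 6238 from scratch; it is not code from the thread, KeePass, Authy or Google Authenticator, and the verification window of one 30-second step is an assumed, common tolerance for clock skew rather than any provider's documented setting.

```python
"""RFC 6238 TOTP computed from the shared base32 secret alone.

Added example, not from the thread or from any authenticator app. Two
'devices' holding the same secret agree on every code, which is why a
KeePass entry or a second Authy install is a valid backup of the factor.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for the secret at Unix time `at` (default: now)."""
    # Authenticator QR codes carry the secret as unpadded base32; restore padding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.

    Every step in the window is checked, and each comparison is constant-time,
    so the accept/reject decision does not leak which step matched.
    """
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret_b32, at + delta * 30), candidate)
    return ok


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key, base32-encoded); not a real account.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    phone, keepass_copy = totp(secret), totp(secret)   # two holders of the same secret
    print("phone:", phone, "keepass:", keepass_copy, "agree:", phone == keepass_copy)
```

The design consequence the thread circles around: whatever holds the secret is a full second factor, so a KeePass database with OTP entries and the login password in it collapses two factors into one (the concern raised about KeePass earlier), while a second authenticator device is a genuine backup only if the secret export itself is protected as carefully as the phone.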
In light of recent events, wanted to bump this thread and ask about app-based 2FA.
I have been using a password manager for quite a while now, but have yet to start using app-based 2FA. The concept's always left me slightly worried/confused about various "what if"/"how screwed am I?" scenarios.
I know that if (for whatever reason) I can't get into my password manager (even if temporarily), I can resort to a password reset for most of my accounts. I don't know how that works if I add app-based 2FA into the mix.
I suppose if I started using it for like one account, I'd just get used to it and start using it for everything.
- What if the 2FA company shuts down/kills the app?
- What if the 2FA app gets broken by an OS update?
- What if my phone dies and I need to factory reset or replace it?
- Are there various 2FA apps that are/aren't supported by different sites, so you'd end up needing multiple services, or are they one-size-fits-all?
- If I left my phone at home, and didn't have any other devices with the 2FA app on hand, am I SOL until I get back to my phone?
So on the new device, you'd download the app, log in, and "deactivate" (all my old tokens are dead) and "reactivate" (get a new token for each site as I log into them)? So I didn't really lose anything in the end, as long as I can log into the same 2FA app on the new device?
3. You'd deactivate and reactivate with a token from your new device. Pretty simple and common.
He might work for 23andMe, he could know
Once or twice I've gotten that iCloud popup showing someone trying to log in from Romania or something, and thought "What the fuck are you trying to do?"
I wish we could trust devices forever on this site with 2FA. Having to reenter a 2FA code every 30 days doesn't sound too bad at face value, but when you factor in the fact that I'm logged in to like 4 different devices, then it gets to be pretty annoying.