
Two-factor authentication 2FA

From Whonix



Documentation for this is incomplete. Contributions are happily considered!

Google Authenticator is the most popular 2FA application.

TODO: image of Google authenticator.

Users tend to lose 2FA backup codes.

TODO: image of a 2FA backup code.

Users tend not to back up 2FA backup codes since no (popular) service enforces [1] backups. Or users lose their 2FA backup codes, and then when they lose the device used to generate 2FA codes, they lock themselves out.

Common misconception: Google 2FA backup login codes can restore 2FA for services other than Google. They cannot. These codes are only a way to log in to a Google account after having lost access to the 2FA device.

Google Authenticator doesn't have a backup function.

Popularly used 2FA is not:

When does 2FA work:

  • When users fall victim to spear phishing, i.e. when they send their login password (and maybe even a 2FA code) by e-mail to an attacker. By the time the attacker receives the message, the 2FA code is either missing (not sent by the user) or, if the user is lucky, already expired.
  • Logins that are weakly protected by weak passwords become stronger.
  • A shoulder-surfed password alone is not enough to log in.

When 2FA might work:

  • Sometimes the password databases of third-party services (such as banks and cryptocurrency exchanges) get compromised while their 2FA databases are not compromised by the attacker. In these cases, the probability of losing funds gets lower.
  • When an e-mail provider gets compromised (server compromise by an attacker or a rogue employee), unauthorized access to an e-mail address is often enough to reset passwords. Depending on the policies of the third-party service, changing 2FA credentials may not be so easy. In these cases, account compromise at the third-party service might be prevented.

When does 2FA not work:

  • When the user's device is already infected by malware. In that case a trojan horse can simply take over the login session without the user's knowledge.

Possible de-anonymization when using the following apps on a non-torified device:

  • Authy requires an internet connection
  • Symantec VIP requires an internet connection

Connectivity requirements:

  • The TOTP (Time-based One-Time Password) authentication mechanism does not technically require any internet connection. To our current understanding, Google Authenticator and andOTP do not require an internet connection at the time of writing, but this might change with an (automatic) update.

Google authenticator desktop application replacement:

  • KeePassXC can be used as a replacement for Google Authenticator (actually TOTP, Time-based One-Time Password) on desktop computers running Windows, Qubes OS (recommended), Linux (recommended) or Mac.

Debian

Footnotes

  1. Like bitcoin wallets enforce retyping the wallet mnemonic seed.

