Two-factor Authentication (2FA)

From Whonix

(Redirected from 2FA)

Ambox warning pn.svg.png Documentation for this is incomplete. Contributions are happily considered!

Google authenticator is the most popular 2FA application

TODO: image of Google authenticator.

Users tend to lose 2FA backup codes.

TODO: image of a 2FA backup code.

Users tend to not backup 2FA backup codes since no (popular) services enforces [1] backups. Or users lose their 2FA backup codes and then when they lose the device used to generate 2FA codes, they will lock themselves out.

Common misconception: Google 2FA backup login codes cannot restore 2FA for services other than google. These are only a way to login into a google account after having lost access to the 2FA device.

Google authenticator doesn't have a backup function.

Popularly used 2FA is not:

When does 2FA work:

  • When users fail victim to spear [archive] phishing [archive], i.e. when they send their login password (and maybe even 2FA code) by e-mail to an attacker. By the time the attacker receives the message, the 2FA code is either missing (not sent by user) or if the user is lucky, already expired.
  • It results in weakly protected logins due to weak passwords getting stronger.
  • A shoulder surfed [archive] password alone is not enough to login.

When 2FA might work:

  • Sometimes password databases of third party services (such as banks and crypto currency exchanges) get compromised, their 2FA database does not get compromised by the attacker. In these cases, probability of not losing any funds gets lower.
  • When an e-mail provider gets compromised (server compromise by attacker or rogue employee), having unauthorized access to an e-mail address is often enough to reset passwords. Depending on the policies of the third party service, changing 2FA credentials may not be so easy. In these cases, account compromise at the third party service might be prevented.

When does 2FA not work:

  • When the user's device is already infected by malware. In that case a trojan horse can simply take over the login session without the user's knowledge.

Possible de-anonymization when using the following apps on a non-torified device:

  • authy requires an internet connection
  • Symantec VIP requires an internet connection

Connectivity requirements:

  • While TOTP (Time based One Time Password) authentication mechanism does not require any internet connection technically. However. Google authenticator / andOTP does not require an internet at the time of writing to our current understanding but this might change with an (automatic) update.

Google authenticator desktop application replacement:

  • keepassxc can be used as a replacement for Google Authenticator (actually TOTP, Time based One Time Password) on desktop computers on Windows, Qubes OS (recommended), Linux (recommended) or Mac.


See Also[edit]


  1. Like bitcoin wallets enforce retyping the wallet mnemonic seed.

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Check out the Whonix ™ News Blog. Rss.png

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.