Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information

 Actions

Two-factor authentication 2FA

Google authenticator is the most popular 2FA application

TODO: image of Google authenticator.

Users tend to loose 2FA backup codes.

TODO: image of a 2FA backup code.

Users tend to not backup 2FA backup codes since no (popular) services enforces [1] backups. Or users loose their 2FA backup codes and then when they loose the device used to generate 2FA codes, they will lock themselves out.

Common misconception: Google 2FA backup login codes cannot restore 2FA for services other than google. These are only a way to login into a google account after having lost access to the 2FA device.

Google authenticator doesn't have a backup function.

Popularly used 2FA is not:

When does 2FA work:

  • When users fail victim to spear phishing, i.e. when they send their login password (and maybe even 2FA code) by e-mail to an attacker. By the time the attacker receives the message, the 2FA code is either missing (not sent by user) or if the user is lucky, already expired.
  • It results in weakly protected logins due to weak passwords getting stronger.
  • A shoulder surfed password alone is not enough to login.

When does 2FA not work:

  • When the user's device is already infected by malware. In that case a trojan horse can simply take over the login session without the user's knowledge.

Possible de-anonymization when using the following apps on a non-torified device:

  • authy requires an internet connection
  • Symantec VIP requires an internet connection

Google authenticator desktop application replacement:

keepassxc can be used as a replacement for Google Authenticator (actually TTOP, Time based One Time Password) on desktop computers on Windows, Qubes OS (recommended), Linux (recommended) or Mac.

Footnotes[edit]

  1. Like bitcoin wallets enforce retyping the wallet mnemonic seed.

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Did you know that anyone can edit the Whonix wiki to improve it?


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.