Two-factor Authentication (2FA)

From Whonix


Ambox warning pn.svg.png You are your e-mail address! If your e-mail address gets hacked, the attacker might takeover most of your digital identity such as impersonating you on social media, forums, even deplete bank accounts.

Ambox warning pn.svg.png Documentation for this is incomplete. Contributions are happily considered!


Even users who are knowledgeable about bulk phishing or spear phishing can benefit from 2FA.

Ask yourself:

  • What would happen if you lost access to your e-mail address now?
  • What would happen if a malicious third party had exclusive access to your e-mail address while you did not?

In other words, your digital identity is your e-mail address. For many purposes, it's a trust anchor. The person who controls your e-mail address, has major control about most of your digital life.

What happened to other people once an attacker had access to their e-mail account?

  • The attacker sent e-mails to all of the user's contacts asking for money and/or crypto currency transfer to the attacker's account claiming to be the victim.
  • Password recovery requests to all social media accounts.
  • Contacting all social media contacts asking for money too.
  • Harm of reputation due to upload of indecent content, photos, videos to social media or sending inappropriate e-mails.
  • Blackmail of person who's e-mail account got hacked.
  • Sending termination letter to employer, employee, landlord, mobile carrier, banks, etc.

All of this is obviously really bad but damage can be limited through proper use of 2FA.

Common Misconceptions[edit]

  • Requires Google.
    • No. While google authenitcator is the most popular implementation, by no means any Google software is required to take advantage for 2FA.
    • Often services link to, recommend google authenitcator, but any HOTP implementation will work. See #Software Choices.
  • Internet connection required.
    • No. TOTP (Time based One Time Password) authentication mechanism does not require any internet connection.


Users tend to not backup 2FA backup codes since no (popular) services enforces [1] backups. Or users lose their 2FA backup codes and then when they lose the device used to generate 2FA codes, they will lock themselves out.


  • Always set up at least two (2) devices which can generate 2FA one time passwords.
  • Always backup, write down 2FA backup codes in two (2) different places.

Common misconception: Google 2FA backup login codes cannot restore 2FA for services other than google. These are only a way to login into a google account after having lost access to the 2FA device.

Software Choices[edit]

Google authenticator doesn't have a backup function. Non-freedom software. Therefore not the best choice.

Google authenticator desktop application replacement:

  • keepassxc can be used as a replacement for Google Authenticator on desktop computers on Windows, Qubes OS (recommended), Linux (recommended) or Mac. Functional in offline virtual machine (VM).


Most popular, most supported at most services:

  • TOTP, Time based One Time Password (often called "Google Authenticator") although Google Authenticator is not specifically required. See #Software Choices for Freedom Software applications.

Popular but not the most popular:

Threat Model[edit]

When does 2FA work:

  • When e-mail address of the user gets compromised either due to the e-mail provider getting hacked or a rouge employee. In that case, the attacker could be impersonating the user, use the password recovery option of external services such as other e-mail services, financial services, (social media) accounts, etc. The attacker would however the the 2FA one time passwords.
  • When users fail victim to spear [archive] phishing [archive], i.e. when they send their login password (and maybe even 2FA code) by e-mail to an attacker. By the time the attacker receives the message, the 2FA code is either missing (not sent by user) or if the user is lucky, already expired.
  • It results in weakly protected logins due to weak passwords "getting stronger".
  • A shoulder surfed [archive] password alone is not enough to login.

When 2FA might work:

  • Sometimes password databases of third party services (such as banks and crypto currency exchanges) get compromised, their 2FA database does not get compromised by the attacker. In these cases, probability of not losing any funds gets lower.
  • When an e-mail provider gets compromised (server compromise by attacker or rogue employee), having unauthorized access to an e-mail address is often enough to reset passwords. Depending on the policies of the third party service, changing 2FA credentials may not be so easy. In these cases, account compromise at the third party service might be prevented.

When does 2FA not work:

  • When the user's device is already infected by malware. In that case a trojan horse can simply take over the login session without the user's knowledge.


Security Related[edit]

Avoid SMS-based 2FA due to SIM Swap Scam and malicious SMS re-routing [archive] as mentioned on the Account and Mobile Security wiki page.

Anonymity Related[edit]

Possible de-anonymization when using the following apps on a non-torified device:

  • authy requires an internet connection
  • Symantec VIP requires an internet connection
  • Google authenticator / andOTP [archive] do not use the internet at the time of writing to our current understanding but this might change with an (automatic) update.

If anonymity matters, it is strongly recommended to only run 2FA software in non-networked or torified machines.


For reasons of practicality, users might consider for real life, non-anonymous accounts at for example banks could be secured through TOTP generation on multiple non-anonymous devices such as Android and iPhone devices.


See Also[edit]


  1. Like bitcoin wallets enforce retyping the wallet mnemonic seed.

Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Two-factor authentication 2FA&body= link= authentication 2FA link= authentication 2FA link= authentication 2FA%20 authentication 2FA

Want to help create awesome, up-to-date screenshots for the Whonix ™ wiki? Help is most welcome!

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.