Two-factor Authentication (2FA)
Even users who are knowledgeable about bulk phishing or spear phishing can benefit from 2FA.
- What would happen if you lost access to your e-mail address now?
- What would happen if a malicious third party had exclusive access to your e-mail address while you did not?
In other words, your digital identity is your e-mail address. For many purposes, it's a trust anchor. The person who controls your e-mail address, has major control about most of your digital life.
What happened to other people once an attacker had access to their e-mail account?
- The attacker sent e-mails to all of the user's contacts asking for money and/or crypto currency transfer to the attacker's account claiming to be the victim.
- Password recovery requests to all social media accounts.
- Contacting all social media contacts asking for money too.
- Harm of reputation due to upload of indecent content, photos, videos to social media or sending inappropriate e-mails.
- Blackmail of person who's e-mail account got hacked.
- Sending termination letter to employer, employee, landlord, mobile carrier, banks, etc.
All of this is obviously really bad but damage can be limited through proper use of 2FA.
- Requires Google.
- No. While google authenitcator is the most popular implementation, by no means any Google software is required to take advantage for 2FA.
- Often services link to, recommend google authenitcator, but any HOTP implementation will work. See #Software Choices.
- Internet connection required.
- No. TOTP (Time based One Time Password) authentication mechanism does not require any internet connection.
Users tend to not backup 2FA backup codes since no (popular) services enforces  backups. Or users lose their 2FA backup codes and then when they lose the device used to generate 2FA codes, they will lock themselves out.
- Always set up at least two (2) devices which can generate 2FA one time passwords.
- Always backup, write down 2FA backup codes in two (2) different places.
Common misconception: Google 2FA backup login codes cannot restore 2FA for services other than google. These are only a way to login into a google account after having lost access to the 2FA device.
Google authenticator doesn't have a backup function. Non-freedom software. Therefore not the best choice.
Google authenticator desktop application replacement:
- keepassxc can be used as a replacement for Google Authenticator on desktop computers on Windows, Qubes OS (recommended), Linux (recommended) or Mac. Functional in offline virtual machine (VM).
Most popular, most supported at most services:
- TOTP, Time based One Time Password (often called "Google Authenticator") although Google Authenticator is not specifically required. See #Software Choices for Freedom Software applications.
Popular but not the most popular:
When does 2FA work:
- When e-mail address of the user gets compromised either due to the e-mail provider getting hacked or a rouge employee. In that case, the attacker could be impersonating the user, use the password recovery option of external services such as other e-mail services, financial services, (social media) accounts, etc. The attacker would however the the 2FA one time passwords.
- When users fail victim to spear [archive] phishing [archive], i.e. when they send their login password (and maybe even 2FA code) by e-mail to an attacker. By the time the attacker receives the message, the 2FA code is either missing (not sent by user) or if the user is lucky, already expired.
- It results in weakly protected logins due to weak passwords "getting stronger".
- A shoulder surfed [archive] password alone is not enough to login.
When 2FA might work:
- Sometimes password databases of third party services (such as banks and crypto currency exchanges) get compromised, their 2FA database does not get compromised by the attacker. In these cases, probability of not losing any funds gets lower.
- When an e-mail provider gets compromised (server compromise by attacker or rogue employee), having unauthorized access to an e-mail address is often enough to reset passwords. Depending on the policies of the third party service, changing 2FA credentials may not be so easy. In these cases, account compromise at the third party service might be prevented.
When does 2FA not work:
- When the user's device is already infected by malware. In that case a trojan horse can simply take over the login session without the user's knowledge.
Possible de-anonymization when using the following apps on a non-torified device:
- authy requires an internet connection
- Symantec VIP requires an internet connection
- Google authenticator / andOTP [archive] do not use the internet at the time of writing to our current understanding but this might change with an (automatic) update.
If anonymity matters, it is strongly recommended to only run 2FA software in non-networked or torified machines.
For reasons of practicality, users might consider for real life, non-anonymous accounts at for example banks could be secured through TOTP generation on multiple non-anonymous devices such as Android and iPhone devices.
- https://packages.debian.org/buster/libpam-barada [archive]
- https://packages.debian.org/buster/libpam-google-authenticator [archive]
- https://packages.debian.org/buster/libpam-blue [archive]
- https://packages.debian.org/buster/libpam-oath [archive]
- https://packages.debian.org/buster/libpam-otpw [archive]
- https://packages.debian.org/buster/libpam-p11 [archive]
- https://packages.debian.org/buster/libpam-poldi [archive]
- https://packages.debian.org/buster/libpam-fprintd [archive]
- https://wiki.debian.org/SecurityManagement/fingerprint%20authentication [archive]
- Like bitcoin wallets enforce retyping the wallet mnemonic seed.