Two-factor Authentication (2FA)
Google authenticator is the most popular 2FA application
TODO: image of Google authenticator.
Users tend to lose 2FA backup codes.
TODO: image of a 2FA backup code.
Users tend to not backup 2FA backup codes since no (popular) services enforces  backups. Or users lose their 2FA backup codes and then when they lose the device used to generate 2FA codes, they will lock themselves out.
Common misconception: Google 2FA backup login codes cannot restore 2FA for services other than google. These are only a way to login into a google account after having lost access to the 2FA device.
Google authenticator doesn't have a backup function.
Popularly used 2FA is not:
When does 2FA work:
- When users fail victim to spear [archive] phishing [archive], i.e. when they send their login password (and maybe even 2FA code) by e-mail to an attacker. By the time the attacker receives the message, the 2FA code is either missing (not sent by user) or if the user is lucky, already expired.
- It results in weakly protected logins due to weak passwords getting stronger.
- A shoulder surfed [archive] password alone is not enough to login.
When 2FA might work:
- Sometimes password databases of third party services (such as banks and crypto currency exchanges) get compromised, their 2FA database does not get compromised by the attacker. In these cases, probability of not losing any funds gets lower.
- When an e-mail provider gets compromised (server compromise by attacker or rogue employee), having unauthorized access to an e-mail address is often enough to reset passwords. Depending on the policies of the third party service, changing 2FA credentials may not be so easy. In these cases, account compromise at the third party service might be prevented.
When does 2FA not work:
- When the user's device is already infected by malware. In that case a trojan horse can simply take over the login session without the user's knowledge.
Possible de-anonymization when using the following apps on a non-torified device:
- authy requires an internet connection
- Symantec VIP requires an internet connection
- While TOTP (Time based One Time Password) authentication mechanism does not require any internet connection technically. However. Google authenticator / andOTP does not require an internet at the time of writing to our current understanding but this might change with an (automatic) update.
Google authenticator desktop application replacement:
- keepassxc can be used as a replacement for Google Authenticator (actually TOTP, Time based One Time Password) on desktop computers on Windows, Qubes OS (recommended), Linux (recommended) or Mac.
- https://packages.debian.org/buster/libpam-barada [archive]
- https://packages.debian.org/buster/libpam-google-authenticator [archive]
- https://packages.debian.org/buster/libpam-blue [archive]
- https://packages.debian.org/buster/libpam-oath [archive]
- https://packages.debian.org/buster/libpam-otpw [archive]
- https://packages.debian.org/buster/libpam-p11 [archive]
- https://packages.debian.org/buster/libpam-poldi [archive]
- https://packages.debian.org/buster/libpam-fprintd [archive]
- https://wiki.debian.org/SecurityManagement/fingerprint%20authentication [archive]
- Like bitcoin wallets enforce retyping the wallet mnemonic seed.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)