4 Tips for 2FA

2FA, or 2-Factor Authentication, is a great security tool if done correctly. Here are 4 tips.

1) SMS 2FA Sucks

Ethereum developer Vitalik Buterin mouths off about decentralization, but got his Twitter account hacked because it was linked to a phone number tied to his real identity. SMS is the easiest 2FA method for random hackers to compromise. In a SIM swap the attacker talks (or bribes) the carrier into moving your phone number onto a SIM card the attacker controls, so his or her device receives your SMS texts, including the 2FA codes, and the website cannot tell the difference.

Also, a phone with a SIM card reports its location to the carrier every time it registers with a cell tower, so the carrier keeps a running log of roughly where you are. In addition, every 2FA text passes through the carrier, so the mobile service provider can see which services and websites you use.

Another reason SMS 2FA is horrible is that the SIM card, and therefore the phone number, is usually tied to your real identity, which brings us to the next point.

________________

2) KYC is less secure

Often out of ignorance, people assume that real identity verification (KYC) makes an account more secure. In reality the opposite holds: once an account is tied to a real person, social engineering of support staff, SIM swapping, and password guessing based on known personal details all become possible. In addition, a breach of those records links the account to a name and home address, so violent actors can learn where you, and the devices holding your credentials, physically are.

________________

3) Reject large proprietary companies

Many people, also out of ignorance, favor technology services from large corporations because they assume them to be more secure. They presume that a large company can be trusted with their identity information.

In reality, large companies may be bureaucratic, and hackers prey on those inefficiencies. For example, Uber and Rockstar Games were both breached in 2022 through social engineering. In Uber's case the attacker got inside the company's internal systems by talking an employee through approving an MFA prompt, which shows that a second factor is only as strong as the person and the process around it.

Microsoft’s Password database manager for government accounts was hacked by Iranians. The local governments had to pay Bitcoin as ransom to get control back. This further demonstrates that large companies like Microsoft and Google can not be trusted to safely store your data or identity.

We do NOT recommend the use of the omnipresent Google Authenticator, for numerous reasons. First, it is not open source, so there is no way to audit what tracking Google does in it, and since 2023 it offers to sync your TOTP secrets to your Google account, which puts the keys to every 2FA login on Google's servers unless you turn that off. Google's track record regarding privacy is piss poor, so why should you trust these malicious clowns?

Second, Google Authenticator will not show you the secret (the base32 "backup phrase" a website gives you when you enroll) that you could type into a different authenticator app or a desktop client. Its only export is a "transfer accounts" QR code in Google's own migration format, meant to be scanned by another copy of Google Authenticator. So essentially Google has locked you into the Google ecosystem: once you are dumb enough to use Google Authenticator, switching to an open source client means either decoding that migration QR code yourself or having every website issue you a brand new secret.

________________

4) Avoid Phones

You want to avoid doing 2FA on a phone that you carry around. A phone is real easy to lose or have stolen, and you might leave it in an unsafe place. Additionally, phones have unsafe hardware. A phone has 2 "brains": the application processor with the CPU/RAM, and a separate one called the baseband modem that talks to cell towers and runs closed firmware you cannot inspect. Published research has repeatedly demonstrated that attackers can remotely exploit baseband modems by setting up a fake cell tower that the phone connects to.

When you put a phone in airplane mode, that is just a request from the CPU/RAM brain to the baseband modem asking it to please stop. The baseband modem does not have to honor this request, and it won't if corrupt government thugs are illegally hacking you in violation of their own constitutions.

________________

Conclusion:
2FA should be done on a Linux computer using KeePassXC with TOTP. A TOTP code is computed from the shared secret and the current time, so it never needs an internet connection, and KeePassXC is open source software you control. Google Authenticator is just one client for the TOTP standard (RFC 6238); KeePassXC speaks the same protocol, so it will work with any website that offers TOTP.
Good read on MFA / 2FA

nostr:note1y53s6p48n0wajp4gdxkwtjfsddr433m2l02xj3uvn4r5mfuj46jq8f8x4q 

For those locked in with Google Authenticator, this tool might be helpful to extract the TOTP secrets in different formats for other apps.

https://github.com/scito/extract_otp_secrets

Thanks, @SimplifiedPrivacy.com Podcast! 
Thanks, interesting.
Do you recommend to use Keepass for passwords and 2FA? Wouldn't that be a single point of failure?  
It depends on your threat model and goals. You could have the original KeePass with other info. Another possibility is VeraCrypt for both. Or a 2nd device. Or a virtual machine with KeePass outside it.