You are viewing a single comment's thread from:

RE: 2 Factor Authentication w/ Encrypted Backup and Device Sync - Bye Bye Google Authenticator

in #security7 years ago

Nice contribution. I haven't tried the 2FA function in 1Pass yet.

I don't quite understand your statement at the end where you say that cell phones are bad 2FA devices.

In the case of 1Pass, if I understand correctly, both factors are secured in one place.

I use Authy myself and I am very satisfied with it.
In any case better than Google Authenticator :)

Sort:  

If sms is used as second factor, someone can call your mobile company and pretend to need a copy of the sim and they will sometimes get it. At that point they can get all your sms messages.

Yes that is right. Social Engeneering is an often used attack vector.
But I don’t think Authy can be restored only with sms. If this is so there is no need for Authy at all.

As you might know, some providers send the auth code via SMS instead of using a 2FA application. In theory, if you're planning to attack a single person, it's shockingly easy to call the provider and gain access to the SIM card. This technique is called "Social Engineering" and is actually pretty effective.

Google Authenticator and competitors use an encryption key which is shared with the device via the QR code you're scanning at initial setup. Therefore, the code is unique and device-bound, so there is no way for an attacker to gain access to it (unless he gets access to your device).

acá toca guardar la clave secreta de cada sitio para la configuración de 2FA.