How safe is 2 factor authorization for Darkcoin users?

[nj47]

Very interesting, thank you for your feedback on this. So different members of the community have some different perceptions and opinions on this, hopefully this will be cleared up with time, but a recurring theme definitely seems to be to make multiple backups!

Absolutely. Unfortunately the thread got a little derailed due to a miscommunication on what specific type of 2FA was being used.

The only one that you should use, which the Google Authenticator app uses and follows a peer reviewed open source standard I previously linked, will NOT make you more vulnerable to gov surveillance. However 2fa does nothing to provide any addional security against government survalince either - it solely is used to protect you from a hacker keylogging you, phising your password, or brute forcing it because only you will have the code to verify your identity.

If you are using the version that send you an SMS message I highly suggest you switch to the other asap.

This 2fa app also does not depend on your phone. However for most people running it in their phone will be the most secure way to run it, so for most people, there is no better option.

And finally yes, for your backup options the situation is not ideal. I still think the app authy is great, I use it for my low security risk sites while using the custom implementation I described above for my websites that I absolutely cannot afford to have compromised. But I do understand why people may not be comfortable using them. If that is the case then you need to save the keys before you import them into your phone, and keep a set of them at multiple physical locations to ensure something like a fire would not destroy them. It is very important to consider the risk to reward ratio of these options though.

 

[r-ando]

Great!

So there are multiple versions of 2FA and the one that does not involve SMS seem's to be the best option for now. It is also suggested you save the keys and keep backups in multiple locations.

 

[jpr]

What I do is: every time I set up a new 2FA somewhere I just make a screenshot of that key and put it in a zip file, password it, put it on my NAS and on spideroak cloud. All the passwords to all the exchanges and zips and websites and forums are different and long so I keep them in a single file, a keepass 2 file, which has a long and difficult MasterPassword. So I just have to remember that one password which would take hundreds of years to break

 

[Mike6099]

Just curious, what happens in the event my smartphone becomes dysfunctional and I loose my 2fa, am I locked out of the account forever?

 

[Lord Of The Internet]

Oh yeah. I forgot. I don't think i got a 2fa restore phrase or whatever on this site. I'm pretty sure i have something like that for all my other 2fa setups.

 

[raganius]

Just curious, what happens in the event my smartphone becomes dysfunctional and I loose my 2fa, am I locked out of the account forever?

That's a good question. Me too, I wonder what happens in case I lose my smartphone. What should be done in such situation?

What I have done, when setting up the 2FA, was to print the 2FA Key's QR Code generated: I believe that this way I'll be possible to use this QR Code to reconfigure a new device in case it's necessary. But I am not sure if it will work.

 

[splawik21]

You cant have google auth on 2 decices. I tried it once and pass key from other device was not correct. Didn't tried to deinstal or corrupt in some way the primary code to use 2nd one.
There should be a secret pass or question to restore 2FA imo.

 

[stonehedge]

I'm nervous about this too. I've got loads of 2FA accounts set up in google authenticator and most of the sites that I have them with didn't provide an alternative. I didn't realise that printing the QR code would work. Yet more stuff for my safe at the secret location

 

[daaarkcoins]

You cant have google auth on 2 decices. I tried it once and pass key from other device was not correct. Didn't tried to deinstal or corrupt in some way the primary code to use 2nd one.
There should be a secret pass or question to restore 2FA imo.

Dude, that's just wrong. The codes are generated from the timestamp and your secret (the QR code) only. There's no way for it to block multiple devices.

When you enter the key on another device, it works. As long as the time is set accurately on a device, it will work once you entered the key correctly.

If it didn't work there's only 3 possible points of failure:
- Device time isn't set properly
- You didn't use the same software
- You didn't type the key correctly


The "secret pass to restore 2FA" is shown next to the QR code when you set it up.



edit: Please use OTP Auth instead of Google Auth! It's a fork of the last open-sourced version of Google Auth which went closed-source.

https://kuix.de/android/otp-authenticator/

 

[raganius]

Dude, that's just wrong. The codes are generated from the timestamp and your secret (the QR code) only. There's no way for it to block multiple devices.

When you enter the key on another device, it works. As long as the time is set accurately on a device, it will work once you entered the key correctly.

If it didn't work there's only 3 possible points of failure:
- Device time isn't set properly
- You didn't use the same software
- You didn't type the key correctly

The "secret pass to restore 2FA" is shown next to the QR code when you set it up.



edit: Please use OTP Auth instead of Google Auth! It's a fork of the last open-sourced version of Google Auth which went closed-source.

https://kuix.de/android/otp-authenticator/

Thank you for the info. So I guess it was a good idea I had to print the 2FA Key's QRCode.

Indeed, having the time at the device (hours and minutes) exactly the same as at the computer when typing the generated access code is mandatory. I had trouble at first just because my computer time was 2 minutes in advance from the smartphone time.

 

[r-ando]

Very interesting. Thanks everyone!

 

[splawik21]

Lol so you want to say that the time on pc and on my android if not the same will cause the problems??

 

[raganius]

Lol so you want to say that the time on pc and on my android if not the same will cause the problems??

Exactly. With a few minutes difference it all went wrong. The moment the devices' times were synced it worked perfectly.

 

[daaarkcoins]

Your PC's time shouldn't make a difference at all. What needs to match is your mobile's time and the validating server's time. The server's time is synced with internet time servers so you need to sync your device's clock with those.
As long as the difference doesn't exceed the lifetime of a code there won't be any problems.

Edit: IIRC the Google Auth app even has a pop up message on its very first launch that your device's time needs to be synced for 2-FA to work properly. You guys shouldn't always just tap the first button you see but read the text thereabove now and then!

 

[raganius]

So, it might have been a coincidence for me... It's funny, because that's what realy has happened in my case. When I've installed the app in my smartphone I was requested to sync it's time, as you've said, but still I was not able to set 2FA until I have also synced my pc's time... As I am not a technical guy, I have just assumed that was the case, a kind of an empirical knowledge (like knowing that the Sun moves around the Earth).

But it's good to know how it really happens. And, more important, it's good that it works.

And I am glad that, when setting up the 2FA, I have printed the QR Code generated with the 2FA Key: as I understood of what you have said above, I'll always be possible to use this QR Code to reconfigure a new device in case it's necessary, as long as this device's time is synced.

Thanks again for all the info.