Hello 2FA experts!
So, it looks like Facebook has been misusing people's phone numbers to sell ads, even if they were only meant for 2FA security purposes (https://9to5mac.com/2018/09/28/facebook-ad-targeting-2fa/).
Are there any 2FA methods you would recommend which are easy to use, respect privacy and don't involve giving websites your contact details?
SMS 2FA is considered weak
e-mail 2FA is considered acceptable
If you can use an app like andOTP, it's better since you do not rely on the Internet for the connection to the website and your e-mail.
A Yubikey/physical device is the best. But I never tested how easy it is to use.
@switchingsocial It depends on the website's support, and the most affordable way while remaining secure is TOTP, time-based one-time password. It's a code which is generated in a mobile app every 30 seconds. There is also FIDO U2F, which is a hardware key; client-side TLS certificates, etc.
This list of U2F-supported websites https://www.dongleauth.info/#social shows that Facebook supports both TOTP and U2F.
Facebook is capable of pushing a confirmation notification to your active sessions, but I'm not sure you can set it up specifically. For me it came as a side effect of setting up 2FA.
I use Microsoft's Authenticator for my codes. I use it for both my Mastodon accounts, Lastpass, Protonmail, some work-related stuff, and Facebook. It's not unique, if you don't quite trust MS, but I'd recommend something like it. I trust math.
@switchingsocial Yubikey and its generics are great bc it's a physical item and so doesn't involve giving up personal information. I'm a non-techie and find it easy to use bc all you do is plug it in and press a button. The big problem with it is that most websites which offer 2FA don't accept it as an option, although Google does. There are some pretty cheap ones on Amazon.
The best is a physical hardware token like yubikey.
Using an OTP application like Authy, Duo or FreeOTP is the second best option.
@switchingsocial Ideally, services would start supporting WebAuthn (i.e. FIDO2 and U2F), which is an open standard for authentication without the exchange of secrets: the website stores your public key, and you hold one or more tokens containing the secret. When the website gets hacked, no secrets (i.e. passwords, OAuth tokens) are compromised.
On the user side, websites ask you to insert a USB key, you do so and press the button, and you are auth'd. Super simple!
@switchingsocial TOTP is a good second place, with the caveat that TOTP *does* require secrets be exchanged. In this case, the service sends the user a secret, which they store and prove possession of (by assembling it and the current time into a numeric code).
The downside to TOTP is that it requires the user to store and safeguard one additional secret per website, whereas with WebAuthn users hold only one secret, usually on a secure hardware module (Yubikey is popular, and goes as low as $20).
@switchingsocial Avoid SMS and anything to do with phone numbers entirely wherever possible. Others have mentioned Google Authenticator and similar; that’s (broadly) the most secure option. Avoid proprietary schemes like Authy, but if you can’t (as a user) or own both the client and server sides (like Facebook, or in the case of Authy’s and Duo’s mobile apps), push notifications are _much_ better usability with not a huge hit to security. FIDO U2F in a physical token for best security.
@switchingsocial A Yubikey Neo does the job for me. U2F (USB or over NFC for Google on my Android) where possible or TOTP. The TOTP credentials are stored on the Yubikey and you retrieve the 2-factor codes with the Yubikey Authenticator by plugging the Yubikey into your PC or keeping it near your Android's NFC.
I'm also using the HOTP-functionality of the Yubikey Neo for one account, but that is probably a bit complicated for many people.
@switchingsocial The trickiest part is dealing with “I lost my device” recovery. The most secure options fail closed if you lose your token. Users must store recovery codes somewhere; not great UX. Some apps/services (like Duo) sync your stuff to avoid recovery codes, but end up using a phone number to auth that. Use a Google Voice or other VoIP number that’s decoupled from your phone for MFA instead of a telco-controlled number.
@switchingsocial BTW besides Yubikey there are more producers of hardware keys like Nitrokey, this one: https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb or Google.
For the people still using Facebook, Facebook also offers U2F.
@switchingsocial An OTP app (e.g., FreeOTP), with a fallback to email authentication for those who can't/won't use OTP. Physical tokens are great but involve too much cost for many users.
@switchingsocial FreeOTP works for me, but not on FB I don't think.