switching.social

Hello 2FA experts!

So, it looks like Facebook has been misusing people's phone numbers to sell ads, even if they were only meant for 2FA security purposes (9to5mac.com/2018/09/28/faceboo).

Are there any 2FA methods you would recommend which are easy to use, respect privacy and don't involve giving websites your contact details?

@switchingsocial lots of websites allow you to use an OTP as 2FA, and you can use an app like freeotp.github.io/ or Google Authenticator or any other that implements the spec

@switchingsocial If I'm not mistaken you cannot force a website/platform to use #2FA or the method you want. You can only choose whether to use it or not.

SMS 2FA is considered weak
e-mail 2FA is considered acceptable
If you can use an app like andOTP it's better, since you do not rely on the Internet for the connection to the website and your e-mail.

A Yubikey/physical device is the best. But I never tested how easy it is to use.

@Zykino @switchingsocial btw no, mail is not really acceptable; it's already the weak link for all these "password reset" mechanisms. And it is in 99% of cases not on another device, which is what 2FA is about

@switchingsocial How about authenticator apps such as FreeOTP? It was developed by RedHat, so I am assuming it is fairly trustworthy.

freeotp.github.io/

@switchingsocial it depends on the website's support, and the most affordable way while remaining secure is TOTP, time-based one-time password. It's a code which is generated in a mobile app every 30 seconds. There is also FIDO U2F, which is a hardware key; client-side TLS certificates, etc.

This list of U2F-supported websites, dongleauth.info/#social, shows that Facebook supports both TOTP and U2F

@switchingsocial
Facebook is capable of pushing a confirmation notification to your active sessions, but I'm not sure you can set it up specifically. For me it came as a side effect of setting up 2FA.

I use Microsoft's Authenticator for my codes. I use it for both my Mastodon accounts, Lastpass, Protonmail, some work-related stuff, and Facebook. It's not unique, if you don't quite trust MS, but I'd recommend something like it. I trust math.

@switchingsocial using an authenticator app (like Google Authenticator, MS Authenticator, Authy, etc.)

@switchingsocial Yubikey and its generics are great because it's a physical item and so doesn't involve giving up personal information. I'm a non-techie and find it easy to use because all you do is plug it in and press a button. The big problem with it is that most websites which offer 2FA don't accept it as an option, although Google does. There are some pretty cheap ones on Amazon

@switchingsocial

The best is a physical hardware token like yubikey.

Using an OTP application like Authy, Duo or FreeOTP is the second best option.

@switching.social Your idea won't work. If a service requires a phone number before you can activate the other Two-Factor Authentication they offer, then you must add your phone number.

Some services use your phone to combat bots and companies from creating multiple accounts. If you remove your phone number, your #2FA is disabled or your account can get locked-out until you add a new number.

There are some which allow the use of email instead of a phone number simply because they implemented 2FA via email. You can then add other 2FA methods on top of it as usual. Still, an email or phone number is still required before you can use whichever other 2FA methods they offer. More and more are requiring phone numbers because they can use it as a recovery method as well, and most people tend to switch and forget their emails, but less so with phone numbers.

@switchingsocial ideally, services would start supporting WebAuthn (i.e. FIDO2 and U2F), which is an open standard for authentication without the exchange of secrets: the website stores your public key, and you hold one or more tokens containing the secret. When the website gets hacked, no secrets (i.e. passwords, OAuth tokens) are compromised.

On the user side, websites ask you to insert a USB key, you do so and press the button, and you are auth'd. Super simple!

@switchingsocial TOTP is a good second place, with the caveat that TOTP *does* require secrets to be exchanged. In this case, the service sends the user a secret, which they store and prove possession of (by assembling it and the current time into a numeric code).

The downside to TOTP is that it requires the user to store and safeguard one additional secret per website, where with WebAuthn users hold only one secret, usually on a secure hardware module (Yubikey is popular, and goes as low as $20)
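Added example, not part of any post in this thread: the two replies above (the one describing TOTP as "a code generated in a mobile app every 30 seconds" and the one describing the client "assembling the secret and the current time into a numeric code") are exactly RFC 4226 HOTP and RFC 6238 TOTP, which is what FreeOTP, andOTP, Google Authenticator and the Yubikey authenticator all compute. The code below implements both from the Python standard library, plus the base32 decoding of the secret as it appears in a provisioning QR code and a server-side verifier with a clock-skew window. The base32 string in the demo is a constructed input (the RFC 6238 test secret, lowercased and space-grouped); function names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an authenticator app computes them.

Added example for the thread, not the code of any app or service mentioned.
Demonstrates what the shared secret, the 30-second step and the 6-digit code
are, and how the server side should verify a submitted code.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian), dynamic truncation,
    then reduce to `digits` decimal digits, keeping leading zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    Same secret and roughly the same clock on both sides give the same code,
    so the client needs no network access to produce it."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Secrets in otpauth:// URIs and QR codes are base32, usually unpadded and
    often shown lowercase or grouped with spaces; normalise before decoding."""
    clean = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify_totp(secret: bytes, code: str, unix_time=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and `window`
    steps on either side (clock skew, typing delay). Constant-time comparison,
    and the loop does not stop at the first match so timing does not leak
    which step matched. A real server must additionally remember the last
    counter it accepted and refuse anything <= it, or a sniffed code can be
    replayed within the window (not shown here)."""
    if unix_time is None:
        unix_time = time.time()
    if len(code) != digits or not code.isdigit():
        return False
    current = int(unix_time) // step
    matched = False
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret "12345678901234567890" as it
    # would appear in a provisioning QR code (base32, lowercase, space-grouped).
    secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("code right now:", totp(secret))
    print("RFC 6238 vector, T=59, 8 digits:", totp(secret, 59, digits=8))
```

The whole "second factor" is the 20-byte secret plus the clock, which is why the replies above say the app needs no Internet connection and why losing the phone without the recovery codes locks you out: nothing but that secret can regenerate the codes.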

@switchingsocial Avoid SMS and anything to do with phone numbers entirely wherever possible. Others have mentioned Google Authenticator and similar; that's (broadly) the most secure option. Avoid proprietary schemes like Authy, but if you can't (as a user) or own both the client and server sides (like Facebook, or in the case of Authy's and Duo's mobile apps), push notifications are _much_ better usability with not a huge hit to security. FIDO U2F in a physical token for best security.

@switchingsocial A Yubikey Neo does the job for me. U2F (USB or over NFC for Google on my Android) where possible or TOTP. The TOTP credentials are stored on the Yubikey and you retrieve the 2-factor codes with the Yubikey authenticator by plugging the Yubikey into your PC or keeping it near your Android's NFC.
I'm also using the HOTP-functionality of the Yubikey Neo for one account, but that is probably a bit complicated for many people.

@switchingsocial The trickiest part is dealing with "I lost my device" recovery. The most secure options fail closed if you lose your token. Users must store recovery codes somewhere; not great UX. Some apps/services (like Duo) sync your stuff to avoid recovery codes, but end up using a phone number to auth that. Use a Google Voice or other VoIP number that's decoupled from your phone for MFA instead of a telco-controlled number.

@switchingsocial BTW besides Yubikey there are more producers of hardware keys, like Nitrokey, this one: kickstarter.com/projects/conor or Google.
For the people still using Facebook, Facebook also offers U2F.

@switchingsocial An OTP app (e.g., FreeOTP), with a fallback to email authentication for those who can't/won't use OTP. Physical tokens are great but involve too much cost for many users.

@switchingsocial freeotp works for me, but not on FB I don't think.

@switchingsocial Like others have mentioned TOTP is the accepted standard (for software at least) but I just wanted to mention twofactorauth.org/ as a useful resource.

I use andOTP (github.com/andOTP/andOTP), which is a fork of FreeOTP, on Android.
