What’s the Best Two-Factor Authentication Option? 

Ask Leo!

❓ The best two-factor authentication approach varies based on your needs, and what's offered by the service you're trying to use it with.
Dedicated hardware devices are typically the most secure two-factor authentication alternative, but also possibly the least convenient. Google Authenticator and compatible apps are more commonly supported and more flexible. SMS and voice messaging, as well as email notifications, are all viable alternatives as well if Google Authenticator compatible two-factor isn’t offered. What’s most important is that you use two-factor authentication whenever you can.
Updates, related links, and more discussion: askleo.com/23456

Published: 5 Mar 2021

Comments: 121
@askleonotenboom 3 years ago
The worst is none at all... but which one should you choose?
@marcosmcm86 2 years ago
Leo, can the person who hacks your phone number click on "forgot password" and use the SMS to change the password?
@askleonotenboom 2 years ago
@marcosmcm86 It depends on the service, and what you mean by "hack your phone number". Just knowing your phone number isn't enough. They have to actually be able to receive texts sent to that number, which is very difficult to do. Of course if they steal your phone physically, then they could get the SMS's. MOST services will require additional proof that they're authorized when a password is forgotten, but for others it's possible that getting the SMS could be enough.
@SmedleyButler1 1 year ago
What about now that Authy got hacked? Aegis? Only key? Solo key? Your info is greatly appreciated Leo! So many gullible millennials get promoted because they assume "reputable companies" are common
@askleonotenboom 1 year ago
@SmedleyButler1 I continue to recommend (and use) Authy. The hack affected Authy in a very limited way and was completely contained: "the security team found out that only 93 Authy users out of 75 million were affected, with bad actors registering additional devices to the accounts. These unauthorized devices have since been removed from the accounts, and the targeted users in question were all contacted by the company." - via www.androidpolice.com/authy-hacked-what-to-know/
@askleonotenboom 1 year ago
@Zarility Tech What I meant was please provide references to Authy having been hacked. As I said, that's news to me. And why are Google and Microsoft no-goes for you?
@msun12000 3 years ago
A concern that always needs to be addressed is to also have available some recovery option or backup in case you lose your primary authentication method or device.
@askleonotenboom 3 years ago
Absolutely. Most services will insist that you do so when you enable 2-factor. Often it's as simple as confirming your alternate email address, sometimes it's downloading one-time use tokens, but there must always be a way to recover from losing your second factor. That alternative way may be more inconvenient, but it needs to be present.
@lynetteford6063 1 year ago
Why can learn this it's been three weeks dumb.
@zen-ventzi-marinov 3 years ago
This channel is a true gem and you're seriously defying the age stereotype with your sharp thought. Also thanks for the confidence. Often times I consume info about a given topic and at the end, there is a "well I am not sure if it's better though". Which makes the whole thing pretty much pointless.
@brandnewname5185 4 months ago
Is he really defying the stereotype, though? He clearly doesn't fully understand what he's talking about and provides bad advice. He calls the Authy app "Google Authenticator-compatible." Google Authenticator is not a protocol. It's just an app that implements the TOTP protocol. Authy also happens to implement TOTP. He also recommends Authy, which no serious security professional would recommend because they're not open source and thus their storing of 2FA secrets can't be independently audited. Apparently his recommendation for Authy is because he likes that the app has logos... Please don't choose any security mechanism because it has... pictures. Authy was hacked in 2022. Imagine listening to this "true gem" (your words) only to have your account hacked.
@stevejenkins2335 1 year ago
I really like the authy desktop approach. The biggest resistance I get from employees is they don’t want a work related app on their private phones, I can’t blame them. This solution takes care of it.
@srd65 3 years ago
I would recommend an authenticator app since sometimes with email or text message, it takes a long time and sometimes even never to get a text or email for the security code
@yusufmain5356 3 years ago
Think about it: if you're using Google’s authentication app and it’s to do with your phone, a unique code only matches your phone; you might as well just have a code sent to your phone, which is easier.
@medramzi2648 11 months ago
At 3:02 you said: "It [2FA] is usually done by having your device scan a QR code displayed or entering a special key that then associates your specific phone, your specific installation of the Google Authenticator with your account. No other Google Authenticator will do. It has to be your phone and your Google Authenticator that's used to authenticate you are who you say you are." As of today, this is incorrect, I've just tried the special key on a friend's phone and it generates the same six digit codes. So, it doesn't have to be your SPECIFIC phone and your SPECIFIC installation of GA app.
@linlinzhu8077 2 years ago
Your video helps me a lot, amazing work!!!!! Thanks!!!!
@Mike_UNMUTED 1 year ago
Great video, you explained things so simply. THANKS
@kristjanlink007 3 years ago
What about authenticators on the same computer, how secure is that? Unless your computer gets hijacked, there doesn't seem to be a problem. I use WinAuth with a password and a PowerShell script I found online for my work computer (no password).
@neuideas 2 years ago
It's admittedly less secure than having a separate device running your TOTP codes, but it's still much more secure than not using 2FA at all. I use KeePassXC on my computer to generate TOTP codes for my browser. Assuming an intruder has no access to my computer, it's as secure as any other TOTP setup. If they do have access to my computer, they will need to get past my computer's password (22 characters), as well as open my kdbx vault file with its password (37 characters). If I choose to set it up with a keyfile on a flash drive or a disc, then it's still secured, even if they have both passwords.
@swaha55 1 year ago
If you have 2 factor authentication do you have to enter the authentication code every time you log in or can you just authenticate your device once to log into your application?
@askleonotenboom 1 year ago
Generally you get to choose. In most cases it's once every 30 days (or until you clear cookies). You can also say "don't remember" so that a device you might lose - like a laptop - could still require it every time. It all depends on the service.
@eladbari 3 years ago
I WISH apps enabled 2FA with email. But they don't! They opt for SMS which is stupid if you're abroad with a local SIM card.
@neuideas 3 years ago
Authy is great, but the account is linked to your phone number. I prefer to use an application that doesn't do this. I installed 2FAS on my Android phone. It has an option to back-up to Google Drive, so your seeds can survive an app reinstall, and can be transferred to another Android device pretty simply.
@hypercrack7440 2 years ago
Aegis - another awesome app which does the same stuff
@Yasmin-pi5pr 2 years ago
Me too, if you lose the phone, you have to wait for SIM replacement, plus if you travel it would complicate a lot
@itsyaboivoid 2 years ago
Agreed. I use 2fas too and it's awesome.
@gtcstorm40 3 months ago
To do a SIM swap attack the attacker also needs your password, so low risk, but if you use bad passwords risk goes way up
@lynetteford6063 1 year ago
What is the business email is it like being on the job i keep running into that when I ask for certain information
@pmutch 1 year ago
Great video, and 100% everyone should be using MFA, however you did not mention Microsoft Authenticator. This is way better and more secure than Google Authenticator, as you can back up codes to your MS account, lock the app with biometrics, and the same app is also a totally free and really good password manager that synchronises up with MS Edge across ANY device you have (Windows, MacOS, iOS, Android).
@RyeFleming20 3 years ago
So I’m wondering why you would suggest to use google authentication when authy just sounds better.
@askleonotenboom 3 years ago
My recommendation is "google authenticator compatible". In other words, Authy, or any of the others. I use Authy myself.
@RyeFleming20 3 years ago
@askleonotenboom okay so any is good I’ll stick with authy just seems more secure when you can use a passcode lock on app.
@kez99 2 years ago
Use Aegis and so you can manage your totp secrets yourself.
@johngreene6783 1 year ago
I recently watched a RU-vid video stating that Google Authenticator is one of the least secure authenticators out there
@askleonotenboom 1 year ago
Well, then, if it's in a RU-vid video it must be true, right? (Would love to know what video that was.)
@geevee9582 2 years ago
My only authentication no longer works for some reason. They told me to delete my account and create a new one and connect it with a passid but they didn't tell me where I get one 😭
@prathameshpatil1410 3 years ago
I recently formatted my phone and forgot to keep the backup codes that were saved in it. After formatting was done, when I was setting up my account on the phone I couldn't sign in despite knowing my password because I didn't have the backup codes, so they didn't recognise me and this was the only device I was logged in. In such a case will Google authenticator be helpful?
@askleonotenboom 3 years ago
I would use a Google Authenticator compatible option like Authy - it lets you set up two factor on more than one device, including your PC, and keeps the 2fa codes in sync.
@neuideas 3 years ago
It's not helpful after-the-fact. If you used Authy and had the backup codes saved, you could have had your codes set up on another device before reformatting the new phone.
@askleonotenboom 3 years ago
@neuideas That's why I so often tell people to set this stuff up BEFORE they need it. Many don't bother until it's too late.
@user-xt5sb9wm6f 3 years ago
The best one is FIDO keys such as YubiKeys
@gsgidney 3 months ago
Has Google updated their authenticator with end to end encryption?
@lynetteford6063 11 months ago
What is service provider actually provides.
@lynetteford6063 9 months ago
Another obstacles scanning QRCode can't figure out especially when qrcode is on a billboard
@WatzaMataU. 4 months ago
Outstanding video. Thank you. QUESTION: How do I create a new QR code for an account I accidentally erased from my Google Authenticator app?
@askleonotenboom 4 months ago
Turn off the 2FA on that account, and then turn it back on again to generate a new code.
@NickCassimon 7 months ago
I would love a key like that but so worried what will happen if I lose it...
@keithdavis262 5 months ago
That's why it is important to have a backup - another security key or an authenticator app.
@trollingthetrolls9073 3 years ago
I am using the Google one and every code I get does not work when trying to log in to Facebook, what do I do?
@askleonotenboom 3 years ago
Follow Google's account recovery process.
@asinheaven 3 months ago
If a SIM swapper can get your SMS 2FA, why wouldn't they also be able to get your Google authenticator codes?
@askleonotenboom 3 months ago
No. Google Authenticator is unrelated to your SIM and phone number.
@neuideas 3 years ago
Leo, this one concerns me regarding TOTP seeds: How does the website handle the seed file? Passwords are best handled by hashing and salting them, and never storing in plaintext or encrypted form. This means that your passwords should never be known by the website. If there's a breach, then the salted hashes are revealed, but this alone doesn't compromise anyone's account, unless they use weak passwords. TOTP seeds are referred to as a "shared secret," which implies that the website has a copy of this file, either in plaintext or encrypted, but not salted or hashed. If this is true, if a user loses his seed, he could at least theoretically request a new copy from the website. Also, this means the seed is vulnerable to a breach. Do you have any insights?
@askleonotenboom 3 years ago
This has a good overview of how it's handled: www.freecodecamp.org/news/how-time-based-one-time-passwords-work-and-why-you-should-use-them-in-your-app-fdd2b9ed43c3/
@neuideas 3 years ago
@askleonotenboom The article was helpful, but not complete. It does not address secure handling of the TOTP secret server-side. I appreciate the link, though. Thank you.
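The two TOTP points raised in the comments (the "shared secret" thread above and @medramzi2648's observation that a second phone given the same key shows the same codes), as an added example that is not code from the video, any commenter, or any authenticator app: a standard-library RFC 6238 generator and a service-side check. The seed is the published RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded the way
# setup keys / QR codes carry it. A test value, not a real account seed.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)   # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks the 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify(stored_secret_b32, submitted, unix_time, window=1, step=30):
    """Service side: recompute from the stored seed, tolerating +/- `window`
    time steps of clock drift, and compare in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(stored_secret_b32, unix_time + drift * step, step)
        ok |= hmac.compare_digest(expected, submitted)
    return ok

def verify_from_hash_only(secret_b32, submitted, unix_time):
    """What a service could do if it had kept only SHA-256(seed), as it would
    for a password: the HMAC key is gone, so the code cannot be recomputed."""
    key = base64.b32decode(secret_b32.upper())
    digest_b32 = base64.b32encode(hashlib.sha256(key).digest()).decode()
    return server_verify(digest_b32, submitted, unix_time)

if __name__ == "__main__":
    now = 59                                         # RFC 6238 test time
    phone_a = totp(SECRET, now)                      # first device
    phone_b = totp(SECRET, now)                      # second device, same key typed in
    print("phone A:", phone_a, "phone B:", phone_b)  # identical: the code depends only on seed + time
    print("server with seed:", server_verify(SECRET, phone_a, now))
    print("server with hash only:", verify_from_hash_only(SECRET, phone_a, now))
```

Because verification needs the seed itself, a service has to store it in recoverable form (for example encrypted at rest), which is the difference from password hashing that the thread above is asking about.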
@cmdrefstathiusplacidus9003 1 year ago
Are you still using Authy after they were hacked?
@askleonotenboom 1 year ago
I am. From what I've read I'm not overly concerned.
@nickfifield1 1 year ago
What if someone steals your phone?
@askleonotenboom 1 year ago
askleo.com/lose-my-second-factor/ and ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-wbXSdHZDW8A.html
@jorgehenao3900 1 year ago
nice video hi from COLOMBIA
@rextexan4727 8 days ago
So are you still using Authy even after the recent data breach and leaks that happened recently?
@askleonotenboom 8 days ago
Which data breach? I've not heard of any related. (And I'm still using it, but now only for one account. 1Password now holds my 2FA codes.)
@lynetteford6063 8 months ago
Is 2 step verification different from two factor authenticator?
@askleonotenboom 8 months ago
They're typically the same, yes.
@keithdavis262 5 months ago
Two step verification sounds like the generic description of 2 step or multi-factor authentication. Two factor authenticator sounds like it is referring to the authenticator app, which is one of the means of doing multi-factor authentication. Security keys are the best level, authenticator apps are next, SMS, email and voice are on down the line. But as Leo says, USE SOMETHING TO DO MFA - NOTHING IS THE WORST.
@KamranB1 2 years ago
Thanks for your video. If I lost Yubikey what should I do?
@askleonotenboom 2 years ago
Use one of the recovery methods you set up for the account in question, and disassociate the YubiKey you lost.
@KamranB1 2 years ago
@askleonotenboom Thank you.
@manny7886 2 years ago
That's why I use 3 YubiKeys for my password manager. I put 1 in my car, 1 in the house, and the third one is in my keychain.
@askleonotenboom 2 years ago
@manny7886 To be clear, YubiKey is not a password manager, it's a two-factor-authentication device. It doesn't do anything with respect to passwords, specifically.
@manny7886 2 years ago
@askleonotenboom - Understood, password manager has nothing to do with Yubikey or any 2FA devices. I use Yubikey as a 2FA to my BitWarden password manager. Thank you for this video, I'm now changing my authentication method from SMS to Authy.
@lynetteford6063 9 months ago
Is there textbooks on this subject I can screammmmmm😂😂😂😂😂😂😂I got a feel. 😊
@yusufmain5356 3 years ago
Of course all methods of 2 factor are good, some better than others, but in my opinion getting a code sent to your phone is the best
@bored78612 3 years ago
TOTP is better imo. SMS is not as secure imo
@NinaMango789 3 years ago
Look up SIM swapping, getting a text is far from the best
@musicjunk8266 1 year ago
What's wrong with SMS?
@askleonotenboom 1 year ago
It's theoretically hackable.
@musicjunk8266 1 year ago
@askleonotenboom I see
@kabirmalik8794 2 years ago
Microsoft authenticator is best. Linked with email backup your data.
@itsyaboivoid 2 years ago
2fas is the best hands down.
@mkreider-sh2ih 3 months ago
I tend to prefer GAuth
@lynetteford6063 8 months ago
Why am I not comprehending this something wrong.
@rayn1ful 2 years ago
the best 2 factor authenticator is none , 2 step verification is one of the most annoying things on the face of this planet , what if i wanna just trust people , plus if i wanna verify my identity i will go and look in the mirror , boom im done , i know im me.
@askleonotenboom 2 years ago
Yep. It's definitely WAY WAY easier to let your account get hacked. Totally agree.
@lynetteford6063 1 year ago
Having problems comprehending very afraid
@lynetteford6063 1 year ago
I can scream
@lynetteford6063 11 months ago
This is a very hard task I admit I am a hard learner.
@lynetteford6063 1 year ago
I so mad can remember.
@Anonymous_programmer1 14 days ago
4:00 authy
@askleonotenboom 14 days ago
Which I USED to love, but then they stopped the desktop version.
@jamesedwards3923 2 years ago
SMS is the worst option.
@askleonotenboom 2 years ago
It's still better than no two-factor at all.
@DyegoSutilMendes 1 year ago
leoooooo
@abdullahal-shimri3091 2 years ago
Immediate dislike when you said you prefer Google authentication
@askleonotenboom 2 years ago
¯\_(ツ)_/¯
@itsyaboivoid 2 years ago
Agreed.
@JanusDuo 2 years ago
Recommending a Google product in 2021? Cringe
@askleonotenboom 2 years ago
You realize RU-vid is a Google product, yes? And that there are compatible alternatives to Google Authenticator like Authy? (And yes, I often recommend Google products in 2021. No cringing here.)
@johnnyb2595 2 years ago
Ask a boomer why dont ycha
@hypercrack7440 2 years ago
"Authy" is the Opposite of security
@askleonotenboom 2 years ago
Why do you say that?
@manny7886 2 years ago
Care to explain?
@phasematerialsresearch9319 11 months ago
Great breakdown!