THIS 2-Factor-Authentication method is NOT secure!!
Science and technology
If a hacker gets access to your email, bank, or crypto account, they can turn your life upside down. How secure are YOUR accounts?
One thing that can help you secure them is to use 2fa (2-factor-authentication) where you have to use multiple methods to sign into an account, rather than just a single password on a website. 2FA makes your account MUCH more secure.
But not all 2FA methods are created equal. For example, SIM swaps allow hackers to intercept certain 2FA methods, so if your account is tied to a phone number then you're more vulnerable to being hacked.
We dive into various 2FA methods, including SMS verification, TOTP apps (authenticator apps), and security keys (like YubiKey), explain which is the most secure, and also talk about the tradeoffs of each.
00:00 Intro
01:58 SIM-based 2FA
05:28 Authenticator Apps / TOTP
09:52 Security Keys
For more info about 2FA, check out this awesome article from Paul Stamatiou: paulstamatiou.com/getting-sta...
*Edit: you can now export your google authenticator seed to another device.
Brought to you by NBTV members: Lee Rennie, Will Sandoval, Ogar, and Naomi Brockwell
To support NBTV, visit www.nbtv.media/support
(tax-deductible in the US)
Sign up for the free CryptoBeat newsletter here:
cryptobeat.substack.com/
Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.
Visit the NBTV website:
nbtv.media
Watch this video on Odysee!
open.lbry.com/@NaomiBrockwell...
Here are a bunch of products I like and use. Using these links helps support the channel and future videos!
Recommended Books:
Permanent Record - Edward Snowden
amzn.to/305negc
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State - Glenn Greenwald
amzn.to/2UQmJ4m
What has the government done to our money - Rothbard
amzn.to/2KMzmcu
Naomi's Privacy Bag: some of my favorite products to help protect your privacy!
Use the Brave browser! brave.com/nao076
USB-C to ethernet adapter:
amzn.to/2lOVBoy
Lightning to ethernet adapter:
amzn.to/2nWyNns
Faraday bag (signal stopping, to protect your fob, credit card, computer, and phone)
amzn.to/3DjIvCP
Data Blocker (if you're charging your phone in an unknown port, use this so that no data is transferred)
amzn.to/2SVh0J2
Computer privacy screen (use your computer in public? Keep your information safe! Choose the size right for your computer)
amzn.to/3F816Sn
Phone privacy screen (don't let people in public see your private data, choose the size for your phone)
amzn.to/3wNtYwb
Camera cover (for computers and phones, so no one can access your camera without you knowing)
amzn.to/2Mt7Hic
Privacy Tip: Turn off your wifi and bluetooth when you're not using them!!! (or don't use them at all)
Comments: 291
As per all my other videos, no I didn't delete your comment. KZread auto deletes comments all the time. If yours disappears, try posting again in various forms until it sticks, and good luck! 🙏 Also, since posting this video I've found out that google authenticator now allows you to back up all codes on another device! Have added that note to my video description.
@brandonfarley5297
2 years ago
Do you have a podcast by any chance?
@NaomiBrockwellTV
2 years ago
@@brandonfarley5297 Yep! Everything is linked on my website www.nbtv.media/episodes/this-2-factor-authentication-method-is-not-secure
@cryptowealthonyt
2 years ago
Naomi my apologies? Where is the link to google auth. back up codes info?
@NaomiBrockwellTV
2 years ago
@@cryptowealthonyt There is no link. The info is in the video description.
@TwstedTV
2 years ago
2FAS Auth app is another really good one. I use both 2FAS Auth and Authy. The ONLY problem I have with Authy is that their Android app uses a 4-digit PIN to log in, which is pretty insecure IMHO. I even tried to get them to implement a better password login with alphanumerics; this was 4 years ago. Still nothing has been done, and I have asked several times.
i have been using a yubikey for about a year now and have been loving it. Great video
Yubikey is the key to proper 2fa security
That crocheted top girl you’re rocking it💃🏽💃🏽
The best 2fa is the one your account provider offers. Many financial institutions only offer SMS or email (which is unacceptable) but you have to work with what you have.
Great episode! Already have a few security keys, but they are pretty old school. looking forward to the next episode you mentioned that will look into key differences in security keys!
I love that you cite helpful articles for further reading. 😊
Thank you. Very good information. BTW - nice sweater!
@NaomiBrockwellTV
2 years ago
Glad you like it!
Superb, Naomi. Really well done.
@NaomiBrockwellTV
2 years ago
Thanks - I really appreciate that
Hi Naomi, I love your videos, they are so useful. I have a way of improving the security on iPhones. In Settings, scroll down to Screen Time. Open Screen Time and scroll down to "Content and Privacy Restrictions". Here you can toggle Allow password changes and account changes on or off; set both to "Don't Allow". I have both of these set to "Don't Allow". Very useful.
Always helping us with great content. Thanks Naomi!
@NaomiBrockwellTV
2 years ago
Thanks Marco!
Been using a yubi for 4 years, love it
Strong security, Alpha. Thank you. Nice Shiba shorts too. Love to know more about strengthening SIM 2FA. Wondering if changing a SIM card will cause TOTP rejection on the same device 👀
@NWforager
2 years ago
@@mirrorneurongirl Neat. Many banks for some reason don't have TOTP, and your findings are a good extra layer via an isolated Google Voice number.
A good way to protect those accounts that ask common questions, like mother's maiden name, or name of your first pet, is to lie. If you type in an answer that has nothing to do with the question, then someone who investigates you and your family will never guess it. Yes, it might be hard for you to remember that the answer you gave to the question of your first pet's name is "the Peloponnesian war", but it will be bloody impossible for someone else to guess, no matter how well they have studied you. Well, unless that actually was your pet's name. Yelling down the hall ... "Here, Pello"?
This was a timely video for me regarding security keys. Thanks Naomi!
Ta Naomi, great update on digital security!
@NaomiBrockwellTV
2 years ago
Most welcome - thanks for watching!
Hey Naomi! So I've been careful to record all of the 2FA setup keys for my Google Authenticator. That means that if I do lose my phone or access to the authenticator app I could set it all back up on a new phone or a redownloaded Google Auth app using the setup keys, right?
@GuillaumeRossolini
2 years ago
Yes. Also the feature wasn't in the app at first, but now you can retroactively get the seeds, right from the app (which Naomi edited the description to mention)
Thanks Naomi.....That was enlightening :)
@NaomiBrockwellTV
2 years ago
Most welcome Ombima
Excellent review ! Thanks so much! I’ve been wondering about a security key! 🔐
I think that this is your best wardrobe yet. You're always very fashionable, but today is my favorite of your styles. Oh, and thanks for the great info. I really was listening while admiring the embroidery.
@NaomiBrockwellTV
2 years ago
🙏💛🧵
Really appreciate the info Naomi thx 💖
@NaomiBrockwellTV
2 years ago
Glad it was helpful!
So if my phone is stolen along with my SIM card with my personal number, can I still open my Google account on another device?
*Thank you for this mountain of information!!*
Def looking forward to the upcoming video on security keys! thanks
Love your content, and the fact it is always unique and useful. Thank you
@NaomiBrockwellTV
2 years ago
Thanks Michelle
Great show 🇨🇦🖖🇨🇦
thank you! Looking forward to your advice on the keys.....
@NaomiBrockwellTV
2 years ago
Coming soon!
@gossedejong9248
2 years ago
@@NaomiBrockwellTV and just so that you know: you are brilliant, fantastic, and great!!!!
I've been using a Yubikey for 2 years now. Very happy. I would recommend the NFC Yubikey to anyone.
@brodriguez11000
2 years ago
Unfortunately a lot of phones don't have NFC.
@ukkendoka
2 years ago
@@brodriguez11000 I'd also recommend phones with NFC. :) You can buy one that plugs into your phone otherwise.
I absolutely love every single blouse you use. They are so pretty! Totally off topic, I know, but oh my, they are beautiful.
Thx for this info as I need it ✊🏽✊🏽💃🏽💥
Screwgle has burned me on 2FA. Forcing activation of 2FA on my Chromebook, defaulting to using the paired phone as a security key, they broke login. Due to some kind of bug in the pairing software I have to reset pairing any time either device restarts, which I can't do until I'm logged in on both devices. So I'm down to a choice of, at login time:
- SMS as a second factor
- generating one-time keys
- disabling 2FA using a device I can log into.
your channel is so ... useful. thank you.
@NaomiBrockwellTV
2 years ago
Thanks Harvey .. I'm glad it was useful
This is a really good video. Thank you.
@NaomiBrockwellTV
2 years ago
🙏
Definitely looking forward to your next video. Thanks Naomi!
Thanks Naomi
Excellent as always, Naomi! One question: I could not find anywhere the 2FA signature counter you mentioned (the one that looks like a YubiKey with 4 digits on it). Any idea where one can find something like it for purchase?
@NaomiBrockwellTV
2 years ago
Sorry for the confusion, the signature counter isn’t visible, it’s an internal process that I tried to visualize!
Hi Naomi, same great channel... same pretty lady! Thank you, great job! 😊👍👍
@NaomiBrockwellTV
2 years ago
Thanks for being here!
When will the KZread video be out comparing and contrasting security keys? This was a very informative video, and I want to purchase a security key, but I don't know which are the best security keys for me.
@NaomiBrockwellTV
1 year ago
Last month! kzread.info/dash/bejne/h5x1sNV6pNmyfpM.html
@Referee006
1 year ago
Thanks for your reply. I followed the link that you sent, but it led me to the video that I watched this morning in which you indicated that another video will follow in which you will compare and contrast the various kinds of security keys. Thanks again.
I have a pair of Yubikeys, and tried to start using them, but support is just not quite there, yet, so I have disabled them for now.
@NaomiBrockwellTV
1 year ago
Yeah, platforms are increasingly using Yubikeys. Keep an eye out as they add support, and you can switch in Yubikeys as they do.
I use KeePassXC with NextCloud to keep the database sync'd on my devices. I also use Aegis on my Android phone. Cool thing about KeePassXC is that it displays QR code of the TOTP token so you can scan it with Aegis. Works pretty well.
Very useful information, thank you for providing it in such detail. I'd like to ask a question about a different topic but still security related. I've heard that the ISP knows everything we are doing online excluding encrypted data. My issue is that I'd like to create a brand new Google account, but they will still be able to track down my address, password and even the phone number used. Is there any way that this situation can be avoided, like how to encrypt the data of precreation? Thank you in advance, I would love to see a video of yours on this topic.
Thank you for sharing this information with the community!!! Always great content! I hope you have a wonderful day ☀
The Queen is blessing us with more uploads, we must continue to behave well for more!
@sim021ful
2 years ago
wtf dude
@NaomiBrockwellTV
2 years ago
LOL
great info. Thank you
Hi Naomi. Thanks for the great video. Very informative. However, I beg to differ on one thing: doesn't Google Authenticator allow you to back up on other devices? I backed up my Google Auth on my other phones, so in case I lose one phone I have a backup.
@NaomiBrockwellTV
2 years ago
Yeah I didn't know that at time of posting, but have since added it to the description! Thanks for the heads up!
My email got hacked over a month ago and still dealing with other accounts being attempted to be logged into. Just received a yubikey and never going through that kind of stress again
Ironically, banks are often the worst safety offenders by offering 2FA by SMS ONLY.
@aaronboggs5799
2 years ago
This is so true. Banks are generally pretty horrendous in this regard. I'm not sure if it's still the case, but at least as recently as a couple years ago, passwords for Wells Fargo online accounts were case *insensitive*. Totally inexcusable.
Actually, I would like to use one of the 2FA keys you showed that goes into USB. Can you use it on Bluetooth? It's handy!
This was brilliant. VERY well done. Shared!
@NaomiBrockwellTV
2 years ago
Thanks Troy
Hi. Great content. I activated the backup of my TOTP; I had forgotten this. About SMS, I don't have one on my phone. I have a virtual one. Is it more secure? Or the same as having a real one? External devices are interesting. Are they more secure than biometric auth?
One good open source OTP app for iOS that allows encrypted backup is Raivo OTP if anyone’s looking. It’s the only one I could find that met those requirements
How is Google different with regards to privacy vs security? I don't see the difference?
what if 2fa locks out a legitimate account holder and somebody hacks the legitimate account holder's account and that legitimate account holder has no idea it happened because they are locked out?
TFA is great as long as you have an offline option without the Internet or phone service. It happens where I live but I still need to work on my laptop. I have that option with an online code and an offline code in rural travel locations. Thanks Naomi for the discussion and links.
Nice video Naomi - what are your thoughts on push notification on apps such as Okta, etc, compared to TOTP? It occurs to me that someone being asked if it was them, could get confused and think perhaps it was them doing something and answer yes to a push notification, but with TOTP, they would not even know someone was attempting to login, so they wouldn't push yes, by mistake, but it would still be nice to get the alert that someone was trying to login as them...
@LimitedWard
2 years ago
I've had that thought as well. Microsoft authenticator has a clever solution to this where they show a random number during the 2FA process that the user has to select on when clicking on the popup. If a hacker managed to steal your creds, then you as the user would not know which number to select, which makes it obvious that you're not the one attempting the sign in.
@loc4725
1 year ago
Repeatedly generating push notifications until the user caves in and authenticates to stop them appearing has worked in the past.
Thank you.
Excellent @Naomi Brockwell, cant wait for that Security Keys video!!! Thank you!!!
@NaomiBrockwellTV
2 years ago
Thanks KJ - stay tuned!
@2point..0
2 years ago
@@NaomiBrockwellTV As always, Sure!!!
The problem with security keys is that if someone physically steals your key (and biometrics), then their security is useless. I can see a cascading future of needing 3FA, then 4FA, 5FA, etc. Example: a key needs to be inserted into a device matching multiple specific hardware IDs (TPM as an example among others) running on a specific internal network over a specific VPN. Right now these would be for people needing an extremely high degree of opsec, and they are completely user unfriendly.
@ironfist7789
2 years ago
Generally, you still have to input a password. If one key is stolen you can remove it from the account with the backup key. If both are stolen you... for example with coinbase, I think you can have the account frozen and then provide extensive documentation such as id/passports to verify identity. Course, if you have 2fa to login to a computer you only manage or something you might be out of luck. People will have to start thinking of them as like house keys or a passport or driver's license that you need to audit for periodically and then take action if they are gone. When people used to steal check books (probably they still do) it was always a bit problematic.
There are not many out there spending time to learn, AND spending time sharing that with others. It is very noble if you give your quality time and energy to do so. For sure the definition of a good person without the intention to get something in return. You are one of them, thank you! As you can see, English isn't my language, so I misunderstand or need some other way to explain, please. 07:20 A lot of your friends use andOTP and some KeePassXC, a password manager with TOTP... 07:42 Some TOTP apps can also be integrated with your password manager, but you would be very wary.... 07:20 & 07:42 = password manager with TOTP / or TOTP integrated with your password manager... is that not the same? If the same, both very wary, right? If not the same, 07:20 is the way to go?
The fact that Google can't recover your 2FA codes is a feature, not a bug. I add them to two devices whenever I sign up for a new service.
While general consensus is that SMS 2FA is better than no 2FA, it may be the opposite in some ways. If I use SMS 2FA (even with a VOIP number), on multiple sites/apps/platforms, inevitable leaks can be cross-referenced with each other and a profile can be formed. This is particularly pernicious if any such leak includes your name, address, work, etc. Did your research for this video lead you to such claims, and either way, what are your thoughts on this? As you can tell from my username, I’ve been called paranoid once or twice :) But with all the automated data scraping and analysis going on, it doesn’t seem so far-fetched.
@NaomiBrockwellTV
2 years ago
Well 2fa is security measure not a privacy measure, if you want both then an anonymous sim might be your best bet!
@thisisntmeitssomeperson
2 years ago
@@NaomiBrockwellTV True, but as you well know, security and privacy are somewhat intertwined. Anonymous SIM certainly helps. I use something similar. Phone numbers individualized to each service help even more, but somewhat expensive if you need dozens of them. Ultimately, phone number reuse (for an authentication factor) is similar to password reuse (also an authentication factor), just not AS dangerous.
You can lock the authentication app and any other with an App Lock app. These lock the apps themselves, so when you want to open one you have to put in a separate password before the app loads, as the App Lock app loads first.
@ultraret
1 year ago
I wonder how secure that is if it just hides or really encrypts -- stupid that google doesn't lock the app themselves
Can you recommend any alternative to Boxcryptor, now that they've been taken over by Dropbox?
I have not yet come across a security key with a signature counter. Just searching for options now. If anyone can recommend one, I'd appreciate you sharing. Thanks in advance.
5:50 Actually, the old code is still valid for a little bit of time for user experience's sake.
I use Bitwarden with Bitwarden TOTP, and on my phone I use Authenticator Pro for protecting my Bitwarden account.
Very informative video. Maybe consider adding chapters so the more informed audience can quickly jump to the important points, especially if you use a clickbait title!
@NaomiBrockwellTV
2 years ago
please define clickbait for me
@xXxJakobxXx3
2 years ago
@@NaomiBrockwellTV The title suggests that there is one specific insecure 2FA method. So I clicked on it, thinking someone had discovered a new security flaw in a 2FA method. Instead, I got a video explaining various 2FA options and listing their pros and cons.
@xXxJakobxXx3
2 years ago
I am sorry, I should have read the description!
@NaomiBrockwellTV
2 years ago
@@xXxJakobxXx3 The video is about how sms 2fa is not secure, and how OTP apps are not as secure as many people think, and I explain why. I don't think that's clickbait.
Is Microsoft Authenticator or Authy better for security and preventing hacking? (Although Authy needs the mobile number.)
@NaomiBrockwellTV
1 year ago
kzread.info/dash/bejne/fHx9o6uzf7PgY6w.html
Pretty happy with Microsoft Authenticator. Has a password lock on the app and backs up to your onedrive (imperfect but not terrible - it's encrypted at rest and in transit, at least on MS side).
HI, I enjoyed the video. Which security keys have signature counters?
Like many, I am sure, my company requires us to have Microsoft Authenticator. However, I find it works very well. It is secured behind a password or biometrics and backs up the data. Also, I think the tip to not use the same service as your password manager is sound.
Security key: does it have to be a separate device? I mean, is it possible to have a security key on a different phone? Like when you have 2 phones for separate phone numbers? 🇳🇱❤️🇺🇦
@prettysmile6869
2 years ago
@Sissel yes it is the flag from The Netherlands with love and solidarity to Ukraine. Peace 2 the world
Oh my God! You are so right on time! On the last Presidents' Day someone tried to hack my phone and Amazon account! I called them the next day, Tuesday, and told them. My phone security programs protected me! So Amazon locked my account and I called my bank to lock my account! The caller ID said Amazon San Francisco! It wasn't them, but my phone didn't save the phone number to give to them. Amazon Tech Support was awesome!!!
I would just like to say that what you described as a replay attack is a man-in-the-middle attack. (I would like to call that a proxy attack, but I'm not sure if this terminology is correct; it is essentially just rerouting the traffic like a proxy so you can usurp the real website but still have the green lock, as the traffic is genuinely secured between you and the proxy.) A replay attack is when you can reuse what the user sent to someone else, even if it is encrypted, to bypass the authentication. One common example with old car keys is recording the signal sent from the car key to the car. Then to open the car, you just "play" your recording back. In the case of TOTP it would mean, for example, an evil extension copying the TOTP code sent to the good website, then sending it to someone else to make them connect immediately with the same code. Normally websites should block a TOTP code from being used twice to connect. It is a security best practice; unfortunately that doesn't mean every website prevents it.
Keys that authenticate the URL... do they also check that the website SSL cert fingerprint has not changed, or query other witnesses to said fingerprint? I hate those MitM (man-in-the-middle) attacks from my company or my church or my ISP or my devious friend, lol!
I use a dedicated Protonmail email account ( used only for authentication) AND protect that email account with an authenticator app.
For 2FA I use Apple keychain in the settings
Phone 2FA used to be trivially overcome via SS7 exploits.
For TOTP codes... ALWAYS have some form of backup / register to multiple devices. But you've been told to do backups for everything for the last 20 years; if you didn't learn it already, tough luck. I have them stored on Yubikeys, which can't be recovered either, which I see as a security feature. Note the plural: key*s*. If I lose one, I'm still able to access everything and create new TOTPs.
Microsoft Authenticator works really well as you can set it up to require authentication from the user before it even opens.
Would you please do a video on security for journalists and dissidents? How does a security key protect accounts if providers share info with corrupt law enforcement who falsify records to get warrants?
@NaomiBrockwellTV
1 year ago
Freedom of the press foundation is a great resource for that
How do you copy and paste passwords safely, and type in the master password for your password vault? Can anyone help please?
Nice review. For FIDO, you need to disable other recovery options such as phone. Also most phones and mobile devices have FIDO chips built in and could use this method for a factor. The ultimate goal is to get rid of passwords.
Thank you for the awesome content.
@NaomiBrockwellTV
2 years ago
Thanks for watching!
Anyone remember RSA's little mess from a few years ago with their 2FA tokens? Like anything, it is only as secure as your trust in the company's products.
Great video well presented and clear.
So much damn info…I feel more lost after watching the video, than before.
@Chuck8541
2 years ago
It’s like…the safest thing to do, is to just use the internet as little as possible. ¯\_(ツ)_/¯
@NaomiBrockwellTV
2 years ago
Take a deep breath and ask me any question :)
@NaomiBrockwellTV
2 years ago
Indeed, as JJ said, you can now export your Google Authenticator seed to another device. I didn't realize it when making the video!
Great episode! :)
Holy S…t. I’m throwing my phone in the trash and going back to a Day Runner.
The best way to NEVER GET HACKED is to have a physical Yubikey; without it, not even you can sign into your account, so if you lose it you're screwed unless you have a backup code written down somewhere.
@MarvelousMarvinB
2 years ago
I have two yubikeys. I just register both. One yubikey is on my keychain and the other is hidden somewhere.
What about aegis
Ma'am please make a video on Authentication cookies, and how to reset them.
The only security measure against hacking is to not use technology.
On the TOTP replay topic: I believe the relevant OWASP cheatsheet does highlight this, and strongly suggests the server stores the last OTP and does NOT let people re-use it. Whether implementers of said systems are following that practice, that's another interesting question...
@FireRat
2 years ago
The example they used of a phishing site isn't even a replay attack because they can use the code you entered to gain access with it being the first time it was used, not a replay
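The replay question raised in the earlier comment about car keys and evil extensions, and the OWASP point in this thread, come down to one server-side rule. The Python below is an added example, not code from the video or from any commenter: an RFC 6238 verifier that tolerates the one-window skew (the "old code still valid for a moment" behaviour) but refuses any code once it has been spent. The base32 seed and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time // step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side TOTP check for one user.

    Accepts the current 30-second window plus `skew` windows either side
    (why a code that just rolled over is still briefly valid), but refuses
    any window at or before the last one that was successfully used, so a
    code captured by a phishing page or a malicious extension cannot be
    submitted a second time. In a real deployment last_used_counter must be
    persisted per user (a database column), not kept in memory."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_used_counter = -1  # highest window ever accepted for this user

    def verify(self, code: str, now: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            # Constant-time comparison; a plain == leaks timing.
            if not hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                continue
            if counter <= self.last_used_counter:
                return False  # correct code, but already spent: replay rejected
            self.last_used_counter = counter
            return True
        return False


def run_scenario() -> dict:
    """Constructed walk-through: the seed and timestamps are made up for this
    example and belong to no real account."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed base32 seed
    v = TotpVerifier(secret)
    t0 = 1_700_000_010  # exact start of a 30-second window (counter 56666667)
    code_a = totp(secret, t0)
    results = {}
    # 1. The legitimate user logs in a few seconds after the code was shown.
    results["fresh"] = v.verify(code_a, t0 + 3)
    # 2. Someone who captured code_a submits it ten seconds later: replay.
    results["replay"] = v.verify(code_a, t0 + 13)
    # 3. The next window's code typed 5 s after rollover is still accepted
    #    (skew window), and it is a new counter, so not a replay.
    results["after_rollover"] = v.verify(totp(secret, t0 + 30), t0 + 35)
    # 4. code_a is now two windows old: outside the skew window entirely.
    results["stale"] = v.verify(code_a, t0 + 65)
    # 5. Garbage input is rejected without touching the counter state.
    results["malformed"] = v.verify("12345", t0 + 40)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:15s} -> {'accepted' if accepted else 'rejected'}")
```

Without the `last_used_counter` check, case 2 would succeed, which is exactly the gap the OWASP guidance closes.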
@2FAS is open source, private, cloud backups, no account required, community driven 2FA app.
How about using MSFT/google authentication for your email and use google voice number for mobile.
What about session hijack does key protect from them
@NaomiBrockwellTV
2 years ago
session hijack or phishing?
People fail to realize there is a difference between 2-Step Authentication and 2-Factor Authentication. SMS is 2-Step and can be man-in-the-middle attacked, with a phone clone, etc. Google Auth works well, but you point out some of the exact issues that caused me to leave Google for another app.
Everything mentioned here is insecure in comparison to a method used some time ago: certified cryptographic devices with a verification process in place, which connect to a secure access module (a special SIM card) and then in turn connect to verified cryptographic software. It was rolled out with ID cards in some countries but never really got activated (you had to pay to get access to the feature that was already on your ID card), and some people didn't like that all email was going to be securely encrypted, even for law enforcement.
Thank you Naomi
@NaomiBrockwellTV
2 years ago
Thank you, Achtung!