THIS 2-Factor-Authentication method is NOT secure!!

Science and technology

If a hacker gets access to your email, bank, or crypto account, they can turn your life upside down. How secure are YOUR accounts?
One thing that can help you secure them is to use 2FA (2-factor authentication), where you have to use multiple methods to sign into an account, rather than just a single password on a website. 2FA makes your account MUCH more secure.
But not all 2FA methods are created equal. For example, SIM swaps allow hackers to intercept certain 2FA methods, so if your account is tied to a phone number then you're more vulnerable to being hacked.
We dive into various 2FA methods, including SMS verification, TOTP apps (authenticator apps), and security keys (like YubiKey), explain which is the most secure, and also talk about the tradeoffs of each.
00:00 Intro
01:58 SIM-based 2FA
05:28 Authenticator Apps / TOTP
09:52 Security Keys
For more info about 2FA, check out this awesome article from Paul Stamatiou: paulstamatiou.com/getting-sta...
*Edit: you can now export your google authenticator seed to another device.
Brought to you by NBTV members: Lee Rennie, Will Sandoval, Ogar, and Naomi Brockwell
To support NBTV, visit www.nbtv.media/support
(tax-deductible in the US)
Sign up for the free CryptoBeat newsletter here:
cryptobeat.substack.com/
Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.
Visit the NBTV website:
nbtv.media
Watch this video on Odysee!
open.lbry.com/@NaomiBrockwell...
Here are a bunch of products I like and use. Using these links helps support the channel and future videos!
Recommended Books:
Permanent Record - Edward Snowden
amzn.to/305negc
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State - Glenn Greenwald
amzn.to/2UQmJ4m
What has the government done to our money - Rothbard
amzn.to/2KMzmcu
Naomi's Privacy Bag: some of my favorite products to help protect your privacy!
Use the Brave browser! brave.com/nao076
USB-C to ethernet adapter:
amzn.to/2lOVBoy
Lightning to ethernet adapter:
amzn.to/2nWyNns
Faraday bag (signal stopping, to protect your fob, credit card, computer, and phone)
amzn.to/3DjIvCP
Data Blocker (if you're charging your phone in an unknown port, use this so that no data is transferred)
amzn.to/2SVh0J2
Computer privacy screen (use your computer in public? Keep your information safe! Choose the size right for your computer)
amzn.to/3F816Sn
Phone privacy screen (don't let people in public see your private data, choose the size for your phone)
amzn.to/3wNtYwb
Camera cover (for computers and phones, so no one can access your camera without you knowing)
amzn.to/2Mt7Hic
Privacy Tip: Turn off your wifi and bluetooth when you're not using them!!! (or don't use them at all)

Comments: 291

  • @NaomiBrockwellTV 2 years ago

    As per all my other videos, no I didn't delete your comment. KZread auto deletes comments all the time. If yours disappears, try posting again in various forms until it sticks, and good luck! 🙏 Also, since posting this video I've found out that google authenticator now allows you to back up all codes on another device! Have added that note to my video description.

  • @brandonfarley5297 2 years ago

    Do you have a podcast by any chance?

  • @NaomiBrockwellTV 2 years ago

    @@brandonfarley5297 yep! everything linked on my website www.nbtv.media/episodes/this-2-factor-authentication-method-is-not-secure

  • @cryptowealthonyt 2 years ago

    Naomi my apologies? Where is the link to google auth. back up codes info?

  • @NaomiBrockwellTV 2 years ago

    @@cryptowealthonyt There is no link. The info is in the video description.

  • @TwstedTV 2 years ago

    2FAS Auth app is another really good one. I use both 2FAS Auth and Authy. The ONLY problem I have with Authy is that their Android app consists of a 4-digit PIN to log in, which is pretty insecure IMHO. I even tried to get them to implement a better password login with alphanumerics; this was 4 years ago. Still nothing was done, and I have asked several times.

  • @CoronaBorealis02 2 years ago

    I have been using a Yubikey for about a year now and have been loving it. Great video

  • @xperyskop2475 2 years ago

    Yubikey is the key to proper 2fa security

  • @terry2can914 2 years ago

    That crocheted top girl you’re rocking it💃🏽💃🏽

  • @iamaduckquack 21 days ago

    The best 2fa is the one your account provider offers. Many financial institutions only offer SMS or email (which is unacceptable) but you have to work with what you have.

  • @anuzis 2 years ago

    Great episode! Already have a few security keys, but they are pretty old school. Looking forward to the next episode you mentioned that will look into key differences in security keys!

  • @IamAcerbus a year ago

    I love that you cite helpful articles for further reading. 😊

  • @Avarua59 2 years ago

    Thank you. Very good information. BTW - nice sweater!

  • @NaomiBrockwellTV 2 years ago

    Glad you like it!

  • @harrisonhicks9697 2 years ago

    Superb, Naomi. Really well done.

  • @NaomiBrockwellTV 2 years ago

    Thanks - I really appreciate that

  • @timbinder1966 6 months ago

    Hi Naomi, I love your videos, they are so useful. I have a way of improving the security on iPhones. In Settings, scroll down to Screen Time. Open Screen Time and scroll down to "Content and Privacy Restrictions". Here you can toggle "Allow password changes" and "Account changes" on or off, to "Don't allow". I have both of these set to "Don't allow". Very useful.

  • @italimarco 2 years ago

    Always helping us with great content. Thanks Naomi!

  • @NaomiBrockwellTV 2 years ago

    Thanks Marco!

  • @lossless4129 2 years ago

    Been using a yubi for 4 years, love it

  • @NWforager 2 years ago

    Strong security, Alpha. Thank you. Nice Shiba shorts too. Love to know more about strengthening SIM 2FA. Wondering if changing a SIM card will cause TOTP rejection on the same device 👀

  • @NWforager 2 years ago

    @@mirrorneurongirl Neat. Many banks for some reason don't have TOTP, and your findings are a good extra layer via an isolated Google Voice number.

  • @mjmeans7983 2 years ago

    A good way to protect those accounts that ask common questions, like mother's maiden name, or name of your first pet, is to lie. If you type in an answer that has nothing to do with the question, then someone who investigates you and your family will never guess it. Yes, it might be hard for you to remember that the answer you gave to the question of your first pet's name is "the Peloponnesian war", but it will be bloody impossible for someone else to guess, no matter how well they have studied you. Well, unless that actually was your pet's name. Yelling down the hall ... "Here, Pello"?

  • @cryptowealthonyt 2 years ago

    This was a timely video for me regarding security keys. Thanks Naomi!

  • @Portugal478 2 years ago

    Ta Naomi, great update on digital security!

  • @NaomiBrockwellTV 2 years ago

    Most welcome - thanks for watching!

  • @nathanmead4080 2 years ago

    Hey Naomi! So I've been careful to record all of the 2FA setup keys for my Google Authenticator. That means that if I do lose my phone or access to the authenticator app, I could set it all back up on a new phone or re-downloaded Google Auth app using the setup keys, right?

  • @GuillaumeRossolini 2 years ago

    Yes. Also, the feature wasn't in the app at first, but now you can retroactively get the seeds right from the app (which Naomi edited the description to mention).

  • @_awizzo_ 2 years ago

    Thanks Naomi.....That was enlightening :)

  • @NaomiBrockwellTV 2 years ago

    Most welcome Ombima

  • @RaveSongRecords 2 years ago

    Excellent review ! Thanks so much! I’ve been wondering about a security key! 🔐

  • @angelad1008 2 years ago

    I think that this is your best wardrobe yet. You're always very fashionable, but today is my favorite of your styles. Oh, and thanks for the great info. I really was listening while admiring the embroidery.

  • @NaomiBrockwellTV 2 years ago

    🙏💛🧵

  • @kbs7340 2 years ago

    Really appreciate the info Naomi thx 💖

  • @NaomiBrockwellTV 2 years ago

    Glad it was helpful!

  • @stepot3715 2 years ago

    So if my phone is stolen along with my SIM card with my personal number, can I still open my Google account on another device?

  • @HOLLYWOODlosANGELES a year ago

    *Thanks for this mountain of information!!*

  • @Cryptonomics7 2 years ago

    Def looking forward to the upcoming video on security keys! thanks

  • @michellebrunken1340 2 years ago

    Love your content, and the fact it is always unique and useful. Thank you

  • @NaomiBrockwellTV 2 years ago

    Thanks Michelle

  • @tomausman8645 2 years ago

    Great show 🇨🇦🖖🇨🇦

  • @gossedejong9248 2 years ago

    thank you! Looking forward to your advice on the keys.....

  • @NaomiBrockwellTV 2 years ago

    Coming soon!

  • @gossedejong9248 2 years ago

    @@NaomiBrockwellTV and just so that you know: you are brilliant, fantastic, and great!!!!

  • @ukkendoka 2 years ago

    I've been using a Yubikey for 2 years now. Very happy. I would recommend the NFC Yubikey to anyone.

  • @brodriguez11000 2 years ago

    Unfortunately a lot of phones don't have NFC.

  • @ukkendoka 2 years ago

    @@brodriguez11000 I'd also recommend phones with NFC. :) You can buy one that plugs into your phone otherwise.

  • @mnmlst1 a year ago

    I absolutely love every single blouse you use. They are so pretty! Totally off topic, I know, but oh my, they are beautiful.

  • @terry2can914 2 years ago

    Thx for this info as I need it ✊🏽✊🏽💃🏽💥

  • @hanelyp1 2 years ago

    Screwgle has burned me on 2FA. Forcing activation of 2FA on my Chromebook, defaulting to using the paired phone as a security key, they broke login. Due to some kind of bug in the pairing software I have to reset pairing anytime either device restarts, which I can't do until I'm logged in on both devices. So I'm down to a choice of, at login time:
    - SMS as a second factor
    - generating one time keys
    - disabling 2FA using a device I can log into.

  • @harveygresham3636 2 years ago

    your channel is so ... useful. thank you.

  • @NaomiBrockwellTV 2 years ago

    Thanks Harvey .. I'm glad it was useful

  • @sunchips5 2 years ago

    This is a really good video. Thank you.

  • @NaomiBrockwellTV 2 years ago

    🙏

  • @markb9347 2 years ago

    Definitely looking forward to your next video. Thanks Naomi!

  • @ogcrypto6022 2 years ago

    Thanks Naomi

  • @sylversyrfer6894 2 years ago

    Excellent as always, Naomi! One question: I could not find anywhere the 2FA signature counter you mentioned (the one that looks like a YubiKey with 4 digits on it). Any idea where one can find something like it for purchase?

  • @NaomiBrockwellTV 2 years ago

    Sorry for the confusion, the signature counter isn’t visible, it’s an internal process that I tried to visualize!

  • @PP-ob8zr 2 years ago

    HI Naomi, Same great channel...same pretty lady! Thank you great job! 😊👍👍

  • @NaomiBrockwellTV 2 years ago

    Thanks for being here!

  • @Referee006 a year ago

    When will the KZread video be out comparing and contrasting security keys? This was a very informative video, and I want to purchase a security key, but I don't know what the best security keys are for me.

  • @NaomiBrockwellTV a year ago

    Last month! kzread.info/dash/bejne/h5x1sNV6pNmyfpM.html

  • @Referee006 a year ago

    Thanks for your reply. I followed the link that you sent, but it led me to the video that I watched this morning in which you indicated that another video will follow in which you will compare and contrast the various kinds of security keys. Thanks again.

  • @timothystockman7533 a year ago

    I have a pair of Yubikeys, and tried to start using them, but support is just not quite there, yet, so I have disabled them for now.

  • @NaomiBrockwellTV a year ago

    Yeah, platforms are increasingly using Yubikeys; keep an eye out as they add support, and you can switch in Yubikeys as they do.

  • @Darkk6969 2 years ago

    I use KeePassXC with NextCloud to keep the database synced on my devices. I also use Aegis on my Android phone. The cool thing about KeePassXC is that it displays a QR code of the TOTP token so you can scan it with Aegis. Works pretty well.

  • @RazvanOmega 2 years ago

    Very useful information, thank you for providing it in such detail. I'd like to ask a question about a different topic, but still security related. I've heard that the ISP knows everything we are doing online excluding encrypted data. My issue is that I'd like to create a brand new Google account, but they will still be able to track down my address, password and even the phone number used. Is there any way that this situation can be avoided, like how to encrypt the data of pre-creation? Thank you in advance; I would love to see a video of yours on this topic.

  • @twiddajones 2 years ago

    Thank you for sharing this information with the community!!! Always great content! I hope you have a wonderful day ☀

  • @natemarx4999 2 years ago

    The Queen is blessing us with more uploads, we must continue to behave well for more!

  • @sim021ful 2 years ago

    wtf dude

  • @NaomiBrockwellTV 2 years ago

    LOL

  • @davidspencer3597 2 years ago

    great info. Thank you

  • @seanknight9808 2 years ago

    Hi Naomi. Thanks for the great video. Very informative. However, I beg to differ on one thing: doesn't Google Authenticator allow you to back up on other devices? I backed up my Google Auth on my other phones, so in case I lose one phone I have a backup.

  • @NaomiBrockwellTV 2 years ago

    Yeah I didn't know that at time of posting, but have since added it to the description! Thanks for the heads up!

  • @TheCurlPapi a year ago

    My email got hacked over a month ago and still dealing with other accounts being attempted to be logged into. Just received a yubikey and never going through that kind of stress again

  • @sylversyrfer6894 2 years ago

    Ironically, banks are often the worst safety offenders by offering 2FA by SMS ONLY.

  • @aaronboggs5799 2 years ago

    This is so true. Banks are generally pretty horrendous in this regard. I'm not sure if it's still the case, but at least as recently as a couple years ago, passwords for Wells Fargo online accounts were case *insensitive*. Totally inexcusable.

  • @darkwolf41nite53 a year ago

    Actually I would like to use one of the 2FA keys you showed that goes into USB; can use it on Bluetooth, it's handy!

  • @troy_productiveai 2 years ago

    This was brilliant. VERY well done. Shared!

  • @NaomiBrockwellTV 2 years ago

    Thanks Troy

  • @ckpriv6167 a year ago

    Hi. Great content. I activated the backup of my TOTP; I had forgotten this. About SMS, I don't have one on my phone. I have a virtual one. Is it more secure, or the same as having a real one? External devices are interesting. Are they more secure than biometric auth?

  • @xandstapleford1682 2 years ago

    One good open source OTP app for iOS that allows encrypted backup is Raivo OTP if anyone’s looking. It’s the only one I could find that met those requirements

  • @johnbeckmeyer1696 a year ago

    How is Google different with regards to privacy vs security? I don't see the difference?

  • @rayn1ful a year ago

    what if 2fa locks out a legitimate account holder and somebody hacks the legitimate account holder's account and that legitimate account holder has no idea it happened because they are locked out?

  • @tootalldan5702 2 years ago

    TFA is great as long as you have an offline option without the Internet or phone service. It happens where I live but I still need to work on my laptop. I have that option with an online code and an offline code in rural travel locations. Thanks Naomi for the discussion and links.

  • @MichiganTrikker 2 years ago

    Nice video Naomi - what are your thoughts on push notification on apps such as Okta, etc, compared to TOTP? It occurs to me that someone being asked if it was them, could get confused and think perhaps it was them doing something and answer yes to a push notification, but with TOTP, they would not even know someone was attempting to login, so they wouldn't push yes, by mistake, but it would still be nice to get the alert that someone was trying to login as them...

  • @LimitedWard 2 years ago

    I've had that thought as well. Microsoft Authenticator has a clever solution to this where they show a random number during the 2FA process that the user has to select when clicking on the popup. If a hacker managed to steal your creds, then you as the user would not know which number to select, which makes it obvious that you're not the one attempting the sign-in.

  • @loc4725 a year ago

    Repeatedly generating push notifications until the user caves in and authenticates to stop them appearing has worked in the past.
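    The two points raised in this sub-thread, number matching and push flooding, as an added illustration that is not from the video or from any of the commenters, and not Okta's or Microsoft's code. It is a hypothetical server-side model in Python: a bare "Approve" tap is contrasted with an approval that must carry the number shown on the sign-in screen, and unanswered prompts are counted so that a burst of them suspends push MFA for that user instead of wearing the user down. Class and method names, the pending-prompt limit of 3 and the 60-second prompt lifetime are all my choices.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PushChallenge:
    session_id: str   # ties the prompt to one specific sign-in attempt
    number: int       # displayed on the sign-in screen of whoever started that attempt
    created: float    # unix time the prompt was raised
    answered: bool = False


class PushMfaServer:
    """Hypothetical push-MFA server model (constructed for this example).

    Two defences are shown: number matching, where the phone prompt is only
    satisfied by the number shown on the sign-in screen, and a cap on
    unanswered prompts so a flood of pushes suspends push MFA for the user."""

    MAX_PENDING = 3       # unanswered prompts tolerated before push MFA is suspended (assumed limit)
    CHALLENGE_TTL = 60.0  # seconds a prompt stays answerable (assumed lifetime)

    def __init__(self):
        self.pending = {}    # user -> list of PushChallenge
        self.locked = set()  # users whose push MFA is suspended pending review

    def start_login(self, user: str, now: float):
        """Called after the password check. Returns the challenge to display, or None."""
        if user in self.locked:
            return None
        live = [c for c in self.pending.get(user, [])
                if not c.answered and now - c.created < self.CHALLENGE_TTL]
        if len(live) >= self.MAX_PENDING:
            # Prompt-bombing pattern: stop sending pushes rather than let the user cave in.
            self.locked.add(user)
            self.pending[user] = []
            return None
        challenge = PushChallenge(secrets.token_hex(8), secrets.randbelow(100), now)
        live.append(challenge)
        self.pending[user] = live
        return challenge

    def _take(self, user: str, session_id: str, now: float):
        """Consume the prompt for this session exactly once; None if unknown, used or expired."""
        for c in self.pending.get(user, []):
            if c.session_id == session_id and not c.answered:
                c.answered = True
                return c if now - c.created < self.CHALLENGE_TTL else None
        return None

    def approve_plain(self, user: str, session_id: str, now: float) -> bool:
        """Weak design: a bare 'Approve' tap finishes whichever sign-in raised the prompt."""
        return self._take(user, session_id, now) is not None

    def approve_with_number(self, user: str, session_id: str, typed: int, now: float) -> bool:
        """Number matching: the tap only counts if the user types the number from the sign-in screen."""
        c = self._take(user, session_id, now)
        return c is not None and typed == c.number
```

    The difference is in what the phone owner has to know: with `approve_plain` the owner can finish someone else's sign-in by tapping once, while `approve_with_number` needs the number that only the screen of the attempt's originator shows, so a victim who did not start the sign-in has no correct answer to give. The pending-prompt cap turns a burst of prompts into a lockout that an admin can investigate rather than into a guessing game for the user.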

  • @ronm6585 2 years ago

    Thank you.

  • @2point..0 2 years ago

    Excellent @Naomi Brockwell, can't wait for that Security Keys video!!! Thank you!!!

  • @NaomiBrockwellTV 2 years ago

    Thanks KJ - stay tuned!

  • @2point..0 2 years ago

    @@NaomiBrockwellTV As always, Sure!!!

  • @jasonkaiser1179 2 years ago

    The problem with security keys (and biometrics) is that if someone physically steals your key, then their security is useless. I can see a cascading future of needing 3FA, then 4FA, 5FA etc. Example: a key needs to be inserted into a device matching multiple specific hardware IDs (TPM as an example among others) running on a specific internal network over a specific VPN. These right now would be for people needing an extremely high degree of opsec and are completely user unfriendly.

  • @ironfist7789 2 years ago

    Generally, you still have to input a password. If one key is stolen you can remove it from the account with the backup key. If both are stolen you... for example with coinbase, I think you can have the account frozen and then provide extensive documentation such as id/passports to verify identity. Course, if you have 2fa to login to a computer you only manage or something you might be out of luck. People will have to start thinking of them as like house keys or a passport or driver's license that you need to audit for periodically and then take action if they are gone. When people used to steal check books (probably they still do) it was always a bit problematic.

  • @mr.amsterdam2063 a year ago

    There are not many out there spending time to learn, AND spending time sharing that with others. It is very noble if you give your quality time and energy to do so. For sure the definition of a good person without the intention to get something in return. You are one of them, thank you! As you can see English isn't my language, so I misunderstand or need some other way to explain, please. 07:20 A lot of your friends use AndOTP and some KeePassXC, password manager with TOTP... 07:42 Some TOTP apps can also be integrated with your password manager but you would be very wary.... 07:20 & 07:42 = Password manager with TOTP / or TOTP integrated with your password manager... is that not the same? If the same, both very wary, right? If not the same, 07:20 is the way to go?

  • @iamagi 2 years ago

    The fact that Google can't recover your 2FA codes is a feature, not a bug. I add them to two devices whenever I sign up for a new service.

  • @thisisntmeitssomeperson 2 years ago

    While general consensus is that SMS 2FA is better than no 2FA, it may be the opposite in some ways. If I use SMS 2FA (even with a VOIP number), on multiple sites/apps/platforms, inevitable leaks can be cross-referenced with each other and a profile can be formed. This is particularly pernicious if any such leak includes your name, address, work, etc. Did your research for this video lead you to such claims, and either way, what are your thoughts on this? As you can tell from my username, I’ve been called paranoid once or twice :) But with all the automated data scraping and analysis going on, it doesn’t seem so far-fetched.

  • @NaomiBrockwellTV 2 years ago

    Well, 2FA is a security measure, not a privacy measure; if you want both then an anonymous SIM might be your best bet!

  • @thisisntmeitssomeperson 2 years ago

    @@NaomiBrockwellTV True, but as you well know, security and privacy are somewhat intertwined. Anonymous SIM certainly helps. I use something similar. Phone numbers individualized to each service help even more, but somewhat expensive if you need dozens of them. Ultimately, phone number reuse (for an authentication factor) is similar to password reuse (also an authentication factor), just not AS dangerous.

  • @bluewinterwolf a year ago

    You can lock the authentication app and any other with an App Lock app. These lock the apps themselves, so when you want to open one you have to put in a separate password before the app loads, as the App Lock app loads first.

  • @ultraret a year ago

    I wonder how secure that is, if it just hides or really encrypts. Stupid that Google doesn't lock the app themselves.

  • @hoopoe_ a year ago

    Can you recommend any alternative to Boxcryptor, now that they've been taken over by Dropbox?

  • @UnBubba 4 months ago

    I have not yet come across a security key with a signature counter. Just searching for options now. If anyone can recommend one, I'd appreciate you sharing. Thanks in advance.

  • @medicalwei 2 years ago

    5:50 Actually the old code is still valid for a little bit of time, for user experience's sake.

  • @wumwum42 2 years ago

    I use Bitwarden with Bitwarden TOTP, and on my phone I use Authenticator Pro for protecting my Bitwarden account.

  • @xXxJakobxXx3 2 years ago

    Very informative video. Maybe consider adding chapters so the more informed audience can quickly jump to the important points, especially if you use a clickbait title!

  • @NaomiBrockwellTV 2 years ago

    please define clickbait for me

  • @xXxJakobxXx3 2 years ago

    @@NaomiBrockwellTV The title suggests that there is one specific insecure 2FA method. So I clicked on it, thinking someone had discovered a new security flaw in a 2FA method. Instead, I got a video explaining various 2FA options and listing their pros and cons.

  • @xXxJakobxXx3 2 years ago

    I am sorry, I should have read the description!

  • @NaomiBrockwellTV 2 years ago

    @@xXxJakobxXx3 The video is about how sms 2fa is not secure, and how OTP apps are not as secure as many people think, and I explain why. I don't think that's clickbait.

  • @ritagriffin7120 a year ago

    Is Microsoft Authenticator or Authy better for security and preventing hacking? (Although Authy needs the mobile number)

  • @NaomiBrockwellTV a year ago

    kzread.info/dash/bejne/fHx9o6uzf7PgY6w.html

  • @chloefletcher9612 2 years ago

    Pretty happy with Microsoft Authenticator. Has a password lock on the app and backs up to your onedrive (imperfect but not terrible - it's encrypted at rest and in transit, at least on MS side).

  • @Wigglythegreat2 a year ago

    HI, I enjoyed the video. Which security keys have signature counters?

  • @kcgunesq a year ago

    Like many, I am sure, my company requires us to have Microsoft Authenticator. However, I find it works very well. It is secured behind a password or biometrics and backs up the data. Also, I think the tip to not use the same service as your password manager is sound.

  • @prettysmile6869 2 years ago

    Security key: does it have to be a separate device? I mean, is it possible to have a security key on a different phone? Like when you have 2 phones for separate phone numbers? 🇳🇱❤️🇺🇦

  • @prettysmile6869 2 years ago

    @Sissel yes it is the flag from The Netherlands with love and solidarity to Ukraine. Peace 2 the world

  • @jamesmarchetti3286 2 years ago

    Oh my God! You are so right on time! On the last President's Day someone tried to hack my phone and Amazon account! I called them the next day, Tuesday, and told them. My phone security programs protected me! So Amazon locked my account and I called my bank to lock my account! The caller ID said Amazon San Francisco! It wasn't them, but my phone didn't save the phone number to give to them. Amazon Tech Support was awesome!!!

  • @TheRobbix1206 2 years ago

    I would just like to note that what you described as a replay attack is a man-in-the-middle attack. (I would like to call that a proxy attack, but I'm not sure if this terminology is correct; it is essentially to just reroute the traffic like a proxy so you can usurp the real website but still have the green lock, as the traffic is genuinely secured between you and the proxy.) A replay attack is when you can reuse what the user sent to someone else, even if it is encrypted, to bypass the authentication. One common example, on old car keys, is recording the signal sent from the car key to the car. Then to open the car, you just "play" your recording back. In the case of TOTP it would mean, for example, an evil extension copying the TOTP code sent to the good website, then sending it to someone else to make them connect immediately with the same code. Normally websites should block a TOTP code from being used twice to connect. It is a security best practice; unfortunately that doesn't mean every website prevents it.

  • @samsunga6927 2 years ago

    Keys that authenticate the URL... do they also check that the website's SSL cert fingerprint has not changed, or query other witnesses to said fingerprint? I hate those MitM (man-in-the-middle) attacks from my company or my church or my ISP or my devious friend, lol!

  • @familyacct3367 a year ago

    I use a dedicated Protonmail email account ( used only for authentication) AND protect that email account with an authenticator app.

  • @williamhalstediq 2 years ago

    For 2FA I use Apple keychain in the settings

  • @iaincampbell4422 2 years ago

    Phone 2FA used to be trivially overcome via SS7 exploits.

  • @sagichdirdochnicht4653 2 years ago

    For TOTP codes... ALWAYS have some form of backup / register to multiple devices. But you've been told to do backups for everything for the last 20 years; if you didn't learn it already, tough luck. I have them stored on Yubikeys, which can't be recovered as well, which I see as a security feature. Note the plural: key*s*. If I lose one, I'm still able to access everything and create new TOTPs.

  • @warmonkey96 2 years ago

    Microsoft Authenticator works really well as you can set it up to require authentication from the user before it even opens.

  • @dystopianjustice247 a year ago

    Would you please do a video on security for journalists and dissidents? How does a security key protect accounts, if providers share info with corrupt law enforcement who falsify records to get warrants?

  • @NaomiBrockwellTV a year ago

    Freedom of the Press Foundation is a great resource for that

  • @ashleymorris6636 2 months ago

    How do you copy and paste passwords safely, and type in the master password for your password vault? Can anyone help please?

  • @zgdafzgdaf4264 2 years ago

    Nice review. For FIDO, you need to disable other recovery options such as phone. Also, most phones and mobile devices have FIDO chips built in and could use this method for a factor. The ultimate goal is to get rid of passwords.

  • @gitshell 2 years ago

    Thank you for the awesome content.

  • @NaomiBrockwellTV 2 years ago

    Thanks for watching!

  • @steveos6472 2 years ago

    Anyone remember RSA's little mess from a few years ago with their 2FA tokens? Like anything, it is only as secure as how much you trust the company's products.

  • @Jasenz 2 years ago

    Great video, well presented and clear.

  • @Chuck8541 2 years ago

    So much damn info…I feel more lost after watching the video, than before.

  • @Chuck8541 2 years ago

    It’s like…the safest thing to do, is to just use the internet as little as possible. ¯\_(ツ)_/¯

  • @NaomiBrockwellTV 2 years ago

    Take a deep breath and ask me any question :)

  • @NaomiBrockwellTV 2 years ago

    Indeed, as JJ said, you can now export your Google Authenticator seed to another device; I didn't realize it when making the video!

  • @JesusCaminoGarcia a year ago

    Great episode! :)

  • @johnspitta6725 a year ago

    Holy S…t. I’m throwing my phone in the trash and going back to a Day Runner.

  • @kevOzilla 2 years ago

    The best way to NEVER GET HACKED is to have a physical Yubikey; without it, not even you can sign into your account, so if you lose it you're screwed unless you have a backup code written down somewhere.

  • @MarvelousMarvinB 2 years ago

    I have two yubikeys. I just register both. One yubikey is on my keychain and the other is hidden somewhere.

  • @ahil_god 2 years ago

    What about Aegis?

  • @goodvibes4014 a year ago

    Ma'am please make a video on Authentication cookies, and how to reset them.

  • @herreraedgar694 7 months ago

    The only security measure against hacking is to not use technology.

  • @eight-double-three 2 years ago

    On the TOTP replay topic: I believe the relevant OWASP cheatsheet does highlight this, and strongly suggests the server stores the last OTP and does NOT let people re-use it. Whether implementers of said systems are following that practice, that's another interesting question...

  • @FireRat 2 years ago

    The example they used of a phishing site isn't even a replay attack, because they can use the code you entered to gain access with it being the first time it was used, not a replay.

  • @dhavanbhayani4907 10 months ago

    @2FAS is open source, private, cloud backups, no account required, community driven 2FA app.

  • @thomasedison9047 10 months ago

    D m vinethics he'll help you He fixed mine he has 90k followers account. KZread is not letting me to write to you in full make sure is the right account you Dm

  • @thomasedison9047 10 months ago

    ON Instagram

  • @yesnathan22 a year ago

    How about using MSFT/google authentication for your email and use google voice number for mobile.

  • @alphatech__ 2 years ago

    What about session hijacks, does a key protect from them?

  • @NaomiBrockwellTV 2 years ago

    session hijack or phishing?

  • @duckshot 2 years ago

    People fail to realize there is a difference between 2 Step Authentication and 2 Factor Authentication. SMS is 2 Step and can be man-in-the-middle attacked, a phone clone etc. Google Auth works well, but you point out some of the exact issues that caused me to leave Google for another app.

  • @losttownstreet3409 a year ago

    All mentioned here is insecure in comparison to a method used some long time ago: certified cryptographic devices with a verification process in place, which connect to a secure access module (special SIM card) and then in return connect to verified cryptographic software. It was rolled out with ID cards in some countries but never got really activated (you had to pay to get access to the feature which was already on your ID card), and some people didn't like that all email was going to be securely encrypted even for law enforcement.

  • @achtung001 2 years ago

    Thanks Naomi

  • @NaomiBrockwellTV 2 years ago

    Thanks Achtung!
