11:03 Timezones DON'T cause a problem. Unix time is in UTC time, and timezones are handled by the computer and its own locale configuration. Unix time does not keep timezone data.
I have also wondered the same thing about Star Trek. Recently, I've been trying to figure out if it's really a password that the commander is speaking, or maybe some sort of verification code that they didn't use something like "initiate self-destruct" in a sentence.
You could have stored all your TOTP keys in a separate database of a password manager and, once your phone has broken down, you'd ask a friend for a substitute phone for a few weeks if they have a spare obsolete model, and you'd install the password manager there and the TOTP base. Your story about the two weeks without TOTP is actually what happens when you know enough to set up a password manager and use a password database regularly but forget to set up a proper backup system BEFOREHAND. If your TOTP base exists only on your phone and doesn't get backed up regularly and often enough, then when your phone breaks you'll lose it, so find out how to better sync and back up stuff from your many clients. And better use cloud + encryption for one of the backup copies, but also have a few local ones. And maybe store the backups in such a way that you'd have 3 (2 local and 1 in the cloud) up-to-date ones and 3 (2 local and 1 in the cloud) 1 day or so late, and also have version control for all your backups; that way, even if you do something wrong and the new backup isn't right, the version control will have the previous version and the 1-day-late scheme will save you from overwriting a backup repo with a repo that has a corrupted index. Check out BorgBackup.
Warm reminder: if you are using iPhone, you can turn off message previews under notifications -> messages -> Show previews (scroll to bottom) -> set to "When Unlocked". This prevents people who get your phone from reading the one time code. Now at least they also need to know your pin to unlock the phone first.
Surely, though, the Star Trek computer simply tracks everyone's location? This has happened in many episodes where a member of the crew would ask the computer "Where's Riker?" and it would give them his current location on board the ship. So you'd have the idea that, when you get on board, the ship identifies who you are - say, by biometrics (which, of course, if they take the transporter to board the ship, then you've got the perfect biometric that the transporter buffer has them stored right down to the atom, to confirm who they are on an atomic level) - and then, whilst on board, the computer's always tracking everyone with its internal sensors. Once it knows that that heat signature is Commander Riker, then it can follow that heat signature around the ship with its sensors to be aware of where Riker is at all times. And if that heat signature starts ordering commands, then it knows that it's Riker already. So, really, the voice recognition is just a double check - just in case, in tracking people wandering about the ship, it didn't at some point get confused as two people got very close together and mixed them up - which leaves you with the idea that the password is actually a sanity check. And by sanity check, I literally mean a check of that crew member's sanity. It's not authentication, but rather a deliberately inconvenient "are you sure?" prompt, so they can't set off the self-destruct accidentally, but have to really very deliberately mean it.
Who is this guy?? He should be an educator. Fantastic speaking and explanatory skills! And btw, to whom is he speaking? Is he being interviewed? Why else does he look past the camera?
12:24 In _ST:TNG,_ we've seen that the system can be fooled, although it does take some special circumstances. There's that one episode (4x03, "Brothers") where Data goes haywire and hijacks the _Enterprise_ by imitating Picard's voice. And then he turns the security against the crew by locking all command functions with a security code much longer than most humans would be able to remember.
I know I'm several months late, but I wish you'd touched a bit more on the increased vulnerability to phishing MFA can lead to. If you know you have MFA set up for an account, receiving an email which states "a login attempt was made, if it wasn't you, click here to change your login information" might make you more likely to follow the link without checking the email address itself or other signs of phishing. Then you've clicked the link and filled in your "old" login info and now the phisher has that info.
There actually is an episode of Star Trek: The Next Generation where Captain Picard falls victim to a phishing attack! ("Ship in a Bottle", season 6). I find that especially noteworthy as back when it was made it was the early 1990s, before such a practice became something of note. idk if the term "phishing" even was invented back then, though it might have been... of course, the voice imprint as second factor doesn't help a lot if you can record the audio of him saying the password (or when you can outright synthesize the voice)...
4:48 That is why there is one time use code sent to your account after you use MRS so you can use it to login back and copy the 2fa secret to the auth app
Ever since I saw a white-hat hacking expo where a security expert showed that he could intercept text messages, I don't use my phone for password recovery or 2FA unless it's the only option.
xkcd reference? I mean I'm pretty sure I've seen the xkcd time zone comic strip you're talking about but I thought they were referencing their own time zone video they did a couple years ago.
I hate to be pedantic, but TOTP HMAC is 2SV, not 2FA. There is a second step to logging in, not a second factor to logging in. A true second factor would be a Yubikey. The only XFA, where X > 2, that I know of that actually works is MIRACL.
Thanks for the analysis! 🔍 Just a small off-topic question: 😅 I only have these words 🤔. (behave today finger ski upon boy assault summer exhaust beauty stereo over). I don't know what they are. What should I do with them? 🤷♀️
It's not so much identifying that you are who you say you are; it is more knowing some information that is harder to know. For instance, if you have access to a mobile phone, you have access to ALL the apps on that phone, be that an authenticator app or a stored password database. That doesn't mean the person is you, but it is harder for some other person on the other side of the world to have access.
Oh, another problem is SMS authentication. A website recently had a hacking incident, where someone called up the website owner's phone company, convinced them they were the owner of the phone, and had the number moved to another SIM card. So when they tried to reset the person's password and received an SMS to verify their identity, the message was sent to the attacker's phone instead. This probably would not have happened if the 2-factor authentication wasn't through SMS, and instead through something like Google's Authenticator App, but it just shows that the biggest point of weakness in any security system you can think of is the Human element. Aka, Social Engineering.
@10:56 About time zones problem: that's why EPOCH or UTC is used, for this kind of applications... :-) My big concern on data exchange nowadays is focused on different character encoding troubles...
@Computerphile. Am I wrong for presuming that for 2FA to work, I must have a KEY that corresponds to my Facebook profile to gain access? My situation is that my account was hacked and then they activated the 2FA feature that I hadn't previously used. Facebook confirmed that I was hacked, but since I was logged out on my other devices, I can't access the key. I've contacted FB, but they've been giving me a hard time... They won't deactivate/bypass the feature and won't send me text authentication instead... What can I do?
no, they do it all the time, most often for overriding safety features (i.e. pushing equipment past their normal intended use), unlocking encrypted messages or for transferring access privileges from one person to another. also, on The Original Series, they (at least) once used their self-destruct codes, but canceled it before the countdown ran out. and apparently even after that they still didn't change those passwords, even some 15 or so years later when they actually destroy the ship in Star Trek III, they use the very same passwords from back then!
Interesting topic! I'm curious about the difference between 2-Step Verification and 2-Factor Authentication, and what criteria define them? For instance, hackers have been able to take over people's phone numbers and intercept the security texts - thereby fulfilling the possession factor without physical access to your phone. (I've seen claims that texts therefore only count as 2SV and not 2FA, but I don't know if this definition is correct.) And would an app like Google Authenticator be impervious to this kind of trickery?
Don't use Google Authenticator without writing down backup codes or something like that, because there is no way to back up the shared secret after it has been configured, which means if you factory reset your phone the codes you've got set up are gone, even if your settings are backed up. Even if you have backup codes, this is still a total pain in the ass to go and reset everything, and set up new codes everywhere... There are a number of open TOTP apps on F-Droid, as well as commercial services which provide better usability (though in my opinion they all fall short in terms of trustworthiness).
Those 16 digit codes that we are given when we set up 2FA on an app such as Binance, or similar. Can we re-view them/check if they are correct somehow?
Discord had one time passwords to disable the 2FA should you lose it. Ideally they are kept someplace physically safe, or in such a way that if someone finds it they have no idea what these numbers are, like you call the file gameshark-codes.txt or something.
Is there any need for this if you use really long randomly generated passwords which can't be cracked or stolen in a password manager? Also if you have a recovery code stored somewhere if 2fa fails on you then all an attacker needs is that code right?
+JNCressey Agreed maybe if they actually sold music and thus did actually store a cash balance in the account it would make sense but they don't. Makes sense for such as steam for that reason as they can hold a non trivial balance but not so much Spotify. iTunes or similar would be different too as again iTunes accounts have cash balances.
A friend of mine had his Android phone break on him, which then made it impossible to log back into his Google account from his PC because he couldn't acknowledge the second factor on his phone. He had to get another phone first and then he could use his account and his email again. He turned off 2FA after that experience.
Same happened to me with Google Authenticator, never again. Use Authy: if you lose your phone, just initiate a session on another device to get access to your 2FA.
Best passwords I've used, (I don't use this exact, but the same concept), follows this general idea: Land0Of1The1Free2And3Home5Of8The13Brave! A sentence from something that is easy to remember, the words Titleized, separated by numbers from a sequence you know, end by a special character. Super easy to remember, extremely hard to crack
Instead of Google Authenticator, I use an app called Authy. If my phone dies, I can still access my keys from some other device, or eventually via web browser.
He had a failed phone with Google Authentication. Resolution 1: Backup The QR Codes. Resolution 2: Authy - What I use. Resolution 3: Backup The Recovery Codes. - Seriously, they tell you that explicitly with many service where you use authentication. Most give you a 'single' code. Or more frequently. A number of codes. Resolution 4: Have a 'backup' option for authentication. - Many services give the option of a Yubi Key!
I noticed some apps like discord have backup codes displayed on the actual app just in case you do not have access to your authenticator apps. Is this a security flaw? It seems like it could be. Feels like it defeats the purpose.
These are recovery codes, and other apps suggest that you should print them out and store them in a safe place. The threat of always showing them is that someone who has access to a device you're logged in on can get a 2FA code to use to log in on a new device, while the utility is that if you haven't printed them during setup like it asks you to, you can do that at some later time. Considering that people with a security posture such that they think enabling 2FA is worth it are also likely to lock their devices, I'd say this is an acceptable trade-off but that's mostly a matter of preference.
Several times now, they have done a SIM swap and the hackers got hold of the text message with the code and then logged in. After this, our company will never use SMS text for MFA again.
Lol. Well you're not wrong about the Star Trek Password thing being a bit... Problematic. I mean, Data took control of the ship by replicating Picard's voice, and repeating his command codes. Though I assume Data's reproduction of Picard's voice is a bit more precise than that, it's akin to breaking the security for all the key ship's systems by using a tape recorder.
2 factor authentication: combine a thing you can forget with a thing you can lose.
@MadYellowAsian especially when you really try not to lose something you lose it
I hope no one has put dementia on my schedule.
@MadYellowAsian What if I forget not to lose it?
You have nothing worthy enough of value to have this mindset
Boruut this comment is under appreciated lol
There are actually 5 factors you can choose from:
Something you know (password)
Something you have (phone, token, whatever)
Something you are (fingerprint, iris, etc)
Somewhere you are (geolocation, proximity detection)
Somewhen you are (only on specific days/times)
The last two are rarely used, but ARE valid factors (a common thing for somewhere is being able to unlock your phone without a password as long as you're on your home wifi or within X distance of GPS coordinates).
Alexander McColl it's more applicable to banking than you think. "When can the vault be opened?"
"Only during business hours" (no rogue employees coming back after hours and opening the vault)
"At least 30 minutes after the request" (foiling a bank robbery, as if they are still there 30 mins later, they are caught)
So if my car opens when I get close to it, is this authorisation by localization?
no, it's something you have (the wireless keyfob transmitter). Also a flawed pattern for cars, since it only uses something you have, and also allows for amplification attacks (bring an amplifier between your bedroom window and your car while you're sleeping with your keyfob => open and start the car)
Isn't it both then ?
You have to have the key and be in range of the signal.
Methinks, the some*where* of your home wifi is essentially the some*thing* you have of the router itself.
Mike Pound and Brailsford are two of the people I can listen to ad infinitum. I'd love people like them as teachers. Actually, that's exactly what they are doing right now.
Niels Schellekens I was kind of sad when the video was over after about 13 minutes :(
yeah, if he tells you it's unsafe, would you still use it?
I'm taking Mike's module in Computer Security next year :^)
He's a lecturer at my uni
That's so cool! Do you ever talk about his videos in Uni? Would be an amazing tie-in to learn more of the details!
Yeah definitely! Graham Hutton teaches a Haskell module, and a few times he suggested we check out his video on the Lambda calculus and other concepts. Steve Bagley and Max Wilson also reference their videos occasionally. There's some real interesting stuff on this channel.
"correcthorsebatterystaple" you say?
The safest password there is
Indeed... I use it all the time!! ... Ummm. Whoops.
Diggnuts not so safe any more!
Fash Pone you're safe, all I see is ********
HuNT3r2 is uncrackable!
If you're using Unix time, Timezones shouldn't factor in, as Unix time *should* be the same no matter where you are; The "time" where you are is then calculated after that.
Jeremia Dominguez Time zone could still be a problem though. If someone misconfigured their machine to use a different timezone than what it really should be, but set their real time clock so that they're seeing a "correct" time, then the machine will think that it's in a different Unix time than the actual Unix time. A common misconfiguration for example would be someone who adjusts for daylight savings by moving the real time clock rather than by choosing the correct timezone for their area. Or a technically challenged user who fixes their computer's clock by moving the real time clock when moving to a different country.
I always think of timezones as a date format parameter, unless of course I need to calculate the beginning of the day, 8 am specifically, or something like that.
I would think if the device is using NTP or cellular network time to remain synched, rather than manually putting in the time, they cannot miss.
@@jackt6112 You can also get an, actually extremely accurate, time from GPS since it actually calculates your position and time based on the position and clock of the satellites.
@@birsp So is that in the kernel (not hardware, right)? It must use its own best clock (its crystal reference clock) and its best measure of how fast its clock is. Still, without a regular internet connection it would get off after a while.
*I'm glad you brought this up, interesting stuff*
So does the crystal go even when the machine is off? Or is there some other unit by which it counts, probably less precisely, when it's off.
Hmmmmmmmmm, I'm sure it depends on the hardware (I doubt RPI will keep time without a connection but I will test this). Forgetting my wifi signal now, I'll let you guys know if I have the right time tomorrow.
Back in the mid 1980's when the company my partner worked for got computers in each office, someone in top management insisted they require all employees to use complex passwords, no real words were allowed and they had to be changed every week. Of course no one could remember these crazy passwords so management recommended they write them down on sticky notes and stick them on their monitors. That lasted about 3 months before some top secret government documents were stolen by someone on the cleaning crew.
That's quite a story!
Classic. When you compromise usability, you lose usability and security.
I always found 2FA to be quite convenient, since it takes only about 10 seconds to get my phone, open the app and type it in and I rarely have to do it. All the while it removes a huge security risk. Anyway that's what I thought until I lost my phone's data and had to reset everything.
red toasti Just store 2FA keys on paper. Even with them, no one can access your account without your password.
I love that the password was "correct horse battery staple".
The video is 12:34 long. Well done :D
The perfect example of a bad password. lol!
It marks 12:33, but close enough?
That time when it accepted "12345678" but entering "mypenis" failed saying "too short"!
"password" ? Oh no you have just revealed your main err password as used by thousands! ;-)
In one of the episodes, Data impersonates Picard's voice to commandeer the enterprise.
Don't remember that episode.
@@grn1 Data's creator is dying and sends a signal telling him to come see him basically, but it turns data into "cannot be stopped" mode and locks everyone out of the ship in like a minute.
@@Yakobo15 That sounds vaguely familiar now. Guess I'll have to go back and rewatch TNG sometime.
There is a problem with one version of 2 factor. A number of people have run into an issue where a hacker gets control of their phone number and then goes to various websites and clicks "reset password." Not only is the hacker in, but the original user is frozen out. Sometimes the hacker calls up the phone company, claims to work in a store and they are selling a new phone to a customer. If the operator is stupid, she may transfer the phone number to the hacker's phone.
meh boy mike has the most loveable facial expressions and way of speaking.. like idk its just soo nice to just watch
2FA gives an extra layer of protection and you can easily enable it for various services
In Star Trek the thing to "have" is your personalized communicator. It has to be in the same room as the attempt is done from. More than once you see them tap their communicator first before they say their password. If you lost your communicator you probably can do it, but you have to "reprogram" the computer first.
Please enable captions, I'm deaf
Yeah listen to that guy
@Pure Hungarian well, 3 years ago or before they did not activate them
I love when Mike explains cryptography. It would be nice to see more about OTP and the XOR function behind it.
I'm glad Mike sorted the ghost cube on the shelf! He's a great lecture as one of my highest grades was in his security lecture :D
I love you guys! I can work on my British accent watching your videos and also get some knowledge about my passion which is computer programming.
Keep up your fabulous work!
for some reason i watch exclusively the videos where DR Mike is talking
Timezones _shouldn't_ figure into it, because Unix time is always UTC. Any local time is derived from that according to those really complex rules Tom Scott explained. It may be a bit of a challenge on systems which do not keep their time in relation to that Unix time, but a lot of the popular OSes (e.g., Linux) do.
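The time-zone back-and-forth above (Unix time is UTC; a clock set to the wrong zone is a wrong Unix time) is easy to check with a small TOTP implementation. This is an added example, not code from the video or from any commenter; it uses the RFC 6238 Appendix B test key as a constructed secret and assumes a 30-second step with a one-step verification window.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Constructed demo secret: the RFC 6238 Appendix B test key (ASCII "12345678901234567890").
# A real authenticator secret is random and never lives in source code.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """TOTP (RFC 6238): the counter is floor(unix_time / step).

    unix_time is seconds since 1970-01-01T00:00:00 UTC, so no time zone enters here.
    """
    return hotp(secret, unix_time // step, digits)


def code_from_datetime(secret: bytes, when: datetime, digits: int = 6) -> str:
    """Derive the code from a timezone-aware datetime.

    datetime.timestamp() converts any aware datetime to Unix time, so two datetimes
    naming the same instant in different zones give the same code.  A naive datetime
    would be interpreted in the machine's local zone, which is exactly how a wrong
    zone setting turns into a wrong counter, so refuse it.
    """
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return totp(secret, int(when.timestamp()), digits)


def same_instant_two_zones(secret: bytes, utc_fields: tuple, hours_east: int,
                           digits: int = 6) -> tuple:
    """Codes for one instant written in UTC and in a zone `hours_east` hours east of it."""
    utc_dt = datetime(*utc_fields, tzinfo=timezone.utc)
    local_dt = utc_dt.astimezone(timezone(timedelta(hours=hours_east)))
    return (code_from_datetime(secret, utc_dt, digits),
            code_from_datetime(secret, local_dt, digits))


def verify_totp(secret: bytes, code: str, verifier_time: int,
                window: int = 1, digits: int = 6, step: int = STEP) -> bool:
    """Accept the code for the verifier's current step or up to `window` steps either side.

    The window absorbs small drift and network delay; it does not absorb a clock that
    is off by a whole time zone.  Constant-time comparison avoids leaking digit matches.
    """
    base = verifier_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return True
    return False


def login_with_skew(secret: bytes, true_time: int, skew_seconds: int, window: int = 1) -> bool:
    """Simulate a client whose clock is `skew_seconds` ahead of the verifier's correct clock."""
    code = totp(secret, true_time + skew_seconds)
    return verify_totp(secret, code, true_time, window)


if __name__ == "__main__":
    t = 1234567890  # 2009-02-13T23:31:30Z, which is exactly on a 30-second step boundary
    print("correct clock:    ", login_with_skew(DEMO_SECRET, t, 0))
    print("clock 45 s fast:  ", login_with_skew(DEMO_SECRET, t, 45))
    print("clock 1 hour fast:", login_with_skew(DEMO_SECRET, t, 3600))
    print("UTC vs UTC+2:     ", same_instant_two_zones(DEMO_SECRET, (2009, 2, 13, 23, 31, 30), 2))
```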
Pound that thumbs up button for Dr Mike
No wonder he's a hash expert
+Jeff Irwin AMAZING! 10/10 punnage!
"I mean you smash your phone the last thing you're thinking about is 'ah, I must save my Google authenticator passwords!'" (4:40)
Really? That's the single thing I am the most scared about losing my phone. Everything else is backed up to the cloud, so if I lose my phone the only real loss would be the physical device (which can be replaced with a few hundred dollars) and the damn 2FA passwords (which I have over 20 of), which can be a REAL PAIN to recover. These days, I just keep a safe hard copy of the QR codes and instead of Google Authenticator, use Authy (which has some backup/recovery functionality).
@computerphile Correction: Retina scan, voice recognition, and password is still just 2FA because the first two are the same factor. 5:42
Nah, clearly your eyes are 'something you *have.'* :D
"put it aside for today"
Man a biosecurity video would be so cool!
0:43 2FA
2:15 Combination.
3:45 Multifactor authentication.
5:34 2FA as a subset.
The one time generated password might just be a regular password in the sense that it uses a pre shared key, but at least this pre shared key is not susceptible to any sort of social engineering or phishing attack, like a normal password is
Is it really 2FA if they can say “I forgot my password” and now my phone is enough to get anyone into my E-Mail account and therefore all other accounts?
"Forgot my password" usually doesn't remove 2FA, you can not just get into anything by only having the 2FA key.
There is always a weak point but 2FA is meant to give security by separation. An attacker would have to compromise two systems or get your phone otherwise which very much increases the security.
Obviously there are ways to remove your 2FA key in many places but those usually require more extensive verification of the user or at the very least verification via email which should also have its own 2FA ideally.
2FA's main benefit is also that even if some website leaks your password due to an attack on that site, your stuff is still secure.
That would just be a second single factor authentication method.
I learned so many things on this channel that my university didn't really teach me. Thank you guys!
Also, biometric markers, no matter if it's a fingerprint, a face image, voice print or gait recognition, are never useful as an authenticator, because an authenticator (as in "your password") must have the ability to be changed, but you can't change your biometric markers. Which makes them useful only as the identifier, that is the "user name" part of the authentication process. So if you swipe your finger or hold your face into a camera, and it recognizes who you are and then asks you for authentication (no matter how many factors), that would be acceptable for a service that is allowed to know your real identity. However, if it knows who wants to log in and then uses your biometric marker to log you in automatically, that is just stupidly unsafe. And yes, we all do it; I even installed fingerprint-gui on my laptop as a convenience feature, instead of having to type my password every time I want to sudo something. But that works only locally, not over the internet.
I've had my phone replaced before and just completely forgot that I needed to store these somewhere. Slightly concerned that every service let me reset it with basically no additional verification...
I mean they still send you an email you have to get a code/link from to do so. Which admittedly isn't great. The ones that don't make it so easy warn you about keeping recovery codes just in case.
11:03
Timezones DON'T cause a problem.
Unix time is in UTC time, and timezones are handled by the computer and its own locale configuration.
Unix time does not keep timezone data.
To survive through the repair scenario, always keep an 'old phone' in your cupboard that will work with your current SIM card.
I have also wondered the same thing about Star Trek. Recently, I've been trying to figure out if it's really a password that the commander is speaking, or maybe some sort of verification code that they didn't use something like "initiate self-destruct" in a sentence.
Maybe it's actually a very long one time password that's being whispered to them by their communicators. Would also explain how they remember them.
Steamguard... :/
Why every time? Sheesh.
Thanks dude, this was very helpful, you're carrying my CS exam right now. :)
You could have stored all your TOTP keys in a separate database of a password manager and, once your phone has broken down, you'd ask a friend for a substitute phone for a few weeks if they have a spare obsolete model, and you'd install the password manager there and the TOTP base.
Your story about the two weeks without TOTP is actually what happens when you know enough to set up a password manager and use a password database regularly but forget to set up a proper backup system BEFOREHAND. If your TOTP base exists only on your phone and doesn't get backed up regularly and often enough, then when your phone breaks you'll lose it, so find out how to better sync and back up stuff from your many clients. And better use cloud + encryption for one of the backup copies, but also have a few local ones. And maybe store the backups in such a way that you'd have 3 (2 local and 1 in the cloud) up-to-date ones and 3 (2 local and 1 in the cloud) 1 day or so late, and also have version control for all your backups; that way, even if you do something wrong and the new backup isn't right, the version control will have the previous version and the 1-day-late scheme will save you from overwriting a backup repo with a repo that has a corrupted index.
Check out BorgBackup.
Warm reminder: if you are using iPhone, you can turn off message previews under notifications -> messages -> Show previews (scroll to bottom) -> set to "When Unlocked".
To prevent people who get your phone from getting the one-time code.
Now at least they also need to know your pin to unlock the phone first.
Surely, though, the Star Trek computer simply tracks everyone's location?
This has happened in many episodes where a member of the crew would ask the computer "Where's Riker?" and it would give them his current location on board the ship.
So you'd have the idea that, when you get on board, the ship identifies who you are - say, by biometrics (which, of course, if they take the transporter to board the ship, then you've got the perfect biometric that the transporter buffer has them stored right down to the atom, to confirm who they are on an atomic level) - and then, whilst on board, the computer's always tracking everyone with its internal sensors.
Once it knows that that heat signature is Commander Riker, then it can follow that heat signature around the ship with its sensors to be aware of where Riker is at all times. And if that heat signature starts ordering commands, then it knows that it's Riker already.
So, really, the voice recognition is just a double check - just in case, in tracking people wandering about the ship, it didn't at some point get confused as two people got very close together and mixed them up - which leaves you with the idea that the password is actually a sanity check.
And by sanity check, I literally mean a check of that crew member's sanity.
It's not authentication, but rather a deliberately inconvenient "are you sure?" prompt, so they can't set off the self-destruct accidentally, but have to really very deliberately mean it.
Please enable Captions....
Who is this guy?? He should be an educator. Fantastic speaking and explanatory skills!
And btw, to whom is he speaking? Is he being interviewed? Why else does he look past the camera?
How does FIDO2 work? The flow of data is one way, so it's not a challenge/response mechanism. How does the server know the generated code is valid?
Nobody:
Computerphile: Ah let’s start talking about passwords-
12:24 In _ST:TNG,_ we've seen that the system can be fooled, although it does take some special circumstances. There's that one episode (4x03, "Brothers") where Data goes haywire and hijacks the _Enterprise_ by imitating Picard's voice. And then he turns the security against the crew by locking all command functions with a security code much longer than most humans would be able to remember.
Including the ship's computer. What was on screen didn't match what Data was saying.
If both the device and the server are set internally in UTC, how do timezones affect this method? UTC doesn’t use timezones.
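Several comments here argue that TOTP is unaffected by time zones because Unix time is already UTC, and one asks how the server knows a generated code is valid. The following is an added example, not code from the video or from any commenter: an RFC 4226 / RFC 6238 implementation in Python whose demo secret is the published RFC test-vector key (constructed for the demonstration), with server-side verification using a small skew window, a check that rendering the same instant in different zones changes nothing, and a check that a clock genuinely off by an hour (the misconfigured-RTC case raised above) is rejected.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Constructed demo secret: the published RFC 4226 / RFC 6238 test-vector key
# (ASCII "12345678901234567890"). Real shared secrets are random and never reused.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step, the usual default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Unix time is already UTC,
    so no time-zone information enters the computation at all."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, digits: int = 6, step: int = TIME_STEP) -> bool:
    """Server side: recompute the code for the current step and `window` steps either
    side (tolerating small clock skew) and compare each in constant time."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), candidate)
               for c in range(current - window, current + window + 1))


def same_code_across_zones(secret: bytes, unix_time: int) -> bool:
    """Render one instant as UTC, UTC+9 and UTC-5 wall-clock times, convert each back
    to Unix time and compute TOTP: all three codes are identical."""
    instant = datetime.fromtimestamp(unix_time, tz=timezone.utc)
    zones = (timezone.utc, timezone(timedelta(hours=9)), timezone(timedelta(hours=-5)))
    codes = {totp(secret, int(instant.astimezone(z).timestamp())) for z in zones}
    return len(codes) == 1


def skewed_device_accepted(secret: bytes, server_time: int, skew_seconds: int) -> bool:
    """A device whose clock is genuinely wrong by `skew_seconds` (e.g. an RTC moved by
    an hour instead of fixing the zone setting) computes the code for the wrong step."""
    device_code = totp(secret, server_time + skew_seconds, digits=8)
    return verify_totp(secret, device_code, server_time, digits=8)


if __name__ == "__main__":
    t = 1234567890
    print("RFC 6238 vector T=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))
    print("Same code in every zone:", same_code_across_zones(DEMO_SECRET, t))
    print("Clock off by 30 s accepted:", skewed_device_accepted(DEMO_SECRET, t, 30))
    print("Clock off by 1 h accepted:", skewed_device_accepted(DEMO_SECRET, t, 3600))
```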
TOTP will forever be 'Top of the Pops'
how did we get from "more factors help" to "oh and the additional factor cannot just be random, let's look at this HMAC" ?
Talk about DES and AES
Do keys make you secure? Like hardware, like the YubiKey 5C NFC?
Yeah, if only we had a video on time zones... perhaps with a guy in a red t-shirt? (imho the best video EVER!)
Authy allows you to have your 2FA be shared between multiple devices.
I know I'm several months late, but I wish you'd touched a bit more on the increased vulnerability to phishing MFA can lead to. If you know you have MFA set up for an account, receiving an email which states "a login attempt was made, if it wasn't you, click here to change your login information" might make you more likely to follow the link without checking the email address itself or other signs of phishing. Then you've clicked the link and filled in your "old" login info and now the phisher has that info.
There actually is an episode of Star Trek: The Next Generation where Captain Picard falls victim to a phishing attack! ("Ship in a Bottle", season 6).
I find that especially noteworthy as back when it was made it was the early 1990s, before such a practice became something of note. Idk if the term "phishing" had even been invented back then, though it might have been...
of course, the voice imprint as second factor doesn't help a lot if you can record the audio of him saying the password (or when you can outright synthesize the voice)...
Turned down an offer for studying Computer Science at Nottingham, these videos really make me regret that choice
4:48
That is why there is a one-time-use code sent to your account after you use MRS, so you can use it to log back in and copy the 2FA secret to the auth app.
Ever since I saw a white-hat hacking expo where a security expert showed that he could intercept text messages, I don't use my phone for password recovery or 2FA unless it's the only option.
Twelve and a half minutes to explain that 2-FA is 2-Fluoroamphetamine?
Best password ever Mike (correcthorseb)
Nice xkcd reference xD
The timezones are real!
xkcd reference? I mean I'm pretty sure I've seen the xkcd time zone comic strip you're talking about but I thought they were referencing their own time zone video they did a couple years ago.
I'm fairly sure he was talking about the password at 1:05
Correcthorsebatterystaple
I hate to be pedantic, but TOTP HMAC is 2SV, not 2FA. There is a second step to logging in, not a second factor to logging in.
A true second factor would be a Yubikey. The only XFA, where X > 2, that I know of that actually works is MIRACL.
It's not so much identifying that you are who you say you are; it is more knowing some information that is harder to know. For instance, if you have access to a mobile phone, you have access to ALL the apps on that phone, be that an authenticator app or a stored password database; that doesn't mean the person is you. But it is harder for some other person on the other side of the world to have access.
Oh, another problem is SMS authentication. A website recently had a hacking incident, where someone called up the website owner's phone company, convinced them they were the owner of the phone, and had the number moved to another SIM card. So when they tried to reset the person's password and received an SMS to verify their identity, the message was sent to the attacker's phone instead.
This probably would not have happened if the 2-factor authentication wasn't through SMS, and instead through something like Google's Authenticator App, but it just shows that the biggest point of weakness in any security system you can think of is the Human element. Aka, Social Engineering.
2FA is a must for financial systems. Most other systems work well with strong passwords.
@10:56 About time zones problem: that's why EPOCH or UTC is used, for this kind of applications... :-) My big concern on data exchange nowadays is focused on different character encoding troubles...
The video started off so well but then needlessly complicated.
Hi, I think this is a great video for my followers and so is it ok to share?
What if you don't have a phone?
@Computerphile. Am I wrong in presuming that for 2FA to work, I must have a KEY that corresponds to my Facebook profile to gain access? My situation is that my account was hacked and then they activated the 2FA feature that I hadn't previously used. Facebook confirmed that I was hacked, but since I was logged out on my other devices, I can't access the key. I've contacted FB, but they've been giving me a hard time... They won't deactivate/bypass the feature and won't send me text authentication instead... What can I do?
What is the appropriate way to store the secret key when using Google Authenticator?
Love Dr Pound! More videos with him please!
So what can I do to stop the same thing that happened to you from happening to me regarding google authenticator?
I only remember passwords being said aloud on Star Trek TNG, they were self destruct codes. Hard to use twice. :D
no, they do it all the time, most often for overriding safety features (i.e. pushing equipment past their normal intended use), unlocking encrypted messages or for transferring access privileges from one person to another.
also, on The Original Series, they (at least) once used their self-destruct codes, but canceled it before the countdown ran out. and apparently even after that they still didn't change those passwords, even some 15 or so years later when they actually destroy the ship in Star Trek III, they use the very same passwords from back then!
Interesting topic!
I'm curious about the difference between 2-Step Verification and 2-Factor Authentication, and what criteria define them?
For instance, hackers have been able to take over people's phone numbers and intercept the security texts, thereby fulfilling the possession factor without physical access to your phone. (I've seen claims that texts therefore only count as 2SV and not 2FA, but I don't know if this definition is correct.)
And would an app like Google Authenticator be impervious to this kind of trickery?
Don't use google authenticator, without writing down backup codes or something like that, because there is no way to back up the shared secret after it has been configured, which means if you factory reset your phone the codes you've got set up are gone, even if your settings are backed up. Even if you have backup codes, this is still a total pain in the ass to go and reset everything, and set up new codes everywhere...
There are a number of open TOTP apps on F-Droid, as well as commercial services which provide better usability (though in my opinion they all fall short in terms of trustworthiness).
Surely Unix Epoch is the same in all time zones though?
Those 16 digit codes that we are given when we set up 2FA on an app such as Binance, or similar. Can we re-view them/check if they are correct somehow?
Perhaps in Star Trek their communicator provides an exact location, and it verifies both the voice and the location of the voice match.
Why wouldn't 2FA be read first, then the password? So that people couldn't social engineer your password?
Why does it matter how the OTP is created? As long as it's > 8 characters and it's only going to be used once, it shouldn't matter how you create it.
Discord had a one-time password to disable the 2FA should you lose it. Ideally they are kept someplace physically safe, or in such a way that if someone finds it they have no idea what these numbers are, like you call the file gameshark-codes.txt or something.
Is there any need for this if you use really long randomly generated passwords which can't be cracked or stolen in a password manager?
Also if you have a recovery code stored somewhere if 2fa fails on you then all an attacker needs is that code right?
Nice gentleman, a lot of briefing for enthusiast. Thanks.
So my master password is 11 characters long with symbols, upper and lower case letters and digits. Would this be considered strong or weak?
For some reason this video doesn't play with sound for me :(
Other videos work just fine..
The day after Spotify reconfirmed they're not implementing 2FA...
Why would a music player require 2fa?
What's a hacker going to do; fill your playlists with Justin Bieber?
+JNCressey Agreed maybe if they actually sold music and thus did actually store a cash balance in the account it would make sense but they don't. Makes sense for such as steam for that reason as they can hold a non trivial balance but not so much Spotify. iTunes or similar would be different too as again iTunes accounts have cash balances.
A friend of mine had his Android phone break on him, which then made it impossible to log back into his Google account from his PC because he couldn't acknowledge the second factor on his phone. He had to get another phone first and then he could use his account and his email again. He turned off 2FA after that experience.
Same happened to me with Google Authenticator, never again. Use Authy; if you lose your phone, just initiate a session on another device to get access to your 2FA.
Best passwords I've used, (I don't use this exact, but the same concept), follows this general idea: Land0Of1The1Free2And3Home5Of8The13Brave!
A sentence from something that is easy to remember, the words title-cased, separated by numbers from a sequence you know, ended by a special character. Super easy to remember, extremely hard to crack.
Instead of Google Authenticator, I use an app called Authy. If my phone dies, I can still access my keys from some other device, or eventually via web browser.
Which previous video was he referring to?
He had a failed phone with Google Authentication.
Resolution 1: Backup The QR Codes.
Resolution 2: Authy
- What I use.
Resolution 3: Backup The Recovery Codes.
- Seriously, they tell you that explicitly with many service where you use authentication. Most give you a 'single' code. Or more frequently. A number of codes.
Resolution 4: Have a 'backup' option for authentication.
- Many services give the option of a Yubi Key!
Now please tell us about push based (to mobile phone) 2 factor authentication, e.g from Microsoft
I noticed some apps like discord have backup codes displayed on the actual app just in case you do not have access to your authenticator apps. Is this a security flaw? It seems like it could be. Feels like it defeats the purpose.
These are recovery codes, and other apps suggest that you should print them out and store them in a safe place. The threat of always showing them is that someone who has access to a device you're logged in on can get a 2FA code to use to log in on a new device, while the utility is that if you haven't printed them during setup like it asks you to, you can do that at some later time.
Considering that people with a security posture such that they think enabling 2FA is worth it are also likely to lock their devices, I'd say this is an acceptable trade-off but that's mostly a matter of preference.
Do you have a video about how fingerprint authentication works?
In Star Trek I think there is a kind of synchron-translator system that may obfuscate the told password.
It looks like his watch is/was broken and he had to repair it. The card on our table spelling "Tick King" says many things ;)
Best channel. Best content. Your explanation is the best. But please give subtitles for this video.
Can I please have the names of the books over his head?
Several times now, they have done a SIM swap and the hackers got hold of the text message with the code and then logged in. After this, our company will never use SMS text for MFA again.
Lol. Well you're not wrong about the Star Trek Password thing being a bit... Problematic.
I mean, Data took control of the ship by replicating Picard's voice, and repeating his command codes.
Though I assume Data's reproduction of Picard's voice is a bit more precise than that, it's akin to breaking the security for all the key ship's systems by using a tape recorder.