Hey Josh. Not sure if you've heard, but there's a huge YouTube channel called Think Media (2.33 million subscribers) whose podcast channel (85.5k subscribers) was hacked just a few days ago. In a recent video, they even explained they had 2FA - and it still got hacked. I thought to mention them because of the similar circumstances to what this video is about. By the way, thanks for the video 🙏
Did they mention what kind of 2FA authentication was used? Because I know that SMS 2FA is the one that is easy to get around by just SIM jacking to get the text.
I don't care to use SMS messages to get codes for another reason. What if somehow you lose access to that phone number? (suppose you change your number) Do you have a list of all the places you used it for access? I prefer to use a security key. Also, I have three of them on any account that allows it. I'm too paranoid to just have two.
One technical mistake: you incorrectly used the term 2FA once in the video. At around 5:55, you say using biometrics instead of 2FA. You correctly described biometrics as "something you are" just before that. The thing is, that "instead of 2FA" really should have been "instead of something you have". 2FA just means using two of "something you know (pw)", "something you have (YubiKey or phone/email)", and "something you are (biometrics)". 2FA does not mean using an authenticator, hardware key, or SMS/email. Password plus biometrics is just as valid 2FA as password plus YubiKey.
I have concerns regarding usage of biometrics that I'd love to see a video from you about, assuming you haven't addressed these issues already... My concerns revolve around end-of-life issues. That is, if everything important is protected by 2FA that requires biometrics to open, how will my executor be able to access these accounts upon my death? I love your videos! Keep 'em coming!
On my phone biometrics is an option. If I lost my finger I could just type in the password; the fingerprint reader just makes it faster. If you are using biometrics for 2FA, you can set up other options like an authenticator and YubiKeys. Then you would have 3 ways to get in.
Most 2FA, including biometrics, can and should be backed up by codes or seed phrases that allow for account access. Even Apple allows you to set up a “Legacy Contact” who can access your account after death.
All great advice. That said, my biggest problem with "who you are" authentication is worrying about my next-of-kin being locked out of important things they'll need to deal with when my biometrics are no longer available. I can give a trusted contact access to my password vault or backup key.
Josh, I don't know if you have touched on this before, but for the past 6 years, I have been using a Nymi Band (biometric fingerprint/EKG touchless device) as a multifactor (3FA?) security passport. I have physically hacked it so that it is part of the bottom strap for my smartwatch. When I approach my PC/laptop, it unlocks them. Same with my Android phone. I have created browser code to only allow my financial websites/apps to be opened when in proximity to the device. Problem is, most of this requires custom coding as FIDO2 simply isn't supported for most situations. And honestly, it's overkill for anything less than strict obligatory compliance environments - and is probably why it's mostly used in these types of organizations. But Nymi would be something for you to take a look at if you haven't already.
After watching some of your videos I have switched to 1Password and purchased two YubiKeys. My issue is carrying the YubiKey with me all the time. Any suggestions? Also, how do I get my Mac to ask for the YubiKey when I log in? Thank you
I use Microsoft Authenticator and logged in with MS. My concern is whether I can be sure that they are all backed up, when I have set it to back up automatically...
I wonder about one thing. If SMS-based 2FA isn't safe, then is it also not safe to have your phone number as a recovery option? For example for a Google account? Should we completely get rid of all phone numbers in our accounts?
0:51 When I was shopping for a new bank (I'm in the EU), I was really convinced by Openbank, a subsidiary of Spanish Santander. Everything was what I was looking for. However, when I saw that they only offered SMS I honestly couldn't believe my eyes. Most banks I encountered don't even offer it as an option anymore, so your list kind of surprises me. Is it an American thing? I looked up ING (Dutch I think), Sparkasse, ComDirect, and DKB (all German).
Biometrics appear to be an excellent solution, with one concern. I believe finger recognition has an equivalent concern to SIM swap. In this case the smartphone is lost or stolen. Then someone lifts the fingerprint off the phone. Kind of like sticking a paper on the back with the password in full view. One can argue this is extremely rare and nothing to worry about, so no worries. SIM swapping, a very rare occurrence, is becoming part of the basic toolkit of hackers. Facial recognition is probably safer unless one has the tendency to squeeze the phone against one's face.
I was using Microsoft Authenticator on my iPhone, but after it failed to recover codes from iCloud I switched to Google Authenticator. Is printing the Google Authenticator QR code enough for backup and recovery?
Security keys. I carry an NFC YubiKey 5 on my key-chain and it's extremely convenient. For the backups I have a password-protected TOTP app (andOTP) (if the website allows multiple types of second factors).
You very often don't provide adequate explanations for your statements. It isn't clear to me at all why it was easy to log in to Dorsey's Twitter account by receiving 2FA codes. The phone company may negligently transfer your telephone number, but it doesn't know your Twitter login password. Please elaborate.
I think, for a broad audience, this is a good video with good advice. The people who are criticizing you for giving bad advice and your advice creating more security vectors are wearing their tinfoil hats too tight. If you are, say, a dissident in some totalitarian regime, your threat level is extremely high and the more difficult you make it for yourself, the more difficult it will be for the FSB or the FBI. But if you are a regular person, having a reasonable amount of security, e.g., some form of 2FA (preferably TOTP, even if stored in your password manager) will make it more difficult for bad actors.
Good secure solution except that hardly any banks or brokerage houses in the USA support using a Yubikey, so its utility is limited by what options are available from the website you're trying to protect with 2FA.
I lose my fingerprints with certain types of work gloves (I haven't used them for a year and a month); those kinds of authentication can't work on me. I restored it, but I have to do some more mometasone furoate ointment. I think it's dangerous to do it, because what if I lose my fingerprint again? And it changes for me, random drying etc.
Secure sometimes isn't convenient. Trust me - your life is not going to fall apart if you lose your 2FA key and you have to wait until you return home to get your backup.
Authy has a solution to the stolen phone problem IF you have set it up properly. Their "multi-device" capability permits you to install the Authy app on multiple devices and sync your authorized account keys across all. THEN, turn off the "multi-device" option so that only your phone is used to get 2FA codes (as normal), but if your phone is stolen, you can log in to your Authy account to enable one of the other devices to get 2FA codes (and later, upon purchase of your new phone, set up your new phone with all of your Authy data). FWIW, I would never use face recognition to log in to my 2FA software.
Apple recently implemented security keys as their second factor instead of OTP. Sure, I switched. But this doesn't seem to work with Firefox for Windows. I mean when I try to log in to iCloud, it asks for my email, my password and YubiKey, but I can't plug it in and use it. Mind you, the key itself works with Firefox on other websites. Who is here to blame and where to ask for help?
I would like to see a video about backup for authenticator apps because I find the concept confusing. What's involved? Can I export something from the app and import it into a different app? Do I need to register two devices against the same web site? Do I need to use different apps? I get the feeling that "backup" means something completely different for authenticators than it does for conventional data, but I am just guessing about that. Some practical guidance would be appreciated.
Mistakes people make with passwords are not changing them frequently enough, writing them down and using the same passwords for multiple accounts. Biometrics are unchangeable and are necessarily reused again and again and with fingerprints you leave them around everywhere.
@@reefhound9902 The advice about frequently changing passwords has changed since I wrote this comment. Now it is not recommended to change passwords frequently unless there has been a data breach or reason to believe it may have been compromised.
If you use 2 YubiKeys you can keep one in a safe. Then if you lose one you still have one. But if you add an authenticator, and backup codes, then you can use those if you lose both keys.
If you lose your key, that’s definitely inconvenient. But we’re talking about one very specific, very unlikely issue that can easily be resolved by just not losing your key 😆
@@AllThingsSecured -- I'd love to use YubiKey solutions, but nearly all of the online sites where I'd want to use it don't support FIDO / YubiKey multi-factor authentication. Like my Samsung phone account, my cellular service, my utility companies, banks, brokerage houses, credit cards, social security, Experian and the other credit bureaus etc. None support anything but crude SMS 2FA. My bank will sell me an old-tech USB stick from RSA for $25 which is good for only my bank. Whoop-de frickin' doo. And YubiKey type solutions can be quite inconvenient for couples who have joint bank accounts / logins or use financial apps like Quicken. I am guessing that financial institutions already take enough support calls on 2FA problems via the SMS method, and they're reticent to implement better 2FA with authenticator apps or hardware keys. So at the moment, the "best" protection for most online sites is still a secure password manager and long, random passwords on sensitive accounts. This is the unfortunate reality, despite the solid work to develop FIDO standards over the past 15 years.
Which service for... 1. non-techie old man 2. very concerned about privacy (more than security really) 3. already using 1Password (but bank doesn't permit this as 2FA) 4. frequently change SIMs (int'l traveller) 5. not keen on big tech
Hey, just found your videos. They are great. Didn't find any on using SSH Certificates. Going to make a push at my company to start using them. Have any feelings on them?
PayPal has a terrible security hole and I cannot convince them their process is wrong and NOT secure against SIM swapping. Even with authentication set up, due to an error in their process, you can still get by the 2FA (but I will not say how here). Maybe you can convince them!
Face id I always thought would feed your details better to big tech, plus all the more handy for better social control. (Coming sooner than you think to your country). Password managers? I ain't that stoopid
It's incredibly frustrating when some sites/services do not allow you to block SMS 2FA. Like what's the darn point of an auth app when all that can be sidestepped by ESN/SIM swap.
I would only use Face ID or fingerprint if it's heavily essential, like something to do with the government or my bank... or the hospital. Unless I fully understand how it works, I don't like the idea of that information being stored.
Thank you so much! I was receiving them by SMS for my PayPal account. Now it's asking me, when I log in, "how would you like to receive the code" (or something like that) and I can select the app or SMS (I made the app the primary choice in settings, yet it still asks if I want to receive it via SMS). Should I remove the SMS option (I can do that)? BUT I'm just hesitant to remove the backup SMS option in case for some reason the app didn't work, crashed or was glitchy (at the moment the app doesn't pop up to show me the authenticator code; I have to go to the app and see the code, which is constantly changing. Is that normal? I'm sure it normally pops up with the code for my email etc., but it didn't with PayPal... I hope all this makes sense! Let me know if you need clarification! It's late at night so perhaps I'm not explaining myself well!)
As always, perfect security tips; I'm really waiting for your videos. There is a related thing I want to ask: is it a good practice to store TOTP tokens in my password manager (side by side with my passwords)?
Hi, I completely agree that relying solely on 2FA and codes to phones isn't sufficient or very secure. I'm a fan of using APPS for added security but would rather have a physical key. However, a significant issue is that not all websites provide these options to their users. This leaves many individuals vulnerable despite their best efforts to secure their accounts. If the companies aren't in the game, then I cannot play.
Speaking about SMS: why do these still exist if there's a way better option called RCS? And not many mobile phone providers support it; everyone loves old stone-age SMS messages.
Hey Josh, so what do you think about using eSIM with a PIN? Would that change your thoughts around using SMS text? Also how about using Google Voice texting?
eSIMs definitely seem to offer better protection against SIM swap attacks and are probably about as secure as using something like Google Voice, which isn't bad either.
Biometrics are not that good of a tool actually. Even if we are not speaking about forced unlocking. I personally witnessed the struggles of a person who got so used to face unlock on an iPhone when this thing suddenly stopped working and demanded a password that was long forgotten. All financial apps were practically blocked in the middle of an exhibition while shopping😅 It took a while to restore access😅
I think the way the world is going, we won't be able to use fingerprint or facial recognition much longer; that will be somehow hacked next. My daughter's phone has opened with my face already.
Your idea of a backup for a 2FA device is flawed by design! There is no reasonable way to keep a device which is updated in a totally separate secure location, because YubiKey doesn't offer any means to back up a device! So, by design, either you have to track and store the secret you will use to keep the backup, where keeping that secret secure becomes its own security issue, as well as meaning you don't have a backup for some period of time. Or you have the backup device on site so you create it as soon as you create the account, which means it isn't in a secondary location. YubiKeys look great, but this backup conundrum is a real problem that I don't see a solution for as of yet. YubiKey has proposals on how this could be done, but it isn't implemented and available yet. 2FA is not being widely used because it has basic usability flaws like this inability to create a backup. (This inability makes it both very secure... but impractical... so therefore the security it offers is a bit meaningless!)
At least you don't have Citizens! They use PUBLIC RECORDS and GIVE 2FA to all those numbers AND you CAN'T REMOVE them. Hope your Ex and the next person to get your home phone don't want access to your bank account!
What are the risks of using face recognition?? Perhaps I am too paranoid but … not sure I want my biometrics stored on any smartphone … Is me? Or is everyone really trying to get my information?? (LOL)
Your videos are unmissable but I would point out that the references to a sponsor have become intrusive. Also, no mention in this video to the benefits of receiving messages and or texts by landline.
Thank you very much for your reply. For information, I receive voiced six-digit PINs - surely a case of 2FA? - from my two building societies, here in the UK. The system works flawlessly. @@AllThingsSecured
Chase bank is horrible. If you trigger their fraud algos, they'll close your accounts and refuse to take your calls to explain how you get your money out of their horrible bank. Many who get hit with this situation won't get their money in less than 12 months, and that's after spending dozens of hours trying to find someone at the bank who can actually help you.
Regarding biometrics, the control of your fingerprint and facial image is not as tight as you may think. While you sleep, your younger child, your wife, your lover, any kind of malicious person can easily swipe your finger on the fingerprint reader of your smartphone. It can take a picture of your face. If you are not asleep, this same person can put a gun to your head and force you to authenticate yourself. Please do not move the red circle from your smartphone/notebook to YOU. It is not pleasant to be a target.
I realize nobody likes being told they're doing something "wrong", but hopefully you were able to learn something new from this video. And special thanks to this week's sponsor, Trend Micro! Get 10% off using code ATS10 here: bit.ly/3WuF5Wc
👍🏻
That's why most of the time when we set up 2FA they give us backup recovery codes to keep safe somewhere.
I like @Authy because it's multi-platform:
iOS, Android, Windows, Mac, Linux
It comes with a backup password, so we can activate it on any platform.
SIM PIN for banks' SMS 2FA
Not OK with biometrics, as in my opinion it should be strictly for banking or govt. purposes.
Some time back iCloud was hacked and a celebrity lost all their photos.
Biometrics like fingerprints may be stolen too.
Elon Musk recently alerted Twitter users that the phone SMS 2FA will be discontinued, and can only be used by Twitter Blue subscribers, and recommended Google Authenticator. I heard that Google Authenticator is not good to use. Do you have a recommendation on a good option for Twitter? Maybe do a video about this since this just happened and many are talking about this?
It's really odd that Google accounts are more secure than bank accounts. I really hope that'll change some time relatively soon. Fingers crossed 🤞🤞.
I agree.
yes, it's strange not all banks require 2FA for online banking. I know a credit union that uses your account number as the username which I don't think is a good idea
@@davinp The reason why bank accounts stick to apps instead of security keys, is that no security key can advertise you a bank loan ;)
I would say it depends where you live.
In Croatia banking apps have really good 2FA or MFA systems in place.
Even before apps for smartphones (with "m-tokens") came out, e-banking authentication was done with physical token devices or e-card readers.
Even now you can obtain those modes of authentication only by going to the bank, and it's a one-time setup.
If the battery dies on the token/e-card reader or you lose a phone, you need to go for setup in a bank. Though you can reactivate the m-token in the phone app with the physical token device or e-card reader.
When you think about it they need to be. Most Google accounts contain everything from passwords, locations, pictures, payment accounts, notes, etc. Someone hacks your bank account, they take your money. They get into your Google account and they have access to your entire digital life.
As far as backing up, I recommend putting the authenticator on every phone and tablet you own. I also recommend taking a screenshot of that initial QR code that you scan in, giving it a site name and saving it to a couple of disconnected USB flash drives and maybe a 3rd in a safety deposit box. This allows you to re-add those sites back into an authenticator should you have to.
That’s another great method of backup.
it’s not great if your photos are automatically stored in the cloud unencrypted…
I've been using a dumb phone for years, and will continue to do so.
In fact, the demand and purchases of them have massively increased recently.
Cheap, cheerful, and reliable.
I am a little wary regarding biometrics. As I understand it, courts can compel someone to provide biometrics without concern of violating their rights. Passwords, on the other hand, may actually be forgotten (or better never known via password manager), so cannot be compelled. I guess it depends on the situation and if other security factors are also used in conjunction with it.
Also, I have had problems using fingerprints in the past. I had it implemented on my phone for a while, but quite frequently it would not recognize me. I also have it set on one of my bank accounts for ATMs. It too often does not recognize me forcing me to try multiple times. My work PC uses facial recognition, but it too frequently does not recognize me causing periodic downtime. It is problematic when the actual person gets locked out of their own accounts.
I’m not aware of the legal requirements of biometrics, but I completely understand your hesitancy.
Wrong, you are talking about how the police can't force you to give them your fingerprints or DNA without probable cause. That is usually for criminal investigations, to prevent evidence becoming invalid in court, because anything not obtained legally or without the person in question's permission is inadmissible in court. It's not about your rights, and it doesn't apply to situations like when you agree to do it in a bank or on your device setup for your own account's security purposes.
@@ygt-cd3mg and yet it happens all the time. They can and will unlock your phone by holding it up to your face, or lying and saying you have to give them your fingerprint.
There's no 5th amendment protection against being forced to use your biometrics. There is with a password.
@@BB-nn9en OK, don't misuse the law you heard about but don't know what it is. The core of the 5th amendment is to prevent self-incrimination, which means if the police get your biometrics unlawfully, aka forced you, then it's no longer court admissible anymore, which means anything they found on your phone after that is unusable as evidence in a court of law. Same way, they can't get your DNA without your consent; they can't just push you on the chair and force your mouth open and swab your mouth.
Unlocking devices and transferring money with the fingerprint of a drunk or unconscious person is easy-peasy and constantly practiced. Biometrics are not yours.
I should add that I'm sick of my credit union, and healthcare providers, not offering 2FA except via text and e-mail. The credit union also restricts how complex my password can be. I understand their reasons for that (people will write it down or forget it), but I use KeePass (secured with a very strong dicepassword that I've memorized) and store very strong passwords within it. It is infuriating that I can secure my Amazon and e-mail accounts more than my financial and health accounts! Argh!
Amen!
The workaround I have found to circumvent services which only allow SMS 2FA or which do not allow to remove that option is to use a phone number such as a Google Voice number which is not tied to a real SIM Card, then ensure I also protect the Google account associated with the Google Voice number using a strong 2FA method.
3:49 In my opinion, storing TOTP in the same password manager as your password doesn't follow best practice. It should be stored/accessible on/via a different technology. Otherwise, if an attacker breaks into your password manager's database, they have access to both of your factors.
The rest of the video is perfect and I like how you increase security awareness.
I agree with you. I think it’s a leap to assume that it’s common for people to have their PW database broken, but even still, it’s better to use a different device.
While you're right, it's still better security than SMS or no 2FA. Using 2FA on a separate device can be a real hassle and will discourage the average user from doing anything. I'll get around to trying a YubiKey at some stage (although my key ring already jangles like a gaoler's), but until then I think 2FA codes in a PWM are an acceptable tradeoff.
It's true if you use an online PM, but if you're using an offline one like KeePass and the password is different from all other passwords, and you're also using something you have such as a key file or hardware key, it shouldn't be a problem at all.
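The thread above turns on one fact: a TOTP "second factor" is nothing more than a shared seed plus the current time, so whoever can read the seed can mint valid codes without the phone. As an added illustration (not code from the video or from any commenter here), the following is a minimal RFC 4226/6238 HOTP/TOTP generator and verifier. The seed is the published RFC 6238 test seed, base32-encoded the way an enrolment QR code would carry it; the generator, verifier and their names are this example's own, not any password manager's API.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample input: the RFC 6238 Appendix B seed ("12345678901234567890"
# as ASCII), base32-encoded as an otpauth:// QR code would present it. A real
# seed looks just the same to a password manager: an opaque secret string.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_seed(seed_b32: str) -> bytes:
    """Base32-decode a seed as shown in an otpauth:// URI (case-insensitive, padding optional)."""
    s = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The seed is the only secret."""
    if at is None:
        at = int(time.time())
    return hotp(decode_seed(seed_b32), at // step, digits)


def verify_totp(seed_b32: str, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    for clock skew, comparing in constant time. A real server must additionally
    remember and reject a code that has already been accepted once."""
    key = decode_seed(seed_b32)
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Whoever holds the seed mints the "something you have" at will; no phone involved.
    print("code right now:", totp(DEMO_SEED_B32))
    print("RFC 6238 vector T=59:", totp(DEMO_SEED_B32, 59))
```

If the vault holding the password also holds DEMO_SEED_B32, a thief who opens the vault runs totp() and has both factors; that is the whole of the "same database" objection, and also why splitting the seed onto a separate device (or replacing TOTP with a hardware key whose private key never leaves it) is the stronger arrangement.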
My bank and CC bank only offer sms also. It is frustrating.
You can prevent SIM swapping by locking your SIM card via your carrier. Verizon let me do this through my account on their website. I also have a PIN for my SIM card that requires me to enter it every time I reboot my phone. (It's a different PIN than the one to unlock my phone.)
Using unencrypted SMS for 2FA is still vulnerable to man-in-the-middle attacks, but it's pretty straightforward to mitigate the risk of SIM swapping.
The problem I've heard is that sometimes the people at the carriers get careless and still hand out SIMs without verifying.
Hey Josh. Not sure if you've heard, but there's a huge RUclips channel called Think Media (2.33 million subscribers) whose podcast channel (85.5k subscribers) was hacked just a few days ago. In a recent video, they even explained they had 2FA - and it still got hacked. I thought to mention them because of the similar circumstances to what this video is about.
By the way, thanks for the video 🙏
Did they mention what kind of 2FA authentication was used? Because I know that SMS 2FA is the one that is easy to get around by just SIM-jacking to get the text.
Often it is the session cookie that gets stolen. No 2FA will help in those cases, as they must be valid for some time...
I don't care to use SMS messages to get codes for another reason. What if somehow you lose access to that phone number? (suppose you change your number) Do you have a list of all the places you used it for access? I prefer to use a security key. Also, I have three of them on any account that allows it. I'm too paranoid to just have two.
One mistake of technicality, you incorrectly used the term 2FA once in the video. At around 5:55, you say using biometrics instead of 2FA. You correctly described biometrics as "something you are" just before that. The thing is, that "instead of 2FA" really should have been "instead of something you have". 2FA just means using two of the "something you know (pw)", "something you have (yubikey or phone/email)", and "something you are (biometrics)". 2FA does not mean using an authenticator, hardware key, or SMS/email. Password plus biometrics is just as valid of 2FA as password plus Yubikey.
I have concerns regarding usage of biometrics that I'd love to see a video from you about, assuming you haven't addressed these issues already... My concerns revolve around end-of-life issues. That is, if everything important is protected by 2FA that requires biometrics to open, how will my executor be able to access these accounts upon my death?
I love your videos! Keep 'em coming!
On my phone biometrics is an option. If I lost my finger I could just type in the password, the fingerprint reader just makes it faster. If you are using biometrics for 2fa, you can set up other options like an authenticator, and yubikeys. Then you would have 3 ways to get in.
Most 2FA, including biometrics, can and should be backed up by codes or seed phrases that allow for account access. Even Apple allows you to set up a “Legacy Contact” who can access your account after death.
Yes, access by trusted individual if something should happen is critical.
I would like to see more about preparing for legacy contacts and end of life issues
All great advice. That said, my biggest problem with "who you are" authentication is worrying about my next-of-kin being locked out of important things they'll need to deal with when my biometrics are no longer available. I can give a trusted contact access to my password vault or backup key.
There are secure backup options (seed phrases kept in a vault, password manager emergency contact, etc.) that mitigate these risks.
Josh, I don't know if you have touched on this before, but for the past 6 years I have been using a Nymi Band (biometric fingerprint/EKG touchless device) as a multifactor (3FA?) security passport. I have physically hacked it so that it is part of the bottom strap of my smartwatch. When I approach my PC/laptop, it unlocks them. Same with my Android phone. I have created browser code to only allow my financial websites/apps to be opened when in proximity to the device. Problem is, most of this requires custom coding, as FIDO2 simply isn't supported for most situations. And honestly, it's overkill for anything less than strict obligatory compliance environments, which is probably why it's mostly used in these types of organizations.
But Nymi would be something for you to take a look at if you haven't already.
Just purchased two YubiKey 5 NFC keys, so I will be watching plenty of RUclips trying to learn as much as I can while waiting on delivery of the keys.
Can the Yubico keys be used for ADVANCED DATA PROTECTION via Apple iCloud?
Where does one buy those special keys that you plugged into your laptop?
Thanks for your great video and tips josh.
My pleasure!
Love the channel. Would also suggest backing up authenticator qr codes to encrypted drives or cryptomator and cloud.
Yea, that's a good idea if you can. Thanks, David!
After watching some of your videos I have switched to 1Password and purchased two YubiKeys. My issue is carrying the YubiKey with me all the time. Any suggestions?
Also, how do I get my Mac to ask for the YubiKey when I log in?
Thank you
Couldn't you backup your authenticator keys on a password manager?
If you set them up at the same time, sure. But it’s difficult to export from an existing Authenticator app to a password manager after the fact.
@@AllThingsSecured Gotcha, I just meant the backup password that you can generate with Authy
I use Microsoft Authenticator and logged in with MS... my concern is whether I can be sure that they are all backed up, when I have set it to back up automatically...
I wonder about one thing. If SMS-based 2FA isn't safe, then is it also not safe to have your phone number as a recovery option? For example for a Google account? Should we completely get rid of all phone numbers in our accounts?
0:51 When I was shopping for a new bank (I'm in the EU), I was really convinced by Openbank, a subsidiary of Spanish Santander. Everything was what I was looking for. However, when I saw that they only offered SMS, I honestly couldn't believe my eyes. Most banks I encountered don't even offer it as an option anymore, so your list kind of surprises me. Is it an American thing? I looked up ING (Dutch, I think), Sparkasse, Comdirect, and DKB (all German).
Given that my phone fails to recognise my fingerprint 50% of the time I don't think I would want to rely on it solely.
Biometrics appear to be an excellent solution with one concern. I believe Finger recognition has an equivalent concern as Sim swap. In this case the smartphone is lost or stolen. Then someone lifts off the fingerprint on the phone. Kind of like sticking a paper on the back with the password in full view. One can argue this is extremely rare and nothing to worry about so no worries. Sim swapping a very rare occurrence is becoming part of the basic toolkit of hackers.
Facial recognition is probably safer unless one has the tendency to squeeze the phone against one's face.
Thank you so much for your hard work! 😊 Need some advice: 🙏 I only have these words 🤔. (behave today finger ski upon boy assault summer exhaust beauty stereo over). How do I use this? 🤨
I was using Microsoft Authenticator on my iPhone, but after it failed to recover codes from iCloud I switched to Google Authenticator. Is printing the Google Authenticator QR code enough for backup and recovery?
I have friends who work in the construction industry that have a hard time with fingerprints or face goggles! Other suggestions on 2FA? Thank you!
Security keys. I carry an NFC YubiKey 5 on my key chain and it's extremely convenient. For the backups I have a password-protected TOTP app (andOTP) (if the website allows multiple types of second factors).
@@pasikavecpruhovany7777 Thank you!
Yup, same answer. The security key is good.
You very often don’t provide adequate explanations for your statements. It isn’t clear to me at all why it was easy to login into Dorsey’s Twitter account by receiving 2FA codes. The phone company may negligently transfer your telephone number but it doesn’t know your twitter login password. Please elaborate.
Forgot password > SMS 2FA.
It's pretty simple; that's probably why he didn't need to explain it further.
Love your videos! look forward to the next one! Thank you
Web sites would do well to use persistent cookies to reduce 2FA usage. That "trust this device" checkbox indicates this is active.
I think, for a broad audience, this is a good video with good advice. The people who are criticizing you for giving bad advice and your advice creating more security vectors are wearing their tinfoil hats too tight. If you are, say, a dissident in some totalitarian regime, your threat level is extremely high and the more difficult you make it for yourself, the more difficult it will be for the FSB or the FBI. But if you are a regular person, having a reasonable amount of security, e.g., some form of 2FA (preferably TOTP, even if stored in your password manager) will make it more difficult for bad actors.
I use OTP with yubikey. In my opinion, this does not reduce security in any way because the codes are not stored on the phone.
Good secure solution except that hardly any banks or brokerage houses in the USA support using a Yubikey, so its utility is limited by what options are available from the website you're trying to protect with 2FA.
Isn't it best to have the 2FA sent to a different phone account, obviously on a different phone?
While many online systems offer 2FA, not all require it to be enabled. I think it is a good idea to enable it to protect yourself from being hacked.
I lose my fingerprints with certain types of work gloves (I haven't used them for 1 year and 1 month); those kinds of authentication can't work on me. I restored it, but I have to apply some more mometasone furoate ointment.
I think it's dangerous to do it, because what if I lose my fingerprints again? And they change for me, random drying etc.
I'd like to hear your thoughts about what users do when they are away from home and they lose their device or it's stolen.
Secure sometimes isn't convenient. Trust me, your life is not going to fall apart if you lose your 2FA key and you have to wait until you return home to get your backup.
Authy has a solution to the stolen phone problem IF you have set it up properly. Their "multi-device" capability permits you to install the Authy app on multiple devices and sync your authorized account keys across all. THEN, turn off the "multi-device" option so that only your phone is used to get 2FA codes. (as normal) but if your phone is stolen, you can login to your Authy account to enable one of the other devices to get 2FA codes (and later, upon purchase of your new phone, setup your new phone with all of your Authy data).
FWIW, I would never use face recognition to login to my 2fa software.
I really appreciate your efforts! I need some advice: My OKX wallet holds some USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). What's the best way to send them to Binance?
Apple recently implemented security keys as their second factor instead of OTP. Sure, I switched. But this doesn't seem to work with Firefox for Windows. I mean, when I try to log in to iCloud, it asks for my email, my password and YubiKey, but I can't plug it in and use it. Mind you, the key itself works with Firefox on other websites. Who is to blame here, and where do I ask for help?
Please explain how to get 2FA? Your explanation was very eloquent but “where does one start”? How do you scan a code when there is no code to scan?
I would like to see a video about backup for authenticator apps, because I find the concept confusing. What's involved? Can I export something from the app and import it into a different app? Do I need to register two devices against the same website? Do I need to use different apps? I get the feeling that "backup" means something completely different for authenticators than it does for conventional data, but I am just guessing about that. Some practical guidance would be appreciated.
Mistakes people make with passwords are not changing them frequently enough, writing them down and using the same passwords for multiple accounts. Biometrics are unchangeable and are necessarily reused again and again and with fingerprints you leave them around everywhere.
Frequently changing passwords is exactly why people write them down.
@@reefhound9902 The advice about frequently changing passwords has changed since I wrote this comment. Now it is not recommended to change passwords frequently unless there has been a data breach or reason to believe it may have been compromised.
I wonder why some shopping apps like Flipkart still don't have 2FA.
I am not using YubiKeys, even though I have them, because: if I go out of town for work and lose the keys... what do I do?!
@Bello Cr yeah... but 340 miles away can be an issue ;)
If you use 2 YubiKeys you can keep one in a safe. Then if you lose one you still have one. But if you add an authenticator and backup codes, then you can use those if you lose both keys.
If you lose your key, that’s definitely inconvenient. But we’re talking about one very specific, very unlikely issue that can easily be resolved by just not losing your key 😆
@@AllThingsSecured I'd love to use YubiKey solutions, but nearly all of the online sites where I'd want to use it don't support FIDO / YubiKey multi-factor authentication. Like my Samsung phone account, my cellular service, my utility companies, banks, brokerage houses, credit cards, Social Security, Experian and the other credit bureaus, etc. None support anything but crude SMS 2FA. My bank will sell me an old-tech USB stick from RSA for $25 which is good for only my bank. Whoop-de frickin' doo. And YubiKey-type solutions can be quite inconvenient for couples who have joint bank accounts / logins or use financial apps like Quicken.
I am guessing that financial institutions already take enough support calls on 2FA problems via the SMS method, and they're reticent to implement better 2FA with Authenticator apps or hardware keys. So at the moment, the "best" protection for most online sites is still a secure password manager and long, random passwords on sensitive accounts.
This is the unfortunate reality, despite the solid work to develop FIDO standards over the past 15 years.
Which service for...
1. non-techie old man
2. very concerned about privacy (more than security really)
3. already using 1Password (but bank doesn't permit this as 2FA)
4. frequently change SIMs (int'l traveller)
5. not keen on big tech
Hey, just found your videos. They are great. Didn't find any on using SSH Certificates. Going to make a push at my company to start using them. Have any feelings on them?
You have to also have the password. What good would it be to get my text?
Which is more secure for 2FA, Google Prompts or Authy Authenticator App?
Hi, how are you?
I have an account that was deleted from Google Authenticator that I can no longer recover. Your help would be useful, thanks.
PayPal has a terrible security hole and I cannot convince them their process is wrong and NOT secure against SIM swapping. Even with authentication set up, due to an error in their process, you can still get by the 2FA (but I will not say how here). Maybe you can convince them!
Face ID, I always thought, would feed your details better to big tech, plus all the more handy for better social control. (Coming sooner than you think to your country.) Password managers? I ain't that stoopid.
Keep your old phone to backup your auth app. Put your auth app on your laptop.
Well, a lot of biometric checks in consumer electronics are actually much easier to crack than SMS 2FA... We did this in pentests in the past...
As long as banks keep using sms based 2FA there is no way we can ditch it completely
Have you made any videos about Ledger?
So are biometrics better than SMS 2FA? It seems that every time I enable Face ID the 2FA goes away.
you cannot have both.
Do you know how to turn it off?
It's incredibly frustrating when some sites/services do not allow you to block SMS 2FA. Like, what's the darn point of an auth app when all that can be sidestepped by an ESN/SIM swap?
Yea, I know what you mean.
My problem is even finding the 2FA to enable it, then if I do, going on further from there setting things up the right way!!
I would only use face ID or finger print if it's heavily essential like something to do with the government or my bank... or the hospital
Unless I fully understand how it works, I don't like the idea of that information being stored.
Thank you so much! I was receiving them by SMS for my PayPal account. Now when I log in it's asking me "how would you like to receive the code" (or something like that) and I can select the app or SMS (I made the app the primary choice in settings, yet it still asks if I want to receive it via SMS). Should I remove the SMS option (I can do that)?
BUT I'm just hesitant to remove the backup SMS option in case for some reason the app doesn't work, crashes or is glitchy (at the moment the app doesn't pop up to show me the authenticator code; I have to go to the app and see the code, which is constantly changing. Is that normal? I'm sure it normally pops up with the code for my email etc. But it didn't with PayPal... I hope all this makes sense! Let me know if you need clarification! It's late at night, so perhaps I'm not explaining myself well!)
The app I’m using doesn’t do push notifications for certain websites etc. think I will get another authenticator too…
Do you only advertise products that you actually use?
Would you recommend this for crypto platforms
2FA? Absolutely. If a key is possible, that's best, and always be sure to back it up.
As Always, perfect security tips, I'm really waiting for your videos.
There is a related thing I want to ask: is it good practice to store TOTP tokens in my password manager (side by side with my passwords)?
Pretty?
Hi, I completely agree that relying solely on 2FA and codes to phones isn't sufficient or very secure. I'm a fan of using apps for added security, but I'd rather have a physical key. However, a significant issue is that not all websites provide these options to their users. This leaves many individuals vulnerable despite their best efforts to secure their accounts. If the companies aren't in the game, then I cannot play.
Speaking about SMS: why do these still exist, if there's a way better option called RCS? And not many mobile phone providers support it; everyone loves old stone-age SMS messages.
Hey Josh, so what do you think about using an eSIM with a PIN? Would that change your thoughts around using SMS text? Also, how about using Google Voice texting?
eSIMs definitely seem to offer better protection against SIM swap attacks and are probably about as secure as using something like Google Voice, which isn't bad either.
It really infuriates me that Chase doesn't allow physical keys for 2FA. It also doesn't allow long passphrases to be used as passwords.
You lost me. Is the fingerprint secure? Secure from who? Facial recognition? Can't they just use a picture? Passwords are much safer. Right?
I have 3 backups of all my codes.
Biometrics are not that good of a tool, actually, even if we are not speaking about forced unlocking. I personally witnessed the struggles of a person who got so used to face unlock on an iPhone that when this thing suddenly stopped working and demanded a password, it was long forgotten. All financial apps were practically blocked in the middle of an exhibition while shopping😅 It took a while to restore access😅
I believe I allowed my Google account to keep backups of my Google authenticator. Bad idea?
SMS text is not secure. It is the least secure of all 2FA methods
My iPhone 14 doesn’t use a SIM card. 🤷♀️
I think, the way the world is going, we won't be able to use fingerprint or facial recognition much longer; that will somehow be hacked next. My daughter's phone has opened with my face already.
Microsoft Authenticator was supposed to backup my codes. But it didn't.
Your idea of a backup for a 2FA device is flawed by design! There is no reasonable way to keep a device which is updated in a totally separate secure location, because YubiKey doesn't offer any means to back up a device! So, by design, either you have to track and store the secret you will use to create the backup, where keeping that secret secure becomes its own security issue, and it also means you don't have a backup for some period of time. Or you have the backup device on site so you can create it as soon as you create the account, which means it isn't in a secondary location. YubiKeys look great, but this backup conundrum is a real problem that I don't see a solution for as of yet. YubiKey has proposals on how this could be done, but it isn't implemented and available yet. 2FA is not being widely used because it has basic usability flaws like this inability to create a backup. (This inability makes it both very secure... but impractical... so therefore the security it offers is a bit meaningless!)
I found a serious problem with 2FA: my SIM card is broken and I'm locked out of doing anything useful.
How about Norton?
What about it?
@@AllThingsSecured the difference between both
At least you don't have Citizens! They use PUBLIC RECORDS and GIVE 2FA to all those numbers AND you CAN'T REMOVE them. Hope your Ex and the next person to get your home phone don't want access to your bank account!
What I think? I want to NEVER depend on which device nor which devices. NEVER!
What are the risks of using face recognition?? Perhaps I am too paranoid but … not sure I want my biometrics stored on any smartphone …
Is me? Or is everyone really trying to get my information?? (LOL)
Different people have different threat profiles. I won’t judge you for not trusting biometrics.
Your videos are unmissable but I would point out that the references to a sponsor have become intrusive. Also, no mention in this video to the benefits of receiving messages and or texts by landline.
Sorry you feel that way. I have to keep the lights on somehow!
Also, you can't receive 2FA codes over a landline.
Thank you very much for your reply. For information, I receive voiced six-digit PINs - surely a case of 2FA? - from my two building societies, here in the UK. The system works flawlessly. @@AllThingsSecured
Just making it more and more complicated to understand.
Chase... can't be worse than MBNA :))
Maybe not 😂
Chase bank is horrible. If you trigger their fraud algos, they'll close your accounts and refuse to take your calls to explain how you get your money out of their horrible bank. Many who get hit with this situation won't get their money in less than 12 months, and that's after spending dozens of hours trying to find someone at the bank who can actually help you.
No facial recognition nor voice
Regarding biometrics, the control of your fingerprint and facial image is not as tight as you may think. While you sleep, your younger child, your wife, your lover, any kind of malicious person can easily swipe your finger on the fingerprint reader of your smartphone. It can take a picture of your face. If you are not asleep, this same person can put a gun to your head and force you to authenticate yourself. Please do not move the red circle from your smartphone/notebook to YOU. It is not pleasant to be a target.
Go blockchain problem solved.
This an ad, don't watch it.
You are doing 2FA wrong. What a stupid title.
Thanks
You talk too much. Too confusing. Got nothing of it.