3 MISTAKES You're Making with 2-Factor Authentication (2FA)

I realize nobody likes being told they're doing something "wrong", but hopefully you were able to learn something new from this video. And special thanks to this week's sponsor, Trend Micro! Get 10% off using code ATS10 here: bit.ly/3WuF5Wc

It's really odd that google accounts are more secure than bank accounts. I really hope that'll change some time relatively soon. fingers crossed 🤞🤞.

As far as backing up I recommend putting the authenticator on every phone and tablet you own. I also recommend taking s a screenshot of that initial QR code that you scan in, giving it a site name and saving it to a couple disconnected USB flash drives and maybe a 3rd in a safety deposit box. This allows you to re-add those sites back into an authenticator should you have to.

Love your videos! look forward to the next one! Thank you

I am a little wary regarding biometrics. As I understand it, courts can compel someone to provide biometrics without concern of violating their rights. Passwords, on the other hand, may actually be forgotten (or better never known via password manager), so cannot be compelled. I guess it depends on the situation and if other security factors are also used in conjunction with it.
Also, I have had problems using fingerprints in the past. I had it implemented on my phone for a while, but quite frequently it would not recognize me. I also have it set on one of my bank accounts for ATMs. It too often does not recognize me forcing me to try multiple times. My work PC uses facial recognition, but it too frequently does not recognize me causing periodic downtime. It is problematic when the actual person gets locked out of their own accounts.

After watching some of your videos I have switched to 1Password and purchased two Ubikey. My issue is carrying the Ubikey with me all the time. Any suggestions?
Also, how do I get my Mac to ask for Ubikey when I login?
Thank you

I should add that I'm sick of my credit union, and healthcare providers, not offering 2FA except via text and e-mail. The credit union also restricts how complex my password can be. I understand that their reasons for that (people will write it down or forget it), but I use KeePass (secured with a very strong dicepassword that I've memorized) and store very strong passwords within it. It is infuriating that I can secure my Amazon and e-mail accounts more than my financial and health accounts! Argh!

Hey, just found your videos. They are great. Didn't find any on using SSH Certificates. Going to make a push at my company to start using them. Have any feelings on them?

Thanks for your great video and tips josh.

Can the Yubico keys be used for ADVANCED DATA PROTECTION via Apple iCloud?

Where does one buy those special keys that you plugged into your la top?

I use Microsoft Autheticator and logged in with MS.. my concern is if I can be sure that they all are backed up, when i have the set it to backup automaticaly...

Love the channel. Would also suggest backing up authenticator qr codes to encrypted drives or cryptomator and cloud.

As Always, perfect security tips, I'm really waiting for your videos.
There is a related thing I want to ask, Is it a good practice to store TOTP tokens in my password manager (side by side of my passwords)?

I was using Microsoft authenticator on my iphone but after it failed to recover codes from icloud I switched to google authenticator is printing google authenticator qr code enough for backup and recover ?

Hey Josh, so what do you think about using ESIM with a pin? Would that change your thoughts around using SMS text? Also how about using Google voice texting?

My bank and CC bank only offer sms also. It is frustrating.

While many online systems offer 2FA, not all require it be enabled. I think it is a good idea to enable to protect your from being hacked

I wonder about one thing. If SMS based 2FA isnt safe then is it also not safe to have your phone numbery as a recovery option? For example for a Google account? Should we completly get rid all phone numbers in our accounts?

Josh, I don't know if you have touched on this before, but For the past 6 years, I have been using a Nymi Band (biometric fingerprint/EKG touchless device) as a multifactor (3FA?) security passport. I have physically hacked it so that it is part of the the bottom strap for my Smartwatch. When I approach my PC/laptop, it unlocks them. Same With my Android phone. I have created browser code to only allow my financial websites/apps to be opened when in proximity to the device. Problem is, most of this requires custom coding as FIDO2 simply isn't supported for most situations. And honestly, its overkill for anything less than strict obligatory compliance environments - and is probably why its mostly used in these types of organizations.
But Nymi would be something for you to take a look at if you haven't already.

Given that my phone fails to recognise my fingerprint 50% of the time I don't think I would want to rely on it solely.

I lose my fingerprints with certain types of work gloves( i dont use them since 1 year 1 month), those kind of autheticationt cant work on me, i restored it, but I have to do some more momentasone furoate ointment
I think its dangerous to do it, because what if I lose my fingerprint again? and it changes for me, random drying etc

Web sites would do well to use persistent cookies to reduce 2FA usage. That "trust this device" checkbox indicates this is active.

I don't care to use SMS messages to get codes for another reason. What if somehow you lose access to that phone number? (suppose you change your number) Do you have a list of all the places you used it for access? I prefer to use a security key. Also, I have three of them on any account that allows it. I'm too paranoid to just have two.

Hey Josh. Not sure if you've heard, but there's a huge RUclips channel called Think Media (2.33 million subscribers) whose podcast channel (85.5k subscribers) was hacked just a few days ago. In a recent video, they even explained they had 2FA - and it still got hacked. I thought to mention them because of the similar circumstances to what this video is about.
By the way, thanks for the video 🙏

I have concerns regarding usage of biometrics that I'd love to see a video from you about;assuming you haven't addressed these issues already... My concerns revolve around end of life issues. That is, if everything important is protected by 2fa that requires biometrics to open, how will my executor be able to access these accounts upon my death.
I love your videos! Keep 'em coming!

You can prevent SIM swapping by locking your SIM card via your carrier. Verizon let me do this through my account on their website. I also have a PIN for my SIM card that requires me to enter it every time I reboot my phone. (It's a different PIN than the one to unlock my phone.)
Using unencrypted SMS for 2FA is still vulnerable to man-in-the-middle attacks, but it's pretty straightforward to mitigate the risk of SIM swapping.

I would like to see a video about backup for authenticators apps because i find the concept confusing. What's involved? Can i export something from the app and import into a different app? Do i need to register two devices against the same web site? Do in need to use different apps? I get the feeling that "backup" means something completely different for authenticators than it does for conventional data, but i am just guessing about that. Some practical guidance would be appreciated.

Which is more secure for 2FA, Google Prompts or Authy Authenticator App?

All great advice. That said, my biggest problem with "who you are" authentication is worrying about my next-of-kin being locked out of important things they'll need to deal with when my biometrics are no longer available. I can give a trusted contact access to my password vault or backup key.

You have to also have the password. What good would it be to get my text?

Just purchased two yubikey 5 nfc keys so will be watching plenty of RUclips trying to learn as much as I can why waiting on delivery of the keys

Have you made any video's about Ledger?

I wpnder why spme shopping Apps like flipkart still dont have 2FA

I have friends works in the construction industry that have a hard time with fingerprints or face goggles! Other suggestions on 2FA? Thank you!

0:51 When I was shopping for a new bank (I'm in the EU), I was really convinced by open bank, a subsidiary of Spanish Santander. Everything was what I was looking. However, When I saw that they only offered SMS I honestly couldn't believe my eyes. Most banks I encountered don't even offer it as an option anymore so your list kind of surprises me. Is it an American thing? I looked up ING (duch I think), Sparkasse, ComDirect, and DKB (all German).

I heard the keys dont work on banking sites. Is this true for all banks?

Do you only advertise for products that u actually use?

I'd like to hear your thoughts about what users do when they are away from home and they loose their device or it's stolen.

Salut, comment allez vous ?
Voilà j'ai un compte qui a été supprimé de Google authenticator que je n'arrive plus à récupérer. Votre serait utile merci

You very often don’t provide adequate explanations for your statements. It isn’t clear to me at all why it was easy to login into Dorsey’s Twitter account by receiving 2FA codes. The phone company may negligently transfer your telephone number but it doesn’t know your twitter login password. Please elaborate.

My problem is even finding the 2FA to enable it, then if I do then goin on further frm there setting things up the right way!!

Couldn't you backup your authenticator keys on a password manager?

Well, a lot of biometrics checks in consumer electronics are actually much easier to crack than SMS2FA... We did this in pentests in the past...

Biometrics appear to be an excellent solution with one concern. I believe Finger recognition has an equivalent concern as Sim swap. In this case the smartphone is lost or stolen. Then someone lifts off the fingerprint on the phone. Kind of like sticking a paper on the back with the password in full view. One can argue this is extremely rare and nothing to worry about so no worries. Sim swapping a very rare occurrence is becoming part of the basic toolkit of hackers.
Facial recognition is probably safer unless one has the tendency to squeeze the phone against one's face.

I use OTP with yubikey. In my opinion, this does not reduce security in any way because the codes are not stored on the phone.

Please explain how to get 2FA? Your explanation was very eloquent but “where does one start”? How do you scan a code when there is no code to scan?

So are biometrics better than SMS 2FA? It seems that every time I enable FaceiD the 2FA goes away.

I believe I allowed my Google account to keep backups of my Google authenticator. Bad idea?

As long as banks keep using sms based 2FA there is no way we can ditch it completely

Keep your old phone to backup your auth app. Put your auth app on your laptop.

3:49 In my opinion, storing TOTP in the same password manager as your password doesn't follow the best practice. It should be stored/accessible on/via a different technology. In this case, if an attacker breaks your password manager's database, he/she/they has access to both of your factors.
The rest of the video is perfect and I like how you increase security awareness.

Would you recommend this for crypto platforms

thank you so much! was receiving them by sms for my PayPal account. Now its asking me , when i log in, "how would you like to receive the code (or something like that) and i can select the app or sms (i made the app primary choice in settings yet it still asks if i want to receive via an sms. Should i remove the sms option (can do)?
BUT im just hesitant to remove the backup sms option in case for some reason the app didn't work, crashes or was glitchy (atm the app doesn't pop up to show me the authenticator code- have to go to the app and see the code which is constantly changing- is that normal? im sure it normally pops up with the code for my email etc. But it didn't with PayPal ... I hope all this makes sense! let me know if you need clarification! Its late at night so perhaps im not explaining my self well!)

Face id I always thought would feed your details better to big tech, plus all the more handy for better social control. (Coming sooner than you think to your country). Password managers? I ain't that stoopid

Apple recently implemeted security keys as their second factor instead of OTP. Sure I switched. But this doesn't seem to work with Firefox for Windows. I mean when I try to log in to iCloud, it asks for my email, my password and yubikey, but I can't plug it in and use it. Mind you, the key itself works with Firefox on other websites. Who is here to blame and where to ask for help?

I think, for a broad audience, this is a good video with good advice. The people who are criticizing you for giving bad advice and your advice creating more security vectors are wearing their tinfoil hats too tight. If you are, say, a dissident in some totalitarian regime, your threat level is extremely high and the more difficult you make it for yourself, the more difficult it will be for the FSB or the FBI. But if you are a regular person, having a reasonable amount of security, e.g., some form of 2FA (preferably TOTP, even if stored in your password manager) will make it more difficult for bad actors.

I would only use face ID or finger print if it's heavily essential like something to do with the government or my bank... or the hospital
Unless I fully understand how it works, I don't like the idea of that information being stored.

how do people that do not have access to a computer or a cell phone or mobile device suppose to use 2fa?

Mistakes people make with passwords are not changing them frequently enough, writing them down and using the same passwords for multiple accounts. Biometrics are unchangeable and are necessarily reused again and again and with fingerprints you leave them around everywhere.

I am not using yubkeys and I have them because : if I go out of town for work and loose the keys … what do I do !??

It's incredibly frustrating when some sites/services do not allow you to block sms 2FA. Like what's the darn point of auth app when all that can be sidestepped by ESN/SIM swap.

One mistake of technicality, you incorrectly used the term 2FA once in the video. At around 5:55, you say using biometrics instead of 2FA. You correctly described biometrics as "something you are" just before that. The thing is, that "instead of 2FA" really should have been "instead of something you have". 2FA just means using two of the "something you know (pw)", "something you have (yubikey or phone/email)", and "something you are (biometrics)". 2FA does not mean using an authenticator, hardware key, or SMS/email. Password plus biometrics is just as valid of 2FA as password plus Yubikey.

Microsoft Authenticator was supposed to backup my codes. But it didn't.

Which service for...
1. non-techie old man
2. very concerned about privacy (more than security really)
3. already using 1Password (but bank doesn't permit this as 2FA)
4. frequently change SIMs (in'l traveller)
5. not keen on big tech

How about Norton?

I think the way the world it's going to be able to use fingerprint on facial recognition much longer that will be somehow hacked next. My daughter's phone has open with my face already

My iPhone 14 doesn’t use a SIM card. 🤷‍♀️

Speaking about SMS. Why do these still exist? if there's a way better option called RCS. And no many mobile phone providers support it, everyone loves old stone age SMS messages.

I really infuriates me that Chase doesn't allow physical keys for 2FA. It also doesn't allow for long pasphrases to be used as passwords.

Biometrics are not that good of a tool actually. Even if we are not speaking about forced unlocking. I personally witnessed struggles of a person that got so used to face unlock on Iphone when this thing suddenly stoped working and demanded a password that was long forgotten. All finantial apps were practically blocked in the middle of an exhibition while shopping😅 It took a while to restore access😅

SMS text is not secure. It is the least secure of all 2FA methods

I found a serious problem with 2fa, my sim card is broken and I m locked out of doing anything useful.

At least you don't have Citizens! They use PUBLIC RECORDS and GIVE 2FA to all those numbers AND you CAN'T REMOVE them. Hope your Ex and the next person to get your home phone don't want access to your bank account!

You lost me. Is the fingerprint secure? Secure from who? Facial recognition? Can't they just use a picture? Passwords are much safer. Right?

Just making it more and more complicating to understand.

Chase … can’t be as worse as MBNA:))

What I think? I want to NEVER depend on which device nor which devices. NEVER!

What are the risks of using face recognition?? Perhaps I am too paranoid but … not sure I want my biometrics stored on any smartphone …
Is me? Or is everyone really trying to get my information?? (LOL)

Your videos are unmissable but I would point out that the references to a sponsor have become intrusive. Also, no mention in this video to the benefits of receiving messages and or texts by landline.

No facial recognition nor voice

Your idea of a Backup for a 2FA device is flawed by design! There is no reasonable way to keep a device which is updated, in a totally separate secure location, because YubiKey doesn't offer any means to backup a device! So, the by design either you have to track and store the secret you will use to keep the backup, which keeping that secret secure becomes its' own security issue, as well as means you don't have a backup for some period of time. Or you have the backup device on site so you create it as soon as you create the account, which means it isn't in a secondary location. YubiKey's look great, but this backup conundrum is a real problem that I don't see a solution for as of yet. YubiKey has proposals on how this could be done, but it isn't implemented and available yet. 2FA is not being widely used because it has basic usability flaws like this inability to create a backup. (This inability makes it both very secure... but impractical... so therefore the security it offers is a bit meaningless!)

This an ad, don't watch it.

Regarding biometrics, the control of your fingerprint and facial image is not as tight as you may think. While you sleep, your younger child, your wife, your lover, any kind of malicious person can easily swipe your finger on the fingerprint reader of your smartphone. It can take a picture of your face. If you are not asleep, this same person can put a gun to your head and force you to authenticate yourself. Please do not move the red circle from your smartphone/notebook to YOU. It is not pleasant to be a target.

You are doing 2FA wrong. What a stupid title.

You talk too much. Too confusing. Got nothing of it.