[Discussion] Do you use Two Factor Authentication (2FA)?

[donald]

When 2FA started years ago I put it on everything that would allow it. It worked great and many security or password apps supported the feature as well. For those services that did not have external applications for 2FA, a text, automated call to your phone number, or an email sent to your email address would suffice.

Subsequently I lost my phone (and phone number!) and was locked out of everything due to most applications/services being tied to either the 2FA app of the device or to the specific telephone number of said lost device and device number.

It was a giant pain in the everywhere as I tried to re-connect to most of my services and apps. As a result I took 2FA off of the majority of applications and services and now use it sparingly with much better passwords only for critical applications and services.

I also have a second phone which has a copy of the authentication app I use, this allows me to lose one of the 2FA devices and still be able to use 2FA on the other phone. I find this works for me, but it means I have to have 2 separate phones. Not so much a big deal as one stays home and the other is my daily phone, it is an unattractive though elegant solution to the problem.

I may get a Yubikey. I need to look into them a bit further, perhaps I can similar to the phone setup keep 1 in a safe or safe location and the other key on my person.

Applications I have used:
Bitwarden
Lastpass
Twilo - Authy
Google Authenticator
Microsoft Authenticator
ToTP - Binarybot

Do you use 2FA? How? Which app do you use, if you can share that information? How is this all working for you?

[bbbhltz]

I use Aegis on my phone and in the past I've used pass-otp on my laptop.

The minor amount friction this causes (oh no, I need to get up off my couch, walk three steps to get my phone...oh calamity) is worth it every time I read about a hack. It isn't a magic shield, but it is reassuring to know that having 2FA activated adds another layer of security.

I might move to Bitwarden someday.

I was very surprised this year when one of my employers made 2FA mandatory. I decided to test out what would happen if I deactivated it, and 20 minutes later I had an email telling me to reactivate it.

[Hetzer]

Personally I prefer to just use stronger passwords. I literally have two (excl. anything hosted by me) accounts, both ain't confidential
Found mobile 2FA irritating, mainly because I have me phone buried all the time (since it's barely ever used)
I could live with e-mail 2FA though, since I have mail client on me daily driver so it's nothing more than few clicks and 10 seconds
But neither accounts I have support it, and again - there's no use of it in my case

[Uptorn]

I avoid anything that tries to correlate my activity to a phone number (PII).

The push for 2 factor auth, in many instances, is a convenient way for phone numbers to be harvested, catalogued and profited from data brokerage, while telling the user that it improves their security.

[bbbhltz]

SMS-based 2FA is a no-no. Gotta have an authentication app or software.

[cds60601]

Authenticator and Duo

[reinob]

I use Bitwarden (actually, Vaultwarden), so I keep my TOTP's accessible from any device. Whenever I sign up or enable 2FA I make a copy of the data (or QR code) so that I can add it to Vaultwarden as well as to Aegis (Android).

With Aegis you can also export the data to a file. I keep a copy (encrypted with gpg) on my home computer (and just in case another copy on a remote server), and have a script that decrypts the file and parses it using oathtool to dump my TOTPs code on the console, whenever I need them.

For some accounts (where available and convenient for me) I also register my 2 Yubikeys (one with me, the backup one at home). I still dislike passkeys, and find them very awkward to use.

[donald]

@reinob How is the Yubikey? Does it work better than having the apps? Convenient or just something else that will break?

[reinob]

TBH I don't think I actually need them, and I actually try to avoid using them (if I can use TOTP instead). I bought them because at some point Cloudflare and Yubikey had some offer where you could buy 2x for like USD 15, and wanted to test them. I also have two "SoloKeys" (one standard, one hacker edition).

Currently, I think of them as backup if nothing else works (so I can e.g. log in to Google if I have lost my phone and have no access to Bitwarden, etc.), so rather like "something else that will break" or "something that can save the day, if it works when I actually need it" :)

(Note that some sites allow only ONE key, so you cannot register an additional backup, etc. I also have the feeling that github tends to forget/mixup the keys, so when you decide to log in using a key they don't accept it.. and if you use Windows (like I have to for work) the whole thing is very weird, as Windows ("Hello") gets in the way rather than letting the browser handle it, so as it is, I have very little trust in these things).

(Note also that you can actually use the Yubikeys for cool stuff like ssh authentication, and openpgp. But even after having configured that, in the end it's not convenient to have to insert the thing whenever you need to ssh somewhere..)

[Shamak]

I use Google Authenticator. I keep meaning to use Authy but keep forgetting.

I too had a couple of accounts that I got locked out of when I switched phones and forgot to transfer over my 2FA to the new phone. One, NextCloud, I never used and so they eventually just canceled the account. The other, a patient portal, I somehow got back into by some kind of fluke. I canceled the 2FA on that one.

Now I don't use 2FA unless they have some kind of backup procedure such as using my home phone or giving me one-time codes I can print out or keep on my computer. Something separate from my cell phone. So it works fine under those conditions. I've used the backups a couple of times upon getting a new phone and they work fine.

I intend to go to Authy because they will back up your codes in the cloud so I won't have the problem of forgetting to transfer them over to a new phone.

I use Bitwarden for my passwords so I won't use it for my 2FA codes because then you have a single point of failure. If Bitwarden is compromised then the bad guys get both your passwords and 2FA codes.

[Shamak]

I intend to go to Authy because they will back up your codes in the cloud so I won't have the problem of forgetting to transfer them over to a new phone.

Turns out that Google Authenticator will do the same thing now plus it's easier to transfer your accounts to a new phone so I'm staying with Google Authenticator. But I won't be using the cloud for backups after all. Less exposure.

[kent_dorfman766]

I agree with the general concensus on here that personal cellphone 2fa is a bad thing. I think we all know why: privacy/tracking-data...but unfortunately joe-sixpack lacks the sophistication to understand the dangers of the wireless leash (smartphone) so those of us who do know better are metaphorically screwed by the herd momentum.

I've had potential clients/employers lose interest in me because I balked at beign asked to use personal devices for such things as opposed to them issuing me a FOB or cellphone. I'm immediately identified as a "problem child"

[Hetzer]

I agree with the general concensus on here that personal cellphone 2fa is a bad thing. I think we all know why: privacy/tracking-data...but unfortunately joe-sixpack lacks the sophistication to understand the dangers of the wireless leash (smartphone) so those of us who do know better are metaphorically screwed by the herd momentum.

I've had potential clients/employers lose interest in me because I balked at beign asked to use personal devices for such things as opposed to them issuing me a FOB or cellphone. I'm immediately identified as a "problem child"

Being free means the guilty...
Nobody in me environment understands my decisions as well (though I always tell 'em when they again blame me for it). Everybody says either that I'm paranoid, that is "inevitable" or that they don't care. They won't even try to listen

By the way, just recently got forced to use SMS 2FA because o' splendid bank I happen to have account on. When I tried to detach my phone number I couldn't do any non-trusted (I mean, to somebody I didn't mark as "trusted") transaction because of lacking phone number to send 2FA onto. I had to go to bank in order to unlock my card... And have that bloodey phone number attached again.
Even better, they recently announced that it'll be mandatory to even log in. So I won't be even able to check how much I do have without that stupid phone
The worst is that I can't just screw it because of domain registrar and marketplace platform I sell on (I could sell without it, but everyone want that stupid "buy now" option which has a fee that can be paid only with card). And sooner or later I'll be obliged to pay taxes, which are gettin' harder and harder to be paid with real currency. How nice...

[Uptorn]

I've had potential clients/employers lose interest in me because I balked at beign asked to use personal devices for such things as opposed to them issuing me a FOB or cellphone. I'm immediately identified as a "problem child"

You can try to play the angle of strict separation of work and personal digital hygiene. After, all you wouldn't want to put company data at risk by handling it on a device they didn't provision.

[kent_dorfman766]

I despise 2FA, not because it's a bad idea, but because it's used as another vector for data mining of personal info. I don't mind (and even applaud) my bank using 2FA (via text PIN code) to make sure it's me logging onto their site, but I expect them to have my cellphone number.

What I cannot stomach is google, apple, website forums, online retailers, employers, etc expecting me to gladly give them additional hooks for 2FA since they are not trustworthy. That brings up a much larger issue. True security does not require trust, but sheeple have been groomed to believe that simply pushing the trust factor up the ladder is acceptable.

Anyone who understand math stats would understand the following analogy: you tell someone a secret and there is a chance they will tell someone else...now suppose that for them to abide by the terms of that secret that they must trust someone else to help them comply. There is then a chance that their confidant will leak the secret. Math stats show that the more entities involved, the greated the propability that the secret is not kept secret. The probabilites become quazi-cumulative (remember combinatorial math? A or B or C...)

So, when you find that your employer is sharing your HR records with a third party company instead of doing it in-house, and that outsourced company cannot even be held financially responsible for breaches because your employer agrees to indemnify them as part of the contract? Well...

Another related issue is when your employer expects you to put company apps on your cellphone for stuff like secure comms, 2FA, location trackign etc. Why don't people wake the frack up and demand that the employer shoulder the burden of providing company owned phones for that (phones that have no link back to the employee other than and employee ID number)?

Sorry Donald. You had to get me started. LOL

Eagerly awaiting all the folks to tell me how full of it I am, not becuase I'm wrong, but because they do know better but sold out their personal security and don't want to admit it.

[Alikmiankoli]

Yes, I use two-factor authentication (2FA) for all my important accounts. It's an important step for added security. I use Google Authenticator for my main apps and a combination of solutions for others.

[Onsemeliot]

I am also mostly annoyed be the fact that everyone uses 2FA as an excuse to get my phone number. For my bank account I use a TAN card reader. The bank didn't want anyone to order it (they hid the option rather well) but it reluctantly allowed me to go for it. I think it was a legal requirement in Austria at least for a while. But they try hard to get everyone to use the mobile app instead and I think they stopped offering this option.
For citizen related online stuff I have a Yubikey connected to my eID account, but I also feel it is not a very smooth experience. The popup window for it on Debian stable GNOME opens to small and therefore I need to enlarge it before I can actually use it.

[Uptorn]

mobile app

I get somewhat of a sick feeling in my gut every time I see this phrase floated as an expectation. Not even exaggerating. My thoughts immediately go to "okay, how am I going to dodge it this time?"

It's almost 2025 and I haven't yet been forced into buying a disgusting proprietary phone.

[LouisR4]

To avoid issues related to exposing my real phone number, I prefer using a temporary private number. I get all my numbers from AnonymSMS. What I like most is that these numbers are based on real SIM cards and work perfectly for 2FA verifications, so I keep my personal number safe.

[Onsemeliot]

To avoid issues related to exposing my real phone number, I prefer using a temporary private number.

How do you get temporary numbers? And isn't that an issue when it is used for 2FA? Or do you use it the other way around: people need to call you with different numbers while you do have a constant number just for authentication?