[Discussion] Do you use Two Factor Authentication (2FA)?

Off-Topic discussions about science, technology, and non Debian specific topics.
donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

[Discussion] Do you use Two Factor Authentication (2FA)?

#1 Post by donald »

When 2FA started years ago I put it on everything that would allow it. It worked great and many security or password apps supported the feature as well. For those services that did not have external applications for 2FA, a text, automated call to your phone number, or an email sent to your email address would suffice.

Subsequently I lost my phone (and phone number!) and was locked out of everything due to most applications/services being tied to either the 2FA app of the device or to the specific telephone number of said lost device and device number.

It was a giant pain in the everywhere as I tried to re-connect to most of my services and apps. As a result I took 2FA off of the majority of applications and services and now use it sparingly with much better passwords only for critical applications and services.

I also have a second phone which has a copy of the authentication app I use, this allows me to lose one of the 2FA devices and still be able to use 2FA on the other phone. I find this works for me, but it means I have to have 2 separate phones. Not so much a big deal as one stays home and the other is my daily phone, it is an unattractive though elegant solution to the problem.

I may get a Yubikey. I need to look into them a bit further; perhaps I can, similar to the phone setup, keep one in a safe or secure location and the other key on my person.

Applications I have used:
Bitwarden
Lastpass
Twilio - Authy
Google Authenticator
Microsoft Authenticator
ToTP - Binarybot

Do you use 2FA? How? Which app do you use, if you can share that information? How is this all working for you?
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

bbbhltz
Posts: 166
Joined: 2024-01-10 14:53
Location: Normandy
XMPP/Jabber: bbbhltz@mailbox.org
Has thanked: 49 times
Been thanked: 33 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#2 Post by bbbhltz »

I use Aegis on my phone and in the past I've used pass-otp on my laptop.

The minor amount of friction this causes (oh no, I need to get up off my couch, walk three steps to get my phone...oh calamity) is worth it every time I read about a hack. It isn't a magic shield, but it is reassuring to know that having 2FA activated adds another layer of security.

I might move to Bitwarden someday.

I was very surprised this year when one of my employers made 2FA mandatory. I decided to test out what would happen if I deactivated it, and 20 minutes later I had an email telling me to reactivate it.
bbbhltz
longtime desktop Linux user; eternal newbie

Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#3 Post by Hetzer »

Personally I prefer to just use stronger passwords. I literally have two (excl. anything hosted by me) accounts, both ain't confidential
Found mobile 2FA irritating, mainly because I have me phone buried all the time (since it's barely ever used)
I could live with e-mail 2FA though, since I have mail client on me daily driver so it's nothing more than few clicks and 10 seconds
But neither accounts I have support it, and again - there's no use of it in my case
Heave 'er up, and away we'll go...

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#4 Post by Uptorn »

I avoid anything that tries to correlate my activity to a phone number (PII).

The push for 2 factor auth, in many instances, is a convenient way for phone numbers to be harvested, catalogued and profited from data brokerage, while telling the user that it improves their security.

bbbhltz
Posts: 166
Joined: 2024-01-10 14:53
Location: Normandy
XMPP/Jabber: bbbhltz@mailbox.org
Has thanked: 49 times
Been thanked: 33 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#5 Post by bbbhltz »

SMS-based 2FA is a no-no. Gotta have an authentication app or software.
bbbhltz
longtime desktop Linux user; eternal newbie

cds60601
df -h | participant
Posts: 739
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 138 times
Been thanked: 65 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#6 Post by cds60601 »

Authenticator and Duo
Supercalifragilisticexpialidocious

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#7 Post by reinob »

I use Bitwarden (actually, Vaultwarden), so I keep my TOTPs accessible from any device. Whenever I sign up or enable 2FA I make a copy of the data (or QR code) so that I can add it to Vaultwarden as well as to Aegis (Android).

With Aegis you can also export the data to a file. I keep a copy (encrypted with gpg) on my home computer (and, just in case, another copy on a remote server), and have a script that decrypts the file and parses it using oathtool to dump my TOTP codes on the console whenever I need them.

For some accounts (where available and convenient for me) I also register my 2 Yubikeys (one with me, the backup one at home). I still dislike passkeys, and find them very awkward to use.
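The backup workflow reinob describes (decrypt the gpg-encrypted Aegis export, parse it, print the current codes), as an added example and not reinob's own script: it reimplements the RFC 6238 TOTP step in Python instead of shelling out to oathtool, reads a `.gpg` file through `gpg --decrypt`, and runs on a constructed export whose layout follows the Aegis plain JSON format; the sample secret is the RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import json
import struct
import subprocess
import time

# Constructed sample in the layout of an Aegis plain JSON export. The secret
# is the RFC 6238 test key "12345678901234567890" encoded in base32.
SAMPLE_EXPORT = json.dumps({"version": 1, "db": {"version": 2, "entries": [{
    "type": "totp", "name": "alice", "issuer": "ExampleSite",
    "info": {"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
             "algo": "SHA1", "digits": 6, "period": 30}}]}})


def totp(secret_b32, now, algo="SHA1", digits=6, period=30):
    """RFC 6238: HMAC over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", now // period)
    mac = hmac.new(key, msg, getattr(hashlib, algo.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def codes_from_export(export_json, now):
    """Return (issuer, name, code) for every TOTP entry in the export."""
    out = []
    for e in json.loads(export_json)["db"]["entries"]:
        if e.get("type") != "totp":
            continue  # HOTP and Steam entries need a different routine
        i = e["info"]
        out.append((e.get("issuer", ""), e.get("name", ""),
                    totp(i["secret"], now, i.get("algo", "SHA1"),
                         i.get("digits", 6), i.get("period", 30))))
    return out

def load_export(path):
    """Read an export file; a .gpg file is decrypted with gpg on the fly."""
    if path.endswith(".gpg"):
        return subprocess.run(["gpg", "--quiet", "--decrypt", path],
                              check=True, capture_output=True, text=True).stdout
    with open(path, encoding="utf-8") as fh:
        return fh.read()

if __name__ == "__main__":
    for issuer, name, code in codes_from_export(SAMPLE_EXPORT, int(time.time())):
        print(f"{issuer:<15} {name:<15} {code}")
```

For a real backup, replace `SAMPLE_EXPORT` with `load_export("aegis-export.json.gpg")`; the decrypted text never touches disk.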

donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#8 Post by donald »

@reinob How is the Yubikey? Does it work better than having the apps? Convenient or just something else that will break?
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#9 Post by reinob »

TBH I don't think I actually need them, and I actually try to avoid using them (if I can use TOTP instead). I bought them because at some point Cloudflare and Yubikey had some offer where you could buy 2x for like USD 15, and wanted to test them. I also have two "SoloKeys" (one standard, one hacker edition).

Currently, I think of them as backup if nothing else works (so I can e.g. log in to Google if I have lost my phone and have no access to Bitwarden, etc.), so rather like "something else that will break" or "something that can save the day, if it works when I actually need it" :)

(Note that some sites allow only ONE key, so you cannot register an additional backup, etc. I also have the feeling that github tends to forget/mixup the keys, so when you decide to log in using a key they don't accept it.. and if you use Windows (like I have to for work) the whole thing is very weird, as Windows ("Hello") gets in the way rather than letting the browser handle it, so as it is, I have very little trust in these things).

(Note also that you can actually use the Yubikeys for cool stuff like ssh authentication, and openpgp. But even after having configured that, in the end it's not convenient to have to insert the thing whenever you need to ssh somewhere..)

Shamak
Posts: 148
Joined: 2018-04-14 00:33
Has thanked: 12 times
Been thanked: 9 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#10 Post by Shamak »

I use Google Authenticator. I keep meaning to use Authy but keep forgetting.

I too had a couple of accounts that I got locked out of when I switched phones and forgot to transfer over my 2FA to the new phone. One, NextCloud, I never used and so they eventually just canceled the account. The other, a patient portal, I somehow got back into by some kind of fluke. I canceled the 2FA on that one.

Now I don't use 2FA unless they have some kind of backup procedure such as using my home phone or giving me one-time codes I can print out or keep on my computer. Something separate from my cell phone. So it works fine under those conditions. I've used the backups a couple of times upon getting a new phone and they work fine.

I intend to go to Authy because they will back up your codes in the cloud so I won't have the problem of forgetting to transfer them over to a new phone.

I use Bitwarden for my passwords so I won't use it for my 2FA codes because then you have a single point of failure. If Bitwarden is compromised then the bad guys get both your passwords and 2FA codes.

Shamak
Posts: 148
Joined: 2018-04-14 00:33
Has thanked: 12 times
Been thanked: 9 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#11 Post by Shamak »

Shamak wrote: 2024-02-23 22:55 I intend to go to Authy because they will back up your codes in the cloud so I won't have the problem of forgetting to transfer them over to a new phone.
Turns out that Google Authenticator will do the same thing now plus it's easier to transfer your accounts to a new phone so I'm staying with Google Authenticator. But I won't be using the cloud for backups after all. Less exposure.

kent_dorfman766
Posts: 540
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 59 times
Been thanked: 70 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#12 Post by kent_dorfman766 »

I agree with the general consensus on here that personal cellphone 2fa is a bad thing. I think we all know why: privacy/tracking-data...but unfortunately joe-sixpack lacks the sophistication to understand the dangers of the wireless leash (smartphone) so those of us who do know better are metaphorically screwed by the herd momentum.

I've had potential clients/employers lose interest in me because I balked at being asked to use personal devices for such things as opposed to them issuing me a FOB or cellphone. I'm immediately identified as a "problem child".

Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#13 Post by Hetzer »

kent_dorfman766 wrote: 2024-02-27 17:52 I agree with the general consensus on here that personal cellphone 2fa is a bad thing. I think we all know why: privacy/tracking-data...but unfortunately joe-sixpack lacks the sophistication to understand the dangers of the wireless leash (smartphone) so those of us who do know better are metaphorically screwed by the herd momentum.

I've had potential clients/employers lose interest in me because I balked at being asked to use personal devices for such things as opposed to them issuing me a FOB or cellphone. I'm immediately identified as a "problem child"
Being free means the guilty...
Nobody in me environment understands my decisions as well (though I always tell 'em when they again blame me for it). Everybody says either that I'm paranoid, that it's "inevitable" or that they don't care. They won't even try to listen

By the way, just recently got forced to use SMS 2FA because o' splendid bank I happen to have account on. When I tried to detach my phone number I couldn't do any non-trusted (I mean, to somebody I didn't mark as "trusted") transaction because of lacking phone number to send 2FA onto. I had to go to bank in order to unlock my card... And have that bloodey phone number attached again.
Even better, they recently announced that it'll be mandatory to even log in. So I won't be even able to check how much I do have without that stupid phone
The worst is that I can't just screw it because of the domain registrar and marketplace platform I sell on (I could sell without it, but everyone wants that stupid "buy now" option which has a fee that can be paid only with card). And sooner or later I'll be obliged to pay taxes, which are gettin' harder and harder to pay with real currency. How nice...
Heave 'er up, and away we'll go...

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: [Discussion] Do you use Two Factor Authentication (2FA)?

#14 Post by Uptorn »

kent_dorfman766 wrote: 2024-02-27 17:52 I've had potential clients/employers lose interest in me because I balked at being asked to use personal devices for such things as opposed to them issuing me a FOB or cellphone. I'm immediately identified as a "problem child"
You can try to play the angle of strict separation of work and personal digital hygiene. After all, you wouldn't want to put company data at risk by handling it on a device they didn't provision.
