If someone were to gain access to your Google account, they could take those tokens and compromise all the 2FA codes for your other accounts. That means your 2FA codes are just sitting exposed on Google's servers. Security researchers Mysk pointed out that Google has not implemented end-to-end encryption for Authenticator. Google has finally made that an option in Authenticator, but it did so in a haphazard way. Lost your phone? Just sync the 2FA tokens to a new device, and everything is back to normal. That's why backups are a desirable feature. The token is stored locally on your phone, so a broken or lost phone could lock you out of your accounts. When you set up a 2FA account, the service in question probably warns you at least two or three times to take care of your code generator. However, security researchers are now warning users to hold off using that feature until Google fixes a glaring security omission. Google Authenticator is a popular way to store two-factor codes, and a recent update added a long-awaited option to back up those codes. With this feature enabled, a threat actor would need your login credentials, as well as a one-time code to access your data. if anyone has instructions for other OS, you are welcome to contribute.Conventional wisdom holds that adding two-factor authentication (2FA) is the best way to secure your online accounts. Oathtool -totp -b #YOUR_GOOGLE_AUTH_SECRET calculating the current OTP based on your secret.install OAuth toolkit: (e.g., using Homebrew).the coded string should be something of the form: otpauth://totp/?secret=.Configure authenticator app to get the QR code and scan it (easiest way would probably be with an app on your phone.).Login to Google on your computer and enter your account settings > Signing in to Google > 2-Step Verification (exact directions may change over time.).if you still don't care, read on :) Generating OTP token from your computer Doing it manually are you keeping the QR code or the secret somewhere in your inbox? that kind of nullifies the "2 factor" idea. Of course, there are ways to bypass that as well, but that's way safer. while the "secret" of the 1st step is a password chosen by the user and has all the associated vulnerabilities (and the user is required to ^explicitly^ expose it periodically), the secret of the 2nd step is only stored on the secondary device, so it is exposed only for the initial setup of the process. To wrap it up: code the secret as a QR code to allow transferring the secret to a secondary device easily and without explicitly exposing the secret to the user, and create a utility that calculates a temporary "proof", given the secret and the current time. isn't having the proof equivalent to having the password? no, because each "proof" is time-limited, and only valid for a small time-frame (30 seconds). How do you do it? never ask the user for the password, instead ask for a "proof" the user has the password! but then. The answer is: create a password without ever letting the user knowing it! so what's the point in having another password that can be cracked in the same manner? OTP-based 2-steps authentication - the 2nd step:Ī password created by the user can be cracked in many ways. Generating OTP token from your computer.How does it work? motivation (and de-motivation).Follow the instructions here to generate Google 2 step authentication OTP without using your mobile.
0 Comments
Leave a Reply. |