
Authenticator apps aren't much better. Look at their privacy policies. Installing Microsoft Authenticator means giving them your location data 24/7 and allows them to collect even more data on you than giving Twitter your phone number did. Do you really think they aren't going to use that data for anything else? I don't believe that any more than I believed Twitter.

Personally, I'd rather deal with the hassle of carrying around multiple hardware tokens than give companies a continuous stream of data about my personal life to use against me.



Afaik, TOTP is standardized, so you should be able to use any authenticator app for 2FA. Idk about Microsoft, but I haven't encountered any service that doesn't allow you to bring your own TOTP app.


If I wipe my phone, or get a new phone, I still have my phone number and can receive SMS.

If I wipe my phone, I have permanently lost all of my TOTP codes if I wasn't careful and backed them up manually before wiping...

TOTP is great for security conscious and technologically fluent folks... awful for your grandma.


Bitwarden (and probably others) store the TOTP secrets and are persistent. This isn't a recommendation per se, I'm not sure how I feel about it being stored in the cloud, but it is a bit friendlier.


Sure, but this still requires a certain level of "awareness" for this technology.

It's sort of the same problem PGP suffered from. It's technically great, but cumbersome for non-technical people to use (particularly in a safe way), so people will avoid it.

2FA needs to be simple and easy to achieve mass adoption.

Making people install special apps for just one service, or find out one day they're permanently locked out of their facebook account (or far worse) is simply going to hurt adoption.

If your grandmother can't make it work on her own, then it's not good enough. I'm not advocating SMS is the best option for 2FA, I'm just pointing out the alternatives are currently not up to snuff.


> If I wipe my phone, I have permanently lost all of my TOTP codes if I wasn't careful and backed them up manually before wiping...

Do not, ever, store the TOTP seed in your phone! At least not as the one and only location.


I think this is good advice but it also shows why using TOTP as a default 2FA mechanism (instead of SMS) is a tough sell. How many people are set up to store a TOTP seed in a location other than their authenticator app? How many people even know what a TOTP seed is? I would wager that the vast majority of non-HN readers think of TOTP as a QR code that you scan into an authenticator app, if they are even familiar with authenticator apps.

SMS, for all its security shortcomings, is at least something that the vast majority of people understand already.


> SMS, for all its security shortcomings, is at least something that the vast majority of people understand already.

But of course SMS suffers from the same problems as naive use of TOTP: Lose your phone, you're locked out of every account you have.

So in the worst case, TOTP is as bad as SMS. But, with some awareness/education TOTP is far superior if the user doesn't fall into the trap of attaching the TOTP seed to a phone.

i.e. for the aware user, TOTP is far better. For the naive user, TOTP is no worse than SMS. Thus, always favor TOTP.


Email would be preferred. SMS shouldn’t be the default. If I lost my TOTP tokens, I should be able to go through a tougher path with an email verification step to get in to redo my tokens. What I don’t want is for them to send me an SMS to verify me. What if I’m in a different country? What if I don’t have cell service? What if I don’t have access to my phone and that’s why I’m rotating all my stuff?


why? what is your threat model that makes this a problem? are your passwords equally insecure?


Somebody steals your phone. Now you have lost access to all TOTP and you can't log into anything with 2FA.

This isn't about an attacker getting access to your TOTP codes - it's about you losing access to them.


TOTP isn't inherently tied to phones.


No, it's tied to the app because the initial secret is destroyed after you set it up. Every single Authenticator App I've used (which is not all of them admittedly), requires manual backups - typically in some printed form.

All of my other apps automatically back themselves up, or Apple/Google backs things up for me. When I get a new phone or wipe my phone... after logging into all my accounts I fully expect my Authenticator app to show up on my home screen and have all my codes in there exactly as I left it before.

This is a huge pitfall for the unaware... you will lose all of your codes, and potentially access to whatever services or things they were protecting.


Authy, 1password, bitwarden, and others back themselves up. If not having a cloud backup is a negative for you, pick a TOTP app that does have it - it’s not a failure of TOTP that the few apps you’ve used don’t back up (or you aren’t aware they do).


> No, it's tied to the app because the initial secret is destroyed after you set it up.

TOTP is not tied to any app. When you set it up, save the TOTP seed in a secure place that you control. There is no need to rely on any app, which would be too fragile to consider.


Use 1password or Bitwarden. They correctly back up TOTP secrets to the cloud.

I consider Google Authenticator to be unacceptably bad.


This is good advice, and I will look into Bitwarden for myself personally, but this isn't a great solution for non-techies... which is the problem with anything that is not SMS 2FA.

We all agree SMS 2FA is not as secure as we'd like it to be... but no alternative exists. It's the classic sliding scale between usability and security. The most secure system is one you cannot use... and the most usable system is one with no security. We need something that is very usable, and still secure... perhaps a tall ask but that is indeed what we're after.

Until then... regular people will continue to use SMS for 2FA. We should be happy people are at least comfortable with SMS 2FA instead of not using 2FA at all.


Most of the services provide backup codes when you enable 2FA.

I don't think that's a huge problem.


Even if they don't, you can backup the QR code used to set up the app.


i agree that the authenticator app stuff is fraught for the average user.

> No, it's tied to the app because the initial secret is destroyed after you set it up. Every single Authenticator App I've used (which is not all of them admittedly), requires manual backups - typically in some printed form.

i scan the QR codes with a normal code reader, and then put the information into keepassxc. i can view the secret, generate codes, do whatever, and it's all with decent open source stuff and stored in a file i can back up.


Too many people lose their phone number.

TOTP at least is just a standard so you can either use a client that has backup options, write your own, or whatever. It's better.


It’s much more common to lose your phone than to lose your phone number (in the UK at least - most likely this varies by country).


Do you have Android? iPhones are set to backup automatically to iCloud by default. I don’t even think about backups at all.

I upgraded to an iPhone 13 about 6 months ago and it was almost completely seamless to restore everything to it.


Your authenticator apps won't be backed up. They require you to export them to a QR code or some other printed format... then "restored" once you set up your new phone.

Probably a security policy thing more than a technology thing... but the result is the same. TOTP is dangerous for the wrong user.


For the past several years both macOS and iOS have TOTP built into the password manager. It’s non-obvious how to set it up and doesn’t auto-prompt readily like password management does, but I’ve moved all of my TOTP over and have a backup, it’s synced to all my devices, and I don’t need a dedicated TOTP app.


Wow I never knew this.


That’s up to the developer, it’s not a requirement of TOTP apps.


well that’s not true if you use backups or authy


does your grandma use backups?


Steam is another big one. They require you to use the Steam mobile app and it's the only way to do 2FA - no QR code. I've since dropped 2FA for Steam altogether.


This seems to have changed; you're able to use e-mail MFA (which is what I use for my account).

Let's just hope they don't use _that_ for marketing purposes! ;)


Actually, that option has existed forever, since even before the app-based MFA.

However, if you use the "less secure" email MFA then steam places limits on your account that don't exist with the app MFA, like a forced delay on executing trades.


The Steam 2FA generation has been reverse engineered and you can use it in some password managers. Hardest part is extracting the secret.

https://bitwarden.com/help/authenticator-keys/#steam-guard-t...


"upgrade" steam to version 2.1.4 or older and you can use adb backup. Android backup extractor can convert the backup to a standard tar file.


If you've got the steam mobile app for Android for 2fa and want to move to a different app that supports steam 2fa (aegis, winauth, etc), use steam auth on multiple devices, or simply move to a new device without a temporary trade block, version 2.1.4 of the steam app will allow you to perform adb backups; Android backup extractor will allow you to convert the backup to a standard tar file to extract the secrets if you want to.


Unfortunately, Sendgrid and other users of Authy with no alternative 2FA systems in place lock you into the Authy app or SMS as the fallback. There are some, very limited, workarounds for this but they still require you to have the app in Authy.

———————

On a recent find apparently Authy (the app not the sms fallback) has a weird, uh, “feature?”, where my 2fa, for example, for Sendgrid will unlock all of my Sendgrid accounts, which I personally find mildly concerning.


If you load your Sendgrid Authy 2FA on a rooted android phone, you can extract the TOTP secret that powers it under the hood and put it in Bitwarden like you prefer.


Authy used to just be TOTP IIRC - did that change?


Authy has both TOTP functionality and a proprietary system that's different, similar to Symantec VIP or Entrust.


Not in consumer context for sure.

Ultimately with any service you’re only protected by your contract and the PR value of a breach of trust. Unless you’re using an open source app and rolling your own sync, an app where trust is paramount (1Password), or one where a misstep is a huge media hit (Apple), you’re at the mercy of that company.

Microsoft fwiw, probably uses location to spot fraud and is unlikely to breach user trust imo.


I have. I worked for an enterprise that used OneLogin and could only use the OneLogin Protect app for 2FA. I thought 1Password was broken but I tried a different app with my phone camera and it said the QR code was invalid.


That's configurable in OneLogin, your company just hadn't added more options. I added WebAuthn, Protect and TOTP just this morning.


So don't use Microsoft Authenticator. There are many options without the privacy problems with the MS App (which, IMO are overblown, but whatever). Go run your own if you want to be absolutely private. I'm happy with 1Password for managing it.

http://www.nongnu.org/oath-toolkit/oathtool.1.html


Are you using Microsoft Authenticator in a corporate environment/profile? I just checked my personal install (Android) and it does not require any permissions (location is denied).


From the play store (https://play.google.com/store/apps/details?id=com.azure.auth...):

This app has access to: Photos/Media/Files

    read the contents of your USB storage
    modify or delete the contents of your USB storage
Location

    precise location (GPS and network-based)
Contacts

    find accounts on the device
Storage

    read the contents of your USB storage
    modify or delete the contents of your USB storage
Camera

    take pictures and videos
Identity

    find accounts on the device
    add or remove accounts
Other

    receive data from Internet
    run at startup
    draw over other apps
    prevent device from sleeping
    create accounts and set passwords
    view network connections
    close other apps
    control vibration
    use accounts on the device
    full network access


As with most (all?) Android apps, permissions require user consent; Camera, "Files and media" and Location are all set to "Not allowed" on my device. From what I can tell based on Microsoft's help page, location may be a requirement of a work/school account and as far as I can remember, I've never been prompted for the location permission - it's possible I denied access if I was, but the app works without it.

From Microsoft's Authenticator help page:

"You will see a prompt from Microsoft Authenticator asking for access to your location if your IT admin has created a policy requiring you to share your GPS location before you are allowed to access specific resources"

https://support.microsoft.com/en-us/account-billing/common-q...


There's one big data leak which Android/iOS deliberately don't let you control: internet access. TOTP apps don't need it, and yet.

The Microsoft app does have a mode which uses the internet to push a message saying "Is this you logging in?", which is weaker than TOTP but feeds into their "AI threat detection engine" mantra. It seems to fall back to TOTP if there is no network.


The problem with android is that it's designed to leak your data like a sieve, so permissions are overbroad and all or nothing. Most people will accept any and every prompt for a permission they're told is required in order to use the app, even when the app doesn't always need it to function.

MS is clearly using this to their advantage and asking for everything they can provide even a thin justification for, but even if you're just giving them a fraction of what they're asking for it's still far worse than handing over a cell phone number. My work considered requiring Microsoft Authenticator but after enough people balked at handing over so much data to MS they caved and we got simple little keychains that do nothing but spit out numbers and can't collect our contacts, our location, or start listening using a microphone. It's hard to beat that.


There are free, open-source, and privacy-respecting options for TOTP 2FA that don't require a mobile phone plan.

You can use something like KeepassXC (desktop) or something like KeepassDX or Aegis (on F-Droid on Android) for your OTP authentication app to manage 2FA for Google, Amazon, eBay, Dropbox, etc. and there are other options as well.


Just wanted to add emphasis on Aegis. I've been using Aegis for Google, GitLab, PSN, domain management. No issues.

And it has zero permissions needed (aside from camera which is granted on a need basis for scanning qr codes). And also works fine without ever having an Internet connection.



Vaultwarden has TOTP support built in, and there are like a dozen open source TOTP authentication apps out there. There's no reason you have to use an app that invades your privacy for TOTP.


Sadly, it uses rust nightly, making setup bleeding edge.

And node, meaning it's a security nightmare.

There are likely other options I guess, but for something of this level (keys to your, or a company's kingdom!), I'd want to see a project with an arm-long history, loads of review, etc.


The Vaultwarden I'm using uses stable Rust 1.60 and Node isn't involved at all.


The build docs talk of the above.


Ah, good point. I'm able to build Vaultwarden with stable Rust, so maybe it's just a requirement for development. Vaultwarden lifts web-vault from Bitwarden, which uses Node, but you aren't required to run it with web-vault.


I use Microsoft Authenticator on iOS, and it doesn't use location. (I didn't even need to deny it--it didn't ask for it.)


They do ask on Android it seems. Not sure if this text is common across all apps seeking location permission.

> Optional App functionality, Fraud prevention, security and compliance

However I’m not surprised that such apps keep double standards between iOS and Android. Apple spanks (or spanks harder) the apps that ask permissions frivolously or block functionality behind permissions unnecessarily just to collect data.

For example, I use TrueCaller on iOS without giving Contacts permission, but on Android the app features are blocked without it. Not sure of now but earlier Ola/Uber didn’t work on Android without location permission but on iOS they did and still do. Many such examples.


I believe GP meant authenticator app like authy, duo, or any other TOTP. You're not giving anyone your location by using that.


> Authenticator apps aren't much better. Look at their privacy policies.

For the most part, "authenticator app" means TOTP, which isn't proprietary.

Which is beautiful because you don't actually need any app for it. Just save the TOTP seed. There are plenty of open source implementations to compute the one-time code when you need it.
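Both this comment and the earlier one about scanning the enrolment QR code with a plain code reader and keeping the result in KeePassXC rest on the same fact: the QR code is just an otpauth:// URI carrying a base32 seed, and the seed alone is enough to compute codes on any device, with no app and no network. The following is an added example, not code from anyone in the thread. It parses such a URI, keeps the decoded seed, computes RFC 4226 HOTP and RFC 6238 TOTP codes from it using only the Python standard library, and shows the server-side check with a small drift window. The account label, issuer and the two URIs are constructed; the seed is the RFCs' own test key, so the codes can be checked against the RFC test vectors.

```python
"""
Added example: otpauth:// URI -> seed -> HOTP/TOTP codes, standard library only.
Sample URIs, label and issuer are constructed; the seed is the RFC 4226/6238
test key "12345678901234567890" in base32.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample URIs (the kind an enrolment QR code encodes).
SAMPLE_TOTP_URI = ("otpauth://totp/Example:alice@example.com"
                   "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
SAMPLE_HOTP_URI = ("otpauth://hotp/Example:alice@example.com"
                   "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0")


def parse_otpauth_uri(uri):
    """Extract the fields a code generator needs from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parsed.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError("unsupported otpauth type: %r" % otp_type)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "type": otp_type,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],                       # base32, this is the seed to back up
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def decode_base32_secret(secret):
    """Base32-decode a seed, tolerating spaces, lowercase and missing '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // period, digits, algorithm)


def code_from_uri(uri, for_time=None):
    """Produce the current code straight from a saved otpauth URI."""
    acct = parse_otpauth_uri(uri)
    key = decode_base32_secret(acct["secret"])
    if acct["type"] == "hotp":
        return hotp(key, acct["counter"], acct["digits"], acct["algorithm"])
    return totp(key, for_time, acct["period"], acct["digits"], acct["algorithm"])


def verify_totp(key, submitted, for_time=None, period=30, digits=6,
                algorithm="SHA1", window=1):
    """Server-side check: accept codes from `window` steps either side of now
    (clock drift on an offline device), comparing in constant time."""
    if for_time is None:
        for_time = time.time()
    step = int(for_time) // period
    for counter in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits, algorithm), submitted):
            return True
    return False


if __name__ == "__main__":
    acct = parse_otpauth_uri(SAMPLE_TOTP_URI)
    print("account:", acct["issuer"], acct["label"])
    print("seed to back up (base32):", acct["secret"])
    print("code now:", code_from_uri(SAMPLE_TOTP_URI))
    print("RFC 6238 vector, T=59:", code_from_uri(SAMPLE_TOTP_URI, for_time=59))
```

Run stand-alone it prints the parsed account, the seed worth backing up, and the current code; with `for_time=59` the constructed TOTP URI yields `94287082`, the RFC 6238 SHA-1 test vector, which is how you can sanity-check any generator you write or any backup you restore.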


That's not the problem with SMS for 2FA. The problem with SMS for 2FA is that cell phone accounts were never intended to serve as what amounts to a high security authenticator service, and cell phone companies are resistant to this newfound 'responsibility', somewhat understandably so.

By default, someone can call up your cellular provider, claim to be you, pass trivial to no security questions, and request a replacement SIM be mailed out, or that your number be ported to another device. Or they can slip a bit of cash to any employee who works at any cell phone store that sells service for your carrier.

SMS 2FA isn't better than just a password. It's objectively worse, dramatically increasing the attack surface. Compromise someone's cell phone account and you are virtually guaranteed access to their bank/retirement/investment accounts, email, social media, etc. And they are virtually powerless to do anything about it for at least a few hours while they scramble to, say, get phone service working again and rush to contact everyone they can think of. By the time you're able to even get to your bank to talk to a branch manager and show all sorts of proof of identity, your accounts could be long since cleaned out.

Some providers finally are offering secondary passwords for porting/SIM replacement, that sort of thing. Absolutely call them and request your account be locked down as much as possible, ask to specify a secondary password, etc.


> It's objectively worse, dramatically increasing the attack surface

Any 2FA - no matter how weak - should in theory not be weaker than no 2FA. In practice of course these things can often be used as the only factor to "recover" access to an account so yes, weak 2FA like SMS can make things worse.


I use the FOSS https://github.com/beemdevelopment/Aegis and like it far better than other TOTP apps for the features and UI.


> Installing Microsoft Authenticator means giving them your location data 24/7

On my iPhone settings it doesn’t seem like Microsoft Authenticator is accessing location data at all.



What about your car? Most modern cars have connections to low bandwidth systems. Your phone?

But I gotta ask. How are they using your personal data against you?


My car is old enough to just have onstar which is physically disconnected. My phone I avoid adding personal data to (outside of messaging), I limit my browsing, and I've done what little I'm allowed to in terms of locking it down and removing unwanted features. Ultimately though, it's a necessary evil I'm still hoping to find a solution for.

> But I gotta ask. How are they using your personal data against you?

The answer is that they'll use your data against you in any way that they can if it works to their advantage in any way.

Companies don't care about you and your needs, they care about themselves and making money. The reason there is a multi-billion dollar industry around the collecting, buying, and selling of even the most mundane aspects of your life is that companies have seen that all that data can be leveraged against you to give them money and power and one way or another that usually comes at your expense.

Often they use the data they collect to manipulate you. Maybe they want to get you to buy something you wouldn't otherwise, maybe they want to shape your political opinions. Maybe they just sell your data out to others directly or they use that data to make it easier for others to exploit you.

It doesn't matter if it's Facebook selling your data to Cambridge Analytica so that they can try to swing an election, a group of activists who buy up lists of people who have visited abortion clinics so they can harass them, or a company or data broker letting people buy lists of individuals with low IQs and poor education, or lists of people who are likely to suffer from dementia so they can be targeted with scams, it's all using the data you barely noticed you were handing over.

Even when it's not intentional, algorithms are constantly searching for ways to exploit you in the moment you're at your weakest. They can detect when someone who is bipolar is entering a manic phase and push airline tickets to them since people in that state tend to make last minute travel plans. They can detect when you're tired, heartbroken, or under a lot of stress and anxiety and target you aggressively at those times using one trick after another to find whatever works best (both using what has worked for others like you and tailoring their methods to you individually), and they do it all without ever being explicitly programmed to. The algorithms just maximize for results, and the ends justify the means while giving corporations plausible deniability for even the most egregiously exploitative means their algorithms employ.

In the US, companies like Google, Microsoft, Facebook, your ISP and cell phone company routinely turn data over to the state, with both three letter agencies and local police departments sucking up all the data they can. It's a huge violation of our rights and a threat to our freedoms.

Even the most well-intentioned company collecting your personal data is likely not doing enough to secure that data, and whatever data they hold onto is just waiting to be abused when a less scrupulous person takes over, or to be handed over when the company is bought or absorbed into another, or to be sold should the company ever go bankrupt or become desperate enough for the money.

One way or another, the data you hand over will be used against you, and worse you'll have no idea when it happens. Today people are turned down for jobs and denied rental contracts because of the data collected on them. They are charged more for the same products they buy online than what other people are paying. They are told a company's policies are one thing, while other customers are told they are something else. Their insurance premiums are being raised based on this data. Companies have even been shown to use this data for things as trivial as leaving some people on hold longer than others, but nobody is ever told the reason why those things happen. You have most likely already paid more than someone else, had your time wasted, been denied something, been misled, or been rejected based on the personal data you've handed over.

Nobody is using your data to protect you or put more money in your pocket. It is always used to serve someone else regardless of what that does to you.


Looking at settings, MS Authenticator hasn't ever requested location permission on my iPhone, and I'd be able to deny it if it had.


You don't have to use microsoft authenticator. TOTP is a big step up from SMS and most/good apps won't violate your privacy.


You don't have to enable location permission. Unless there are some geo-fencing options I'm not using.


Why does an Authenticator app even have location access? Geoblocking?


In November 2021 an optional geolocation feature was added to MSFT Authenticator to allow admins to block foreign access.

https://techcommunity.microsoft.com/t5/azure-active-director...

https://support.microsoft.com/en-us/account-billing/common-q...


Exactly, IIRC you can do policies related to locations. It's an optional feature, you don't need to enable it and the app will overall work just fine.


I wondered the same thing about needing access to the cameras and microphones. Turns out they justify it by saying it's for reading QR codes (as if phones had no other way to do this).


FreeOTP works just fine for me

