I've been trying to research the privacy implications of using 2 factor authentication, specifically google authenticator. More generally I just want to gain an understanding of 2fa. I understand generally how it enhances security (one time passwords, requires access to your mobile). What I'm curious about is (1) what are the privacy implications of using Google Authenticator? (2) does Google Authenticator require a google account? (3) Are other 2fa apps (FreeOTP, etc) interoperable with google authenticator / sites designed to work with google authenticator? I haven't seen much talk about 2fa on Wilders so this might be a good place to start a general conversation on the topic as well.
Well, if you're wanting to be anonymous, or at least to keep your identity and location private, the mobile requirement is problematic. It's doable, but it requires (1) getting a mobile as anonymously as possible, (2) careful planning, and (3) long-distance travel (for location anonymity). I have no clue. Two-factor authentication has been discussed many times on Wilders
I use Yubikeys, and one of the initiatives they are part of, in conjunction with Google, is the FIDO consortium, and this is being trialled inside Google. One of the features of FIDO claims to be less leakage of private information that has been the case with existing 2FA schemes (including Google Authenticator). One of the worst techniques I see is the use of SMS, which I suspect is more about having the crown-jewels of your mobile identity known to the service, rather than being a good form of 2FA.
It's not about sites, for me. It's about them needing a mobile number. And that's a problem for two reasons. First, it's sometimes hard (depending on country) to get an anonymous mobile. And second, it's very hard to get location anonymity without long-distance travel. The topic has generally been about needing a mobile for text confirmation.
On the Richter scale of fobs, Yubikeys are cheap ($25), small and passive, and best of all, easy to manage/duplicate. I much prefer this to certificate-based keys which are way too much overhead for what I want. Wear mine on a lanyard round my neck - don't know what that does to my sartorial elegance but.... For my applications, they do both OTP (LastPass) and HMAC-SHA1 (windows 7 logon, and password safe).
On the theme of 2-FA I have one question and I'll be using this thread for it: Which one is better - Google authenticator or Yubikey? Also one question about google authenticator: - Does one need to be connected to the internet for it to work? (Perhaps for clock syncronization reasons?)
Easy, Yubikey But you're more likely to damage or lose your Yubikey. And Yubikeys are apparently not easily backed up <https://www.yubico.com/faq/backup-yubikey/>.
I think you need more precision in the question about Google authenticator. Probably you mean the old TOTP mechanism, which a variety of keys could do, including the Yubikey with a helper (Yubikey has no clock). If you're interested in Google authentication, U2F is much more interesting, again, recent Yubico keys have an implementation of this which I've posted in other threads. Recent versions of Chrome support an extension which gives the ability to use U2F for 2FA, which is what they've been using internally in Google for a while, and now works with public access to Google accounts. If you want to understand the Yubikeys, they support a variety of mechanisms, ranging from certificate based (and U2F), through OTP, and also HMAC-SHA1 and static which do not require network connection. Personally I use the Yubico OTP with Lastpass and the HMAC-SHA1 for Windows login and Password Safe. And I'm pretty happy with that. As far as backup is concerned, the HMAC-SHA1 is easy because it relies on a secret that you can put on another key. Anything that uses certificates or OTP secrets is harder, and requires registration of 2 or more keys with the service (one to backup). But this is why services such as Lastpass and Google authentication have recovery mechanisms. On the Richter scale of loss or damage, the Yubikey is pretty good, I've found them robust and I do keep them with me (as appropriate). I experimented before with X.509 keys and found them unmanageable for small-scale operations.
