What bothers me is that many websites still rely on crappy SMS based 2FA. It also bothers me that Google and Microsoft still haven't released authenticators for desktops, I do not like to use my smartphone for 2FA. And it also bothers me that many websites don't support hardware based 2FA like YubiKey. I'm not sure what to think about biometric based 2FA like Windows Hello. I guess it makes sense if you have to authenticate yourself and you don't have access to your own devices like PC, smartphone and USB security key. Of course, assuming that the device actually supports Windows Hello via fingerprint scanner or face ID.
I think using a different device such as a smart phone is more secure since it's a lot less likely that an attacker is going to have your phone as well as account credentials. It looks like Windows Hello facial recognition can be bypassed, but it sounds like a very sophisticated attack. Personally I'd like it if authentication via smartphone was implemented for Windows login. https://www.cyberark.com/resources/...an attacker,images to the authenticating host.
No, the thing is that a hacker should not be able to access the 2FA code. So even if let's say authentication is done on your laptop without a second device like smartphone or USB key, they still can't access your account. See link, I would love to see this stuff become a standard security feature on all major websites. However, what if you need to login on a device not owned by you, that's where your smartphone or USB security key comes into play. But what if you for whatever reason don't have access to them? Then the only good option is Windows Hello with its biometric features, even though it can be bypassed of course. https://blog.dashlane.com/dashlane-intel-u2f-windows-password-manager/
I feel like a loss of my U2F key (or not having it with me) SHOULD mean I am absolutely locked out without it. Most sites allow you to pre-authenticate 5 physical keys if you want to. At that point I MUST present one of those keys or I am locked out. To have ANY convenient workaround is to weaken the cloak of security ---- IMO. For people that cannot obtain more than one key there usually is a simple free option. e.g. on Tutanota email - with U2F active --- a user has the option to generate a super long recovery code as backup. That code can be stored in a safe place but using it is far more difficult than having a backup physical key in a safe or wherever!
So you wouldn't want to have multiple ways to login to your account via 2FA? The thing is, I personally always use my own devices for stuff like online shopping, banking, social media and webmail, so for me a security key or desktop authenticator makes sense. But I was just brainstorming a bit about what if you do need to log in to these services on laptops/desktops not owned by you, and you don't have access to your security key or smartphone authenticator. Then Windows Hello makes the most sense.
I am really sorry I have been gone for a while. I always have a security key with me or at least hidden in the car, which is always close by. Any form of two factor other than a physical key can be hacked although stuff like TOTP is pretty tough to crack. TOTP with Authy wins as second choice. You mentioned not having an Authenticator with you but that would mean you don't have your phone with you. Most people are never without their phone, LOL!
No problem, I was also not active the last few weeks. But I can completely understand your point of view, the thing is I was talking about some kind of emergency that you don't have access to your security key and smartphone, perhaps you got robbed or something. And let's say you are at the library and really need access to your email in 10 minutes time because otherwise you won't be getting your dream job. How to solve this problem, know what I mean? Is it possible to buy a new security key in some electronics store and somehow register it, would this be an option?
In order to register a security key (e.g. YubiKey) you MUST already be logged into the account to authenticate it with the provider. Many accounts allow you to authenticate 5 keys ahead of time. You mentioned some issues with desktops and authenticators. I use Authy on my FF browsers without any issues at all. With Authy YOU decide which devices are TRUSTED in settings. You could have a spouse/friend with an Authy TOTP on their phone for your account. Then you would simply call them and ask them to give you the six digit code during sign in (it's time based, so they give you the code and you enter it IMMEDIATELY). Lots of safe ways to accomplish what you are asking for. Hope this makes sense, but if not come back and ask. Once you do it a few times it's soooooooo easy and SAFE.
OK thanks for the info. Perhaps I should take a look at Authy, the problem is that it's a third party app that always needs to be launched or needs to be running in the background. Too bad that they cancelled the Authy extension. And it makes sense that you can't simply register a new security key if you lost one.
Authy stays locked on my Androids. You only get a few attempts to enter the correct PIN or you get logged out completely. If you use a decent PIN what are the odds that someone can enter it correctly in say 5 attempts? About ZERO actually. Further, you can authenticate several other devices as allowed to use your Authy account. After setting things up you then turn OFF the ability for ANY other device to use your Authy in any way. It's rock solid. Remember your Authy TOTP (or any other TOTP software) is useless by itself. You still need the correct password and username.
To clarify, I meant that in order to use Authy on your PC it needs to run in the background or you need to launch it every time which is a bit unhandy in my view, the app feels a bit heavy. Would be cooler if the app was more lightweight, perhaps WinAuth is a better choice for me.
Cannot answer to Desktop Authy. I keep Authy on my Android and that way when I attempt to login using my computer the final authentication using the Authy code comes from a separate device ----- > providing slightly better security.
Yes I understand, but I almost never use my smartphone. So I will probably buy a YubiKey and will also use Authy for desktop for certain webservices. I haven't had malware on my system for the last 25 years or so, so I doubt that malware is going to bypass 2FA on my system. I see no need to use my smartphone for 2FA, it's a hassle for me.
OK I see, so it does the same as Authy? I did notice that it's an 80MB download for the Windows app, let's hope that it's not heavy.