2 Factor Authentication

Discussion in 'privacy technology' started by JackReacher, Sep 29, 2014.

  1. JackReacher

    JackReacher Registered Member

    Joined:
    Mar 17, 2012
    Posts:
    67
    Location:
    South of the North Pole
    I've been trying to research the privacy implications of using 2 factor authentication, specifically google authenticator. More generally I just want to gain an understanding of 2fa. I understand generally how it enhances security (one time passwords, requires access to your mobile).

    What I'm curious about is (1) what are the privacy implications of using Google Authenticator? (2) does Google Authenticator require a google account? (3) Are other 2fa apps (FreeOTP, etc) interoperable with google authenticator / sites designed to work with google authenticator?

    I haven't seen much talk about 2fa on Wilders so this might be a good place to start a general conversation on the topic as well.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Well, if you're wanting to be anonymous, or at least to keep your identity and location private, the mobile requirement is problematic. It's doable, but it requires (1) getting a mobile as anonymously as possible, (2) careful planning, and (3) long-distance travel (for location anonymity).
    I have no clue.
    Two-factor authentication has been discussed many times on Wilders :)
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I use Yubikeys, and one of the initiatives they are part of, in conjunction with Google, is the FIDO consortium, and this is being trialled inside Google. One of the features of FIDO claims to be less leakage of private information than has been the case with existing 2FA schemes (including Google Authenticator).

    One of the worst techniques I see is the use of SMS, which I suspect is more about having the crown-jewels of your mobile identity known to the service, rather than being a good form of 2FA.
     
  4. JackReacher

    JackReacher Registered Member

    Joined:
    Mar 17, 2012
    Posts:
    67
    Location:
    South of the North Pole
    Thanks for the answers.

    Mirimir -

    I'm not looking for true anonymity on my smartphone, just privacy and a degree of anonymity. I know it is almost impossible to remain anonymous on mobile. I just don't like leaking more information to advertisers, trackers, etc., than I have to. Especially to Google. Specifically, I'm concerned about the amount of data Google stores on me. It just makes me feel uncomfortable. Theoretically, what would their 2fa servers see? The site I enable 2fa on and that's it?

    I must have missed most of the posts on 2fa. I'll keep searching.

    DeBoetie -

    I like Yubikey. I haven't used it before, but I like the concept. However, a free solution would be nice, and I would prefer not to carry around anything extra (i.e. a Yubikey). I tend to agree with you about SMS, though I think lots of sites just do it for simplicity, specifically the ones that mandate 2fa.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's not about sites, for me. It's about them needing a mobile number. And that's a problem for two reasons. First, it's sometimes hard (depending on country) to get an anonymous mobile. And second, it's very hard to get location anonymity without long-distance travel.
    The topic has generally been about needing a mobile for text confirmation.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    On the Richter scale of fobs, Yubikeys are cheap ($25), small and passive, and best of all, easy to manage/duplicate. I much prefer this to certificate-based keys which are way too much overhead for what I want. Wear mine on a lanyard round my neck - don't know what that does to my sartorial elegance but....

    For my applications, they do both OTP (LastPass) and HMAC-SHA1 (windows 7 logon, and password safe).
     
  7. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    On the theme of 2-FA I have one question and I'll be using this thread for it:

    Which one is better - Google authenticator or Yubikey?

    Also one question about google authenticator:

    - Does one need to be connected to the internet for it to work? (Perhaps for clock synchronization reasons?)
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I think you need more precision in the question about Google authenticator. Probably you mean the old TOTP mechanism, which a variety of keys could do, including the Yubikey with a helper (Yubikey has no clock).

    If you're interested in Google authentication, U2F is much more interesting; again, recent Yubico keys have an implementation of this, which I've posted in other threads. Recent versions of Chrome support an extension which gives the ability to use U2F for 2FA, which is what they've been using internally in Google for a while, and now works with public access to Google accounts.

    If you want to understand the Yubikeys, they support a variety of mechanisms, ranging from certificate based (and U2F), through OTP, and also HMAC-SHA1 and static which do not require network connection. Personally I use the Yubico OTP with Lastpass and the HMAC-SHA1 for Windows login and Password Safe. And I'm pretty happy with that.

    As far as backup is concerned, the HMAC-SHA1 is easy because it relies on a secret that you can put on another key. Anything that uses certificates or OTP secrets is harder, and requires registration of 2 or more keys with the service (one to backup). But this is why services such as Lastpass and Google authentication have recovery mechanisms.

    On the Richter scale of loss or damage, the Yubikey is pretty good, I've found them robust and I do keep them with me (as appropriate). I experimented before with X.509 keys and found them unmanageable for small-scale operations.
     
    Last edited: Dec 8, 2014
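As an added illustration (not from any poster in this thread) of the TOTP mechanism deBoetie refers to, and of the interoperability and offline questions raised in posts 1 and 7: Google Authenticator and FreeOTP both implement RFC 6238 TOTP over RFC 4226 HOTP, so a code needs only the shared secret and the device clock, no network, and a server tolerates small clock drift by also accepting the neighbouring 30-second windows. The secret below is the RFC 6238 test-vector key, base32-encoded as it would be in an otpauth:// enrolment QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # time step in seconds (Google Authenticator default)
DIGITS = 6   # code length

# RFC 6238 test-vector secret "12345678901234567890", base32-encoded the
# way authenticator apps receive it at enrolment (constructed demo value).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Nothing here touches the network; only the clock matters."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // step)


def verify(secret_b32: str, code: str, at: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus `drift_steps`
    windows either side, so a phone clock a few seconds off still works.
    Constant-time comparison avoids leaking partial matches."""
    for k in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret_b32, at + k * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(DEMO_SECRET_B32, now))
```

Any app that implements the same RFCs (Google Authenticator, FreeOTP, a Yubikey with a helper supplying the clock) produces identical codes from the same secret, which is what makes them interchangeable.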