What about 2FA browser extensions?

Discussion in 'other software & services' started by Rasheed187, Jan 22, 2023.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,602
    Location:
    Flat Earth Matrix
    MS authenticator actually forces me to do it, since it does not allow a cloud backup to multiple devices, so I have to painstakingly input all codes into my backup phone as well. :thumbd:
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,224
    Location:
    Member state of European Union
    I think that the European Union classified three factors in European payment system law a few years ago.

    EU Now Requires Multi-Factor Authentication for Online Payments
    February 17, 2021
    https://www.onelogin.com/blog/eu-mfa-online-payments
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,602
    Location:
    Flat Earth Matrix
    In theory. Many webpages get payments without any verification at all, because ... I do not know?! The eshops are considered trusted, regardless of who pays them? I do not like it, but it is not like I can not do anything about it.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,224
    Location:
    Member state of European Union
    Are you talking about debit/credit cards? I'm not sure how they are classified, and I don't use them except for hotel bookings.
    I usually choose between two options: pay-by-link or some new system that allows me to pay by typing digits from the banking app into the web page. The first option redirects to the banking site, which indeed uses 2FA. The second option is based on a banking app activated on a particular phone. Long story short, a banking app protected by a PIN and activated, thus linked, on a particular phone is 2FA. So yeah, I don't complain about payment authentication.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    You know what I don't get? I was playing around with my YubiKey on my Gmail and Yahoo Mail accounts, and I noticed that on Yahoo Mail you can only use one 2FA method, but they allow you to recover via mobile phone and backup email address. And Gmail allows you to log in with both YubiKey and authenticator app at the same time.

    Gmail also has the backup email address and mobile phone recovery options. Plus they also give you backup codes if you lose access to your authenticator. So I assume in case some hacker has your username and password, but he doesn't have your YubiKey or 2FA code, he could still get in, but he needs control over your phone number and backup email address, right?
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,602
    Location:
    Flat Earth Matrix
    That is why I have removed SMS as a recovery method from accounts, since it can be easily abused (even remotely without simjacking), but email as a recovery is sort of OK, because the hacker would need to get access to it via 2FA.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,224
    Location:
    Member state of European Union
    There were threads on this very forum proving that a recovery e-mail is not enough to recover a Google Account.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, SMS as recovery is not a good idea, but I believe both Google and Yahoo force you to add a mobile phone number before you can register a security key. But perhaps I can still remove it. But the main problem with 2FA is that it's a hassle. So it makes a lot of sense to build a 2FA authenticator into the browser itself, like Safari (macOS) has done. This way it autofills your username/password and 2FA code every time you log in, with one click. And about security keys, it would make more sense if you would only have to touch it when you want to log in, without the need for any PIN code.

    OK, so is this good or bad? The thing is, I'm trying to figure out if you can really stop a dedicated hacker with tools like 2FA authenticators and security keys. Because if they can simply bypass them via phone SMS or they hack your backup email address, then what is the point?
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
    That should be possible with a security key that uses biometrics instead of a PIN for user verification:

    https://www.yubico.com/products/yubikey-bio-series/
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,224
    Location:
    Member state of European Union
    If you can't recover your own account by backup e-mail, then most likely an attacker couldn't either. Mind that I speak only about e-mail and Google accounts. I don't know how it would go with Yahoo or Microsoft accounts.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I should look into the YubiKey Bio series, but what I meant is that it seems like currently you have to keep plugging in your security key, touch the NFC chip and then also enter a PIN code. But I haven't tested it extensively yet. For now I have chosen to trust my own laptop, so both Gmail and Yahoo Mail won't ask for the security key. On all other machines they will, of course. But I believe 2FA should become more streamlined in general. I mean, some let you use multiple 2FA methods, and others only one; it's a bit confusing. And I was wrong, Yahoo Mail does allow you to register multiple security keys.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I see what you mean. But I do wonder how easy it is to recover your own account. Like I said, both Gmail and Yahoo Mail ask for your mobile phone number and 2 other backup email addresses; what more do they want?

    But back to my topic: I noticed that the Authenticator extension is quite popular, but I also read quite a few bad reviews. It's probably not a good idea to let some unknown extension handle 2FA codes, I mean they could steal your secret codes and perhaps even your passwords. I see that just about all password managers nowadays offer browser extensions that can also generate 2FA codes. The only difference is that they need to be running in memory all of the time; that's why I prefer a built-in browser option. I hope Vivaldi will add this in the future, just like Safari.

    https://chromewebstore.google.com/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, about the PIN code on YubiKeys, I now understand that security keys can also be used as passkeys. Smart move from Yubico and Google, because otherwise passkeys would ruin the whole hardware security business. So in the future, you can store those passkeys on security keys like YubiKey or Google Titan.
     
  15. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
    Already possible! (I'm doing this for a few services)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I saw a YouTube video weeks ago; it should already be possible on, for example, Google accounts. I can't fully visualize it, but I'm guessing that you will only have to plug in your security key and enter the PIN code. Or if you have the YubiKey Bio version, you could use the fingerprint scanner. How do you like it so far, and have you also stored those passkeys in the cloud?
     
  17. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
    Yes, I went for convenience over security and stored them in the cloud as well...

    I prefer using the cloud ones (always available) and consider the hardware keys to be a backup.
     
  18. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    987
    Location:
    The Netherlands
    I use a somewhat unconventional method. :)

    Downloaded an offline generator from:
    https://github.com/jaden/totp-generator

    Then run it locally by clicking `index.html` from within the folder.

    screenshot1.png

    Of course keep your secret keys somewhere safe in a password protected archive.
     
    Last edited: Feb 19, 2024
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I'm also still trying to figure out how I will use passkeys, but now that I think of it, it isn't any different from passwords, which you can store locally on devices and/or in the cloud.

    I didn't really understand what this is all about, to be honest. What are the advantages, security-wise?
     
    Last edited: Feb 19, 2024
  20. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    987
    Location:
    The Netherlands
    (sorry; edited my post to say: offline generator)
    Well, I just presume it is safer, because it is not an extension in the browser or some external 'app' you have to trust.

    The source code is fully transparent.

    I downloaded it because I sometimes also use it in a browser that doesn't support modern web extensions (Pale Moon).
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, but it's still a website that you have to trust? I'd rather use a more popular third-party app for this stuff. I still hope that Vivaldi will implement a built-in 2FA authenticator. I mean, you have no choice but to trust your browser.
     