If you have your secret key, it’s straightforward to do what google authenticator does, and generate a token. If they do this, they can intercept your texts, and all is lost.įor that reason, if security matters its best to avoid SMS based MFA.
But it has a severe disadvantages in that SIM Swapping can be used by criminals to social engineer the phone company into letting them take control of your phone number. This form of auth is simple to use, since people have their phones on them all the time. In the past, the most common form of 2FA/MFA was SMS based one-time codes. I have found out that LastPass (not Authenticator, just the password storing plugin) has this feature. (This article is not security advice, I’m not qualified to give that, but again, be careful where you store your MFA secret key or what’s the point of having it!) Side Note: You Shouldn’t Use SMS as a Authentication Factor But also, now a new option is open for me: I can programmatically generate the OTP tokens. Now if I break another YubiKey, or brick my phone, I can always generate codes using the secret key, or easily re-add it to my new phone. This Virtual MFA secret key needs to be treated securely because anyone with it can generate the one-time-passwords that I’m using for multi-factor authentication. I stored it in LastPass but it could have been stored on paper in a safe, or in Earthly Secrets.
I set up a virtual MFA device in AWS and before adding it to google authenticator on my phone, using the QR code, I grabbed the secret key and stored it somewhere secure. Time-based one-time passcodes (TOTP) are a form of two-factor authentication (2FA) that add additional security for each login. (FYI: Previously this was often called 2FA, two-factor-authentication.) MFA Setup in AWS LastPass now offers the ability to create a time-based one-time passcode (TOTP) in the LastPass vault for Enterprise and Identity users. If you have something valuable online, something that can be stolen or turned into bitcoin you should set up multi-factor authentication for it. But Alex gave me a great solution to this problem – securely store the MFA secret key. ACM 22, 11 (1979), 612-613.Previously, I’d had a slightly bad time with YubiKeys: My computer fell and crushed my key. In Proceedings of the SIGCHI conference on human factors in computing systems. It's not what you know, but who you know: a social approach to last-resort authentication. Stuart Schechter, Serge Egelman, and Robert W Reeder.In Proceedings of the 13th ACM conference on Computer and communications security. Fourth-factor authentication: somebody you know.
John Brainard, Ari Juels, Ronald L Rivest, Michael Szydlo, and Moti Yung.How it works: Backup and restore for Microsoft Authenticator. Google Authenticator for Android (Open Source Version). Announcing Cloud Backup for LastPass Authenticator: Easier multifactor security for everyone. TOTP: Time-Based One-Time Password Algorithm. Duo Restore - Guide to Two-Factor Authentication.
0 kommentar(er)
