
2FA

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

2FA

#651553

Postby GeoffF100 » March 5th, 2024, 9:34 pm

I have been thinking about tightening up the security on my gmail account with 2FA. I could use my mobile phone as the authentication device, but a secure key that I can plug into a USB socket on my desktop PC running Linux would be better. Google sells its Titan secure keys for £30 including postage. Amazon has cheaper secure keys, but Amazon does not have a good reputation.

Vanguard supports secure key 2FA in the US, and Vanguard UK says that it is working on alternatives to the current SMS 2FA. Other UK investment platforms and banks? Do not hold your breath.

Any experience? What do you do?

Urbandreamer
Lemon Quarter
Posts: 3191
Joined: December 7th, 2016, 9:09 pm
Has thanked: 357 times
Been thanked: 1052 times

Re: 2FA

#651558

Postby Urbandreamer » March 5th, 2024, 9:49 pm

Did you say your gmail account?

Is not the obvious choice Google authenticator?
https://en.wikipedia.org/wiki/Google_Authenticator

I don't use it for gmail, but it is required to access my google account and one of my stock broker platforms.

Lootman
The full Lemon
Posts: 18947
Joined: November 4th, 2016, 3:58 pm
Has thanked: 636 times
Been thanked: 6683 times

Re: 2FA

#651560

Postby Lootman » March 5th, 2024, 9:53 pm

I have had 2FA on my gmail account for over a year now. It was imposed on me but I am fine with that.

It does not involve the usual thing of sending me a code. Rather it produces a screen on my phone and invites me to hit a button to confirm it is me trying to access my gmail.

One good thing is that you can designate more than one phone number. Both my phones get the confirmation invite, and accepting either works.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651629

Postby GeoffF100 » March 6th, 2024, 8:42 am

Firstly, let's make it clear what I am talking about here, "How to Lock Down Your Google Account With a Security Key":

https://www.pcmag.com/how-to/how-to-loc ... curity-key

There are possible problems with Linux, but they appear to be easily fixed, "Add a Titan Security Key on a Linux system":

https://support.google.com/titansecurit ... 8044?hl=en

For Google Authenticator, Wikipedia says:

"Google provides Android,[3] Wear OS,[4] BlackBerry, and iOS[5] versions of Authenticator."

Google Authenticator is considered to be less secure than a hardware security key and there does not appear to be an easy way of getting it to work on Linux.

Judging from the adverts on eBay, my mobile phone has a residual value of about £50. I could buy a new phone and use my old phone as a dedicated authentication device, "Use your phone's built-in security key":

https://support.google.com/accounts/ans ... %3DAndroid

I access gmail via my mobile phone and a Raspberry Pi. (I do not like accessing email on the same machine that I use for accessing financial accounts.) Communication with the authentication phone is via Bluetooth, so it should not need a WiFi or cellphone connection on that device. Disadvantages are (apart from not needing a new phone) that a mobile phone has to be kept charged and is more difficult to hide than a security key. Furthermore, if a burglar finds a mobile phone, he is likely to steal it, whereas if he finds a little device that looks like a USB flash drive, he will probably leave it alone.

Google's Titan security key (for £30 including postage) appears to be my best option here:

https://store.google.com/product/titan_ ... y?hl=en-GB

Infrasonic
Lemon Quarter
Posts: 4490
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: 2FA

#651690

Postby Infrasonic » March 6th, 2024, 11:21 am


tacpot12
2 Lemon pips
Posts: 141
Joined: July 19th, 2018, 10:24 am
Has thanked: 145 times
Been thanked: 81 times

Re: 2FA

#651720

Postby tacpot12 » March 6th, 2024, 12:24 pm

I use 2FAS as an alternative to the Google Authenticator, and prefer it as it requires a PIN number to open the App. This means that should someone looking over my shoulder see me enter the PIN that unlocks my phone, they can't grab my phone and have access to any of the tokens that the Authenticator has.

I have a U2F Security key (a HyperFIDO Mini) that I use for certain services, but I don't use it with Google as I don't like the way that Google requires you to use Microsoft Hello to use security keys. I use the 2FAS Authenticator and back up the tokens to a cloud storage service, in case I lose access to my phone. Having a second phone purely as an authentication device is a sensible strategy and one I have considered myself.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651721

Postby GeoffF100 » March 6th, 2024, 12:35 pm

tacpot12 wrote:I have a U2F Security key (a HyperFIDO Mini) that I use for certain services, but I don't use it with Google as I don't like the way that Google requires you to use Microsoft Hello to use security keys.

Microsoft Hello seems to be a way of signing into a Windows device. Would Google use it to sign into a Google account from Android or Linux? It seems very odd if it does. What is the problem with Microsoft Hello anyway?

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651724

Postby GeoffF100 » March 6th, 2024, 12:51 pm

An important loose end is how to recover if I lose my secure key, "Sign in if you lost your security key":

https://support.google.com/accounts/ans ... r-password

Backup codes seem to be the easiest recovery option, "Sign in with backup codes":

https://support.google.com/accounts/ans ... %3DDesktop

When will I need to use my security key? "Use a security key for 2-Step Verification":

https://support.google.com/accounts/ans ... %3DAndroid

"You’ll be asked for your security key or another second step any time you sign in from a new computer or device."

Hopefully, I now know what I need to know. A Google Titan key still seems to be the option that is least likely to give me problems getting up and running. It also has USB A, USB C and NFC connectivity and can store 256 keys, which will be useful if UK financial firms start offering secure key verification.

Infrasonic
Lemon Quarter
Posts: 4490
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: 2FA

#651746

Postby Infrasonic » March 6th, 2024, 1:30 pm

Buy more than one hardware key and register them both at the same time.

Use different hardware keys for different purposes, e.g. you might want a biometric key for an older PC/laptop without that as a native local log in/app authorisation option.

You can run the full panoply of 2FA in parallel with most of the majors like Google/MS in case of failure of any one - so security keys + 2FA apps + secondary email + SMS can all potentially co-exist although the latter two should really be a last resort.

If you're going down the Linux/BSD route do more homework around hardware keys, you might find you need the latest kernel versions to use the latest security protocols, which depending on the distro won't necessarily be in default use yet.

There's a ton of YT tutorials doing step by step guides to basic hardware key setup and use + esoteric variables more applicable to SME environments.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651796

Postby GeoffF100 » March 6th, 2024, 4:08 pm

Infrasonic wrote:Buy more than one hardware key and register them both at the same time.

I do not believe that I need them. SMS is not the most secure method of 2FA, but it is all that is available for my financial accounts. SMS has the risk that I will lose my mobile phone or have it stolen. I should be able to get a new SIM with the same number from 1p mobile within a few days, but it would not be convenient. Perhaps I should buy a cheap dumb phone for 2FA, and keep it hidden away at home. The Vodafone PAYG 1 tariff is a possibility for that:

https://www.vodafone.co.uk/mobile/pay-a ... ans/payg-1

However, the T&Cs say: "Losing the mobile equipment If your mobile equipment is stolen, damaged, destroyed or lost, we do not have to give you any refund for any services that you have paid for in advance or for the cost of the mobile equipment. You must contact us immediately so that we can suspend your services to prevent further calls being made using your mobile equipment." I do not like the look of that, but perhaps I would still be able to keep my number.

A security key would make my Google account more secure. The only other account that would benefit is my Outlook account, which I use as my gmail recovery account and for one of my file backups. I only access it once a month. It does not seem worth using a security key for that account. The data is not sensitive, and I have other backups. If I buy a dumb phone, is it even worth buying a security key for the Google account? Probably.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651824

Postby GeoffF100 » March 6th, 2024, 6:20 pm

Further thoughts are:

(1). If I leave my phone at home, keep it in "Do not disturb" mode and hidden in a locked cabinet.

(2). If I take my mobile phone with me, keep it hidden away and in "Do not disturb" mode whenever possible.

If my phone is stolen nonetheless, I should get a new SIM with my old number back within a few days. A thankfully rare but worrying scenario is one where muggers not only steal my phone but demand my PIN and password too. That should not put my mobile number at risk, but it would put my Google account at risk. A secure key hidden at home would prevent my Google account being stolen. A secure key is a one-off cost, and there may be other uses for it in the future. It looks like a good buy.

Lanark
Lemon Quarter
Posts: 1340
Joined: March 27th, 2017, 11:41 am
Has thanked: 600 times
Been thanked: 587 times

Re: 2FA

#651885

Postby Lanark » March 6th, 2024, 9:46 pm

Authy

Mainly because I don't trust Google not to just suddenly sunset authenticator when they realise they aren't making money from it.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651938

Postby GeoffF100 » March 7th, 2024, 8:06 am

I have been checking my assumptions, and have made a horrifying discovery. If someone steals my phone and forces me to give them my PIN and password, 2FA with a security key will not stop them from changing my password, "Change or reset your password":

https://support.google.com/accounts/ans ... roid&oco=1

Nothing about 2FA. That implies 2FA only occurs when logging in on a new device. This is hopeless.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651946

Postby GeoffF100 » March 7th, 2024, 8:21 am

Perhaps the solution to this problem is to set up another gmail account and use that as the account on my phone. I can then link my existing email account to the new one, "Get Gmail features for your other email accounts":

https://support.google.com/mail/answer/ ... %3DDesktop

Hopefully, that would protect my existing email address from being hijacked. Yes, a mugger could demand passwords for linked email addresses, but that seems very unlikely. Most likely he will just want the password so that he can factory reset the phone and resell it.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#651977

Postby GeoffF100 » March 7th, 2024, 10:49 am

In theory, you need your Google account credentials to do a factory reset, but the web is full of posts and tools to circumvent that, and indeed the need for a PIN. I guess that is why so many mobile phones are stolen.

GeoffF100
Lemon Quarter
Posts: 4766
Joined: November 14th, 2016, 7:33 pm
Has thanked: 178 times
Been thanked: 1379 times

Re: 2FA

#652030

Postby GeoffF100 » March 7th, 2024, 2:36 pm

Google has a procedure for recovering your account if you believe that someone else is using it:

https://support.google.com/accounts/tro ... ts=2402623

A security key cannot do any harm here.

GrahamPlatt
Lemon Quarter
Posts: 2091
Joined: November 4th, 2016, 9:40 am
Has thanked: 1041 times
Been thanked: 845 times

Re: 2FA

#653824

Postby GrahamPlatt » March 15th, 2024, 6:41 pm


ukmtk
2 Lemon pips
Posts: 183
Joined: November 7th, 2022, 6:09 pm
Has thanked: 50 times
Been thanked: 54 times

Re: 2FA

#653874

Postby ukmtk » March 16th, 2024, 8:02 am

I have 2FA on Amazon + Google. On Linux.
I use my mobile - even though it's not ultra secure it's fine for most people - especially if they are not in the public eye.
Note that once you have done it once you can say to trust the device you're on - so you don't have to do it every time.
I'm assuming these use a cookie for this. Occasionally after a Firefox update I have to do a 2FA again. Not very frequently though.

ukmtk
2 Lemon pips
Posts: 183
Joined: November 7th, 2022, 6:09 pm
Has thanked: 50 times
Been thanked: 54 times

Re: 2FA

#653875

Postby ukmtk » March 16th, 2024, 8:05 am

At work we use Microsoft Authenticator for 2FA.
I also have a hardware device like a calculator that does similar.
It saves me having my mobile on all the time (I only use the phone to track sport or when out shopping).
You might find you could use Microsoft Authenticator for the 2FA?
It's an app on your phone that is secured by your phone security.

dionaeamuscipula
Lemon Quarter
Posts: 1099
Joined: November 4th, 2016, 1:25 pm
Has thanked: 103 times
Been thanked: 375 times

Re: 2FA

#653913

Postby dionaeamuscipula » March 16th, 2024, 12:17 pm

ukmtk wrote:At work we use Microsoft Authenticator for 2FA.
I also have a hardware device like a calculator that does similar.
It saves me having my mobile on all the time (I only use the phone to track sport or when out shopping).
You might find you could use Microsoft Authenticator for the 2FA?
It's an app on your phone that is secured by your phone security.


It's an app on my iPhone which helps with the security on it by demanding I log back into my outlook account several times a day. And then falling over when I try to actually use it for any authenticatin'

DM (did I ever say that I was at the UK launch of Word for Windows? oh please yourself)

