2-factor authentication

...This is just a scam to get your phone number, isn't it? How does moving your password to your Google™ botnetted phone make it secure?

If done right it requires physical access to another device.

>How does moving your password to your Google™ botnetted phone
that's why you use apple ONLY for phone and just deal with it being less "powerful" than android but likely a little more secure and separated.

sms 2fa is insecure, use physical u2f

use andOTP

/thread

> but likely a little more secure

by far more secure
google can up- & download stuff on your phone without you knowing - in realtime

People lose their phones all the time though, whereas a password is in my brain all the time. Let's say you drop your phone and crack your screen so you can't log in anymore - what do?

backup codes, alternate 2fa methods.

Sure there are ways to do it correctly but do you really need that crap for your cat video watching youtube account... I'm not getting a dongle just for that

TFA and Yubikey stuff is a fucking meme. If you do something critical, do it on yr Win machine and not on the smartphone. Second, use a strong pwd manager that doesn't leak to the clipboard. Oubliette is quite an old one but probably the most reliable one.

>use physical u2f
Just as dangerous, pal.

for someone to access your email they need the email password, then your phone, and the password to the phone.

before i turned on 2fa for gmail i would have some shitskin get in and try to spam all my contacts every few months. since i turned it on it hasn't happened once for about two years now.

>for gmail
Oy vey, the GMail user. How edgy.

I've been on the internets for 18 years and I've never had my email hacked... Maybe you just have a weak password or "common sense antivirus"

>This is just a scam to get your phone number, isn't it
Literally yes.

>never had my email hacked
Same experience here. Must be quite an achievement getting yr e-mail "hacked".

>People lose their phones all the time though

I'm glad I wasn't born a retard who manages to lose $1000 phones

Let's go with "niggers steal phones all the time" then.

>leaving your $1000 phone alone in a place where someone could steal it

lmao do you really think someone is going to spoof your SIM card user

Thread should have ended here

>This is just a scam to get your phone number, isn't it
Yes but who cares really

>andOTP

What's wrong with FreeOTP?
Genuine curiosity.

Getting access to someone's SIM seems to be fairly easy by contacting the company you have a contract with

freeotp is unmaintained

>This is just a scam to get your phone number, isn't it?
>Lets say you have my email and my password.
>Lets say you want to fuck my Blizzard account, or Bank account or any other.
>You use the email + pass......... and you need to write a pin code to enter. Now you are fuck. Because I have the phone.
If I did not have 2 factor authentication I would have been fucked, but now you are fucked, because I got an email that someone tried to enter my Bank account. Now I change the pass. Get fucked scrub.

Well in that case it increases the security of your account for the price of your phone number, which isn't much considering how easy it is to get those

oh

>Second, use a strong pwd manager that doesn't leak to the clipboard. Oubliette is quite an old one but probably the most reliable one.
Is keepass xc not good?

>sms messages to phone
>work email to phone
Phone is the 1 factor, steal the phone or get a copy of the sim card and you have access. It happened to LTT.

The only 2fa i have enabled is steam and thats just to get prime on csgo. Using a burner number

I thought sim encryption was a thing

>keepass xc
On Krebs on Security & on Schneier, they say it's o.k. Then again, they also drink the Protonmail kool aid.

Two days ago, there was an article in WSJ saying that Dashlane was excellent.

If you want to use it across several devices, then you'll want to use one of them. If you are more security minded, Oubliette may be an option.

You can check it on www.tranglos.com in archive.org (year: 2006).

No other pwd manager has gotten IDEA encryption...

How is ishit more secure. Its OS is fully closed source. Apple can do anything they want and you won't even know. Afaik while android has some closed source modules you can modify it to be fully open source.

>what is being mugged
>what is pickpocketing
>what is niggers snatching it out of your hand and running away with it

>being mugged
pull out your gun and fucking shoot them
>pickpocketing
have some fucking situational awareness and don't look like an easy target
>niggers snatch and grab
again, shoot them

Just because they say you have to use google authenticator doesn’t mean you actually have to, the protocol used doesn’t require a license or have a copyright, so use something like Authy instead and make sure to be more careful about “””who””” you send your creds to

>Shooting someone running away from you with your shit is a good means of anti theft
You live in a fantasy land. You'd spend at least a year in and out of court once you get out of jail

>using insecure sms for 2fa
i shiggy diggy

>but do you really need that crap for your cat video watching youtube account
Probably not, so don't use it.

>pull out your gun and fucking shoot them
While a gun is pointed at you? Good fucking idea
>have some fucking situational awareness
Yes pay constant attention to your pocket instead of going about your day like a normal person. Retard
>and don't look like an easy target
Anyone is an easy target compared to muscle tyrone
>again, shoot them
>shooting someone in the back as they're running away from you
Lol you're gonna go to prison retard

t.Commies

It is perfectly reasonable to use your M249 SAW (pocket version) to spray bullets in the direction of a thief, running in a crowded area, like it's the right of every good and just American.

To aid your awareness cameras have been placed throughout the city, just call your friend, the NSA, and tell them there's something suspicious and they should monitor your surroundings.

To not look like an easy target glue eyes on your back. And the sides. Angry looking eyes. Eyes that scream "I'M WATCHING YOU AND I'M MAD ! YOU DON'T WANT ANY TROUBLE WITH ME, MATE !"

If you're really nifty you can also use one of these catches-on-fire smartphones and play honey pot all day. Your fellow citizens will silently thank you for your duty. Use an app for remote justice.

>Muh I want the most secure authentication for my smartphone
>Muh I am a trendy hipster doing e-banking on my smartphone
>Cares about 2FA whilst in the meantime Google & Apple get sent the keystrokes

You just don't do sensitive stuff on yr smartphone. And now, clean up your room!

Nobody gives a fuck about a random nigger. Take the phone back and walk away like nothing happened.

Physical two factor using a device like a yubikey is actually the only non-placebo two factor, and it provides real security.

>proprietary non a placebo

>it provides real security.
What happens if police search you & you have to hand them the Yubikey? Can they copy it? Wld it compromise overall security? Am not that familiar with those keys.

Let’s say I drop my dick on your head and your brain doesn’t function properly anymore, what are you going to do with that password stored in your head?


>This is just a scam to get your phone number, isn't it?

It's better than re-using identical passwords for your Gmail, Jow Forums Pass(tm), medicare.gov login and other accounts. Yubikey physical keys are too expensive for average people and I cannot log in to medicare with yubikeys, it only works with Gmail, Jow Forums and Github

>I Am not that familiar with those keys
because you are unemployed; any serious company now needs physical keys when you use its intranet, unlock databases or make reports.

>website has 2fa
>2fa device is lost
>you can reset the 2fa by e-mail verification
What's the fucking point?

2FA protects you if your password is compromised, but screws you if you lose your phone.

If I lose my phone I can restore my account using my e-mail, which is also 2FA protected with a paper code backup.

>when your use his intranet,
Geezer. In that case, you already are in the building, having used your badge for access. And: typically, the stuff on intranet is not sensitive.

& now kleen up yr room, dixienigger.

>a paper code backup
Ahahaha, now that's edgy!

>If you do something critical, do it on yr Win machine and not on the smartphone
Are you claiming that Windows is more secure than your smartphone? Are you retarded right now?

Here's a present. TOTP and HOTP implemented in a short little python2 script. Play around with it.

Smartphones have SSD, so you cannot secure delete the data. Also, they are "phoning home". Using a Win machine, you can prevent all that.

From a forensic pov, Win machines are safest.

#!/usr/bin/env python2
# Usage: ./auth.py BASE32_SECRET   (prints the current 6-digit TOTP code)

import sys
import hmac, base64, struct, hashlib, time

secret = sys.argv[1]

def get_hotp_token(secret, intervals_no):
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter
    key = base64.b32decode(secret, True)
    msg = struct.pack(">Q", intervals_no)
    h = hmac.new(key, msg, hashlib.sha1).digest()
    # dynamic truncation: low nibble of the last byte selects a 4-byte window
    o = ord(h[19]) & 15
    h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
    return h

def get_totp_token(secret):
    # RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch
    return get_hotp_token(secret, intervals_no=int(time.time())//30)

# zero-pad so codes below 100000 keep their leading zeros
print("%06d" % get_totp_token(secret))
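An added example, not the script posted above: the same HOTP/TOTP construction in Python 3, plus a hypothetical server-side verifier (the OtpVerifier class is my own, not from any library) that shows what the relying party has to get right: a small clock-drift window, constant-time comparison, and rejection of a code that was already accepted. The test vectors are the public ones from RFC 4226 and RFC 6238 (ASCII key "12345678901234567890").

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))   # keep leading zeros


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(key, int(unix_time) // step, digits)


class OtpVerifier:
    """Hypothetical relying-party check (assumption, not a real library).

    Accepts a code from the current step or `window` steps either side,
    but never a step at or below the last one already consumed, so a
    code captured in transit cannot be replayed within the window.
    """

    def __init__(self, b32_secret, step=30, window=1):
        # Shared seed as handed out in the enrolment QR code (base32)
        self.key = base64.b32decode(b32_secret, casefold=True)
        self.step = step
        self.window = window
        self.last_step = -1          # highest time step already used

    def verify(self, code, now=None):
        now = int(time.time() if now is None else now)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue             # stale or already consumed: replay
            expected = hotp(self.key, step)
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(expected, str(code)):
                self.last_step = step
                return True
        return False
```

Note that the verifier has to persist last_step per user; a verifier that only checks "is this a valid code right now" still accepts a code that was phished or intercepted seconds earlier.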

An updated, non-jailbroken iphone is the most secure computing device available by far. With that, the only legitimate fear you have is the government and that's not what we're talking about here. If you think your windows machine is a better buffer between you and any malicious hackers or theft or what have you, you have a severely distorted perception of the threat.

>only legitimate fear you have is the government and that's not what we're talking about here.

Yes, it is!

Yubikey - botnet and not opensource.
Your keys and passwords up to China servers and CIA niggers storage.

2 factor authentication is just another tactic that the elite use to keep you using their services. Limiting one phone number per account makes them in control of what exactly you're doing online. Having a 16 digit random capital letter, lowercase letter, number, symbol password and preventing brute force by limiting the amount of tries is more than enough protection for your account. What would be even better is encrypting the whole account and using your password as the only way to read it. Again, this wouldn't benefit the Illuminati.

>not opensource.

You nailed it!

Just like the Ironkey some yrs ago!

>dreamstime
>not even photostock, which is shit anyway

Back to plebbit with you.

It's embedded hardware designed to not be tamperable. You have to trust someone eventually unless you're going to print the silicon yourself.

If you weren't retarded you would have password protected the otp module, so nobody who just steals the key can generate codes. If you store rsa keys on it those are pin protected too. They can use the u2f module, but that's why you use two factor. Something you know + something you have. The first line of defense is still your normal passwords.

Employee cards are typically just rfid. They're trivially cloned. A yubikey can't be cloned unless you do it on initialization. Remember to keep paper codes for your email so you can get back in your shit if you lose the key, because otherwise you might be fucked.

You guys keep talking about 2FA using your phones. Why would you do it like that? Do you like getting hacked?
theregister.co.uk/2018/08/15/att_sued_cryptocurrency/
Guy had 2FA on his AT&T phone, they pulled some sim card switcharoo and dude lost millions in crypto.
If you're gonna use 2FA, make it a dedicated app like google authenticator or andOTP if you don't trust G. Anything but never SMS/phone call. That's just fucking stupid.

This is baseless paranoia. Yubikeys never communicate to anything except the host device. Find even a little bit of proof before spouting nonsense.

I'd say even a phone app is questionable since phones are usually vulnerable to all kinds of shit. There are a lot of hardware 2fa devices out there now. Pick one.

>I'd say even a phone app is questionable since phones are usually vulnerable to all kinds of shit. There are a lot of hardware 2fa devices out there now. Pick one.
True that. I just use an old phone in airplane mode. Or you can use something really simple like the Python code I posted here which spits out the 6 digit code for either HOTP or TOTP. Just save it to a file and run it like
$ ./auth.py
Then you don't have to trust anybody at all

It's far less questionable than using SMS authentication since the attacker would have to exploit two different systems to log in to your account instead of just calling Verizon.

>An old phone in airplane mode.
That's a pretty decent "free" solution. Nice.
And the idea isn't trusting the otp generator, it's trusting that nobody has ever swiped your seed. Having an essentially air gapped device accomplishes this for otp.

The idea is that if your phone gets compromised the attacker has literally everything if you use an otp app. They almost certainly have your email since everyone uses email from their phone, and they have your otp seed. They also have all your rsa keys if you sign your mail.

If you store your keys on a hardware module the attacker won't see your private keys. Recovery becomes much easier because the attacker can only abuse active sessions and can't change your password. When you figure out you've been pwned you just force power off the device, change passwords from somewhere else, and wipe the device.

It's also nice in case you accidentally walk into the ocean with your non-waterproof phone in your pocket... Which has certainly never happened to me. But hypothetically a yubikey or similar key is very durable and will still be just fine, so you can get back in your shit without a problem.

>yes goy we didn't open source our secure hardware. trust us goy, with our proprietary firmware. We support open source cause we make opensource applets

It's literally impossible to verify the design and hardware are the same anyway. You can either take the defense against probably everyone, but maybe just everyone but the NSA, or you can take nothing.

You do know that you can get back your phone number by asking your carrier to give you a new sim card and then put that in your new phone without issues right? Or are you just a brainlet?

Most likely he had some keylogger running

Not to mention that it's usually used as two factor authentication, meaning you have to know your password and own a specific physical device.

If you use something like Google Authenticator then you can set up an account on multiple devices with the app.

>but do you really need that crap
It's also about identity theft. I have had somebody log into my steam account once from somewhere in Brasil, with the correct password. 2 factor authentication detected a possible fraud and locked the account until I verified with the second factor. Otherwise it could have been gone and I wouldn't even have noticed because I wasn't using steam for a while.

>Shooting someone in the back equals prison
It depends on the circumstances. For ex. if the nigger is armed then that's armed robbery, which is a felony. Most proper states allow lethal force to prevent the commission of a felony.

When was the last time google got hacked?

>Muh Yubikey cannot be cloned
>Muh Yubikey is military strength

But it's sealed with epoxy and proprietary technology. Basically, a black box.

at that point they're using social engineering to get your information which no level of security and 2fa is going to protect against

>You'd spend at least a year in and out of court once you get out of jail
YOU live in a fantasy land if you think defending yourself will get you put in jail in any civilized country

If they're running away, you're no longer defending yourself, you're trying to murder them.

Data breaches. He probably used the same password for his gay porn account as his email and the host's data was probably stolen.

True, I was just saying that that particular method of defeating 2FA seems (through the cases I've heard) to be fairly simple

>getting your property back from a violent and dangerous criminal is murder
fucking brainlet tier eurocucks

Proportional force, retard. Even in US using lethal force for self defense will land you in prison for years unless your life is in imminent danger.

Americans are so willing to kill for stuff, not even self defence but stuff, that it's no wonder your statistics in the matter are fucking awful.

If it were up to me, I would implement a total zero-tolerance policy for violent behavior, and dump the both the aggressor and victim in perpetual solitary confinement with aggression reducing drugs.

don't fucking take shit that doesn't belong to you tyrone
maybe in some super cucked state like california

>maybe in some super cucked state like california
Maybe in literally every state. There's no state where it's legal to kill someone who is running away from you unless you're a cop.

You're lucky to even be given the opportunity an exception to the state's monopoly on force for your trinkets.

>don't fucking take shit that doesn't belong to you tyrone
Stealing is illegal where I am, but there's no death penalty for it

So, gents, the conclusion is: Let's all use Oubliette on Win. Thank you & Godday.

So is your CPU, HDD, RAM and literally anything with a chip that's hooked onto anything meaningful. Are you seriously this retarded?
EVERYTHING YOU USE YOU TRUST.

It's ALL stamped out in China with a million opportunities for someone to insert something malicious. Yubico could release full diagrams of literally everything right now and it wouldn't make a lick of difference. You. Cannot. Verify. It.

Didn't work for Yahoo

>EVERYTHING YOU USE YOU TRUST.
Fair enough. I can configure Windows, install specific encryption & secure file erasing software. Same goes for the pwd manager, where I can even choose the algorithm. I trust the stuff that I can configure myself.

Why should I add complexity by getting a fucking Yubikey that - in addition to my 64 GB memory stick - I also have to carry with me? What should an extra layer of complexity render safer?

I just don't trust that Yubikey stuff. Also, recently, a faulty batch of Yubikeys has been shipped. The company meekly wrote: "We have recently discovered that a small subset of the YubiKeys that were distributed for this promotion were shipped out misconfigured, and therefore will not work. The serial number that you submitted is one of those keys. Because of that, we are providing you with a new branded YubiKey 4. Please send your preferred mailing address and we will get the replacement sent out as quickly as possible."

"We are very sorry for any inconvenience we have caused. Thank you for your support. If you have any further issues, please respond to this message or you can open a new support case at yubi.co/support."

Also, problems have been reported with Win 10.

Useless crap, imo. Totally overhyped. Just like Protonmail.

>Didn't work for Yahoo

See, that's what I mean!

Compatible with nothing, just like the AMDs or the Compaqs 30 years ago.