Showing only topics with the tag "2fa".
    1. For those who have tried YubiKey for personal use, is it worth it?

      I saw people talking about YubiKey here a few weeks ago so I got curious. Unfortunately, I’m not seeing a lot of helpful reviews for it.

      I’m personally getting tired of having to take my phone anytime I need 2FA for Okta but I don’t have a lot of super important accounts to secure so I’m going back and forth in deciding whether the 100+ euro investment (to get two so that there’s a duplicate) would be worth it.

      How do you use your YubiKey in your personal life, and do you think it’s worth it for your use case?

      35 votes
    2. What are my options for two-factor authentication that doesn't require a backing service (cloud/SMS)?

      I'm not new to two-factor authentication (2FA) as a concept, but available options and how they'd fit into a workflow has always felt somewhat opaque. Every time I've been required to use 2FA, I've used SMS despite knowing how insecure that really is.

      GitHub's 2FA requirement is about to lock me out of my personal account, so I figured it's time to get a grasp on this:

      • What second factors are available to me and what do the workflows look like?
        • Preferably these second factors wouldn't require me to sign up for some associated service.
      • What are my options for redundancy?
        • Can I have multiple second factors?
        • Where are you supposed to keep recovery codes? (I've read that keeping them in your password manager essentially defeats the purpose)
      • What happens if I screw up and lose my second factor? With services that just have password requirements, you can use your email to reset, are there analogous systems for 2FA?
      18 votes
    3. What to do if I've lost my 2FA?

      My phone abruptly died, and it turns out I did not back up my 2FA codes. I have 2FA turned on for Tildes, and while I am still logged in, I can't turn off 2FA without 2FA, so if I ever have to log in again I'm screwed. I didn't save backup codes, of course, because I'm a fool (and I never figured out a good/safe way to store backup codes somewhere different than my password manager). What should I do?

      I went into "Set up account recovery" in my personal settings, and I entered in my email address there. It says that if I can send and receive email from that address, I will be able to reset my password. But I already have a working password, what I don't have is working 2FA. Would a password reset do anything useful in my situation?

      If there is nothing anyone can do at this point, how should I use my remaining time on this doomed Tildes account?

      UPDATE: Admin turned off 2FA for me, so this account is no longer doomed. Thank you!

      21 votes
    4. How safe am I? (self hosting)

      I have a server running Unraid at home. I have ~20 docker containers running at the moment with almost all of them only available within my local network. I just stood up an instance of Seafile on the server to act as a Google Drive replacement. Still in the early test phase before I commit to throwing important stuff on there. I have my domain proxied through Cloudflare so none of my local ports are exposed to the internet. Seafile has complicated passwords set for admin and user accounts (generated with Bitwarden, hot damn I love that app). I also enabled 2FA on each account. I know that I can further clamp it down using some of Cloudflare's extra access controls but in my admittedly limited experience, those all cause issues getting an app to authenticate with the service. Web apps don't have this issue of course.

      So am I ok with this setup? I can encrypt the data before uploading easily as it's a built-in feature of Seafile. Or would it be better to just run with local only and run a VPN to access when I'm outside?

      I figure just about any effort along these lines I trust more than Google with my data. But I may be overconfident in that perhaps. I'm still learning the ropes with Linux and self-hosting in general.

      17 votes
    5. Google Authenticator now supports Google Account synchronization

      After 11 years of life, Google Authenticator has added cloud backups for OTP keys in version 6.0.

      Google Security Blog: Google Authenticator now supports Google Account synchronization

      This is surprising news to me, because historically Authenticator had no way to back up keys by design. Here's a 2017 quote from a Google engineer who maintains Authenticator:

      There is by design NO account backups in any of the apps. [source]

      This design choice always made sense to me, as the point of 2FA is that you've got (1) something you know, and (2) something you have. The second factor should be tied to a physical device. If you lose the physical device, the second factor should be gone, and you'll need to use one of those 10-ish backup codes that we all definitely keep somewhere safe. I'm quite befuddled that Google is reversing this design choice and walking back their previously strong, security-centric design for the sake of user convenience in the case of a lost phone. I used to advise my friends and family to choose Google Authenticator over Authy for this specific reason.

      If you want further reading, here's a PCWorld article with an altogether different tone than Google's announcement: Google Authenticator’s long-awaited cloud 2FA feature carries hidden risk

      11 votes
    6. 2FA not working?

      tildes.net isn't accepting my 2FA codes on login. I used a recovery key and disabled 2FA, but now I can't re-enable it for the same reason (I generate a code with the new secret key given but it gets rejected). I've checked on other sites and it doesn't seem to be a problem with generated 2FA codes on my end, leading me to believe something may be misconfigured on the server (maybe the tildes.net system clock is off or something?).

      Anyone else experiencing this?

      Edit: Still not really sure why I couldn't get it to work initially, but after giving it some time the problem went away.

      4 votes
    7. Could security key 2FA be implemented on Tildes?

      I am wondering if this could be implemented as a 2FA method on Tildes. Although not super mainstream, I think it is the gold standard for account security. Is there anyone else interested in this option?

      8 votes
    8. What would be a good security setup for me?

      So:

      • I keep all my passwords in my password manager (Bitwarden)
      • All my 2FA codes are generated by AndOTP on my phone.
      • My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
      • I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
      • Is there anything I'm forgetting here?
      8 votes
    9. Two-factor authentication for home VNC via Signal

      For my particular use case, I share my home PC with my spouse, and since I'm the more tech-savvy of the two, I'll need to occasionally remote in and help out with some random task. They know enough that the issue will usually be too complex to simply guide over the phone, so remote control it is.

      I'm also trying to improve my personal efforts toward privacy and security. To that end I want to avoid closed-source services such as TeamViewer where a breach on their end could compromise my system.

      The following is the current state of what I'm now using as I think others may benefit from this as well:

      Setup

      Web

      I use a simple web form as my first authentication. It's just a username and password, but it does require a web host that supports server side code such as PHP. In my case I just created a blank page with nothing other than the form and when successful the page generates a 6 digit PIN and saves it to a text file in a private folder (so no one can simply navigate to it and get the PIN).

      I went the text file route because my current hosting plan only allows 1 database and I didn't want to add yet another random table just for this 1 value.

      Router

      To connect to my home PC I needed to forward a port from my router. I'm going to use VNC as it lets me see what is currently shown on the monitor and work with someone already there, so I forward port 5900, VNC's default port. You can customize this if you want. Some routers allow you to SSH into their system and make changes that way, so a step more secure would be to leave the port forward disabled and only enable it once a successful login from the web form is disabled. In my case I'll just leave the port forwarded all the time.

      IP Address

      To connect to my computer I need to know its external IP address, and for this I use FreeDNS from Afraid.org. My router has dynamic DNS support for them already included so it was easy to plug in my details to generate a URL which will always point to my home PC (well, as long as my router properly sends them my latest IP address). If your router doesn't support the dynamic DNS you choose, many also allow either a download or the settings you would need to script your own to keep your IP address up to date with their service.

      Signal

      Signal is an end-to-end encrypted messenger which supports text, media, phone and video calls. There's also a nifty command line option on Github called Signal-cli which I'm using to provide my second form of authentication. I just downloaded the package, moved it to my $PATH (in my case /usr/local/bin) and set it up as described on their README. In my case I have both a normal cell phone number and another number provided by Google Voice. I already use my normal cell phone number with Signal so for this project I used Signal-cli to register a new account using my Google Voice number.

      VNC

      My home PC runs Ubuntu 18.04 so I'm using x11vnc as my VNC server. Since I'm leaving my port forwarded all the time I most certainly do NOT want to leave VNC also running. That's too large a security risk for me. Instead I've written a short bash script that first checks the web form using curl and https (so it's encrypted) with its own login information to check if any PIN numbers have been saved. If a PIN is found the web server sends that back and then deletes the PIN text file. Meanwhile the bash script uses the PIN to start a VNC session with that PIN as the password and also sends my normal cell the PIN via Signal-cli so that I can log in.

      I have this script set to run every minute so I'm not waiting long after web login and I also have the x11vnc session set to timeout after a minute so I can quickly connect again should I mess something up. It's also important that x11vnc is set to auto exit after closing the session so that it's not left up for an attacker to attempt to abuse.

      System Flow

      Once everything is set up and working this is what it's like for me to connect to my home PC:

      1. Browse to my web form and login
      2. Close web form and wait for Signal message
      3. Launch VNC client
      4. Connect via dynamic DNS address (saved to VNC client)
      5. Enter PIN code
      6. Close VNC when done

      Code

      Here are some snippets to help get you started

      PHP for Web Form Processing

      <?php
      // Variables
      $username = 'your_username';
      $password = 'your_password_super_long_and_unique';
      $filename = 'path_to_private_folder/vnc/pin.txt';
      
      // Read the form fields (u, p, a) and reject any request whose credentials
      // don't match; hash_equals keeps the comparison constant-time
      $action = $_POST['a'] ?? '';
      if(!hash_equals($username, (string)($_POST['u'] ?? '')) ||
         !hash_equals($password, (string)($_POST['p'] ?? ''))){
      	http_response_code(403);
      	exit('Denied');
      }
      
      // Process the login form
      if($action == 'Login'){
      	$file = fopen($filename,'w');
      	$passwd = random_int(100000,999999); // CSPRNG; rand() is not suitable for a password
      	fwrite($file,$passwd);
      	fclose($file);
      	exit('Success');
      }
      
      // Process the bash script
      if($action == 'bash'){
      	if(file_exists($filename)){
      		$file = fopen($filename,'r');
      		$passwd = fread($file,filesize($filename));
      		fclose($file);
      		unlink($filename); // one-time use: the PIN is gone once it has been handed out
      		exit($passwd);
      	} else {
      		exit('No_PIN');
      	}
      }
      ?>
      

      Bash for x11vnc and Signal-cli

      #!/bin/bash
      # See if x11vnc access has been requested
      status=$(curl -s -d "u=your_username&p=your_password_super_long_and_unique&a=bash" https://vnc_web_form.com)
      
      # Exit if nothing has been requested
      if [ "$status" = "No_PIN" ]; then
        # No PIN so exit; log the event if you want
        exit 0
      fi
      
      # Strip non-numeric characters
      num="${status//[!0-9]/}"
      
      # See if they still match (prevent error messages from triggering stuff)
      # Both sides are quoted so an empty or multi-word response can't break the test
      if [ "$status" != "$num" ]; then
        # They don't match so probably not a PIN - exit; log it if you want
        exit 1
      fi
      
      # Validate pin number
      num=$((num + 0))
      if [ $num -lt 100000 ]; then
        # PIN wasn't 6 digits so something weird is going on - exit; log it if you want
        exit 1
      fi
      if [ $num -gt 999999 ]; then
        # Same as before
        exit 1
      fi
      
      # Everything is good; start up x11vnc
      # Log event if you want
      
      # Get the current IP address - while dynamic DNS is in place this serves as a backup
      ip=$(dig +short +timeout=5 myip.opendns.com @resolver1.opendns.com)
      
      # Send IP and password via Signal
      # Note that phone number includes country code
      # My bash is running as root so I run the command as my local user where I had registered Signal-cli
      su -c "signal-cli -u +google_voice_number send -m '$num for $ip' +normal_cell_number" s3rvant
      
      # Status was requested and variable is now the password
      # this provides a 1 minute window to connect with 1-time password to control main display
      # again run as local user
      su -c "x11vnc -timeout 60 -display :0 -passwd $num" s3rvant
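
As an added example for this page (it is not the post author's script, nor code from Signal-cli or x11vnc), the following POSIX shell script keeps the same web-form protocol as the snippets above (a POST with u, p and a; the body is either "No_PIN" or the PIN) but tightens the points a reviewer would flag: the response is accepted only when it is exactly six digits, so an HTML error page or a truncated body can never become a VNC password; the PIN is never placed on a command line, where any local process can read it from the process list (x11vnc reads it from a 0600 file that it deletes after use, the form password is read from a file, and the Signal message goes to signal-cli on stdin); and the session is one-shot. It assumes the script runs as the desktop user from that user's own crontab (so no su is needed); the URL, phone numbers and the stdin behaviour of signal-cli are assumptions, and the sample responses in demo are constructed.

```shell
#!/bin/sh
# Added example, not the original post's script.  Assumes the same web
# endpoint protocol as the post (POST u/p/a, body "No_PIN" or a PIN) and
# that it runs as the desktop user, so no su is needed.  URL, phone numbers
# and paths are placeholders.
set -u

# Allowlist check: exactly six ASCII digits.  "No_PIN", an HTML error page
# from the host, a truncated body or trailing whitespace all fail here, so a
# broken response can never become a VNC password.  Unlike a numeric range
# check (-lt 100000) this also keeps a PIN with leading zeros intact.
validate_pin() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a response body: idle (nothing requested), pin, or reject.
classify_response() {
  if [ "$1" = "No_PIN" ]; then
    echo idle
  elif validate_pin "$1"; then
    echo pin
  else
    echo reject
  fi
}

# Store the PIN in a 0600 file inside a fresh private directory instead of
# putting it on the x11vnc command line, where every local process can read
# it from the process list.  Prints the file path.
write_pin_file() {
  dir="$(mktemp -d)" || return 1
  ( umask 077 && printf '%s\n' "$1" > "$dir/pin" ) || return 1
  printf '%s\n' "$dir/pin"
}

# Ask the web form whether a session was requested.  Prints the PIN and
# returns 0 only when the body passes validate_pin; "No_PIN" returns 1,
# transport errors 2, anything unexpected 3.  The form password is read
# from a file so it does not appear in the process list either.
fetch_pin() {
  url="$1"; user="$2"; passfile="$3"
  body="$(curl -sSf --max-time 10 \
            --data-urlencode "u=$user" \
            --data-urlencode "p=$(cat "$passfile")" \
            --data-urlencode "a=bash" "$url")" || return 2
  [ "$body" = "No_PIN" ] && return 1
  validate_pin "$body" || return 3
  printf '%s\n' "$body"
}

# Deliver the PIN over Signal and start a one-shot x11vnc session: -once
# exits after the first viewer disconnects, -timeout 60 exits if nobody
# connects.  signal-cli takes the message on stdin when -m is omitted
# (assumed from its documentation); x11vnc's "rm:" prefix removes the
# password file once it has been read.
start_session() {
  pinfile="$(write_pin_file "$1")" || return 1
  printf 'VNC PIN: %s (valid for one connection)\n' "$1" \
    | signal-cli -u +SIGNAL_SENDER_NUMBER send +YOUR_CELL_NUMBER
  x11vnc -once -timeout 60 -display :0 -passwdfile "rm:$pinfile"
}

# Constructed sample responses (not real server output) showing the
# allowlist in action.
demo() {
  for body in 123456 012345 No_PIN 12345 '123456 ' '<html>Error 500</html>'; do
    printf '%-24s -> %s\n' "$body" "$(classify_response "$body")"
  done
}

case "${1:-}" in
  --poll) if pin="$(fetch_pin "$2" "$3" "$4")"; then start_session "$pin"; fi ;;
  *) demo ;;
esac
```

Run it without arguments to see the classification of the constructed responses; in production the crontab line is `* * * * * /path/to/vnc-pin.sh --poll https://vnc_web_form.com/ your_username /home/you/.vnc-form-pass` with the password file itself chmod 600. The validation is deliberately an allowlist rather than a "strip and compare" step: it answers only the question "is this exactly a PIN" and treats everything else, including an empty body, as a reject.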
      

      Final Thoughts

      There are more secure ways to handle this. Some routers support VPN for the connection along with device certificates which are much stronger than a 6 digit PIN code. Dynamically opening and closing the router port as part of the bash script would also be a nice touch. For me this is enough security and is plenty convenient enough to quickly offer tech support (or nab some bash code for articles like this) on the fly.

      I'm pretty happy with how Signal-cli has worked out and plan to use it again with my next project (home automation). I'll be sure to post again once I get that ball rolling.

      13 votes
    10. Two-factor authentication is now available

      Another excellent open-source contribution has been deployed today - @oden has added two-factor authentication support (via TOTP apps like Google Authenticator). Here's the code, if anyone wants to take a look.

      If you want to set it up for your account, the link is available on the settings page. If you do, please please please write down or store the backup codes that it gives you after you enable it. If your phone dies or you otherwise lose access to your 2FA device, you won't be able to recover access to your Tildes account.

      On that note, I wanted to ask for input about whether I should be willing to bypass 2FA for people if they've set up the email-based account recovery. People will lose access to their 2FA device and not have the backup codes, and I don't know if just telling them that I can't help them is truly the best thing to do. Allowing it to be bypassed does lower the security, but sometimes it's a reasonable trade-off. One possibility is adding a security option that people could enable for maximum security, like "Do not bypass 2FA for me under any circumstance, I promise that I've kept my backup codes".

      Let me know what you think about that, as well as if you have any concerns or notice any issues with the feature. Thanks again, @oden!

      74 votes
    11. 2-factor authentication

      A lot of the newer websites and services now offer 2FA so I was wondering if Tildes has any plans to do that? No idea how hard it would be to implement but I feel like that would be a welcome addition for many people.

      I'd also be happy to hear people's thoughts on this and if you guys think the website actually needs this. In my mind more security is always better than less security.

      36 votes