2FA Discussion (Google's vs Authy's)

nsan3    264
nsan3

Hi guys,

 

For some time now the concept of 2FA has intrigued me, and I see that Google's and Authy's applications are the most sought out by 2FA enthusiasts.

 

Now what worries me is the backup-plan, which means what can be done if the phone is lost? Can saving the QR Code securely be a valid solution?

 

I could see that there is a slight issue with the concept of saving the QR Code. Imagine the QR Code of [email protected] has been saved onto the PC in a secured location. Using Phone-A, the QR code was scanned by the installed Google Authenticator and things are moving smoothly. Now if you install Google Authenticator on Phone-B and scan the same QR code of [email protected], you will notice a slight difference in the timeout period of the QR codes with respect to Phone-A and Phone-B. Let me be more precise: on Phone-A the timeout period would be 20 seconds, whereas on Phone-B the timeout period would be 24 seconds. The same scenario was checked with Authy on Phone-A and Google Authenticator on Phone-B as well; both of them had a timeout difference of 3-4 secs between them.

 

Please let me know your thoughts on this, guys.

Batu69    18,607
Batu69

Moved from software chat forum.

  • Like 2

christantoan    37
christantoan

I think most of the sites that utilize 2FA check at least 3 codes: the previous code, the current code, and the next code.

Since 2FA codes are time sensitive, I think the timeout difference between your 2 devices could be because of different time settings.

 

CMIIW though

 

BTW, the 2FA method you mentioned is the TOTP code method; there are other methods as well, like Google's push-to-phone notification.

Edited by christantoan
  • Like 1
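
The behaviour discussed in the two posts above, as an added example that is not part of any post in this thread: the QR code carries a shared secret, every device that scans it derives the code from that secret and its own clock, and the countdown shown is just the time left in that device's current 30-second step. The key is the published RFC 6238 test key; the clock values and the `window` parameter are constructed for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, clock):
    """Code a device shows when its own clock reads `clock` (Unix seconds)."""
    return hotp(secret_b32, int(clock) // STEP)

def seconds_left(clock):
    """Countdown the authenticator app displays next to the code."""
    return STEP - int(clock) % STEP

def verify(secret_b32, code, server_clock, window=1):
    """Server side: accept the previous, current and next step (window=1)."""
    counter = int(server_clock) // STEP
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))

# Same secret scanned on every phone (RFC 6238 test key, base32-encoded
# the way an otpauth:// QR code carries it).
SECRET = base64.b32encode(b"12345678901234567890").decode()

# Constructed clocks: the phones differ only in how far off their time is.
SERVER_NOW = 1111111090
PHONE_A = SERVER_NOW        # in sync with the server
PHONE_B = SERVER_NOW - 4    # 4 s behind: same step, different countdown
PHONE_C = SERVER_NOW + 21   # 21 s ahead: already in the next step

if __name__ == "__main__":
    for name, clock in (("A", PHONE_A), ("B", PHONE_B), ("C", PHONE_C)):
        code = totp(SECRET, clock)
        print(name, code, f"{seconds_left(clock)}s left",
              "accepted" if verify(SECRET, code, SERVER_NOW) else "rejected")
```

Phone A and Phone B show the same code with 20 and 24 seconds left; Phone C shows the next code, which the server still accepts only because it checks one step either side of its own clock.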

DKT27    6,716
DKT27

Google offers backup codes to be saved somewhere and used if required I think.

  • Like 1

christantoan    37
christantoan

Also, Google can send one-use codes to another mobile phone or email too.

  • Like 1

nsan3    264
nsan3
3 hours ago, christantoan said:

Also, Google can send one-use codes to another mobile phone or email too.

Hi buddy, could you help me understand how we can accomplish this? Just wanted to know if it helps once the phone is lost.

christantoan    37
christantoan
29 minutes ago, nsan3 said:

Hi buddy, could you help me understand how we can accomplish this? Just wanted to know if it helps once the phone is lost.

Go to your Account Security page and add your recovery email/phone.

Dodel    392
Dodel
4 hours ago, nsan3 said:

Hi buddy, could you help me understand how we can accomplish this? Just wanted to know if it helps once the phone is lost.

 

When you first set up 2FA with G, you are given 10 x 8 digit keys in the form of xxxx - xxxx; you can only use each one of these keys once.

 

You attempt to sign into your Google account via the internet web thingy, and then state you don't have access to your phone (lost / reset), proceed to use one of the above backup codes, enter your G account :).


Edit : On your query about a / b phone, you can't use the same cypher in a keypair for example.

Edited by Dodel

nsan3    264
nsan3
3 hours ago, Dodel said:

Edit : On your query about a / b phone, you can't use the same cypher in a keypair for example.

Hi there, I didn't quite understand the last line about keypair. Please could you elaborate on the same. I have seen people saying about saving the QR Code physically or virtually in a couple of forums so hence I had tried out the technique.

nsan3    264
nsan3

Guys, need your help over here please. Thank you.
