How secure is google-authenticator as 2FA?


namem...@scryptmail.com

Feb 15, 2019, 12:44:35 AM
to qubes...@googlegroups.com
Hi Qubes fellows,

On reading content on 2FA, something confuses me, so I'd like to understand it better by posting here:

One type of OTP, a TOTP like Google Authenticator, is based on a shared secret key. Since the key
can be seen in the mailbox, it's not quite safe; is it saved in the mailbox as well?
(Does it also travel on the internet? Which makes it even worse?)
A U2F software can do its work without this app, so it doesn't look like a good choice.

If this is the case, why do so many webmails, even some promising ones, still choose Google Authenticator as 2FA?

Although Gmail itself can add a YubiKey as an enhancement for TOTP, I don't see how that's safer,
because with or without pressing the YubiKey button, a U2F software can generate the same 6-digit number as the password to enter here.

Today most webmails would say they use 2FA, but don't introduce in detail
which protocol they use. Some claim they use YubiKey, so is the OTP here one that uses a key pair instead of
the shared secret key? Which is much better.

I don't find many webmails that use YubiKey as 2FA on OTP; if any of you find something rather reliable,
recommendations are very welcome. THANK YOU.


22...@tutamail.com

Feb 17, 2019, 6:51:24 PM
to qubes-users
As I see it, Namem... no expert, but I would say:

1) YubiKey most secure (I have seen other similar devices that might be more secure)
2) Google Authenticator (similar apps that are non-Google are also available)
3) Text message (almost useless in my opinion, but better than nothing)

In my experience all of these are not really effective if the OS, browser (or the connection) is compromised. I also suspect the OS, browser or connection are more susceptible to an attack than the 2-step method used.

Some other "secure" email options:
Protonmail (authenticator only)
FastMail can use a YubiKey (but Australian)
Tutanota (authenticator only... however they recently added a recovery key in case you get locked out, vs an email recovery option)
Google/Gmail (pretty secure, but I just don't trust Google... US company)

If you find something better (besides hosting your own email) I am all ears... maybe use an air-gapped iPod and use that for your authentication apps?

Not sure I answered your question, nor is this a Qubes specific question but hope this helps...
