The Ultimate TOTP/2FA Guide for Max Security Online!

Reddit Comments

Same here, I am switching to a different app than Authy. Authy → Aegis.

👍 1 · u/Musti0611 · Dec 05 2021
Captions
TOTP, or time-based one-time password, is one of, if not the most popular form of two-factor authentication, dramatically improving the security of your accounts. But by golly, as simple as these six digits are, there's a lot going on that many people just don't seem to get, if you can't tell from the video length. If you're new to the world of 2FA, this is your complete, ultimate guide to understanding it and getting started in the best possible way. This is a longer video, as I already mentioned; definitely skip around. I'll try to leave a decent table of contents if I can. I've done my best to organize it, but if you're new, I would 100% watch all of it for the best results.

First, why 2FA? Normally when you log into an account you'll enter your password. Cool, this is something you know. 2FA is going to combine this something you know with something you have. That way, if someone knows your password, which can happen due to many reasons, they still don't have the necessary authentication to gain access to your account. Many people watching have likely experienced this with a code which is sent to them via text message, maybe through their bank. This normally shows up as a four to eight digit number that you type into the service. So in theory, even if someone knew your login credentials, your account is still safe because they don't have access to something only you have: your phone that received the text. Again, passwords are half and 2FA is half, at least in a traditional textbook environment. This is important because data breaches happen where your password may be exposed or even be brute forced, but even if you have a well-established and secure password protocol, you can still get phished by an attacker who steals your credentials on a site that looks like the real thing. Now 2FA can be that final layer of protection that can save your behind in some of these situations. In my book, 2FA is just as important as a strong password, and they mutually help each other keep you safe.

So now you know what 2FA is and what it does, but what does it look like? Let's summarize the main options.

Probably the most common is text-based 2FA, which we've already talked about, more technically referred to as SMS 2FA. The pros: it's extremely easy to use for people since it speaks a universal language. Everyone texts, everyone has a phone number, everyone understands it. It also does improve your security in most situations. However, there are several issues with SMS. First, they require a phone number, which many people in the privacy community don't appreciate since it means handing over your number to countless services. Second, they are at risk to something called a SIM-swapping attack, where an attacker is able to intercept your codes that are sent to you with relative ease. This was the attack that took down Linus Tech Tips and Boogie in the past. Third, SMS is easy to phish if someone already has partial access to your account. Let's say your Google account, and the last thing they need is a text-based 2FA code. They can text you impersonating Google next time they try to log in, asking you to send them the code Google just sent you via text. We talked about this clever attack in Go Incognito, which is our awesome course, go check it out. Phishing is a universal issue not exclusive to SMS, that's not what I'm trying to say, but SMS is just one further channel that can be utilized for it, which increases your risk a little bit of being phished. Fourth, SMS, the protocol being used to send the message, isn't just not end-to-end encrypted, meaning your carrier can view the message; it actually has no encryption at all. It's safe to assume that messages you send via SMS are practically public information, interceptable by anyone. That's how I see it, that's how you should see it, and it's why you shouldn't use SMS for anything remotely sensitive with your friends and family or really just anybody. In fact, a story broke out recently that a user's carrier injected ads into their Google SMS 2FA code, which is just like really fun and beyond dystopian. So on a scale of one to five, I'd give SMS 2FA like a 2. It's better than nothing in most situations, but it has a lot of problems which we just covered.

Next up, there are 2FA ecosystems, which are typically managed by companies who offer either like a verification prompt and/or a time-based code inside the app. The three most common examples I've seen are Duo, which can send you a notification prompt to approve access on your device or a code; Symantec VIP Access, which is similar; and Google has its own little thing where it asks you to confirm you're logging in from a device that's already signed into that Google account. Apple's 2FA across iCloud functions this way as well, and other services like Telegram do this too. The pros: this is overall a much more secure solution than SMS 2FA, so in almost all situations from a strict security point of view this is probably the better way to go so far. It also has the pro of ideally being stress-free and ideally integrating well with whichever ecosystem it's a part of, be it Google, Apple, Telegram or whatever else you're doing. Ideally they implement it well so it's like, oh, it just works. The first con: this is dependent on each service and is by no means universal. One service may choose to use Duo, another might use Symantec or its own verification process, and a third one might use like its own random thing. It just makes it challenging for you to stick to a single workflow applicable to all services, and it also means you're relying on possibly several services to do the same freaking task, which is just annoyingly bloated and unnecessary and makes my minimal insides just freaking scream. I hate it. The second con: you have no control here. If Google decides it's going to verify your account via a prompt on a device that's not currently on you, you're kind of screwed. This is one of my biggest fears actually in life, because Google still thinks for some reason that you're running a Google account on a device even if you uninstalled Google from the device because you didn't click the sign out button. So for some reason Google still thinks the device can be used as a prompt when you don't have access to it. It just doesn't work, and it's like, damn it. The third con: you are relying on a likely essential service to be handling your security. It's not unlikely that if every account you ever had did this form of 2FA, at least one would suffer from an issue in its implementation that would put its users at risk for being lower security than an otherwise universal standard that's visible and, I guess, auditable, if that's a word, to the world. On a scale of one to five I'd put this at a three. It's not a bad place to be, and most of the concerns are theoretical ones rather than ones that are likely to negatively impact you in the real world. Not bad.

Next up is just basic TOTP. This video focuses on TOTP and I'll teach you more about how it works very soon, but for now what you need to know is that TOTP would be something like Google Authenticator: an app where you're going to scan a QR code and you're going to get a six digit code every 30 seconds that's only generated inside of your app. I'm using Google Authenticator here as an example since it's the most common, but Google Authenticator is actually completely non-proprietary, not in an open source fashion, just in the "it doesn't do anything unique" fashion, because it's running on an open standard. You can scan that QR code with any TOTP app and it'll function the same way. We'll talk a lot more about this later, which is why this video is so long; we'll talk about how TOTP works. Duo and Symantec seem to be TOTP apps, but I don't consider them ones because they rely more on their ecosystem, which locks you into only using their app. We'll also talk about this more later; it's very important. The pros: TOTP is secure, probably the most secure option we've covered so far. It's a universal standard, so you can use the same app for all your services really easily. Everything is offline and can be handled with no internet connection, but you have the flexibility of also making it online if you wanted to. You can use any app of your choice. It's easily compatible with every major operating system. You can also very easily back up everything in the event you lose access to your app for whatever reason, and it's insanely flexible: you can have your codes set up on multiple devices or just one, and again, it can be cloud-based or totally offline. There's really just ultimate possibilities of what you can do with TOTP. Despite the flexibility though, it's still extremely easy to use once you understand it and have it set up, which is also not too bad to get, as I'll prove later in this video. That's why you're here. The cons: there aren't many. I'd say the worst issue is if you don't fully understand how TOTP works and the best ways to use it, you can end up in a nasty situation where you lose your phone that had all your codes, and now you can't recover them and you're locked out of all of your accounts. Big sad, big cry, definitely go get some food. Since you're managing this, you can more easily mess things up, but that's why this video was made, so you never have to make a mistake like that, because it's going to be broken down wonderfully and you're going to have a great time, bestie. Okay, the second issue is TOTP, despite being the most prominent and best universal standard we have in 2021 (it's great), is still not given enough respect by services online. Many services choose to go for options like Duo rather than just offering their customers the better alternative, or worse yet, banks and other legacy industries choose to only offer SMS-based 2FA to their customers and nothing else. So long story short, you're still reliant on each service to offer TOTP, which for some reason is still not done by everyone in the world yet. So the second con is the adoption rate of TOTP, which is overall good, but there's room for improvement. Overall, TOTP is a four out of five in my book. It's a pretty fantastic solution.

The final main option is hardware keys, which we aren't going to talk too much about today since we'll save that for its own exclusive big breakdown video, but just know that hardware keys are one of, if not the most secure ways to go with 2FA, assuming it's compatible with the majority of your services and devices, which is typically not too big of an issue whatsoever.

The outlier services for this video are Authy and LastPass and other crap password managers. I hate Authy and I hate LastPass, and I will very thoroughly explain why that is once I explain TOTP and how it works and why these companies are completely evil. It requires you to understand TOTP though, so stick around, because these companies suck.

Those are our main options. I don't know if you came to the same conclusion I did, but it seems for the overwhelming majority of people, TOTP via a local application seems to be a pretty solid option that you should probably go with, and that's what this video is about: how to get started with TOTP and use it in the best possible way. Without further ado, let's get into TOTP in depth, finally.

All right, we're going to start this off with a demo. You have an account you want to enable 2FA on via TOTP. You're normally given a QR code to set it up right away. There's a lot to break down here. First, let's talk about how you scan it. Many services will say "2FA via Google Authenticator", but this is just how it's branded to keep it simple, because most people associate TOTP to be just Google Authenticator and not the standard it really is. TOTP is like email, and Google Authenticator is like Gmail. TOTP and email are open standards, and Google Authenticator and Gmail are just popular services that use those standards. When these sites say "2FA via Google Authenticator", it's like saying "send me your documents via Gmail, please". You don't really have to use Gmail; it's just lingo that people are for some reason using. In short, you can use any 2FA app when setting this up, be it Microsoft's Authenticator or maybe something open source like Aegis on Android, which is our main go-to recommendation for Android users. Our site has a 2FA section that is continually updated with the newest apps for you to use, so go check that out. And that's step one: you got to choose a good app. I would stick to our site's recommendations for a good selection; you can't really go wrong with those.

Now, what exactly is this QR code? Because it's not just some magic thing. The QR code is really just a short string of text, which we will be calling your seed for this video, and it's a phenomenal term, not just because it's sexual. Let's say you have a physical seed for a sunflower and you're able to duplicate this seed perfectly, so that you now have copies of the exact same seed that will sprout the same exact flower every time you plant it. So like, that seed creates the flower, the same flower every time, and you have an infinite number of seeds in theory. Likewise, the string of text creates your TOTP codes that disappear every 30 seconds. If you import this key into your app, delete the entry altogether, then create the entry again in the same app, it's going to show you the same code it would have shown you before the deletion. To take this a step further, I have two completely different apps on two different devices. I imported that same seed into each of them, and they both give the same code. In other words, this seed is really the magic sauce here. If you have this seed, you can get your code at any point in time. Big mental note, big like, as this is obviously a backup solution for us; we'll talk about it later. So that QR code is just a visual representation of your seed, that's it. It allows your app to conveniently get your seed without you needing to type it out manually, but like, you can type it out manually too. If you don't believe me and you want to try it yourself and verify what I'm saying, you can also verify this by scanning the QR code with just a generic QR code scanner app, which should just give you the seed in plain text, which should match the seed listed out by the service, which not every service does, but most do. And that is what seeds are.

Once you have an established app on your device, next time you log into a service it'll ask you for your 2FA code, right? It's going to go like, "Oh hey, are you who you say you are? Where is your 2FA code?" Just open up the app and enter the code before the 30 second timer resets. 2FA is just that simple to establish, and that's fundamentally how it works. Very simple. So now at this point you understand why it's just a universal standard, because any app, any program, anything can be developed to read and handle the seed. If you have that string of text, you have what you need to gain access to your account, so also make sure you guard that very safely, because that spec really is what your 2FA is. You can import this string into any app on each of your devices, you can keep it on just one device, or you can even import it into like a cloud-based password manager like Bitwarden and your local authenticator apps as well, for whatever reason. The point is this is completely in your control and you can do so much with it, as long as you keep it safe. Again, that's a very important note here. I'd recommend to the overwhelming majority of people, if they're getting started, to just keep their 2FA codes on a single device inside a single app to simplify their workflow. I'd also keep it away from the cloud. Again, 2FA is something you have, and putting it in the cloud, especially via a method that's not implementing proper zero-knowledge encryption, is severely hurting that idea and its benefits, since it's no longer something you have but something someone else has.

Now some of you who are a bit witty have already figured something out: if all my codes are living on a single device which is totally offline, what happens if I lose my device or something bad happens to it? Does this just mean I lose access to all my accounts? You'd be correct. This is an excellent observation, so let's talk about backups.

The first option you have for backups is simply backing up your seed somewhere. You can keep a document of each seed that you have and then encrypt that using something like VeraCrypt. Just don't leave it unencrypted in plain text on your machine. Again, your seed really is your access to your account. The easiest thing to do is save the seed as you're enabling 2FA for the account, which most services display. If they don't display the seed, you can use a QR code scanner to still get the seed. You can also add it after the fact, assuming your 2FA application allows you to view your seeds (sneak peek to why Authy and LastPass suck). Don't forget the simple solutions as well: writing out your 2FA seeds isn't a terrible option, and it still lives by the philosophy of something you have very well. This whole seed backup is a bit messy, but it works. You'll have a list somewhere, digitally or physically, that's encrypted of course if it's digital, with seeds to each service. If your phone blows up someday and you no longer have access to it, you just get out your document, import the seed into another authenticator app, and you now have all your codes back with no issues whatsoever. You can repeat this process an infinite amount of times and it's always going to end in your favor.

The second option is a bit more dependent on the app or program you choose. Aegis has a wonderful encrypted export option where you click export and it gives you an encrypted file. You move this to a safe place away from your device, and now you have a backup and you're totally done. You can always re-import this into Aegis, but re-importing into other clients isn't necessarily a guarantee depending on the client. Either way, this is nice and convenient, but is a little more dependent on which app you're using and how well it plays along with others and their backup and re-import processes. If you're using TOTP inside a password manager, it likely has its own backup solution as well. Lots of iOS-based 2FA apps do end-to-end encrypted backups via iCloud, or they may offer their own local backup options as well. To summarize, this is kind of a toss-up depending on what system you're using, but most apps have some kind of backup solution that may work well for you, which can be combined with the first backup solution of just backing up your seeds.

Now I want to take a major pause in this video for a big LPT, major knowledge bomb, based on everything you've been told so far, and it's kind of a personal story. I remember way back in the day I had my wonderful 2FA app with maybe 10 accounts. I got a brand new phone and I needed to move my codes to the new device. I didn't really know how 2FA worked very well back then, and I just assumed, oh well, I guess I need to log into each service individually, disable 2FA on each one of them, then re-enable 2FA on my new device. And that's what I did. It was a royal pain in the ass with 10 services, and it only gets more infuriating the more services you have. Now you know, based on the information I've supplied to you in this video, as I wish I did back then, this is all completely unnecessary. Just get the seed from your old 2FA app and import it into your new one. The codes will be exactly the same, and this can be done without even an internet connection, and it has zero interaction with any of your accounts. Nothing will happen, it's zero downtime, it's fantastic. I know it's so basic after you've been told how this works, but I feel we've all been there, and it's totally okay if you've done this too. Now you know that this seed is everything, and this is a perfect demonstration for why understanding how TOTP works is extremely important and makes it such a powerful tool. Otherwise you'd probably hate it and think it's inconvenient and it sucks. Understanding and knowledge is good.

So let's talk about the elephant in the room. Let's really talk about Authy and LastPass and why they are literally the root of all evil when it comes to 2FA. Authy has a compelling product because it offers convenient cloud syncing between your devices with a more traditional account-based setup. Similar to other TOTP apps, you scan a QR code inside of Authy and now it's in your Authy account, accessible anywhere, yay. However, what happens if you don't want to use Authy anymore and move to something else? You want to back up your TOTP entries locally for yourself in the event you need your seeds for something, or maybe you want to move it to another local device for whatever reason, you literally lose access to your Authy account for unexplained reasons, or just any other unfortunate events that require your seed. If any of these things happen to you, "... you" is what Authy says, because they don't give you your seed. That's right, Authy gives you your flower, the end product, that six digit code we talked about, but there's no way Authy officially allows you to reclaim your seed, which is that same one that you used when you registered for the 2FA entry. It has it, it uses it, but if you forget to get your seed when registering for 2FA, it's just gone. This is done on purpose to lock you into their ecosystem, and it's their attempt to undermine a universal standard, because they know that people will not want to leave their ecosystem if it's too hard to do so, which is why they don't give you the seed. Add on to the fact Authy is not open source and requires a phone number to use, and I would simply caution everyone away from it altogether, especially when there are clearly superior options. People rave about the convenience of cloud-synced 2FA codes through Authy, but how often do you really switch or add new devices? If you want your 2FA codes on all your devices, just import the seeds into each device. It doesn't take very much time to set up, and once it's set up it's super easy. And also, if you really need the cloud syncing and just to have it be on the fly, use something better than Authy. I know Bitwarden has 2FA support on their paid accounts. Pay for something that'll do it for you and still give you access to your seeds, because Authy is a piece of crap.

Speaking of, another crappy thing Authy does is they automatically enroll people into Authy accounts via a phone number through services like Gemini and Twitch, who only offer TOTP via Authy. That's right, that's your only option. If you're using Gemini, the cryptocurrency exchange, and you try to enable 2FA, they don't offer traditional TOTP; it's only done through Authy, even though Authy uses TOTP to do its own thing. Ah, it's just infuriating. Some people even report that enabling 2FA creates an Authy account for them automatically with no obvious consent. Authy is single-handedly trying to capitalize and profit on a string of text, literally a string of text that should belong to no one except you. So seriously, please stop using Authy, people. There's a wonderful third-party tool I found that claims to unofficially get your seeds from Authy. If you're currently in the Authy ecosystem, get the hell out of there, get your seeds out of there while you still can, and move to a better service. Authy is an absolute cancer, and I will die on that hill, because they suck.

Let's go to LastPass. They have like a million things I can't stand about them, but in the interest of time, let's just say their core issue for this video is the same one as Authy, which is they don't let you view or export your seeds under any circumstances. Once you import your seeds into LastPass, it's now theirs; you can't reclaim it. There might be some third-party tools to do it, but you just can't do it through LastPass, and this is done on purpose, again, to make you locked in their ecosystem so you never feel like you can leave. Your two options for services like these are to view and back up your seeds when you're enabling 2FA on each account, like we talked about earlier. The second option, if you forgot to do that, is to use third-party open source tools to extract them manually, which, like, let's be real, shouldn't be a thing in the first place, and they're also not guaranteed to always work.

Symantec VIP Access actually does a very similar thing to Authy, where it's still built on the same TOTP standard, it has a seed and it has a six digit code, but they don't give you the seed and they use their own proprietary way of setting it up. But there's actually a great tool that can export the seeds from Symantec VIP Access that you can then import into your normal TOTP app. I verified that this worked. This is now the system I use for my brokerage account, so when I log into my brokerage account I use a traditional 2FA app and I don't have to use the crappy Symantec VIP Access app. So if you're currently using Symantec VIP Access, get off of it as well. You can get off of these services. Authy, LastPass, Duo, Symantec: if you get a hold of this video, take notes and stop functioning in an anti-consumer way. Thank you very much. Techlore, we are strongly against this. We are going to discourage everyone we know until the end of time to stop using your services and to get off of your services until you allow people to export their seeds, which is rightfully theirs. You're being real about this. And that's kind of the end of the rant section of this video.

Let's recap everything we know so far. TOTP is really just a string of text. That text is a universal standard that any authenticator app can handle. The QR code that you use when you set this up is just a visual representation of that string of text, and you should back up that string of text somewhere when you're setting up 2FA on each of your accounts. You should choose an app that allows you to view and export your seed in the event you want to easily switch and migrate to a different app or device. This way you actually truly own your TOTP. Ideally you also use something that is open source, because, like, why not? If you want your codes accessible on multiple devices, just import the same seed on multiple devices, and try to avoid cloud syncing, especially if things aren't end-to-end encrypted.

One thing to mention is some password managers handle 2FA, like Bitwarden. This is fine. I know it's very commonly discouraged, but I would like to challenge that. The main concern 2FA prevents is unauthorized access to an account where a password is already compromised. A password is most likely going to be compromised via a phishing attack or a data breach, and not due to an isolated attack against an individual's password manager, especially if they're using a good password manager with end-to-end encryption. So for a majority of situations, 2FA inside your password manager is still a massive security gain, even if you're putting your eggs in one basket. Is it less secure than its own dedicated app? Absolutely. Is that drop-off in security likely to ever impact you? Unlikely, since most people aren't having to worry about an individual isolated attack against their password manager. So while I do discourage using 2FA inside your password manager, I do challenge the idea that it's absolutely horrible and you should never do it. One thing I am fully on board for is using 2FA in an offline-only password manager like KeePass. I think that's really chill. It's still less secure than being in its own little thing, but it still sticks to the something you have philosophy of 2FA much better than the cloud-based password manager.

And finally, I want to mention that as nice as TOTP is, you will not get 100% of your services to use it. Just realistically, many services don't offer TOTP and use only SMS, some services use their own system, and some services don't even have 2FA at all, unfortunately. I want to make sure you're realistic and understand you're going to have a healthy mix of several 2FA methods. As for which accounts to use 2FA for: absolutely a must, no questions asked, for your important accounts like banks, finances, bills and personal emails, but ideally all accounts you have that offer 2FA should be using 2FA. It's important.

So in conclusion, TOTP is a wonderful universal standard that you can do a lot with. I don't think people quite realize how amazing those six numbers really are and everything they can do with them, which is why I wanted to make this video. I also don't think people realize how much Authy, LastPass and all these other proprietary solutions that still use the open standard but don't let you use it in an open way just absolutely suck. They're convenient, but I really do want to challenge you to completely get away from them, because they don't have your best interest at heart, and it will likely catch up with you someday, since I doubt you're gonna stick with Authy for the rest of your life, and when you need to move off of it there's not really an easy way to do that. If you liked this guide and how we explain things, definitely subscribe. I appreciate you working with the setup; I am traveling. We make a ton of privacy and security related content to make it as easy as possible for people, and I really hope this helped you out. If you want to support us, we accept Monero on our support page, as well as more exclusive perks that are found on our Patreon page. We really appreciate all of our patrons, you guys are awesome. Thank you for watching, and see you next time on Techlore.
Info
Channel: Techlore
Views: 31,722
Keywords: TOTP guide, 2FA guide, TOTP tutorial, SMS 2FA, authy, best TOTP, totp app, two factor authentication, 2 factor authentication, two-factor authentication, google authenticator app how to use, google authenticator app tutorial, 2FA tutorial, vip access app, vip access symantec register, account 2fa tutorial, microsoft authenticator, aegis, AndOTP, best 2fa app, bitwarden, password manager, duo 2fa, setup, review, how to, multi factor authentication, authy app, open source, Yubikey
Id: iXSyxm9jmmo
Length: 28min 11sec (1691 seconds)
Published: Sun Aug 22 2021