
What is better? Authenticator apps/hardware devices?



Most Dutch banks (except for ING, which does still use SMS) use hardware devices that use the chip on your debit card to authenticate. You unlock the chip with your PIN, enter the challenge code supplied by the banking website for the transaction, and the device shows you a one time code you enter in the banking website. This is a decade old technology that works rather well.


Same in Ireland. In France I've also seen a combination of SMS and pre-shared secret (SMS asking for a code from a grid printed in a small card you can store in your wallet).


Authenticators are fine but u2f keys are better because they protect against phishing.


Not to mention you lose your Authenticator if you upgrade/lose/break your phone, but U2F keys are (practically) forever.


    adb backup com.google.android.apps.authenticator2
All the codes are stored in the sqlite3 database, which you can open with standard command line tools.

there are also more user friendly backup apps such as helium, but adb works quite nicely.


Last I checked, adb backup doesn't backup the secrets. Has that changed?


I don't know but I've been using this technique for a year or two now with great success. The Google authenticator just stores its secrets in the salute db every app gets.


Autocorrect kicked in there... sqlite* (it is absurdly difficult to put an asterisk at the end of a message on HN. it seems to require a trailing whitespace[1] for it to show up, however the input is trimmed, so...)

[1] https://news.ycombinator.com/formatdoc


Have you tried a restore on a factory-reset device?


I have not, but I have extracted the backup with https://sourceforge.net/projects/adbextractor/ and inspected the contents, visually confirming the secrets are there. Even if a restore doesn't work, I can re-enter them manually from the information in the sqlite database. However I fully expect a restore to work.


That's exactly why I copy and save every 2FA QR code in my KeePass database, along with backup codes. Phone changed? No worries, install Google Auth, rescan those QRs, and voila, your 2FA system is back up and running!! :)


Most 2FA services that allow authenticators offer recovery codes. I keep the recovery code saved in my password manager, and if I ever lost my phone I use that to log into the site and then get a new QR code.


Yes, that's also a way, but why not save the QR code the first time you see it, instead of losing it, resetting with a recovery code, and then again getting a new one? Recovery codes are fine, and should be kept safe and such, but the original QR code can also be saved and screenshotted. That way, phone lost? Open database, load QR code, scan on new phone.


Authy allows multiple devices (and encrypted backups) - that ensures fairly good security (if good password is chosen) and availability, doesn't it?


What is a good u2f key you'd recommend?


I have used Yubico's U2F key since shortly after they came out (Nov 2014). They are very robust and relatively cheap. Moreover, in contrast to some cheaper keys, they require physical confirmation by a finger press.


Feitian NFC-compatible is nice because you can set up your Google Account on an Android phone with it: https://www.amazon.com/gp/aw/d/B01M1R5LRD/

If you're into cryptocurrency, the Trezor will also act as a U2F device.


"What is better? Authenticator apps/hardware devices?"

Mobile signature (SIM-based)(0) is the most secure method as far as I've seen in banks. Citing wiki: "supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack."

0. https://en.wikipedia.org/wiki/Mobile_signature



