[kwlug-disc] 2FA Google Authentication and Best Practices with passwords

Chris Irwin chris at chrisirwin.ca
Sun Feb 6 05:47:14 EST 2022


On Fri, Feb 04, 2022 at 06:21:26AM -0500, Darren Pond wrote:
>At last I was prepared for this as just the previous weekend I had 
>updated my password collection, 190 and counting which I keep on a Libr 
>spreadsheet in KDE Linux vault and second paper copy at my brothers 
>house.

My wife and I both use Bitwarden. We're joined in an Organization so we 
can select passwords to share between us. All our passwords are random. 
The only passwords we actually know are local login, email, and 
bitwarden itself (they're not random, but long and complex).

I periodically do an export that I keep in my local backups.

There's an advantage to using a password manager via browser extension: 
It knows what site you're on, even if you don't. So it won't put your 
paypal.com password into paypa1.com. You might not catch a phishing scam 
yourself. This is particularly helpful during checkout processes when 
sites helpfully open a paypal popup where you can't see the address bar.

At work we use Keepass. We don't use any browser integration, as 
typically we're not logging into websites.

>This new to me Google Authentication at first look was ok seems like a 
>good idea. Until you lose access to your cell phone or consider how 
>your Personal Executors and Powers of Attorney family members will 
>tackle your asset and find all the information that we deemed Password 
>worthy.

I have two-factor auth enabled for every account where it is an option, 
in the following order of precedence:

U2F/Yubikeys > TOTP > Email > App-based > SMS

Yubikeys are just super convenient. Just press the token and you're 
logged in. Fast and secure.

TOTP codes are very common. They can be phished if you're not careful 
(the window for exploiting that is limited). The actual app I use on my 
phone is called "AndOTP". It's open source, and allows you to export 
your codes -- so you can back them up, and not be locked out if you lose 
your phone. There's desktop apps that let you import these as well, 
though I don't use one personally.

App based auth sucks, because it is tied to an instance on your phone 
only.

SMS is the least secure second factor option. It's naturally the one 
typically supported by financial institutions.

I have a friend who actually did have his SIM duplicated, allowing 
somebody access to all SMS codes, and the ability to start resetting 
passwords on accounts. Luckily for him, they were mostly interested in 
making international phone calls. It's a lot of trust in a mechanism 
that can be defeated by an inattentive clerk at a cell phone kiosk.

>The Google Authentication 2FA is pain to me as I want to use my Desktop 
>KDE linux with a nice large screen and keyboard instead of being pulled 
>back to the cell phone each time. Once I open the program that I need 
>the 2FA its a struggle to get back to Desktop to continue to work.

This isn't a big impact on my workflow, but probably because my primary 
sites use tokens and I just touch them and move on.

As mentioned, there are apps that can import andotp backups on linux.

Additionally, both Bitwarden and Keepass can store your TOTP tokens.  
Whether you're comfortable keeping your second factor in the same place 
as your first is up to you... (I believe this feature requires a 
subscription in bitwarden).

>Keepass also looks like a convenient option for not so important PW 
>that we use all the time. Still have yet to figure out how to get it to 
>work on KDE and Firefox.

Why "not so important PW"? It's a trustworthy piece of software.  

I have no experience whatsoever with any browser integration.

>Is Yobikey a solution or is this just another weak link in cyber and social
>security. like oops I lost the key. Or does any know where dad may have
>left the key.

U2F tokens like yubikeys are the *most* secure second factor we 
currently have.  They're fast and they're immune to phishing. I wouldn't 
call them a weak link.

Yes, you actually need the device (and ideally, you'll have two in case 
you lose one). But it's probably the *easiest* option -- either it's in 
the computer, or on a keychain. It has to be somewhat within reach.

Probably the *best* option, regardless of what you pick, is to simply 
document it and keep it somewhere either pre-discussed (behind the loose 
baseboard in the closet) or discoverable (with your Will). Just 
something like:

   "XXX contains a usb key and yubikey. USB key has a monthly backup of 
   passwords and OTP codes. Use app X and Y. yubikey is the backup key, 
   the Primary yubikey is on my keyring."

-- 
Chris Irwin

email:   chris at chrisirwin.ca
   web: https://chrisirwin.ca

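The origin binding that makes a browser-extension password manager refuse to fill paypal.com's password into paypa1.com, and that makes a U2F/WebAuthn assertion from a lookalike site useless at the real one, as an added example that is not code from the list post or from any of the products named in it. Part 1 selects a vault entry by exact canonical origin (https only, IDNA-encoded host, explicit port). Part 2 sketches the relying-party check: the browser writes the origin it is actually on into the signed client data, and the server rejects anything signed for another origin. The vault entries and challenge are constructed sample data, and the HMAC "signature" stands in for the token's real per-site key and ECDSA signature; real WebAuthn client data and signature layout are more involved than this.

```python
"""Origin-bound credentials, added example (not the list post's code).

Assumptions: VAULT is a constructed sample vault; TOKEN_KEY and the HMAC
stand in for a hardware token's private key and signature.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample vault: canonical origin -> credential name (no real logins).
VAULT = {
    "https://www.paypal.com": "paypal-login",
    "https://mail.example.net": "example-mail",
}


def canonical_origin(url: str):
    """Return https://host[:port] for the page, or None if no credential may be filled."""
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        return None  # never fill over plain http or into a URL with no host
    # urlparse lowercases the host; IDNA encoding turns unicode lookalikes
    # (Cyrillic 'a' in "paypal") into an xn-- label that never matches.
    host = u.hostname.encode("idna").decode("ascii")
    port = u.port or 443
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def credential_for(page_url: str):
    """What the extension would offer on this page: exact origin match only.
    Subdomains, lookalike hosts and http downgrades all get None."""
    origin = canonical_origin(page_url)
    return VAULT.get(origin) if origin else None


# --- Part 2: U2F-style origin binding checked by the relying party ----------
TOKEN_KEY = b"constructed-per-site-key"  # stands in for the token's private key


def token_sign(origin_seen_by_browser: str, challenge: str) -> dict:
    """What browser + token hand back: client data naming the origin the browser
    is really on, and a signature over it (HMAC here instead of ECDSA)."""
    client_data = json.dumps({"origin": origin_seen_by_browser,
                              "challenge": challenge}, sort_keys=True)
    sig = hmac.new(TOKEN_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify(response: dict, expected_origin: str, expected_challenge: str) -> bool:
    """Relying party: signature must verify AND the signed origin/challenge must be ours.
    A phisher relaying an assertion signed for paypa1.com fails the origin test."""
    expected_sig = hmac.new(TOKEN_KEY, response["clientData"].encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, response["signature"]):
        return False
    data = json.loads(response["clientData"])
    return (data.get("origin") == expected_origin
            and data.get("challenge") == expected_challenge)


if __name__ == "__main__":
    for url in ("https://www.paypal.com/checkoutnow?token=abc",
                "https://www.paypa1.com/", "http://www.paypal.com/",
                "https://www.paypal.com.evil.example/"):
        print(url, "->", credential_for(url))
    relayed = token_sign("https://www.paypa1.com", "challenge-1")
    print("relayed assertion accepted:",
          rp_verify(relayed, "https://www.paypal.com", "challenge-1"))
```

The user cannot tell www.paypal.com from www.paypa1.com in a checkout popup with no address bar, but the extension and the token both key off the origin the browser reports, so neither the password nor a usable assertion leaves the machine for the wrong site.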