
2FA Discussion (Google's vs Authy's)


nsan3


Hi guys,

For some time now the concept of 2FA has intrigued me, and I see that Google's and Authy's applications are the most sought after by 2FA enthusiasts.

Now what worries me is the backup plan, which means what can be done if the phone is lost? Can saving the QR Code securely be a valid solution?

I could see that there is a slight issue with the concept of saving the QR Code. Imagine the QR Code of [email protected] has been saved onto the PC in a secured location. Using Phone-A, the QR code was scanned by the installed Google Authenticator and things are moving smoothly. Now if you install Google Authenticator on Phone-B and scan the same QR code of [email protected], you will notice a slight difference in the timeout period of the QR codes with respect to Phone-A and Phone-B. Let me be more precise, that is, on Phone-A the timeout period would be 20 seconds, whereas on Phone-B the timeout period would be 24 seconds. The same scenario was checked with Authy on Phone-A and Google Authenticator on Phone-B as well, both of them had a timeout difference of 3-4 secs between them.

Please let me know your thoughts on this, guys.


I think most of the sites that utilize 2FA check at least 3 codes: the previous code, the current code, and the next code.

Since 2FA codes are time sensitive, I think the timeout difference between your 2 devices could be because of different time settings.

CMIIW though

BTW, the 2FA method you mentioned is the TOTP code method; there are other methods as well, like Google push-to-phone notification

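What the reply above describes (codes derived from the clock, and a verifier that accepts the previous, current and next code), as an added example that is not part of the original thread: a minimal RFC 6238 TOTP in Python. The secret is the RFC 6238 test key, and the timestamps, the 4-second clock offset and the `verify` window are constructed assumptions, not any particular site's policy.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code (RFC 6238 default, assumed here)
# Constructed sample secret: the RFC 6238 test key, base32 as a QR code carries it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on unix_time // STEP."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_left(unix_time):
    """Countdown an authenticator app shows for the current code."""
    return STEP - int(unix_time) % STEP

def verify(secret_b32, submitted, server_time, window=1):
    """Accept the code for the server's step and `window` steps either side."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # Mid-step: phone B's clock is 4 s behind phone A's (constructed times).
    a, b = 1_700_000_020, 1_700_000_016
    print(seconds_left(a), seconds_left(b), totp(SECRET, a) == totp(SECRET, b))
    # Near a step boundary the same 4 s offset puts the phones in different steps.
    a, b = 1_111_111_111, 1_111_111_107
    print(totp(SECRET, a), totp(SECRET, b))
    print(verify(SECRET, totp(SECRET, b), server_time=a))            # window=1
    print(verify(SECRET, totp(SECRET, b), server_time=a, window=0))  # strict
```

Two devices enrolled from the same QR code hold the same secret, so they only disagree when their clocks place them in different 30-second steps; the countdown differs with any clock offset, the code does not.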


  • Administrator

Google offers backup codes to be saved somewhere and used if required I think.



3 hours ago, christantoan said:

Also, Google can send one-use-codes to other mobile phone or email too

Hi buddy, could you help me understand how can we accomplish this. Just wanted to know if it helps once the phone is lost.



29 minutes ago, nsan3 said:

Hi buddy, could you help me understand how can we accomplish this. Just wanted to know if it helps once the phone is lost.

Go to your Account Security page and add your recovery email/phone



4 hours ago, nsan3 said:

Hi buddy, could you help me understand how can we accomplish this. Just wanted to know if it helps once the phone is lost.

When you first set up 2FA with G, you are given 10 x 8 digit keys in the form of xxxx - xxxx, you can only use each one of these keys once.

You attempt to sign into your Google account via the internet web thingy, and then state you don't have access to your phone (lost / reset), proceed to use one of the above backup codes, enter your G account :).


Edit : On your query about a / b phone, you can't use the same cypher in a keypair for example.



3 hours ago, Dodel said:

Edit : On your query about a / b phone, you can't use the same cypher in a keypair for example.

Hi there, I didn't quite understand the last line about keypair. Please could you elaborate on the same. I have seen people saying about saving the QR Code physically or virtually in a couple of forums so hence I had tried out the technique.



Archived

This topic is now archived and is closed to further replies.
