HACKER Q&A
📣 janxgeist

What are the risks of 2FA?


For the longest time I've had a password system that worked for me. I knew all of its risks and how to mitigate them.

Now, apps and websites force 2FA on me in the name of better security.

But I don't 100% understand these systems, and I feel like I can't be the only one.

Mostly, I'm scared of losing access to things that are important for my business.

Some random questions:

- if I use an authenticator app, like Google Authenticator, how does that even work? What happens if Google decides to close my account? How do I backup these apps?

- if I use SMS authentication, what happens if I lose my phone number? I.e. through an error of the phone company, or myself.

- in general: are there any 2FA systems that are as clear and easy to understand as my old system (keepass + backups + long, always different passwords for every service)?


  👤 moasda Accepted Answer ✓
Thanks for the question, I have similar concerns. If you enable 2FA on a website it mainly asks you to scan a QR code and confirm it with an OTP value. This works fine until you lose your phone and have no full backup accessible without 2FA. This could be a time bomb for security oriented users.

I know, when activating 2FA the website also shows some recovery codes etc. But I can imagine that most non-tech users don't know what to do with them and ignore them.

I fully agree that you should understand how 2FA basically works and how you can recover. For me it works like this:

- KeePassXC / KeePassDX file synced on several devices + backup

- andOTP app with an encrypted backup of the exported JSON data, accessible without 2FA

This setup is easy to understand for me and I know how to recover if I lose my phone or my PC SSD gets damaged. I do not trust Google or other cloud services with fancy sync features.


👤 viraptor
> if I use an authenticator app, like Google Authenticator, how does that even work?

The authenticator OATH tokens are generated in a standard way, usually as TOTP (https://en.wikipedia.org/wiki/Time-based_One-Time_Password). You can use any authenticator and they'll work the same.

> What happens if Google decides to close my account? How do I backup these apps?

Your authenticator should not be bound to any account. Make sure you can export your data or set up a new one.

You can make a backup by saving the QR code you use initially, or the text code you're provided at the time.

In case of other issues, each service should give you some kind of emergency access. Usually emergency access codes you can save / print out.


👤 jqpabc123
2FA adds another layer to the security cake --- one that is often beyond your control. A 3rd party (your bank for example) usually decides that 2FA is acceptable.

Instead of protecting your password (which is fairly easy to do), now you have to protect some device from failing or being lost or being taken over by hackers (which is less easy to do).

When (not if) your phone fails, is lost or some hacker ports your number to a different phone --- then you're screwed worse than you ever were with passwords. A simple phone call is unlikely to fix it.


👤 plasma
You could use the Authy app (that lets you sync between systems too and turn it off after setting it up) which helps with backups — Google Auth won’t export anything.

A little less secure but helps defend against losing the keys.