[SOLVED] 2FA question

Nov 9, 2021
Hi,

New member, trying to get a better understanding of 2FA. So Google sends me a "yes" or "no" to my phone to see if it's me so I can log on. Other websites will send me a 6-digit code to manually enter so then I can log on. What is the difference? I understand very basic 2FA protocols and I know Google is pushing 2FA out to all its users shortly. I was debating about getting a Yubikey, but this question gives me a tic and I can't get past it until I know if it's the same or different.
 
Solution
2FA - An additional thing you need to have in order to authenticate.
Apart from your password, you will need another "thing" to authenticate yourself which can be a 6 digit code sent to your phone (SMS 2FA), a Yes or no google notif sent to your phone (Google notifs), a yubikey (hardware 2FA)

SMS 2FA is easily hackable with sim swap attacks, given the increased level of sophistication of hacking attempts these days. Its not just your usual social engineering attempt to your SMS provider of "hey its me I lost my sim, can I have it replaced"? kind of thing no longer.

PS. I encrypted my gmail recently with yubikey as well, its well worth it. Make sure to buy 2 yubikeys and register them both so if one yubikey breaks you have the other to...
The google yes/no is to verify you are you.
They already know your phone number.
If someone else were trying to log into your account, that Y/N would not be sent to them...you would select No, and they would not be able to log on.

The 6 digit is just another way of doing the same thing.
 
  • Like
Reactions: Dean0919
2FA - An additional thing you need to have in order to authenticate.
Apart from your password, you will need another "thing" to authenticate yourself, which can be a 6-digit code sent to your phone (SMS 2FA), a Yes or No Google notification sent to your phone (Google notifs), or a Yubikey (hardware 2FA).

SMS 2FA is easily hackable with SIM swap attacks, given the increased level of sophistication of hacking attempts these days. It's no longer just your usual social engineering attempt on your SMS provider of the "hey, it's me, I lost my SIM, can I have it replaced?" kind of thing.

PS. I encrypted my Gmail recently with a Yubikey as well; it's well worth it. Make sure to buy 2 Yubikeys and register them both, so if one Yubikey breaks you have the other to use.
I also disabled SMS 2FA as an option in Google, because SMS 2FA is a very easy attack vector that can be exploited.

You can also enroll in Google's "Advanced Protection Program", but that forces you to use a password and a hardware key to be able to log in to Gmail. The downside is, you might forget to bring the 2FA key if you want to log in at an internet cafe.
 
  • Like
Reactions: Dean0919
Solution
Thank you. That's what I figured. So yeah, I think I am going to get one of those Yubikeys now lol. I've already been hammered by 2 of T-Mobile's data breaches, so SIM swapping worries me with that. Sometimes I know there is a delay or a lag that I've experienced, so I think it's time to go hardware this time.
Yes, make sure you disable SMS 2FA as an authentication.
I also disabled Phone as a recovery option. If your phone somehow gets compromised along with your Gmail login, it increases the available vectors an attacker can exploit. Mobile phones aren't immune to malware anymore, and if you are logged in or have logged into your phone with your Gmail account, it can get compromised. I use a spare Gmail account for my phone too.

Use another Gmail account with hardware keys as a recovery option.