Search the Community
Showing results for tags '2fa'.
-
Hi, I've been using Google Authenticator for a number of years now for most TOTP 2FA codes (Also have Microsoft's authenticator for some work-related things that require that specific app). I'm also a sysadmin and today I was helping a user with some authentication issues. He's using Google Auth on the iPhone... and it began forcing him to set up a cloud storage account on the phone. There's a chance he fumbled something, although I was watching and didn't see that, so I'm wondering if some versions of the app are now forcing people to store their TOTP seeds in Google's cloud? The app was updated very recently (the icon changed), but I can still see on my phone that it is not storing in the cloud (cloud with a slash through it in the upper right corner). (I strongly prefer local storage of TOTP seeds, in case that isn't obvious.) Has anyone else experienced being forced by Google Authenticator to use cloud storage? Or was this a random user error? (Or is their app using dark patterns?)
-
UPDATE: Thankfully I'm a pack rat and I found an old Huawei phone from three upgrades ago that had my authenticator app setup. I'm back in but still not impressed with the whole ordeal and technically this is still an issue for many others. I apologize for the bait-clicky title but I need eyes on this from any of you who can help or may have contacts at the right people at Meta/Facebook who can resolve this issue. TLDR: A factory reset on my phone caused me to lose access to my Google Authenticator 2FA. You can not recover your authenticator codes because they are not tied to your Google Account, they are tied to the device (which now no longer exists due to factory reset). While I was able to restore and set up new Authenticator codes for all other websites and apps, Facebook's recovery process is bugged and there is no way to recover my account. This has caused me to lose access to my 16-year personal FB account as well as Facebook Ads management on the several businesses I oversee and manage. FB self-help articles, troubleshooting, and even FB Business Meta Pro team have been unable to resolve my issue. The ASK: I need to contact a real person from Facebook login team who can Identify my identity and remove my 2FA authentication from my account so that I can restore it. Hopefully, this can also serve as a PSA to anyone out there who either loses their phone or doesn't transfer their Google Authenticator data to a new device. At this point I'm reaching out to the community in the odd chance that some of you know someone at Facebook in the Login/security team who can help. Or maybe the team @LinusTech can shed some light on this glaring issue. I can't be the only person who's ever lost access to their Google 2FA. EDIT: SO F**** Ironic, YESTERDAY April 24th Google announced that Google Authenticator is finally adding account syncing for 2FA Codes. This still sadly doesn't help me resolve my issue today.
Details Personal account of 16 years: https://www.facebook.com/xXHappyJonXx/ This account has Facebook 2FA as well as SMS and email verification setup. This account also manages the following business accounts and pages: https://www.facebook.com/HPAMotorsports - Currently has Ads running, Our company's Customer service ticketing program is also tied to the FB Messenger chat which needs to be reauthorized. https://www.facebook.com/cotybuilt https://www.facebook.com/GoVADpro https://www.facebook.com/www.moosh.media - My personal Freelance business https://www.facebook.com/LUSAsoccer - The local non-profit community club As you can see, there's a lot of history, data, time, and money tied up to this personal account and I have essentially been locked out of my personal data. The Cause Of The Issue I brought my phone to a Samsung service centre to get my screen fixed. I anticipated needing to factory reset my phone so I did a cloud backup at the time to save my data. What I failed to do was transfer my Google Authenticator app to another device. While I was able to restore my other Google Authenticator accounts using other methods of identification (SMS/email etc.), Facebook's account recovery codes via SMS and email only allow you to reset your password. If you have 2FA enabled, it still asks for the 2FA code, even if you have access to your email and phone number. See below. View Full Size Image: https://drive.google.com/file/d/1q3-UmtYXXsXscjDfz80hJFhD4orMr4Zg/view?usp=share_link On PC Full size image: https://drive.google.com/file/d/1K0k7qww-mFqtgibCztkl2qVjJS8Tiltc/view?usp=share_link I have tried every article to recover my account but all of those lead to setting up a new password. It does not remove your 2FA access so logging in with a new password just presents you with the request for a code as you see above. In my efforts to troubleshoot I have also tried "My Account is Hacked" to see if I can re-secure my account.
The closest I got was to this page here where you are asked to provide a different email than the one tied to your Facebook account to secure it. I provided the email, got a security code to input, and I was greeted with this fantastic /s page: I've seen other people online have options to upload an ID at this point to provide identity confirmation, however for me, I have NO OPTIONS to choose from. I have reached out to our Meta Pro Team that handles the advertising where I was actually able to speak to someone on the phone. They said they would "open a case" and get back to me in 48-72 hours. I never heard back. I've tried multiple times again via email explaining everything above and I keep getting the same responses. At this point I'm reaching out to the community in the odd chance that some of you know someone at Facebook in the Login/security team who can help. Or maybe the team @LinusTech can shed some light on this glaring issue. I can't be the only person who's ever lost access to their Google 2FA.
-
I have 2FA on for Steam, and use Bitwarden (used to use Lastpass but switched recently, deleted Lastpass account so even if that DB was compromised I'm on a new local instance), with a 40 character password, numbers, letters, symbols etc. Almost every week now I get a notification of a successful login with my username and password from random IPs. I change my pw after these notifications come in. I cannot see any way that this is possible without there being some issue at Steam where there is some leak? I have no clue, Steam support doesn't have anything except how to regain a hijacked account, which mine isn't. I also have gone through most of my accounts to change any passwords that haven't been updated in over a year. I attempted to post on r/steam but mods don't like actually giving support, and it seems you can't actually message them so, why not ask my fellow people here. If anyone has any ideas how this could be happening I'm all ears!
-
Over the past several years I have been happily using Authenticator Plus. I'm not sure when, but I found it had stopped syncing with my Google Drive, and looking into why I found that the app has basically been abandoned. Aaand then the on-device backup failed. So, slightly annoyed but oh well, I started moving my keys over to another app. I then remembered WHY I had started using this particular app in the first place... Blizzard authenticator! This old app I had been using had the easiest implementation of the Blizzard 2FA I had found back then AND it had cloud backup AND it was supposed to work with YubiKeys! I have had a look around, and I see so many new options to use in terms of 2FA but nobody has an EASY way to add a Blizzard 2FA. Some have encryption, some have cloud backup and I'm not even sure if any work with YubiKey. I'm looking at Aegis authenticator currently but I don't see any plain easy way to add a Blizzard key. Is there any other app that I could use?
-
I figured I would do a quick write up on this as I just utilized this method to backup all of my OTPs to another service while still using Authy's.
Step 1.) Download Google Chrome (and enable developer mode). Doc on DevMode - https://developer.chrome.com/docs/extensions/mv3/faq/#faq-dev-01
Step 2.) Download Authy Extension https://chrome.google.com/webstore/detail/authy/gaedmjdfmmahhbjefcbgaolhhanlaolb?hl=en It will claim it is deprecated, but just continue as normal and validate your account with another device and authenticate with your master password to unlock all of your OTPs.
Step 3.) Open chrome://extensions/?id=gaedmjdfmmahhbjefcbgaolhhanlaolb in Chrome. There should be a backpage listed there; if the application is running then main.html will be displayed. If not, make sure to load the extension and have it running on your Desktop PC.
Step 4.) Click main.html and make sure it is in console mode.
Step 5.) C+P the following code into the console:
    appManager.getModel().forEach(function (i) {
        // Skip entries that are marked for deletion
        if (i.markedForDeletion === false) {
            // Print one otpauth:// URI per token, including its decrypted seed
            console.log('otpauth://totp/' + i.name + '?secret=' + i.decryptedSeed + '&issuer=' + i.accountType);
        }
    });
Step 6.) Profit - you should get outputs similar to the following:
    otpauth://totp/WebsiteHere - Description?secret=YOURSecretOTPCodeStringHere&issuer=VENDOR/SOURCE (MAY VARY)
Step 7.) Copy and paste your secret strings into Bitwarden, LastPass, 1Password, or wherever you are migrating to (your choice). - Or simply use this trick to backup your codes if you didn't from the get go.
-
I recently got my Twitter account hacked so purchased a Yubikey 5 NFC (before the recent sponsorship went out) and I realised that I don't actually know of a full guide on how to use one. I'm on iOS for tablets and Android for my phone, MacOS on the go and Windows at home so I have no idea where to fully start. Any pointers of some full on guides would be good, especially with things like 1Password support
-
Why doesn't lttstore.com have 2FA? We save our addresses and card numbers with that website. LMG has always talked about and encouraged all his viewers to use 2FA but they don't have it for their own online store!? I also can't find any given reason why LMG haven't implemented 2FA either. Now with all that said I have taken precautions knowing there is no 2FA and just in general don't trust any website. I use Privacy.com to make a card just for LTT Store which is also always paused until I want to make a purchase. But that doesn't mean LTT store shouldn't have a 2FA option. Does anyone know why there isn't one? I have been able to find an answer.
-
Hi! I had my Instagram account setup with 2FA using Microsoft Authenticator. I had to reset my phone and doing so lost Microsoft Authenticator backup when I logged back in. I don't have the backup codes and now I can't login into my account. Anyone knows how to solve this? Instagram only redirects me to 'Help Center' that doesn't have a solution and I can't find any other solution... Thanks
-
I work at a non-for-profit in their IT department and we currently are looking at alternative methods for 2FA when it comes to accessing accounts used by multiple users such as social media. The current suggestion is using 1Password or something similar. But I have always been curious if there are alternative solutions and what are they? We even thought about a shared device with some form of team viewer or something maybe? Very much open to suggestions! Thank you! :)
-
Summary
Twitter recently announced that only Twitter Blue subscribers will be able to use text message 2FA. Claiming possible abuse of the system for the reason of limiting to paid users only. Found out when I opened the app this morning and was prompted to remove or change my 2FA method. The use of physical security keys or authentication apps will still be allowed. Unsure whether text message 2FA can still be used as a backup.
Quotes
My thoughts
I feel like the reasoning behind the change feels a bit like BS, essentially saying oh you need to pay for the service to use a less secure 2FA process. I personally use text as I often forget about moving or disabling 2FA on my devices before resetting my phone or upgrading. It also seems that text won’t be able to be used in situations where you don’t have access to your physical key or authentication app. I feel this may leave some users less protected if they don’t want to have to go out and get a security key or start using an authentication app.
Sources
https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter
- 31 replies
-
Hi guys.. Last week, just a day after I signed for a premium account, my Spotify was hacked. Someone changed my email, and the type of account to family. After searching the web, I found multiple threads of this type of behavior. So after contacting them and getting everything sorted, I started researching security measures to prevent this from ever happening again. And to my surprise, I found out that Spotify has no 2-Factor Authentication whatsoever! Further than that, just last month, they decided to cancel this altogether as non essential function. https://community.spotify.com/t5/Live-Ideas/2-factor-authentication/idi-p/1017889 How can a company of this size care so little about security? I'm dumbfounded by this... Any of you had this kind of experience with them?
-
So I got tired of using the Authenticator app from Google for my 2fa needs and decided that I would try one of the various hardware options. After a bit of research I chose the OnlyKey because it seemed to offer the best selection of features but I am sad to say that I regret the purchase and will be returning it. This thing has a ton of issues. 1) The setup GUI looks like it was written for Windows 95 and is a Chrome app, no independent setup interface exists (unless you are willing to do it directly with code in Python). 2) On three separate computers Google will not recognize it as a Yubikey device and thus will not associate it with a Google Account. 3) Despite advertising support for multiple YubiKey OTPs it will only actually support a single YubiKey OTP at any given time. 4) The troubleshooting and setup guides are utterly anemic, to the point where you can't even find a simple YouTube tutorial about how to set up the thing. Needless to say, I will be returning this $40 turd but that doesn't solve my need for a similar product that actually works as advertised. So any suggestions?
-
Hi guys. So, lately I've been trying to update all of my passwords and better secure my various online accounts, and I was looking into using 2FA on my phone, but my phone is old and no longer getting security updates. I don't have the money to upgrade right now, and I was wondering if setting up Two Factor Authentication on it would be a good thing or bad.
-
According to ZDNet there is a malware currently in development that can grab screenshots from your Google Authenticator to get access to its 2FA codes. Article: https://www.zdnet.com/article/google-could-have-fixed-2fa-code-stealing-flaw-in-authenticator-app-years-ago/ "This malware called Cerberus has this feature currently under development" - Researchers from "ThreatFabric" discovered. But it might not be long until it is out in the wild. The core feature that allows this attack (except from being infected with the malware in the first place - DOH) is the capability to take screenshots of Google Authenticator - a feature that Android itself has a flag for to prevent this from happening. Google just never applied this flag to the Google Authenticator (facepalm). The best part is, that Google was informed about this bug back in 2014 and didn't fix it yet (double facepalm). See here: https://wwws.nightwatchcybersecurity.com/2020/03/03/google-authenticator-for-android-allows-screen-capture/ I hope Google fixes this bug now that the impacts are getting closer. It does not protect you from all harm that can be done by hackers when they successfully installed malware on your Android device, but it will make it harder for them and maybe mitigate some of the damages they can do. EDIT: More on that topic from ZDNet: https://www.zdnet.com/article/using-google-authenticator-heres-why-you-should-get-rid-of-it/
-
A user is suing Apple, claiming that Apple's 2 Factor Authentication system takes too long and is disruptive to users. The plaintiff also claims that Apple's 2 Factor authentication system is abusive because you cannot switch back to a less secure sign in method for 14 days after enabling 2FA on an iCloud account. So yes, Jay here is upset that the default option for setting up sign in options for iOS and Mac devices is to use 2FA. Further Jay is upset that it takes so long to verify who he is. Yes, harm is being done by ensuring that your account is secure and that people cannot hack your iCloud account and gain access to information that could literally ruin your business or your life. I'm sorry that the ~8 seconds it takes to log in with 2FA prevents that. Perhaps if Apple were not to enable 2FA by default, this guy would be ok with his account being easily hackable? (of course not, he would probably sue!) You just can't please people. This is a perfect example of someone just looking to make a quick buck at the expense of a business. It's low, it's slimy, and anyone who does it definitely has 0 class. The plaintiff is also exaggerating reality (and possibly straight up lying), claiming that logging in with 2FA enabled takes up to 5min, when in reality it takes about 5 seconds. In reality, after a user has trusted devices enabled on their account, when they attempt to log into a service that uses their Apple ID, their Trusted devices are immediately pinged to allow the log in, and after the log in is approved the user must enter a 6 digit pin displayed on a trusted device into the device they are trying to log into. The log in is complete once the servers verify the pin matches. This process takes approximately 8 seconds. Here is the case behind his money grab: Hopefully the case gets thrown out and this guy can go get a job.
Source: https://appleinsider.com/articles/19/02/09/apple-being-sued-because-two-factor-authentication-on-an-iphone-or-mac-takes-too-much-time
-
This tool named Modlishka is a reverse-proxy that can intercept your login and your Two-Factor Authentication (like the method used with the popular Google Authenticator) to give attackers access to your protected accounts. Several German websites were reporting information about this tool: German: https://www.golem.de/news/modlishka-phishing-tool-umgeht-zwei-faktor-authentifizierung-1901-138674.html https://www.zdnet.de/88351325/tool-hebelt-zwei-faktor-authentifizierung-aus/ https://winfuture.de/news,106885.html English: https://www.theinquirer.net/inquirer/news/3069049/2fa-bypassing-tool-modlishka-is-on-github-for-all-to-use This tool is on GitHub in the open now, so it can be used by everybody to create great phishing sites: https://github.com/drk1wi/Modlishka The argument of the author is - according to ZDNet.de - that without making this public, nobody would change the current process or even think about another, maybe better solution. The only way to not be hacked this way is to always check the URL and certificate of the website you're typing your data into, which can be tricky when you only get a small browser window without a visible URL to log in and some apps don't present the URL or certificate at all. A way around this is to use a hardware dongle that supports U2F for example, but these are not very convenient and cannot be used with all devices. Never feel too safe, questargon P.S.: This is NOT a new flaw, as pointed out below. It just makes it easier for third parties ("script kiddies") to exploit this vulnerability.
-
After switching to lastpass I quickly realized that it is capable of autofilling 2fa codes which sounds great in theory. What I don't like is that Lastpass is a single point of failure. Sure, the 2FA codes still protect me if someone managed to compromise the password of one site, but if my entire lastpass account were compromised the two factor codes would be worthless. What I'd like to do instead is use a separate service for 2FA. I've tried Authy but it doesn't have any autofill features like lastpass does and has potential sim swapping concerns. I know opinions will vary but what other 2FA services would work well alongside lastpass?
-
So I have been using Lastpass for years now and have always used Google Authenticator. Recently upgraded from my Galaxy S9+ to the Pixel 4 XL and gawd it was a pain to migrate over all my 2fa accounts... Is using Lastpass's authenticator cloud backup a good idea? It still requires the Lastpass 2fa code but I'm worried about it being a single point of failure, where if someone gains access to my Lastpass account, they also get all my 2fa codes. Even though they would need my Lastpass 2fa code. Am I overthinking this?
-
I'm not sure where to put this, no other sub seems any more applicable than general. Could a member of staff contact me via PMs? I'm having some account trouble, and I'm not sure WindSpeed sees PMs sent via the Contact Us button. Delete if wrong. Thanks.
-
Hi, I've tried contacting someone via the online form as well as using the email address "forum@linusmediagroup.com" (I found this in an old email, so it may be inactive currently) about the issue I'm having getting into my original account, I've not had any replies. The problem I've got is that the entry for the LTT forum has gone from my Google Authenticator. I'm not sure why, I must have accidentally removed it at some point. But that means I cannot get into the account, so I was hoping to have the 2FA removed so I can get back into the account and setup the 2FA again. I still use the email that is associated with the account, and both attempts at resolving this were done using that email. I don't want to give the account's name out here, but will be happy to give details over PM if needed. Thanks.
- 4 replies