New essential Android apps thread

Soldato
Joined
11 Oct 2009
Posts
16,581
Location
Greater London
Planning to move to MS's authenticator app as well, got a new phone but realise Google has no way of transferring to a new device. It works pretty nicely as well when you log in with your MS account, similar to how Google prompts to check your phone when signing with Google.

I have Authy but only because Twitch seems to use it.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
Why would it be less secure? You've already got 2FA on your MS account to start with. Security is no different to any other account with 2FA on.

IMO USB keys outside of a secure corporate environment are overkill and just hinder time and convenience.

Because if they get your MS password, they're in and can then use your 2FA on other accounts? How does it 2FA if it is the 2FA? Text message?
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
Because if they get your MS password, they're in and can then use your 2FA on other accounts? How does it 2FA if it is the 2FA? Text message?

Yes or email. Either way your active authentication app will get the prompt and you'll simply decline the attempt.

As I said, no less secure than any other 2fa solution and a non issue.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
Well, I would say email auth was less secure than a key and even text auth. Again, if they get your email password and you email auth, they're in and have all your 2FA via a restore? This is all I mean by Google's is probably a little more secure as they can't do that. It's convenience over security at an acceptable level though.
 
Soldato
Joined
21 Oct 2011
Posts
21,592
Location
ST4
Just tried to add UPlay's 2FA to the Microsoft Authenticator and it won't allow it (QR Code just will not scan), has to be Google Authenticator for UPlay. Tying it to just the one app is about as retarded as those companies who don't allow you to use certain characters in your login and/or password and limit you to 16 characters.
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
No it's still secure. How can they get into your email if it too is secured by 2fa? There's no way they can hijack your 2fa app as they need 2fa in the first place to get into the secondary auth whether it's email, and if it's text then they need your phone.

Again, this is a total non issue.
 
Soldato
Joined
11 Oct 2009
Posts
16,581
Location
Greater London
Just tried to add UPlay's 2FA to the Microsoft Authenticator and it won't allow it (QR Code just will not scan), has to be Google Authenticator for UPlay. Tying it to just the one app is about as retarded as those companies who don't allow you to use certain characters in your login and/or password and limit you to 16 characters.

I just added my Ubisoft account to the MS authenticator without any issues.
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
Same, I have Uplay on there too no problems. Must be the way the QR code is displayed on your particular screen in combo with your phone camera not playing ball with each other. You can confirm it's a screen issue if you screenshot then print out the QR code on paper, then scan the paper version.
 
Permabanned
Joined
27 Sep 2019
Posts
2,570
I'm really interested in good alternatives to google authenticator myself, moving phones is an absolute pain.

I use Last Pass Authenticator (backup/restore and saves to my account) and set Google to 2nd choice (for fallback in case of fault) in my LastPass account and unlike Google it locks so only you can open it with your Fingerprint.

Have my LastPass/Google/Microsoft/Amazon/Ubisoft and it also works for this site, can also do a Push on certain devices so you do not need to type in the code.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
No it's still secure. How can they get into your email if it too is secured by 2fa? There's no way they can hijack your 2fa app as they need 2fa in the first place to get into the secondary auth whether it's email, and if it's text then they need your phone.

Again, this is a total non issue.

So... 2FA app is secured by your 2FA app? Right... so when you don't have your 2FA app as you lost your phone... Okay, so your MS account is secured by email... which is secured by your 2FA app... which you don't have because you lost your phone...? It's not a big issue. I'm just saying it could be slightly less secure if your MS account is backed up online as maybe someone finds a way to restore it.

I use Last Pass Authenticator (backup/restore and saves to my account) and set Google to 2nd choice (for fallback in case of fault) in my LastPass account and unlike Google it locks so only you can open it with your Fingerprint.

Oh cool, I didn't know LastPass did this? Is it in the standard app? Do you need to have paid premium?
 
Permabanned
Joined
27 Sep 2019
Posts
2,570
I am paid up but AFAIK they changed their policy a while back so free basically does most of the same, you would need to read up on it.


Annotation-2019-10-13-083838.jpg



Annotation-2019-10-13-0838348.jpg


https://www.lastpass.com/
 
Soldato
Joined
29 Apr 2004
Posts
4,887
Location
Bath
The Microsoft Authenticator is very good. Mine is linked with my work and personal Microsoft accounts. I also have my 1Password code stored there which makes it easier when moving to new devices. All the other codes are stored in 1Password in the same vein as the lastpass post above.
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
So... 2FA app is secured by your 2FA app? Right... so when you don't have your 2FA app as you lost your phone... Okay, so your MS account is secured by email... which is secured by your 2FA app... which you don't have because you lost your phone...? It's not a big issue. I'm just saying it could be slightly less secure if your MS account is backed up online as maybe someone finds a way to restore it.


No you've missed the point of 2FA redundancy. When you enable 2FA for any account you back up the recovery codes should you ever need them in such an event as you lose your phone and can't use the app. If you fail to read the instructions about backing up the recovery codes when setting up 2FA on any account, that's your fault and nobody else. The only way someone can access your MS account (which has 2fa enabled) is if they have your phone, and it's unlocked, and they know your password as well so they can enter the 2FA code. There is no other way and the chance of all those things aligning for any would-be thief are probably as high as you winning the Euro Millions.

As I said, this is a total non issue and this discussion is an absolute worst case scenario, of which I have never read a case of online or heard of in the history of 2FA in this manner.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
The only way someone can access your MS account (which has 2fa enabled) is if they have your phone, and it's unlocked, and they know your password as well so they can enter the 2FA code.

This is entirely my point. We use 2FA in case someone gets our passwords... You said 2FA for your MS account might be through email... which is passworded? It can't be MS 2FA'd if you're trying to access your MS 2FA and so can't use it at this point?

Why would they need your phone? Again, this is my point. Someone gets a password, installs MS Auth on their own phone, intercepts the 2FA as they have your email password and off they go with your auth restored?
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
My email isn't with MS, it's with Gmail, which is 2FAd and has a load of recovery codes should my 2FA solution (both app and SMS) not be accessible. The same applies to other services such as Twitter etc. The point you are trying to make is that someone who uses an MS account with the MS auth app and backs up to there. Even still if someone gets your MS account password somehow, then they still need an active 2FA app with the MS account added in order to install the 2FA app to then be able to restore your backed up 2FA accounts in the app.

Whatever way, after what feels like the fifth time, this is a non issue. You're proposing a scenario that simply doesn't happen in the real world.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
then they still need an active 2FA app with the MS account added in order to install the 2FA app to then be able to restore your backed up 2FA accounts in the app.

Okay, so now you're using a scenario where you use a second 2FA app to auth MS... I've said several times I was going from you saying it was 2FA'd by email... but sure, keep changing it to suit the situation you want to talk about, not the point I'm making.
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
No I said the email 2fa is a backup, I don't know if you've ever tried to log into an account with 2FA enabled but you get the choice to set up multiple ways to recover your account if you can't access it by the usual methods, a secondary email is one that's verified, an SMS is another as are backup codes presented to you when you enable 2FA. Certainly this is the case for Google accounts. There is no "2nd 2fa app" and I'm quite puzzled where you got that idea.

It's simple. If your account password for a service in your 2FA app has its password found out by someone, they won't be able to get into it. If your MS account password is known by someone else, they won't be able to recover your 2FA accounts after installing MS Authenticator because the initial steps to add the MS account via 2FA into the app have not been completed. They will hit a dead end. If you cannot access your MS 2FA app because you lose your phone, you simply use the backup options to get back into your MS account, re-enable 2FA once you've got the replacement phone and have installed the Authenticator app, then restore the backup.

At no point in any of this can anyone other than you get into the Authenticator and start 2FAing your accounts to get in unless you divulge your backup codes or something equally silly like that.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
No I said the email 2fa is a backup, I don't know if you've ever tried to log into an account with 2FA enabled but you get the choice to set up multiple ways to recover your account if you can't access it by the usual methods, a secondary email is one that's verified, an SMS is another as are backup codes presented to you when you enable 2FA.

Yes, and you're only as strong as the weakest option here, which email would likely be if your passwords are vulnerable (which they are in this scenario of 2FA being needed to keep someone out of your account)

There is no "2nd 2fa app" and I'm quite puzzled where you got that idea

From here look...

then they still need an active 2FA app with the MS account added in order to install the 2FA app to then be able to restore your backed up 2FA accounts in the app.

So, to recap my very simple point...

Because if they get your MS password, they're in and can then use your 2FA on other accounts? How does it 2FA if it is the 2FA? Text message?

Yes or email. Either way your active authentication app will get the prompt and you'll simply decline the attempt.

You originally said you could get into your 2FA by receiving a code to an email address, which I said wasn't very secure if someone has your email password. If you're saying that email is protected by another 2FA, fair enough, but then you've just said, no it isn't, stressing very clearly there is no 2nd 2FA app?
 

mrk

Man of Honour
Joined
18 Oct 2002
Posts
100,259
Location
South Coast
Mountain & molehill spring to mind.

The SMS/Text verification if you can't use the app is a backup recovery option. You set these up and they're verified. Why is this an issue to you and why is it less secure? All these services have their own secondary auth or recovery methods.

MS account:

Annotation%202019-10-13%20133642.jpg


You originally said you could get into your 2FA by receiving a code to an email address, which I said wasn't very secure if someone has your email password. If you're saying that email is protected by another 2FA, fair enough, but then you've just said, no it isn't, stressing very clearly there is no 2nd 2FA app?

Yes the email account is secured via 2FA in the same 2FA app, in my case the MS Authenticator app. If I want to, I can get into my account without the app using a backup recovery method be it SMS/email to another verified account as per above. Why is this less sure again? Nobody can ever get into the other accounts if they have the password because they are secured with 2FA, not a 2nd 2FA app, but a secondary authentication method. Which is the whole principle of 2FA.

I don't want to repeat what's been repeated countless times now, nobody can get into your account if it's secured by a secondary authentication. They cannot recover your MS Authenticator backup if all they have is your MS account password. The only time they can is if you do something stupid, like add an account as a recovery method that is not 2FA secured. But that's on you, exactly as I posted above.
 
Soldato
Joined
28 Apr 2011
Posts
14,788
Location
Barnet, London
Tbh, I've not read all of that because you're clearly ignoring what I've been saying... you're only as strong as your weakest point. In your screenshot you have three email addresses that a hacker/bad person can use instead. If they have access to one of those emails, they're in. That's my whole point, thanks for helping.

**EDIT** Also, not all the emails can rely on MS 2FA as that would give you the potential to be totally locked out... but you also said there is no other 2FA app being used, so one must be vulnerable.

I'll unsub for a couple days. We're going round in circles here, better to leave it tbh.
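
The disagreement in this thread turns on whether someone holding only passwords can reach the authenticator's cloud backup through one of the account's recovery methods. As an added illustration (not part of any post in the thread), the check below models that as a reachability problem; the account names, tokens, and the assumption that opening the MS account restores the authenticator backup are all constructed for the example.

```python
# Added illustration: account names, tokens and recovery settings are
# constructed for this model, not any service's documented behaviour.

def reachable(accounts, grants, held):
    """Return the accounts that can be opened starting from the tokens held.

    accounts: {name: [set_of_required_tokens, ...]}  (any one path suffices)
    grants:   {name: tokens gained once that account is open}
    """
    held, opened = set(held), set()
    changed = True
    while changed:                       # iterate until nothing new opens
        changed = False
        for name, paths in accounts.items():
            if name in opened:
                continue
            if any(path <= held for path in paths):
                opened.add(name)
                held |= grants.get(name, set())
                changed = True
    return opened

# Threat model from the thread: the passwords have leaked, nothing else.
PASSWORDS = {"pw:ms", "pw:gmail", "pw:recovery_mail"}

# Assumption: opening the MS account restores the authenticator's cloud
# backup, which yields the app codes ("totp") for every enrolled account.
GRANTS = {"ms": {"totp"}, "recovery_mail": {"inbox:recovery_mail"}}

def build(recovery_mail_paths):
    return {
        # MS sign-in: password + app code, or password + code sent by email
        "ms": [{"pw:ms", "totp"}, {"pw:ms", "inbox:recovery_mail"}],
        "gmail": [{"pw:gmail", "totp"}],
        "recovery_mail": recovery_mail_paths,
    }

WEAK = build([{"pw:recovery_mail"}])                # recovery inbox has no 2FA
HARDENED = build([{"pw:recovery_mail", "hw_key"}])  # independent second factor
# 2FA for the recovery inbox lives in the same app: passwords alone open
# nothing, but neither can an owner who has lost the phone and has no codes.
CIRCULAR = build([{"pw:recovery_mail", "totp"}])

if __name__ == "__main__":
    for label, cfg in [("weak", WEAK), ("hardened", HARDENED),
                       ("circular", CIRCULAR)]:
        print(label, sorted(reachable(cfg, GRANTS, PASSWORDS)))
```

Swapping in your own accounts and recovery methods shows which single recovery path, if any, lets a password-only compromise cascade to everything stored in the authenticator.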
 