While not feasible to implement by the normal person, Kevin Mitnick’s Art of Invisibility is an incredible read about the lengths you’d have to go to to really erase as much of yourself from surveillance as possible.
On a different note, realizing two-factor authentication was introduced as a “safety tool” but truly just keeps more tabs on you and takes more of your data was one of my first red pills as an adult.
I was raised in a conservative household, but things like this were seen as measures against identity theft—which still happens all the time—and therefore good.
Can you elaborate on the 2FA thing? How exactly does that keep tabs on you?
Google/Facebook/Banks/whoever it is you’re using 2FA with essentially get access to the data on your secondary device.
How though? And what data? Personally I don't trust Google Authenticator so I use Authy and other third party 2FA apps which just verify a timestamped code. I'm not aware of any mechanism which grants a service access to internal data solely from a 2FA code.
That's not true.
2FA is a generic term. It stands for "two factor authentication," which just means you have to have two separate factors in order to log in. For example, this could be both a password and a fingerprint, or a password and a hardware key, or a password and a location.
But when most people think of 2FA, they are talking about TOTP, or time-based one-time passwords. This is a common second factor in addition to a password or fingerprint. It's the one where you have an authenticator app like Google Authenticator and you have to enter in the code it provides, which changes every 15 seconds or so.
I'm assuming this is what you are talking about. This does not give the website you're logging into access to any data on the device you use to run the authenticator app.
The website doesn't "talk" to your secondary device at all, actually. In fact, as long as the clock on your device is accurate, your secondary device doesn't even need to be connected to the internet. Moreover, you are not latched to a big tech company when you use this security feature. Google Authenticator is popular, but Google didn't create this system. The algorithm itself is open source and there are a shit-ton of apps that do the exact same thing, or you can code one yourself (it's not hard).
A quick rundown on how TOTP actually works: when you set up TOTP for a website you are given a key. This key is stored (ideally securely) on your secondary device and is also stored (ideally securely) on the website's server. Both your secondary device and the website's server have the same algorithm they use to combine your key and the current time to produce a passcode. This algorithm is "one-way," so it is virtually impossible to take a passcode and the time and get the key.
From here, the website server simply compares the passcode you submitted with the passcode the algorithm says. If it's correct, you can log in.
So, ultimately, that key you're given needs to be kept secure. All the time stuff goes completely out the window if your key is obtained by the hacker. It's no different than a password at that point. The beauty of it, though, is that you only deal with that key one time, then it's stored encrypted in your phone. Then the thing that you deal with every time you log in (the passcode) is constantly changing. So even if a hacker, for example, installed a keylogger on your device, they could still not get into your account.
TOTP 2FA is a great security tool. It is not inherently "watching you" or anything like that. You can verify because all of the algorithms are open source. Just download an authenticator app that you trust, or make one yourself. You don't have to use Google.
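The TOTP scheme the comment above describes, as an added example (not the commenter's code): HOTP per RFC 4226, TOTP per RFC 6238 on top of it, and a server-side check that tolerates clock drift and refuses a replayed code. The key is the RFC test-vector secret, a constructed value rather than any real account key.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo key: the RFC 4226 / RFC 6238 test-vector secret, not a real account key.
DEMO_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code. HMAC is the "one-way" step: the key
    cannot be recovered from a code and the time it was produced at."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(time / step).
    Phone and server compute this independently; no traffic between them,
    only a reasonably accurate clock on each side."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key, submitted, unix_time, last_counter=-1, step=30, window=1):
    """Server-side check. Returns the matched counter (>= 0) or -1 on failure.
    - compares in constant time so the check itself leaks nothing
    - accepts +/- `window` steps to tolerate small clock drift
    - rejects any counter <= last_counter, so a code captured by a keylogger
      is useless once the genuine login has consumed it."""
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        c = now_counter + delta
        if c > last_counter and hmac.compare_digest(hotp(key, c), submitted):
            return c
    return -1


if __name__ == "__main__":
    t = int(time.time())
    code = totp(DEMO_KEY, t)
    print("current code:", code)
    matched = verify_totp(DEMO_KEY, code, t)
    print("first use accepted at counter", matched)
    # Replaying the same code, even inside the same 30-second step, is refused.
    print("replay accepted:", verify_totp(DEMO_KEY, code, t, last_counter=matched) >= 0)
```

The expected values for this key are the published RFC test vectors, so the output can be checked against them rather than against any third-party app.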
It’s not the actual TOTP/authentication process that does it. I understand why that improves security, so long as someone isn’t holding a gun to your head to make you enter the code.
It’s the installation of the app, and the back doors that stay even after you’ve deleted it. See: the Q posts about CIA algorithms staying even after you’ve deleted the Facebook/Instagram/Twitter applications from your phone.
I doubt the open source versions of 2FA have as much of a privacy leech problem, but I know Google and Meta do given the discussions I’ve had with people who work at those companies. They’ve resigned themselves to essentially destroying people’s privacy for a paycheck.