Google/Facebook/Banks/whoever it is you’re using 2FA with essentially get access to the data on your secondary device.
How though? And what data? Personally I don't trust Google Authenticator so I use Authy and other third party 2FA apps which just verify a timestamped code. I'm not aware of any mechanism which grants a service access to internal data solely from a 2FA code.
That's not true.
2FA is a generic term. It stands for "two factor authentication," which just means you have to have two separate factors in order to log in. For example, this could be both a password and a fingerprint, or a password and a hardware key, or a password and a location.
But when most people think of 2FA, they are talking about TOTP, or time-based one-time passwords. This is a common second factor in addition to a password or fingerprint. It's the one where you have an authenticator app like Google Authenticator and you have to enter in the code it provides, which changes every 15 seconds or so.
I'm assuming this is what you are talking about. This does not give the website you're logging into access to any data on the device you use to run the authenticator app.
The website doesn't "talk" to your secondary device at all, actually. In fact, as long as the clock on your device is accurate, your secondary device doesn't even need to be connected to the internet. Moreover, you are not latched to a big tech company when you use this security feature. Google Authenticator is popular, but Google didn't create this system. The algorithm itself is open source and there are a shit-ton of apps that do the exact same thing, or you can code one yourself (it's not hard).
A quick rundown on how TOTP actually works: when you set up TOTP for a website you are given a key. This key is stored (ideally securely) on your secondary device and is also stored (ideally securely) on the website's server. Both your secondary device and the website's server have the same algorithm they use to combine your key and the current time to produce a passcode. This algorithm is "one-way," so it is virtually impossible to take a passcode and the time and get the key.
From here, the website server simply compares the passcode you submitted with the passcode the algorithm says. If it's correct, you can log in.
So, ultimately, that key you're given needs to be kept secure. All the time stuff goes completely out the window if your key is obtained by the hacker. It's no different than a password at that point. The beauty of it, though, is that you only deal with that key one time, then it's stored encrypted in your phone. Then the thing that you deal with every time you log in (the passcode) is constantly changing. So even if a hacker, for example, installed a keylogger on your device, they could still not get into your account.
TOTP 2FA is a great security tool. It is not inherently "watching you" or anything like that. You can verify because all of the algorithms are open source. Just download an authenticator app that you trust, or make one yourself. You don't have to use Google.
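The shared-key-plus-time scheme the comment above describes, written out as an added example (this is not code from the thread or from any authenticator app). It implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library only: the "one-way" step is HMAC-SHA1, the client side is `totp()`, and the server side is `verify_totp()`, which tolerates a little clock skew and refuses to accept a code for a time step it has already accepted. The 30-second step, 6-digit length, base32 enrollment secret and the demo secret `12345678901234567890` are the RFC defaults and test vector, assumed here for illustration; nothing in it touches the network or any other data on the device.

```python
"""Minimal RFC 4226/6238 HOTP/TOTP, client and server side, standard library only."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code.
    HMAC is one-way, so a code plus its counter does not reveal the secret."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    This is all the authenticator app does; it needs a clock, not a connection."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_enrollment_secret(base32_secret: str) -> bytes:
    """The key handed over at enrollment (the otpauth:// QR code payload) is base32,
    frequently shown lowercase, with spaces, and without '=' padding."""
    s = base32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server side. Recompute the code for the current step and +/- `window` steps
    (tolerating clock skew), compare in constant time, and skip any step at or
    before `last_counter` so a code captured by a keylogger cannot be replayed
    within its validity window. Returns the matched counter (persist it as the
    user's new last_counter) or None if the code is rejected."""
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != digits:
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret (ASCII "12345678901234567890"),
    # enrolled the way a real service would hand it over, as base32 in a QR code.
    secret = decode_enrollment_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = 1111111111  # one of the RFC 6238 test times (assumed clock value)
    code = totp(secret, now)                              # what the app displays
    print("client code:", code)
    matched = verify_totp(secret, code, now)              # server recomputes and accepts
    print("server accepted step:", matched)
    # Same code submitted again (replay) is rejected once last_counter is stored.
    print("replay rejected:", verify_totp(secret, code, now, last_counter=matched) is None)
```

Note that `verify_totp` only ever compares codes; the enrollment secret is the one value that must stay private on both ends, exactly as the comment says. The `last_counter` check is what turns "the code changes every 30 seconds" into "the code works once": without it, a code typed into a keylogged machine is still valid for the rest of its window.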
It’s not the actual TOTP/authentication process that does it. I understand why that improves security, so long as someone isn’t holding a gun to your head to make you enter the code.
It’s the installation of the app, and the back doors that stay even after you’ve deleted it. See: the Q posts about CIA algorithms staying even after you’ve deleted the Facebook/Instagram/Twitter applications from your phone.
I doubt the open source versions of 2FA have as much of a privacy leech problem, but I know Google and Meta do given the discussions I’ve had with people who work at those companies. They’ve resigned themselves to essentially destroying people’s privacy for a paycheck.
First of all, 2FA wasn't pushed in order to get you to download another app on your phone. For the vast majority of people, they already have control over apps all over your phone.
Secondly, if you don't trust Google Authenticator... how do you trust Android at all? Are you running an open source version you compiled yourself? Why would they need you to download an app in order to do this shit since they literally control the operating system on your phone?
Thirdly, there are a shit ton of authenticator apps. They are incredibly easy to do and make. It's not a matter of open source versions having "less" of a "privacy leech problem." They have zero problem. You can review the code and compile it yourself.
Sorry, but you're way off on this one. Google Authenticator may have some backdoor shit built into it, but that's not a reason to not use 2FA at all, and, chances are, they are getting the shit from you that they want some other way.
I never said I don’t use 2FA at all.
The things I use it for did not allow me the choice to use a third party authenticator. And, because I don’t have extensive compsci knowledge, I wouldn’t know how to set it up for everything in a way that works every time.
Are you suggesting I and every other average American are simply too lazy to build our own platforms? How dare we complain about the things shoved on us by big tech, when open source formats are out there?
My issue with 2FA is that there are now multiple points of contact—a computer, and some mobile device usually. Hell, Apple made me log into every single one of my devices recently just to log into a shared AppleID. The more devices I have to use to log into something, the bigger issue I have with it.
Yes, the platforms themselves are collecting data all the time. Yes, the platforms are problematic. Yes, there are other apps you can use for 2FA that don’t have the same collection and back door problems. No, they don’t work with everything and for everybody.
We should revisit this discussion if, after S2992 is passed, Google Authenticator ceases to be free like Google Maps.