[PSA] Don't use weak 2FA on an exchange

I know it's been said here dozens of times before, but if you're looking at 2FA options, don't settle for Google Authenticator or SMS unless there is no other choice. From worst to best:

1. No 2FA - Bad because anyone with your user ID and password has full control of your exchange account.

2. SMS 2FA - Bad because the code goes to whoever holds your phone number, and a SIM swap moves that number: an attacker who tricks or bribes a carrier employee gets it ported to their own SIM, receives the login and reset codes, and can usually complete a password reset from there.

3. Google Authenticator (TOTP) - Bad because a code is just six digits derived from a shared secret and the current 30-second window (most servers also accept the neighbouring windows to allow for clock drift), and nothing in it says which site it was typed into. A phishing page that relays your login and code to the real exchange in real time, or malware on your machine, comes away with a session good for hours, days or even weeks of account access.

4. U2F / FIDO2 (YubiKey/Trezor/Ledger) - The browser passes the authenticator the origin it is actually on, the signature covers that origin, and the private key never leaves the device, so a response captured on a look-alike site is rejected by the real one. No practical phishing or relay attack against U2F/FIDO has been observed; it is the only 2FA on this list that isn't flawed in the ways above. It still won't save you from malware hijacking a session you already opened, or from the exchange itself being compromised, which is why the next point matters.

Even better than all of the above: keep your funds on a hardware wallet and off any exchange. Not your keys, not your coins.

A recent example of a GA 2FA hack.
A recent example of a SMS 2FA hack.
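To make the TOTP-versus-U2F difference concrete, here is an added example (my own code, not part of the original post or any vendor's implementation). The TOTP half follows RFC 4226/6238 and uses the RFC's published test-vector seed, so its outputs can be checked against the spec. The FIDO half is a simplified model: an HMAC stands in for the authenticator's ECDSA signature so the script runs on the standard library alone, but the signed message is assembled the way U2F does it (hash of the origin, then the challenge). The origins, credential key and challenge are constructed for illustration.

```python
"""Why a TOTP code survives a real-time phishing relay but a U2F/FIDO
assertion does not. Added example, not from the original post.
TOTP per RFC 4226/6238. FIDO part is a simplified model: HMAC stands in
for the authenticator's ECDSA signature. All origins/keys are constructed."""
import hashlib
import hmac
import struct

# --- TOTP (RFC 4226 / RFC 6238) ---------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with counter = floor(unix_time / step). Nothing here names a site."""
    return hotp(secret, now // step, digits)


def totp_verify(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check. Accepting +/-1 step for clock drift (common practice)
    means a code is usable for up to ~90 s, not just the 30 s it was minted in."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-skew, skew + 1))


def totp_relay_attack(secret: bytes, victim_time: int, attacker_time: int) -> bool:
    """Adversary-in-the-middle: the phishing page captures the code the victim
    typed at victim_time and replays it to the real site at attacker_time.
    Returns True if the real site accepts it."""
    captured = totp(secret, victim_time)
    return totp_verify(secret, captured, attacker_time)

# --- U2F / FIDO2-style origin binding (simplified model) --------------

def authenticator_sign(key: bytes, origin: str, challenge: bytes) -> bytes:
    """Stand-in for the authenticator's signature. In real U2F/WebAuthn the
    browser supplies the origin it actually loaded (application parameter /
    rpIdHash) and the signature covers it. HMAC replaces ECDSA here (assumption)
    but the signed message is built the same way: H(origin) || challenge."""
    app_param = hashlib.sha256(origin.encode()).digest()
    return hmac.new(key, app_param + challenge, hashlib.sha256).digest()


def server_verify(key: bytes, server_origin: str, challenge: bytes, assertion: bytes) -> bool:
    """The relying party verifies against ITS OWN origin, never one the client supplies."""
    expected = authenticator_sign(key, server_origin, challenge)
    return hmac.compare_digest(expected, assertion)


def fido_relay_attack(key: bytes, real_origin: str, phish_origin: str, challenge: bytes) -> bool:
    """Same adversary-in-the-middle: the phishing page relays the real site's
    challenge, the victim's browser signs it under the phishing origin, the
    attacker forwards the assertion. Returns True if the real site accepts it."""
    assertion_from_victim = authenticator_sign(key, phish_origin, challenge)
    return server_verify(key, real_origin, challenge, assertion_from_victim)


if __name__ == "__main__":
    seed = b"12345678901234567890"                  # RFC 6238 test-vector seed
    print("TOTP at t=59:", totp(seed, 59))          # RFC vector: 287082
    print("relay 16 s later accepted:", totp_relay_attack(seed, 59, 75))    # True
    print("relay 2 min later accepted:", totp_relay_attack(seed, 59, 180))  # False
    key = b"per-credential-key"                     # constructed
    chal = b"\x01" * 32                             # constructed challenge
    print("FIDO relay accepted:", fido_relay_attack(
        key, "https://exchange.example", "https://exchange-example.com", chal))  # False
```

The TOTP relay succeeds for the whole acceptance window because the code is a function of only the secret and the clock; the FIDO relay fails because the origin the victim's browser saw is baked into the signed data, and the real exchange checks it against its own origin. Note what this model does not cover: it says nothing about malware that waits for the victim to finish logging in and then steals the session cookie, which defeats any second factor.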

Submitted October 30, 2019 at 03:49AM
