2 factor authentication: combine a thing you can forget with a thing you can lose.
@conceitedxo 5 years ago
@MadYellowAsian especially when you really try not to lose something, you lose it
@boruut2909 5 years ago
I hope no one has put dementia on my schedule.
@AlexTechie 5 years ago
@MadYellowAsian What if I forget not to lose it?
@brianwilliams8455 5 years ago
You have nothing worthy enough of value to have this mindset
@TrickyBoa 5 years ago
Boruut, this comment is underappreciated lol
@PElder78 7 years ago
There are actually 5 factors you can choose from: something you know (password); something you have (phone, token, whatever); something you are (fingerprint, iris, etc.); somewhere you are (geolocation, proximity detection); somewhen you are (only on specific days/times). The last two are rarely used, but ARE valid factors (a common thing for somewhere is being able to unlock your phone without a password as long as you're on your home wifi or within X distance of GPS coordinates).
@PElder78 7 years ago
Alexander McColl it's more applicable to banking than you think. "When can the vault be opened?" "Only during business hours" (no rogue employees coming back after hours and opening the vault). "At least 30 minutes after the request" (foiling a bank robbery, as if they are still there 30 mins later, they are caught).
@zockertwins 7 years ago
So if my car opens when I get close to it, this is authorisation by localisation?
@jordanwaeles 7 years ago
No, it's something you have (the wireless keyfob transmitter). Also a flawed pattern for cars, since it only uses something you have, and also allows for amplification attacks (bring an amplifier between your bedroom window and your car while you're sleeping with your keyfob => open and start the car).
@zockertwins 7 years ago
Isn't it both then? You have to have the key and be in range of the signal.
@darnell8897 7 years ago
Methinks, the some*where* of your home wifi is essentially the some*thing* you have of the router itself.
@YingwuUsagiri 7 years ago
Mike Pound and Brailsford are two of the people I can listen to ad infinitum. I'd love people like them as teachers. Actually, that's exactly what they are doing right now.
@Cr42yguy 7 years ago
Niels Schellekens I was kind of sad when the video was over after about 13 minutes :(
@barendts 7 years ago
Yeah, if he tells you it's unsafe, would you still use it?
@Noodl 7 years ago
I'm taking Mike's module in Computer Security next year :^) He's a lecturer at my uni
@YingwuUsagiri 7 years ago
That's so cool! Do you ever talk about his videos at uni? Would be an amazing tie-in to learn more of the details!
@Noodl 7 years ago
Yeah definitely! Graham Hutton teaches a Haskell module, and a few times he suggested we check out his video on the lambda calculus and other concepts. Steve Bagley and Max Wilson also reference their videos occasionally. There's some really interesting stuff on this channel.
@DKRCecer 7 years ago
"correcthorsebatterystaple" you say?
@NyanSten 7 years ago
The safest password there is
@Diggnuts 7 years ago
Indeed... I use it all the time!! ... Ummm. Whoops.
@smartyguyyful 7 years ago
Diggnuts, not so safe any more!
@jeffirwin7862 7 years ago
Fash Pone you're safe, all I see is ********
@OvertakeGT 7 years ago
HuNT3r2 is uncrackable!
@cowboyfrankspersonalvideos8869 7 years ago
Back in the mid-1980s, when the company my partner worked for got computers in each office, someone in top management insisted they require all employees to use complex passwords; no real words were allowed and they had to be changed every week. Of course no one could remember these crazy passwords, so management recommended they write them down on sticky notes and stick them on their monitors. That lasted about 3 months before some top secret government documents were stolen by someone on the cleaning crew.
@thenaughtyapartment2619 5 years ago
That's quite a story!
@flowtoolz5554 1 year ago
Classic. When you compromise usability, you lose usability and security.
@jeremia9077 7 years ago
If you're using Unix time, timezones shouldn't factor in, as Unix time *should* be the same no matter where you are; the "time" where you are is then calculated after that.
@yvrelna 7 years ago
Jeremia Dominguez Time zone could still be a problem though. If someone misconfigured their machine to use a different timezone than what it really should be, but set their real time clock so that they're seeing a "correct" time, then the machine will think that it's in a different Unix time than the actual Unix time. A common misconfiguration, for example, would be someone who adjusts for daylight savings by moving the real time clock rather than by choosing the correct timezone for their area. Or a technically challenged user who fixes their computer's clock by moving the real time clock when moving to a different country.
@zenorbi 7 years ago
I always think of timezones as a date format parameter, unless of course I need to calculate the beginning of the day, 8 am specifically, or something like that.
@jackt6112 4 years ago
I would think if the device is using NTP or cellular network time to remain synced, rather than manually putting in the time, they cannot miss.
@TheAkashicTraveller 3 years ago
@@jackt6112 You can also get an, actually extremely accurate, time from GPS since it actually calculates your position and time based on the position and clock of the satellites.
@abstractapproach634 3 years ago
@@birsp So is that in the kernel (not hardware, right)? It must use its own best clock (its crystal reference clock) and its best measure of how fast its clock is. Still, without a regular internet connection it would get off after a while. *I'm glad you brought this up, interesting stuff* So does the crystal go even when the machine is off? Or is there some other unit by which it counts, probably less precisely, when it's off. Hmmmmmmmmm, I'm sure it depends on the hardware (I doubt an RPi will keep time without a connection but I will test this. Forgetting my wifi signal now, I'll let you guys know if I have the right time tomorrow.)
@ToastiLP 7 years ago
I always found 2FA to be quite convenient, since it takes only about 10 seconds to get my phone, open the app and type it in, and I rarely have to do it. All the while it removes a huge security risk. Anyway, that's what I thought until I lost my phone's data and had to reset everything.
@Slada1 7 years ago
red toasti Just store 2FA keys on paper. Even with them, no one can access your account without your password.
@longingheart77 7 years ago
I love you guys! I can work on my British accent watching your videos and also get some knowledge about my passion, which is computer programming. Keep up your fabulous work!
@alexmiszkiel5791 7 years ago
I'm glad Mike sorted the ghost cube on the shelf! He's a great lecturer, as one of my highest grades was in his security lecture :D
@aarcaneorg 7 years ago
In one of the episodes, Data impersonates Picard's voice to commandeer the Enterprise.
@grn1 3 years ago
Don't remember that episode.
@Yakobo15 3 years ago
@@grn1 Data's creator is dying and sends a signal telling him to come see him, basically, but it turns Data into "cannot be stopped" mode and locks everyone out of the ship in like a minute.
@grn1 3 years ago
@@Yakobo15 That sounds vaguely familiar now. Guess I'll have to go back and rewatch TNG sometime.
@Ganorthic 7 years ago
For some reason I watch exclusively the videos where Dr Mike is talking
@KaeVF 7 years ago
I love that the password was "correct horse battery staple".
@evenprime1658 3 years ago
meh boy Mike has the most loveable facial expressions and way of speaking.. like idk it's just soo nice to just watch
@stxllr4687 3 years ago
Thanks dude, this was very helpful, you're carrying my CS exam right now. :)
@AnimilesYT 7 years ago
The video is 12:34 long. Well done :D
@joshs2475 7 years ago
The perfect example of a bad password. lol!
@code-dredd 7 years ago
It marks 12:33, but close enough?
@user-iu1xg6jv6e 7 years ago
That time when it accepted "12345678" but entering "mypenis" failed saying "too short"!
@EgoShredder 7 years ago
"password" ? Oh no you have just revealed your main err password as used by thousands! ;-)
@Swipe650 7 years ago
Pound that thumbs up button for Dr Mike
@jeffirwin7862 7 years ago
No wonder he's a hash expert
@michael-gary-scott 7 years ago
+Jeff Irwin AMAZING! 10/10 punnage!
@kestrelwings 7 years ago
There is a problem with one version of 2 factor. A number of people have run into an issue where a hacker gets control of their phone number and then goes to various websites and clicks "reset password." Not only is the hacker in, but the original user is frozen out. Sometimes the hacker calls up the phone company, claims to work in a store and says they are selling a new phone to a customer. If the operator is stupid, she may transfer the phone number to the hacker's phone.
@gusutabopb 7 years ago
"I mean you smash your phone, the last thing you're thinking about is 'ah, I must save my Google Authenticator passwords!'" (4:40) Really? That's the single thing I am the most scared about when losing my phone. Everything else is backed up to the cloud, so if I lose my phone the only real loss would be the physical device (which can be replaced with a few hundred dollars) and the damn 2FA passwords (which I have over 20 of), which can be a REAL PAIN to recover. These days, I just keep a safe hard copy of the QR codes and, instead of Google Authenticator, use Authy (which has some backup/recovery functionality).
@glazare364 3 years ago
I learned so many things on this channel that my university didn't really teach me. Thank you guys
@sillylittleboy93 7 years ago
"put it aside for today" Man a biosecurity video would be so cool!
@Deimos94 7 years ago
Is it really 2FA if I can say "I forgot my password" and now my phone is enough to get anyone into my E-Mail account and therefore all other accounts?
@MitsumaYT 7 years ago
"Forgot my password" usually doesn't remove 2FA; you cannot just get into anything by only having the 2FA key. There is always a weak point, but 2FA is meant to give security by separation. An attacker would have to compromise two systems or get your phone otherwise, which very much increases the security. Obviously there are ways to remove your 2FA key in many places, but those usually require more extensive verification of the user or at the very least verification via email, which should also have its own 2FA ideally. 2FA's main benefit is also that even if some website leaks your password due to an attack on that site, your stuff is still secure.
@johanandersson8464 7 years ago
That would just be a second single factor authentication method.
@DrRChandra 7 years ago
Timezones _shouldn't_ figure into it, because Unix time is always UTC. Any local time is derived from that according to those really complex rules Tom Scott explained. It may be a bit of a challenge on systems which do not keep their time in relation to that Unix time, but a lot of the popular OSes (e.g., Linux) do.
@NigelThorne 4 years ago
How does FIDO2 work? The flow of data is one way, so it's not a challenge/response mechanism. How does the server know the generated code is valid?
@shanbatej 2 years ago
Do keys make you secure? Like hardware, like the YubiKey 5C NFC?
@JakeHillion 6 years ago
I've had my phone replaced before and just completely forgot that I needed to store these somewhere. Slightly concerned that every service let me reset it with basically no additional verification...
@TheAkashicTraveller 3 years ago
I mean they still send you an email you have to get a code/link from to do so. Which admittedly isn't great. The ones that don't make it so easy warn you about keeping recovery codes just in case.
@MrBluemoon74 7 years ago
In Star Trek the thing to "have" is your personalized communicator. It has to be in the same room the attempt is done from. More than once you see them tap their communicator first before they say their password. If you lost your communicator you probably can still do it, but you have to "reprogram" the computer first.
@Vietnamkid1993 5 years ago
If both the device and the server are set internally in UTC, how do timezones affect this method? UTC doesn’t use timezones.
@2FAS 4 years ago
2FA gives an extra layer of protection and you can easily enable it for various services
@DeathlyTired 7 years ago
TOTP will forever be 'Top of the Pops'
@xylexrayne8576 1 year ago
11:03 Timezones DON'T cause a problem. Unix time is in UTC time, and timezones are handled by the computer and its own locale configuration. Unix time does not keep timezone data.
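The Unix-time discussion in this thread (timezones are a display concern, but a real-time clock that has been moved to local wall time while the OS still assumes UTC does shift the Unix time) can be checked directly against the TOTP algorithm. The block below is an added example, not code from the video, Computerphile, or any commenter: it implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library, uses the RFC 6238 test secret, and shows (a) the same instant written in two zones yields the same code, and (b) a hardware clock wrongly set to UTC+8 wall time lands 960 steps away and is rejected even with a one-step tolerance window. The function names, the server-side window check, and the UTC+8 offset are my own constructed choices.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# Authenticator apps usually carry this base32-encoded, as in the enrolment QR code.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()  # "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the Unix epoch.
    Only the UTC-based Unix time enters the computation; no timezone information is involved."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check (constructed): accept the current step or +/- `window` neighbouring steps.
    This absorbs a few seconds of drift but not a clock that is hours off."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, len(candidate))
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def codes_for_same_instant(secret: bytes = RFC_SECRET) -> tuple:
    """One instant written as 23:31:30 UTC and as 07:31:30 UTC+8: both give Unix time 1234567890,
    so the generated codes are identical regardless of the configured zone."""
    utc_clock = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    plus8_clock = datetime(2009, 2, 14, 7, 31, 30, tzinfo=timezone(timedelta(hours=8)))
    return totp(secret, int(utc_clock.timestamp())), totp(secret, int(plus8_clock.timestamp()))


def code_with_rtc_set_to_local_time(secret: bytes = RFC_SECRET) -> str:
    """The misconfiguration described in the thread (constructed example): the hardware clock was
    moved to UTC+8 wall time while the OS still treats it as UTC, so the Unix time is 8 hours
    (28800 s, i.e. 960 thirty-second steps) ahead of reality."""
    wrong_clock = datetime(2009, 2, 14, 7, 31, 30, tzinfo=timezone.utc)
    return totp(secret, int(wrong_clock.timestamp()))


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                 # 755224 (RFC 4226 vector)
    print("TOTP at 1234567890:", totp(RFC_SECRET, 1234567890))   # 005924 (RFC 6238 vector, 6 digits)
    print("Same instant, two zones:", codes_for_same_instant())
    wrong = code_with_rtc_set_to_local_time()
    print("Clock 8h ahead:", wrong, "accepted:", verify_totp(RFC_SECRET, wrong, 1234567890))
```

The first two printed values can be compared against the published RFC test vectors; the last line is the practical point of the thread: a device synced by NTP or GPS with any locale setting produces the right code, while a device whose real-time clock was hand-moved to local time does not, and no reasonable tolerance window will rescue it.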
@MaxMakerChannel 7 years ago
So what can I do to stop the same thing that happened to you from happening to me regarding google authenticator?
@kvelez 2 years ago
0:43 2FA. 2:15 Combination. 3:45 Multifactor authentication. 5:34 2FA as a subset.
@epictimesnine 7 years ago
@computerphile Correction: Retina scan, voice recognition, and password is still just 2FA because the first two are the same factor. 5:42
@JNCressey 7 years ago
Nah, clearly your eyes are 'something you *have.'* :D
@flowtoolz5554 1 year ago
How did we get from "more factors help" to "oh, and the additional factor cannot just be random, let's look at this HMAC"?
@YesicaHollinger 3 months ago
Thanks for the analysis! 🔍 Just a small off-topic question: 😅 I only have these words 🤔. (behave today finger ski upon boy assault summer exhaust beauty stereo over). I don't know what they are. What should I do with them? 🤷♀️
@vN2w3Z59BM 7 years ago
Please enable captions, I'm deaf
@carlcarlos5265 4 years ago
Yeah listen to that guy
@vN2w3Z59BM 4 years ago
@Pure Hungarian Well, 3 years ago or before they did not activate them
@user-cx2bk6pm2f 3 years ago
Who is this guy?? He should be an educator. Fantastic speaking and explanatory skills! And btw, to whom is he speaking? Is he being interviewed? Why else does he look past the camera?
@АнатолийАнатолий-п1д 2 years ago
You could have stored all your TOTP keys in a separate database of a password manager and, once your phone has broken down, you'd ask a friend for a substitute phone for a few weeks if they have a spare obsolete model, and you'd install the password manager there and the TOTP base. Your story about the two weeks without TOTP is actually what happens when you know enough to set up a password manager and use a password database regularly but forget to set up a proper backup system BEFOREHAND. If your TOTP base exists only on your phone and doesn't get backed up regularly and often enough, then when your phone breaks you'll lose it, so find out how to better sync and back up stuff from your many clients. And better use cloud + encryption for one of the backup copies, but also have a few local ones. And maybe store the backups in such a way that you'd have 3 (2 local and 1 in the cloud) up-to-date ones and 3 (2 local and 1 in the cloud) 1 day or so late, and also have version control for all your backups; that way, even if you do something wrong and the new backup isn't right, the version control will have the previous version and the 1-day-late scheme will save you from overwriting a backup repo with a repo that has a corrupted index. Check out BorgBackup.
@fllthdcrb 7 years ago
12:24 In _ST:TNG,_ we've seen that the system can be fooled, although it does take some special circumstances. There's that one episode (4x03, "Brothers") where Data goes haywire and hijacks the _Enterprise_ by imitating Picard's voice. And then he turns the security against the crew by locking all command functions with a security code much longer than most humans would be able to remember.
@Ken.- 3 years ago
Including the ship's computer. What was on screen didn't match what Data was saying.
@ben_clifford 7 years ago
I have also wondered the same thing about Star Trek. Recently, I've been trying to figure out if it's really a password that the commander is speaking, or maybe some sort of verification code that they didn't use something like "initiate self-destruct" in a sentence.
@TheAkashicTraveller 3 years ago
Maybe it's actually a very long one time password that's being whispered to them by their communicators. Would also explain how they remember them.
@Seegalgalguntijak 7 years ago
Also, biometric markers, no matter if it's a fingerprint, a face image, voice print or gait recognition, are never useful as an authenticator - because an authenticator (as in "your password") must have the ability to be changed, but you can't change your biometric markers. Which makes them useful only as the identifier, that is the "user name" part of the authentication process. So if you swipe your finger or hold your face into a camera, and it recognizes who you are and then asks you for authentication (no matter how many factors), that would be acceptable for a service that is allowed to know your real identity. However, if it knows who wants to log in and then uses your biometric marker to log you in automatically, that is just stupidly unsafe. And yes, we all do it - I even installed fingerprint-gui on my laptop as a convenience feature, instead of having to type my password every time I want to sudo something. But that works only locally, not over the internet.
@jeffreyd508 4 years ago
Those 16 digit codes that we are given when we set up 2FA on an app such as Binance, or similar. Can we re-view them/check if they are correct somehow?
@skate2late 7 years ago
The one-time generated password might just be a regular password in the sense that it uses a pre-shared key, but at least this pre-shared key is not susceptible to any sort of social engineering or phishing attack, like a normal password is
@dethbolt000 3 years ago
@Computerphile Am I wrong for presuming that, for 2FA to work, I must have a KEY that corresponds to my Facebook profile to gain access? My situation is that my account was hacked and then they activated the 2FA feature that I hadn't previously used. Facebook confirmed that I was hacked, but since I was logged out on my other devices, I can't access the key. I've contacted FB, but they've been giving me a hard time... They won't deactivate/bypass the feature and won't send me text authentication instead... What can I do?
@Shadow81989 7 years ago
Yeah, if only we had a video on time zones... perhaps with a guy in a red t-shirt? (imho the best video EVER!)
@danfoad 7 years ago
Turned down an offer for studying Computer Science at Nottingham, these videos really make me regret that choice
@fabriziodutto7508 3 years ago
@10:56 About time zones problem: that's why EPOCH or UTC is used, for this kind of applications... :-) My big concern on data exchange nowadays is focused on different character encoding troubles...
@mocire 3 years ago
So my master password is 11 characters long with symbols, upper and lower case letters and digits. Would this be considered strong or weak?
@scepts 3 years ago
Why wouldn't 2FA be read first, then the password, so that people couldn't social engineer your password?
@DJayDiamond 4 years ago
Is there any need for this if you use really long randomly generated passwords which can't be cracked or stolen in a password manager? Also if you have a recovery code stored somewhere if 2fa fails on you then all an attacker needs is that code right?
@RailgunRat 7 years ago
Interesting topic! I'm curious about the difference between 2-Step Verification and 2-Factor Authentication, and what criteria define them? For instance, hackers have been able to take over people's phone numbers and intercept the security texts - thereby fulfilling the possession factor without physical access to your phone. (I've seen claims that texts therefore only count as 2SV and not 2FA, but I don't know if this definition is correct.) And would an app like Google Authenticator be impervious to this kind of trickery?
@mortenmoulder 7 years ago
I love when Mike explains cryptography. It would be nice to see more about OTP and the XOR function behind it.
@boboertyusa 2 years ago
I noticed some apps like discord have backup codes displayed on the actual app just in case you do not have access to your authenticator apps. Is this a security flaw? It seems like it could be. Feels like it defeats the purpose.
@danya023 2 years ago
These are recovery codes, and other apps suggest that you should print them out and store them in a safe place. The threat of always showing them is that someone who has access to a device you're logged in on can get a 2FA code to use to log in on a new device, while the utility is that if you haven't printed them during setup like it asks you to, you can do that at some later time. Considering that people with a security posture such that they think enabling 2FA is worth it are also likely to lock their devices, I'd say this is an acceptable trade-off but that's mostly a matter of preference.
@j2simpso 5 years ago
I watched the video but still don't get what he's saying. How is replacing something only you know (password) with something anyone can get (thanks to the magic of SIM jacking) any more secure?
@Cornerback3141 4 years ago
If you're concerned about SMS two factor authentication, you can use an authenticator app like the Google Authenticator in the video. That way you have to have access to the actual device with the app, not just access to text messages.
@wigsnes 7 years ago
Talk about DES and AES
@Left4Cake 7 years ago
Discord had one-time passwords to disable the 2FA should you lose it. Ideally they are kept someplace physically safe, or in such a way that if someone finds it they have no idea what these numbers are, like you call the file gameshark-codes.txt or something
@_AN203 3 years ago
4:48 That is why there is a one-time use code sent to your account after you use MRS, so you can use it to log back in and copy the 2FA secret to the auth app
@bluekeybo 7 years ago
Love Dr Pound! More videos with him please!
@qwertz12345654321 7 years ago
For some reason this video doesn't play with sound for me :( other videos work just fine..
@johng.1703 2 years ago
It's not so much identifying that you are who you say you are; it is more knowing some information that is harder to know. For instance, if you have access to a mobile phone, you have access to ALL the apps on that phone, be that an authenticator app or a stored password database. That doesn't mean the person is you, but it is harder for some other person on the other side of the world to have access.
@mmahgoub 7 years ago
What is the appropriate way to store the secret key when using Google Authenticator?
@nathancornwell1455 4 years ago
Ever since I saw a white-hat hacking expo where a security expert showed that he could intercept text messages, I don't use my phone for password recovery or 2FA unless it's the only option.
@garretmkiii 6 years ago
Steamguard... :/ Why every time? Sheesh.
@silkwesir1444 7 years ago
There actually is an episode of Star Trek: The Next Generation where Captain Picard falls victim to a phishing attack! ("Ship in a Bottle", season 6). I find that especially noteworthy as back when it was made it was the early 1990s, before such a practice became something of note. idk if the term "phishing" even was invented back then, though it might have been... Of course, the voice imprint as second factor doesn't help a lot if you can record the audio of him saying the password (or when you can outright synthesize the voice)...
@wirelessbaguette8997 6 years ago
I know I'm several months late, but I wish you'd touched a bit more on the increased vulnerability to phishing MFA can lead to. If you know you have MFA set up for an account, receiving an email which states "a login attempt was made, if it wasn't you, click here to change your login information" might make you more likely to follow the link without checking the email address itself or other signs of phishing. Then you've clicked the link and filled in your "old" login info and now the phisher has that info.
@Mister1Slime 7 years ago
Best password ever Mike (correcthorseb)
@JaydentheMathGuy 3 years ago
Nobody: Computerphile: Ah let’s start talking about passwords-
@cfsscfsshk 7 years ago
Warm reminder: if you are using an iPhone, you can turn off message previews under Notifications -> Messages -> Show Previews (scroll to bottom) -> set to "When Unlocked". This prevents people who get hold of your phone from reading the one-time code. Now at least they also need to know your PIN to unlock the phone first.
@nosouponhead 6 years ago
Why does it matter how the OTP is created? As long as it's > 8 characters and it's only going to be used once, it shouldn't matter how you create it.
@OmarQunsul 2 years ago
Which previous video was he referring to?
@klaxoncow 7 years ago
Surely, though, the Star Trek computer simply tracks everyone's location? This has happened in many episodes where a member of the crew would ask the computer "Where's Riker?" and it would give them his current location on board the ship. So you'd have the idea that, when you get on board, the ship identifies who you are - say, by biometrics (which, of course, if they take the transporter to board the ship, then you've got the perfect biometric that the transporter buffer has them stored right down to the atom, to confirm who they are on an atomic level) - and then, whilst on board, the computer's always tracking everyone with its internal sensors. Once it knows that that heat signature is Commander Riker, then it can follow that heat signature around the ship with its sensors to be aware of where Riker is at all times. And if that heat signature starts ordering commands, then it knows that it's Riker already. So, really, the voice recognition is just a double check - just in case, in tracking people wandering about the ship, it didn't at some point get confused as two people got very close together and mixed them up - which leaves you with the idea that the password is actually a sanity check. And by sanity check, I literally mean a check of that crew member's sanity. It's not authentication, but rather a deliberately inconvenient "are you sure?" prompt, so they can't set off the self-destruct accidentally, but have to really very deliberately mean it.
@ls72n9kd 7 years ago
I notice you use a Samsung Android. Do you know "how safe" Apple's Notes and Numbers are at encrypting passwords?
@jamesedwards3923 4 years ago
Look up the OPAL guidelines and they failed. Apple has closed source encryption. However, their code is solid enough if third parties are hired to break it. Governments that have special licensing contracts with Microsoft get to review the code. It is how the technology is implemented that is the concern. Your point is valid.
@christopherdaniel4636 5 years ago
Please, I downloaded a 2-factor authenticator and started using it without registering, and now the one-time password is no more in the app, it all got wiped off. How can I get the app working again?
@RiscTerilia 7 years ago
Surely Unix Epoch is the same in all time zones though?
@lucasnathan80 5 years ago
Do you have a video about how fingerprint authentication works?
@azkamil 7 years ago
Now please tell us about push-based (to mobile phone) 2 factor authentication, e.g. from Microsoft
@OvertakeGT 7 years ago
Please enable Captions....
@cryptosistersuk621 6 years ago
Hi, I think this is a great video for my followers and so is it ok to share?
@arunaslasiunas6699 4 years ago
I am only using Google prompt and backup codes, so I am safe, right?
@markelliottdriver 3 years ago
I just got buggered by Duo. Phone broke and was unable to restore backup. Now I'm locked out of Facebook. Buggered.
@6612770 7 years ago
To survive through the repair scenario, always keep an 'old phone' in your cupboard that will work with your current SIM card.
@sauron1427 7 years ago
Nice xkcd reference xD
@lucianodebenedictis6014 7 years ago
The timezones are real!
@QuietDuplicity 7 years ago
xkcd reference? I mean I'm pretty sure I've seen the xkcd time zone comic strip you're talking about but I thought they were referencing their own time zone video they did a couple years ago.
@zikcify 7 years ago
I'm fairly sure he was talking about the password at 1:05
@EmeraldMack992 7 years ago
Correcthorsebatterystaple
@YuvrajHanspal 5 years ago
11:00 timezones - the bane of programmers' existence!!!!
@zakariahajji9336 7 years ago
Can I please have the names of the books over his head?
@mothercromby 7 years ago
Could you make a video about why implementing SMS 2FA is now considered poor practice?
@deulalune 2 years ago
SMS 2FA is poor practice because anyone can grab your phone number and use a SIM swap
@brainplot 6 years ago
I'm curious to know how he logged into his Twitter account again, since it seems like there's no way around it, if you've lost your phone with Google Authenticator on it
@wariolandgoldpiramid 5 years ago
There was a time when I lost access to Patreon, due to losing the Google Auth code for it. Now, today, they use text message codes, but back then, they used Google Auth codes. In order to get access, I had to send them an email. They asked me for the last four digits and expiration date of the credit card I used, and they disabled 2FA after I gave them the correct details.
@arunaslasiunas6699 4 years ago
Use backup codes
@Seegalgalguntijak 7 years ago
A friend of mine had his Android phone break on him, which then made it impossible to log back into his Google account from his PC because he couldn't acknowledge the second factor on his phone. He had to get another phone first and then he could use his account and his email again. He turned off 2FA after that experience.
@username65585 7 years ago
Authy allows you to have your 2FA be shared between multiple devices.
@foobargorch 7 years ago
Don't use Google Authenticator without writing down backup codes or something like that, because there is no way to back up the shared secret after it has been configured, which means if you factory reset your phone the codes you've got set up are gone, even if your settings are backed up. Even if you have backup codes, this is still a total pain in the ass to go and reset everything and set up new codes everywhere... There are a number of open TOTP apps on F-Droid, as well as commercial services which provide better usability (though in my opinion they all fall short in terms of trustworthiness).
@monkeyseemonkeydo432 4 years ago
Is he related to Rimmer from Red Dwarf?
@nuckymcnuck 7 years ago
I hate to be pedantic, but TOTP HMAC is 2SV, not 2FA. There is a second step to logging in, not a second factor to logging in. A true second factor would be a Yubikey. The only XFA, where X > 2, that I know of that actually works is MIRACL.
@Eysc 5 years ago
Same happened to me with Google Authenticator, never again. Use Authy; if you lose your phone, just initiate a session on another device to get access to your 2FA
@xpaganda 7 years ago
Twelve and a half minutes to explain that 2-FA is 2-Fluoroamphetamine?
@BrendanxP 7 years ago
12:34 I like it
@jeremia9077 7 years ago
Oh, another problem is SMS authentication. A website recently had a hacking incident, where someone called up the website owner's phone company, convinced them they were the owner of the phone, and had the number moved to another SIM card. So when they tried to reset the person's password and received an SMS to verify their identity, the message was sent to the attacker's phone instead. This probably would not have happened if the 2-factor authentication wasn't through SMS, and instead through something like Google's Authenticator app, but it just shows that the biggest point of weakness in any security system you can think of is the human element. AKA social engineering.
@logangraham2956 5 years ago
Also, if you don't have a cell phone and the company does 2FA through text message, then that is completely pointless because you can't receive text messages.
@gdthegreat 6 years ago
Best channel. Best content. Your explanation is the best. But please give subtitles for this video.
@wood-eye 7 years ago
What if you don't have a phone?
@frankhaugen 5 years ago
The best passwords I've used (I don't use this exact one, but the same concept) follow this general idea: Land0Of1The1Free2And3Home5Of8The13Brave! A sentence from something that is easy to remember, the words capitalised, separated by numbers from a sequence you know, ending with a special character. Super easy to remember, extremely hard to crack
@SuperLoopholes 7 years ago
I'm sad that the password in the graphic wasn't hunter2