2 factor authentification: combine a thing you can forget with a thing you can lose.

Mike Pound and Brailsford are two of the people I can listen to ad infinitum. I'd love people like them as teachers. Actually, that's exactly what they are doing right now.

There are actually 5 factors you can choose from: Something you know (password) Something you have (phone, token, whatever) Something you are (fingerprint, iris, etc) Somewhere you are (geolocation, proximity detection) Somewhen you are (only on specific days/times) The last two are rarely used, but ARE valid factors (a common thing for somewhere is being able to unlock your phone without a password as long as you're on your home wifi or within X distance of GPS coordinates).

Back in the mid 1980's when the company my partner worked for got computers in each office, someone in top management insisted they require all employees to use complex passwords, no real words were allowed and they had to be changed every week. Of course no one could remember these crazy passwords so management recommended they write them down on sticky notes and stick them on their monitors. That lasted about 3 months before some top secret government documents were stolen by someone on the cleaning crew.

I always found 2FA to be quite convinient, since it takes only bout 10 seconds to get my phone, open the app and type it in and I rarely have to do it. All the while it removes a huge security risk. Anyway that's what I thought until I lost my phone's data and had to reset everything.

If you're using Unix time, Timezones shouldn't factor in, as Unix time *should* be the same no matter where you are; The "time" where you are is then calculated after that.

"correcthorsebatterystaple" you say?

In one of the episodes, Data impersonates Picard's voice to commandeer the enterprise.

I love you guys! I can work under my british accent watching your videos and also get some knowledge about my passion wich is computer programming. Keep up your fabulous work !

I'm glad Mike sorted the ghost cube on the shelf! He's a great lecture as one of my highest grades was in his security lecture :D

I love that the password was "correct horse battery staple".

Love Dr Pound! More videos with him please!

for some reason i watch exclusively the videos where DR Mike is talking

meh boy mike has the most loveable facial expressions and way of speaking.. like idk its just soo nice to just watch

I learned so many things that my university didn't really teach me in this channel Thank you guys

Pound that thumbs up button for Dr Mike

The video is 12:34 long. Well done :D

Authy allows you to have your 2FA be shared between multiple devices.

Thanks dude, this was very helpful, you're carrying my CS exam right now. :)

In StarTrek the thing to "have" is your personalized communicator. It has to be in the same room as the attemt is done from. More than once you see them tap their communicator first before they say their password. If you lost your communicator you probably can do it, but you have to "reprogram" the computer first.

"put it aside for today" Man a biosecurity video would be so cool!

2FA gives an extra layer of protection and you can easily enable it for various services

Nobody: Computerphile: Ah let’s start talking about passwords-

TOTP will forever be 'Top of the Pops'

There is a problem with one version of 2 factor. A number of people have run into an issue where a hacker gets control of their phone number and then goes to various websites and clicks "reset password." Not only is the hacker in, but the original user is frozen out. Sometimes the hacker calls up the phone company, claims to work in a store and they are selling a new phone to a customer. If the operator is stupid, she may transfer the phone number to the hacker's phone.

Nice gentleman, a lot of briefing for enthusiast. Thanks.

I love when Mike explains cryptography. It would be nice to see more about OTP and the XOR function behind it.

"I mean you smash your phone the last thing you're thinking about is 'ah, I must save my Google authenticator passwords!'" (4:40) Really? That's the single thing I am the most scarred about losing my phone. Everything else is backed up to the cloud, so if I lose my phone the only real loss would be the physical device (which can be replaced with a a few hundred dollars) and the damn 2FA passwords (which I have over 20 of), which can be a REAL PAIN to recover. Theses days, I just keep a safe hard copy of the QR codes and instead of Google Authenticator, use Authy (which has some backup/recovery functionality).

Nice xkcd reference xD

Timezones _shouldn't_ figure into it, because Unix time is always UTC. Any local time is derived from that according to those really complex rules Tom Scott explained. It may be a bit of a challenge on systems which do not keep their time in relation to that Unix time, but a lot of the popular OSes (e.g., Linux) do.

Best password ever Mike (correcthorseb)

Yeah, if only we had a video on time zones... perhaps with a guy in a red t-shirt? (imho the best video EVER!)

The one time generated password might just be a regular password in the sense that it uses a pre shared key, but at least this pre shared key is not susceptible to any sort of social engineering or phishing attack, like a normal password is

Who is this guy?? He should be an educator. Fantastic speaking and explanatory skills! And btw, to whom is he speaking? Is he being interviewed/ Why else does he looks past the camera?

12:24 In _ST:TNG,_ we've seen that the system can be fooled, although it does take some special circumstances. There's that one episode (4x03, "Brothers") where Data goes haywire and hijacks the _Enterprise_ by imitating Picard's voice. And then he turns the security against the crew by locking all command functions with a security code much longer than most humans would be able to remember.

I have also wondered the same thing about Star Trek. Recently, I've been trying to figure out if it's really a password that the commander is speaking, or maybe some sort of verification code that they didn't use something like "initiate self-destruct" in a sentence.

To survive through the repair scenario, always keep an 'old phone' in your cupboard that will work with your current SIM card.

11:00 timezones - the bane of programmers existence!!!!

You could have stored all your TOTP keys in a separate database of a password manager and, once you phone has broken down, you'd ask a friend for a substitute phone for a few weeks if they have a spare obsolete model, and you'd install the password manager there and the TOTP base. Your story about the two weeks without TOTP is actually what happens when you know enough to set up a password manager and use a password database regularly but forget to set up proper backup system BEFOREHAND. If you TOTP base exists only on your phone and doesn't get backed up regularly and often enough, then when you phone breaks you'll lose it, so find out how to better sync and backup stuff from your many clients. And better use cloud + encryption for one of the backup copies, but also have a few local ones. And maybe store the backups in such a way so that you'd have 3 (2 local and 1 in the cloud) up-to-date ones and 3 (2 local and 1 in the cloud) 1 day or so late, and also have version control for all your backups, that way, even if you do something wrong and the new backup isn't right, the version control will have the previous version and the 1 day late scheme will save you from re-writing a backup repo with a repo that has a corrupted index. Check out BorgBackup.

Is it really 2FA iftheyI can say “I forgot my password” and now my phone is enouth to get anyone into my E-Mail account and therefore all other accounts?

best channel. best content. your explanation is best. but please give subtitles for this video.

Interesting topic! I'm curious about the difference between 2-Step Verification and 2-Factor Authentication, and what criteria define them? For instance, hackers have been able to take over people's phone numbers and intercept the security texts - thereby fullfilling the possession factor without physical accesss to your phone. (I've seen claims, that texts therefore only count as 2SV and not 2FA, but I don't know, if this definition is correct.) And would an app like Google Authenticator be impervious to this kind of trickery?

@computerphile Correction: Retina scan, voice recognition, and password is still just 2FA because the first two are the same factor. 5:42

Those 16 digit codes that we are given when we set up 2FA on an app such as Binance, or similar. Can we re-view them/check if they are correct somehow?

Warm reminder: if you are using iPhone, you can turn off message previews under notifications -> messages -> Show previews (scroll to bottom) -> set to "When Unlocked". To prevent people get your phone and allow them to get the one time code. Now at least they also need to know your pin to unlock the phone first.

How does FIDO2 work? The flow of data is one way, so it's not a challenge/response mechanism. How does the server know the generated code is valid?

there actually is an episode of Star Trek: The Next Generation, where Captain Picard falls victim to a phishing attack! ("Ship in a Bottle", season 6). i find that especially noteworthy as back when it was made it was the early 1990s, before such a practice became something of note. idk if the term "phishing" even was invented back then, though it might have been... of course, the voice imprint as second factor doesn't help a lot if you can record the audio of him saying the password (or when you can outright synthesize the voice)...

If both the device and the server are set internally in UTC, how do timezones affect this method? UTC doesn’t use timezones.

Surely, though, the Star Trek computer simply tracks everyone's location? This has happened in many episodes where a member of the crew would ask the computer "Where's Riker?" and it would give them his current location on board the ship. So you'd have the idea that, when you get on board, the ship identifies who you are - say, by biometrics (which, of course, if they take the transporter to board the ship, then you've got the perfect biometric that the transporter buffer has them stored right down to the atom, to confirm who they are on an atomic level) - and then, whilst on board, the computer's always tracking everyone with its internal sensors. Once it knows that that heat signature is Commander Riker, then it can follow that heat signature around the ship with its sensors to be aware of where Riker is at all times. And if that heat signature starts ordering commands, then it knows that it's Riker already. So, really, the voice recognition is just a double check - just in case, in tracking people wandering about the ship, it didn't at some point get confused as two people got very close together and mixed them up - which leaves you with the idea that the password is actually a sanity check. And by sanity check, I literally mean a check of that crew member's sanity. It's not authentication, but rather a deliberately inconvenient "are you sure?" prompt, so they can't set off the self-destruct accidentally, but have to really very deliberately mean it.

Do keys make you secure? like hardward, like the yubikey 5c nfc?

Is there any need for this if you use really long randomly generated passwords which can't be cracked or stolen in a password manager? Also if you have a recovery code stored somewhere if 2fa fails on you then all an attacker needs is that code right?

Also, biometric markers, no matter if it's a fingerprint, a face image, voice print or gait recognition, are never useful as an authenticator - because an authenticator (as in "your password") must have the ability to be changed, but you can't change your biometric markers. Which makes them useful only as the identifyier, that is the "user name" part of the authentication process. So if you swipe your finger or hold your face into a camera, and it recognizes who you are and then asks you for authentification (no matter how many factors), that would be acceptable for a service that is allowed to know you real identity. However, if it knows who wants to log in and then uses your biometric marker to log you in automatically, that is just stupidly unsafe. And yes, we all do it - I even installed fingerprint-gui on my laptop as a convenience feature, instead of having to type my password for every time I want to sudo something. But that works only locally, not over the interent.

Stay on track.

@10:56 About time zones problem: that's why EPOCH or UTC is used, for this kind of applications... :-) My big concern on data exchange nowadays is focused on different character encoding troubles...

0:43 2FA 2:15 Combination. 3:45 Multifactor authentication. 5:34 2FA as a subset.

I've had my phone replaced before and just completely forgot that I needed to store these somewhere. Slightly concerned that every service let me reset it with basically no additional verification...

so my master password is 11 characters long with symbols, upper and lower case letters and digits. would this be considered strong or weak?

Best passwords I've used, (I don't use this exact, but the same concept), follows this general idea: Land0Of1The1Free2And3Home5Of8The13Brave! A sentence from something that is easy to remember, the words Titleized, separated by numbers from a sequence you know, end by a special character. Super easy to remember, extremely hard to crack

Hi, I think this is a great video for my followers and so is it ok to share?

Turned down an offer for studying Computer Science at Nottingham, these videos really make me regret that choice

how did we get from "more factors help" to "oh and the additional factor cannot just be random, let's look at this HMAC" ?

I only remember passwords being said aloud on Star Trek TNG, they were self destruct codes. Hard to use twice. :D

I don't think timezones matter, as Google Authenticator and similar apps use UTC, it would be a nightmare otherwise. HMAC OTP can also be sync by server trying N future codes to find one provided by client. Thanks for the excellent video!

4:48 That is why there is one time use code sent to your account after you use MRS so you can use it to login back and copy the 2fa secret to the auth app

11:03 Timezones DONT cause a problem. Unix time is in UTC time, and timezones are handled by the computer and it's own locale configuration. Unix time does not keep timezone data.

I know I'm several months late, but I wish you'd touched a bit more on the increased vulnerability to phishing MFA can lead to. If you know you have MFA set up for an account, receiving an email which states "a login attempt was made, if it wasn't you, click here to change your login information" might make you more likely to follow the link without checking the email address itself or other signs of phishing. Then you've clicked the link and filled in your "old" login info and now the phisher has that info.

Do you have a video about how fingerprint authentication works?

12:34 I like it

In my dad's house... every electronic device is called a "doofer"... everything from the TV Remote, to the washing machine... :D

Which previous video was he referring to?

Discord had one time password to diable the 2FA should you loose it ideally they are kept someplace phyiscally safe or in such a way that if someone finds it they have no idea what these numbers are like you call the file gameshark-codes.txt or something

What is the appropriate way to store the secret key when using Google Authenticator?

for some reason this reason doesnt play with sound for me :( other videos work just fine..

@Comupterphile. I am wrong for presuming that 2FA to work, I must have a KEY that corresponds to my Facebook profile to gain access? My situation is that my account was hacked and then the activated the 2FA feature that I hadn't previously used. Facebook confirmed that I was hacked, but since I was logged out on my other devices, I can't access the key. I've contacted FB, but they've been giving me a hard time... They won't deactivate/bypass the feature and won't send me text authentication instead... What can I do?

Surely Unix Epoch is the same in all time zones though?

Please enable captions, I'm a deaf

Talk about DES and AES

Demolition Man. Just putting that out there.

I hate to be pedantic, but TOTP HMAC is 2SV, not 2FA. There is a second step to logging in, not a second factor to logging in. A true second factor would be a Yubikey. The only XFA, where X > 2, that I know of that actually works is MIRACL.

Can I have please the names of the books over his head ?

Look for the mobile and Chrome extension called Authy, which is much better than Google Authenticator, as it allows you to sync between all your devices.

Thanks for the video =)

In Star Trek I think there is a kind of synchron-translator system that may obfuscate the told password.

Oh, another problem is SMS authentication. A website recently had a hacking incident, where someone called up the website owner's phone company, convinced them they were the owner of the phone, and had the number moved to another SIM card. So when they tried to reset the person's password and received an SMS to verify their identity, the message was sent to the attacker's phone instead. This probably would not have happened if the 2-factor authentication wasn't through SMS, and instead through something like Google's Authenticator App, but it just shows that the biggest point of weakness in any security system you can think of is the Human element. Aka, Social Engineering.

The video started off so well but then needlessly complicated.

Ever since i seen a white-hat hacking expo were a security expert showed that he could intercept text messages, i dont use my phone for password recovering or 2FA unless its the only option.

Now please tell us about push based (to mobile phone) 2 factor authentication, e.g from Microsoft

It looks like his watch is/was broken and he had to repair it. The card on our table spelling "Tick King" says many things ;)

I notice you use Samsung Android. Do you know “how safe” is Apple’ Notes and Numbers encrypting passwords?

2FA is a must for financial systems. Most other systems work well with strong passwords.

Same happened to me with Google authenticator, never again, use Authy if you lose your phone just initiate session on other defice to get access to your 2fa

A friend of mine had his Android phone break on him, which then made it impossible to log back into his Google account from his PC becaue he couldn't acknowledge the second factor on his phone. He had to get another phone first and then he could use his account and his email again. He turned off 2FA after that experience.

Authy FTW! You can export an encrypted backup!

why wouldnt 2fa be read first then the password. So that people couldnt social engineer your password?

Perhaps in Star Trek their communicator provides an exact location, and it verifies both the voice and the location of the voice match.

Nice midi woodblock for phone tapping sfx lol

Steamguard... :/ Why every time? Sheesh.

Name of C++ book on the shelf?

My brain cells just died listening to his explanations lols

Please, I down load 2factor authenticator and start using it without registering, and now the one time password is no more in the app, it all wipe off. How can I get the app working again.