I wouldn’t mind a physical key, but they need to be way more affordable and maybe have more security methods that other sites can use, like sending a Bluetooth signal or something like that.
@jgn2112 2 years ago
Dude, this channel is becoming the Project Farm of security channels. Can't wait for the upcoming FIDO vids! I have no WiFi or cellphone signal at my office, so a FIDO method of authentication might be a much better option all the way around! It just makes me nervous.
@centauri936 2 years ago
You can actually use TOTP offline. Even when you set up the shared secret initially, this is transferred via QR code, and the authenticator device does not need internet to receive it. That said, I recommend hardware security keys regardless :) Don't be nervous, just get a backup and keep it safe somewhere. This is the way!
@sideofburritos 2 years ago
Haha, thank you! Ah, I didn't even think of that added benefit of it. Google has an "Advanced Protection Program" that I want to make a video about. I want to sign my YT account up for it, and it requires two hardware keys so that all other methods can be disabled. I've been hesitant because of the "what if" scenarios where I lose access to my account. So I get it, haha.
@hayonglee1600 2 years ago
Just stumbled across your channel looking to learn about GOS. In Korea, you can create your own YubiKey with any USB. And it is generally required for all banking activity. You can also transfer the code to a phone. And most people use the banking app to do this. But those who know how can do this manually. But on top of that key, you need the password for that key. And in most cases, in order to change it, you need to go into the bank with your ID.
@sideofburritos 2 years ago
Hmm, that's interesting. Do you go to the bank and create it there, or do you have software you download and create it yourself? When you say it's required for all banking activity, does that include purchases and transactions? Or only activity where you're transferring, depositing, or withdrawing money?
@hayonglee1600 2 years ago
@@sideofburritos So the last time I had to open a bank account, I needed to make a username and a temporary password (number based, usually 4 digits). Then when I get to my personal computer, I download the bank's app and input the username and temporary password. It will ask for a USB, on which it will place a certificate. So whenever you need to use the bank (online banking), you need to use that certificate. That certificate is needed in basically all interactions on the bank's site, including password changes. That certificate is only valid for 1 year and needs to be re-created once a year, with a new password (an old password can be used until the bank changes its minimum requirements for the password; the last time that happened was when they required special keys (. ! *)). They sometimes also update the password length requirement (once or twice in the last 9 years). And in recent years they have added OTP and calls. When they call you, you need to input the bank code from the PC. Same system as OTP, if I'm not mistaken. Now for internet shopping: every time you buy something from a Western site or a Korean site (there are exceptions, but 99%), when you get to the payments section, it will send you to the bank's verification page, where you need to input a different password. (If it is your first time doing this, you need to set it up. And from then on (and when creating it) you need a phone call and/or the USB (in some cases).) To sum up, you need 2 passwords and a USB that has a digital certificate that is only valid for one year. Sorry, typing on my phone. Email me if you need me to be more in depth or need clarification. Hope that helps. :)
@dread1089 2 years ago
Amazing video, hope the security playlist gets expanded often.
@sideofburritos 2 years ago
Thanks! I'm planning on it!
@TheBoomshine 2 years ago
Great original content! I'll have to give this one a few watch-overs as some stuff goes over my head. :)
@sideofburritos 2 years ago
Haha, thank you!
@salpertia 2 years ago
I lost my YubiKey a week ago and was pretty bummed out, as it was the only thing that gets me into my web services without waiting for a reset. Found it yesterday: sat on the toilet and left it in the TP rack.
@sideofburritos 2 years ago
This was a great story 🤣, glad you found it, and thanks for sharing.
@philrose7716 2 years ago
Josh, I believe ProtonMail is going to roll out a way you can use MFA. Do you think you could do a review and explain the benefits?
@sideofburritos 2 years ago
They announced this a few months ago (proton.me/blog/security-keys). Unfortunately, you still can't disable the less secure MFA methods. From what I understand, they need to have all their apps support hardware keys before they can let you disable the other methods. That being said, I think it would be good to have a video on “securing X account” or some other common services people use.
@idobenhamo953 2 years ago
Hey, I'm really enjoying your channel and learned a lot from you! I actually ditched my iPhone last week and bought a Pixel 6 and immediately installed Graphene on it. So thanks! I wanted to ask about the "sensors" permission on apps... can you shed some light on that?
@sideofburritos 2 years ago
Glad to hear! Congrats on ditching the iPhone! Good question on the sensor toggle. GrapheneOS has both the sensor and network toggles that stock Android OS doesn't have. This week's video will be on the topic, so hopefully that'll answer the question.
@idobenhamo953 2 years ago
@@sideofburritos Thanks a lot!!! Best regards!
@ArtOfHealth 2 years ago
The rabbit hole just shortens when facts are more clearly explained. Thanks. Some reviewers have said the camera is degraded with GrapheneOS. Do you mostly use your computer and very little on your mobile devices?
@sideofburritos 2 years ago
GCam definitely has more features, but I use the GrapheneOS camera app primarily. I would say I use my mobile device 20% of the time and my computer 80%. I hate typing on the small screen. My hope is that GrapheneOS will support the Pixel tablet when it's released someday, and I would like to then use that primarily with a keyboard.
@ArtOfHealth 2 years ago
@@sideofburritos Have you tried a Chrome OS computer? $1200 to $2600 depending on perks. The problem is Graphene is not built for PC. Yet. My business associate bought a Chromebook for $1300 and he loves it after years with Apple limitations and hardware issues. Plurilock is in Canada. They offer two MFA solutions, Adapt and Defend. That is all I know for now. Thanks.
@centauri936 2 years ago
@@ArtOfHealth I've been using a Chromebook lately. (Your price points seem very high for those, btw.) I think they might be the most secure desktop computers you can possibly use right now. Chrome OS inherits the strong application sandboxing of the Chrome browser. It is fundamentally based on Linux (it even lets you run virtualized Linux very easily), but actually employs verified boot and disk encryption properly, neither of which can be said of any major Linux distro. By design, it's really easy to power down Chromebooks and come back right where you left off, which allows you to easily take full advantage of its strong encryption at rest and verified boot to combat malware persistence. It also applies updates seamlessly in the background, mitigating users who don't want to be interrupted to update. Boggles the mind that no one else has figured this out yet, even though smartphones have worked this way for years. I would love to see a proper non-Google build of Chromium OS at some point, mainly so that it can be used without a Google account, but unfortunately we don't have that yet. I still have come to the conclusion that it is the best option for me.
@sideofburritos 2 years ago
@centauri I agree it's the most secure desktop option available. The major deterrent for me right now is the privacy aspect of it, but the security it offers is attractive.
@ArtOfHealth 2 years ago
@@centauri936 Thank you very much!
@noomondai 2 years ago
Thanks Josh, great info!
@branislavavramovic2601 2 years ago
Thank you very much for such a detailed explanation. Is there a chance to make some videos in the future and test out /e/ OS and DivestOS? Both should be solid when it comes to privacy and, if I understood correctly, they could be used on a wide range of devices.
@sideofburritos 2 years ago
You're welcome! Hmm, perhaps. Some others have requested videos on those OSes. You are correct, they do support a wider range of devices, which is good for those who can't obtain the Pixel.
@benf101 2 years ago
I use TOTP whenever possible, but honestly it's no better than a long password. Why would I say that? Because every time you set up a TOTP they give you a list of "backup codes", which are NOT time based and can be used in place of my time-based one-time passwords. It's like wearing a bulletproof vest with a bullseye on my forehead. Again, I do use them because they add some protection, but a second place to enter another password would be just as good.
@sideofburritos 2 years ago
I can see your point, but TOTP provides *some* phishing protection vs the backup codes. You'll regularly be using the TOTP code, and if that gets phished it's only valid for 30-60 seconds. If you had a second password, that could be phished much more easily, and it would be valid indefinitely.
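The TOTP mechanics behind the offline-TOTP reply earlier in the thread and this exchange about backup codes, as an added example that is not from the video or any commenter: an RFC 6238 generator and verifier using the RFC's published test-vector secret (not a real account secret), showing that a phished TOTP code stops verifying once its time window passes, while a static backup code has no time component at all.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 6238 test-vector secret (ASCII "12345678901234567890" in base32). It stands
# in for the shared secret an authenticator app receives from the enrollment QR code;
# it is a published test value, not a real account secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # the time step most sites use


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter. No network is involved;
    phone and server only need the shared secret and roughly synchronized clocks."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, unix_time, step=STEP_SECONDS, skew_steps=1):
    """Server-side check: accept the current step plus/minus skew_steps of clock drift.
    Anything captured outside that window fails, which is the phishing protection."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def phished_code_still_valid(secret_b32, capture_time, replay_time):
    """Would a code phished at capture_time still pass when replayed at replay_time?"""
    stolen = totp(secret_b32, capture_time)
    return verify_totp(secret_b32, stolen, replay_time)


def verify_backup_code(stored_hashes, code):
    """Static backup code: matched against stored hashes with no time component,
    so a leaked one stays valid until it is used or revoked."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in stored_hashes)


if __name__ == "__main__":
    t = 1234567890
    print(totp(RFC_TEST_SECRET_B32, t))                                # 005924
    print(phished_code_still_valid(RFC_TEST_SECRET_B32, t, t + 120))  # False
```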
@devadeep1842 2 years ago
Nice video on MFA 😍😍 Still waiting for more videos to learn from you eagerly.
@sideofburritos 2 years ago
More to come!
@homie4235 2 years ago
I think FIDO2 will start to be supported more with Apple's new OS adding support for it (passkeys).
@sideofburritos 2 years ago
I saw an article a few weeks ago that Apple is going to "kill the password". Just looked more into it after you mentioned it, and I agree. Looks like "Passkeys" will be built on WebAuthn, so it's great they didn't try to roll their own. The good thing about big tech is they're able to push other companies into adopting methods much quicker than they would on their own. It's not always for the best, but I think this will be.
@c-LAW 2 years ago
6:00 Aegis Authenticator can encrypt secrets. Google Authy does not allow you to see or export your secrets. Authy (sucks) locks you into Google's ecosystem. BTW, love your channel and your presentations!
@sideofburritos 2 years ago
Hmm, I know it has the "Encryption" option where it encrypts the vault. But I haven't been able to find anything to make the secrets irretrievable. Is that a different setting? Thank you! I agree about Authy, not a huge fan of that. Especially the whole cloud storage (I believe that's what it uses) for MFA codes.
@MiroBG359 2 years ago
My T-Mobile number got SIM swapped in May. They had control of my account for over 2 hours. T-Mobile is still refusing to tell me how it happened or any numbers that were in contact while the scammers had my number.
@sideofburritos 2 years ago
Wow. I'm glad you were able to get control back at least. I wonder why they won't give you any more info? Perhaps someone got social engineered, and they don't want to share?
@MiroBG359 2 years ago
@@sideofburritos Probably someone on the inside did it and they're trying to avoid admitting fault. Fortunately, my SIM is the add-a-line and I try not to use SMS 2FA, but I still do in some places. T-Mobile corporate completely blew me off, not even a denial; they ignored me completely. Regular CSRs would only say the fraud team will investigate.
@MikeTrieu 2 years ago
Hmm, you failed to mention that the built-in Secure Elements in many phones (like Google's Titan M and iPhones) can actually act as FIDO2 authenticators without having to rely on extra hardware.
@sideofburritos 2 years ago
I thought about it, but I'm not really a fan of that option. For how much I wipe my phone and reinstall it, it wouldn't be practical. I think for some it can be great to use, but the day you erase your phone because of some strange behavior, you've just lost your MFA device. With a separate piece of hardware it's always “there”. At least that's my theory on it.
@kimhbryan 2 years ago
Nice video. It’s sad that support for more secure MFA methods is lacking. Once hardware keys are mainstream, I’ll invest in a set.
@sideofburritos 2 years ago
Hopefully more companies are pushed into supporting it; it really is the way to go.
@juliotechmx 2 years ago
Does YubiKey work with GrapheneOS?
@sideofburritos 2 years ago
It does work via the browser. You need to have Sandboxed Google Play services installed for it to function at this time.
@oldaccount7463 2 years ago
Guessing a password manager TOTP would rank C tier?
@sideofburritos 2 years ago
Hmm, I think my answer on that would be the famous "it depends". If you have a cloud password manager like I do, probably more towards C (maybe B-), especially since I can view the secrets in it. I still think even that setup is better than the push notifications. If you have something offline/local, I would say it would be more so B tier.
@MikeTrieu 2 years ago
Yeah, "MFA fatigue" is real. Just ask Uber recently. If you suddenly start getting a bunch of MFA notification prompts, for the love of your sysadmin, *DO NOT JUST CLICK THROUGH THE PROMPTS!*