Google two-factor authentication. Why You Should Never Use Google Authenticator Again

    Protecting your accounts

    Until recently, many users hardly thought about additionally protecting their various accounts from access by strangers. As a rule, a login and password combination handled this task perfectly well, and for mail, social network and forum accounts no more protection was needed. But then cryptocurrencies came along. People began to get rich quickly and fabulously, and where there is big money, there are those who want to take it.

    News about hacks of exchanges and wallets, followed by the theft of millions and billions of dollars, began to appear regularly. In some cases the services themselves were to blame, because they did not pay enough attention to security and left holes in the fence. But in most cases the fault lies with the users themselves: a password of 12345, and the same one for every service (so as not to forget it), access through a public Wi-Fi hotspot (after all, it is so convenient), without logging out of the account afterwards (why bother, you would only have to log in again), and all this in front of everyone (I have nothing to hide). People love this, they know how to do it, and they practice it.

    Because of this, both the services themselves suffered, receiving complaints and angry reviews, and the users, who were left nervous and kicking themselves. To minimize such situations, all crypto wallets began to universally implement a protective feature called two-factor authentication, or 2FA for short. But even now many people stubbornly ignore it, whether out of ignorance, laziness or something else.

    As you may have guessed, today we will look at what 2FA is and how to use it. As an example, let's take one of the most popular applications for this, Google Authenticator.

    What is 2FA and Google Authenticator

    2FA is a method of verifying a user's identity that requires passing through two levels of protection (rather than one, as before) before access to the account is granted. These are the levels of protection:

    1. the account password;
    2. a unique numeric code generated by a special application installed on a mobile device.

    Google Authenticator is a 2FA application that generates a unique one-time 6-digit code every 30 seconds.

    I will show the example using the Android application, but if you have iOS, don't worry, everything is identical there. Now we will enable 2FA together on several crypto exchanges and look at the nuances that may arise.

    Two-factor authentication, Binance exchange

    We will start with the top exchange that everyone has been talking about lately.

    On it you can configure 2FA not only for logging in, but also for various actions, for example for withdrawals, which is what we will do. To reach the two-factor authentication settings, go to the "Security" section, then to the "Two-Factor Authentication" tab:

    Opposite the "Funding" section, click the "Setup" button to access the settings:

    First, select the 2FA method. I chose "TOTP mode using Google Authenticator". In this mode a new unique code is generated every 30 seconds, and it is already familiar to us from the first two examples. Then I unchecked deposits but left withdrawals checked: if someone hacks my account and makes a deposit, I will only say thank you, but for a withdrawal the 2FA code will be required. I left the algorithm for the code at the default, SHA1, although you can choose stronger ones. I left the code length at 6 digits, although 7 and 8 digits are also available. After filling out the form, click "Continue":

    In the upper field (1) we check the options we selected earlier once more. In the center (2) there is a 16-character key and a QR code; use whichever you prefer. In the "One-time Password" line (3) we enter the first code generated after the exchange account has been added to the application. Don't forget to take a screenshot of the screen to save the key and code. Only after that do we press the "Confirm" button.

    So, using the example of three exchanges, we looked at how you can enable 2FA using the Google Authenticator application.

    For cryptocurrency wallets that support 2FA, everything works in a similar way, with at most minimal differences. So once you have set up such a link on any one account, you should have no problems with other accounts.

    If you ever want to disable 2FA, you go through all these steps again. Only after repeating this entire path will the service let you give up the second level of protection.

    Possible problems

    Sometimes you may run into the problem that your code does not work: you seem to be doing everything correctly, but the next time you log into your account you see the message "Incorrect code". This can happen because the time on your phone is out of sync. To fix it, open the Google Authenticator app and tap the "..." button in the top right corner to open a menu, select "Settings" (1), then "Time correction for codes" (2), then tap the "Synchronize" button (3):

    In most cases this helps. If it does not, the only option is to write to support so that they deactivate 2FA for your account and you can log in using only your password. But be prepared that in return you may be asked for various details about your account: the balance, which coins are held, which operations were carried out recently, what was bought, what was sold, and so on.

    The next problem anyone may face is when something happens to the mobile device. It can be stolen, it can break, or you can accidentally delete the Google Authenticator application itself or any account in it.

    Let's deal with the last point first. You can have one account in the application or hundreds of different ones. So as not to delete the one you need by mistake, I recommend not leaving the default names but renaming the accounts (just write the name of the service, as in the screenshot above). Then it will always be clear which account is which, and the risk of accidental deletion is eliminated.

    In case of theft or breakdown of the device, so as not to be left with nothing, always save the QR codes as images and the 16-character keys in text form, or copy them onto paper. I talked about this in the Binance example. If you have the code and key saved in a safe place, you can always regain access to your account by installing Google Authenticator on a new device.

    If you are again doing everything correctly but the codes still do not work, contact support.


    Two-Step Verification enhances account protection. When it is enabled, two components are required to log in:

    • Something that only you know (for example, a password).
    • Something that only you have (for example, a phone or an electronic key).

    Step 1: Set up two-step verification

    1. Open the Google Account page.
    2. On the left navigation bar, select Security.
    3. In the Sign in to your Google account section, click Two-Step Verification.
    4. Select Begin.
    5. Follow the on-screen instructions.

    Select the second stage of authentication

    When setting up the second stage of authentication, you can choose one of several confirmation methods: notification to phone, SMS, voice call or electronic key.

    After you enter your username and password on the login page, Google sends a 6-digit verification code to your phone. Enter it in the field on the screen. You can choose how you prefer to receive codes: via SMS or voice call.

    Electronic key

    An electronic key is a small device with which you can confirm that the Google account belongs to you. When required, simply connect it to your phone, tablet or computer.

    An electronic key provides additional protection and allows you to log in without a phone.

    Notification from Google

    When you log into your account, a notification arrives on your phone. Confirm that it is you by selecting "Yes". If you select "No", Google understands that someone else is trying to log into your account and blocks the attacker.

    A notification is a safer and faster way to log into your account than a confirmation code.

    Step 2: Set up backup methods

    Set up backup methods so you can log into your account if you forget your password or lose your phone. To do this, follow these steps:

    1. Open the Google Account page.
    2. On the left navigation bar, select Security.
    3. In the section Sign in to your Google account Click "Two-Step Verification."
    4. Select Begin.
    5. Click Choose another method.
    6. Select the appropriate option, for example:

    Step 3: Change your account recovery information

    With a backup email address and phone number you can restore access to your account if it is hacked or you forget your password.

    How to add or change a recovery email address

    1. Open the Google Account page.
    2. On the left navigation bar, click Personal information.
    3. In the Contact information section, select Email.
    4. Specify or update your backup email address.

    How to add or change a backup phone number

    1. Open the Google Account page.
    2. On the left navigation bar, click Personal information.
    3. In the Contact information section, select Phone.
    4. Provide or update your backup phone number.

    Anyone who uses Google services, whether Gmail or any other, has probably heard of an additional method of protecting an account from theft and hacking called "two-step authentication". This method adds to the required account name and password an additional code, which can be obtained in one of the available ways (via SMS, voice call or a smartphone application) and must be entered during authentication. Thus, even if a villain obtains your account name and password, he still cannot do anything with the account itself or the top-secret data in it.

    Many people refuse to use two-step authentication because they are afraid that it is very difficult and that entering an additional code every time is generally inconvenient. In fact, two-step authentication is easy to set up, it is not necessary to constantly enter codes on frequently used computers, and the knowledge that your data is reliably protected is well worth the possible minor inconveniences.

    Two-step verification via SMS and voice call

    So, go to the security settings of your Google account. There is an item called "Two-Step Verification" with the status "Disabled". Feel free to click the "Change" button. At this and subsequent stages Google may ask you to re-enter your account password. This is normal and nothing to worry about.

    A nice picture appears that clearly illustrates the principle of two-step authentication. If you wish, watch the video with additional information, and then click "Proceed with setup".

    Now we need to specify the phone number to which account access codes will be sent. Then we choose the delivery option for the codes: via SMS or by incoming call. SMS is somehow more practical. Click "Send code".

    An SMS with a six-digit confirmation code will be sent to your number; it must be entered at the next stage. Enter it and confirm.

    Trusted and untrusted computers

    Next comes a very important part of the setup. Google asks you to decide whether the computer you are using at the moment is trusted. The point is that on trusted computers the code for logging into your account only has to be entered once every thirty days. Trust here refers to whether other people have access to this computer.

    Perhaps only a home machine can be called a trusted computer in this situation, and only on the condition that no one but you uses it. We mark work and other computers as untrusted, that is, we uncheck the "Trusted computer" box. Click "Confirm".

    App and device passwords

    The next step is creating app passwords. This is necessary because some applications access your Google Account outside the browser. Creating the passwords is much simpler than it might seem. Moreover, you only need to create them once and do not have to remember them.

    So, click the "Create passwords" button and at the same time recall which devices and applications access our Google account. For each such device and application you need to come up with an identifier, that is, a name.

    Among the most likely devices and applications is an Android smartphone or tablet (if you have one). We write a name for the password (for example, "My Android") and click "Create a password".

    The system will generate a password that must be entered instead of the current password for your Google account on your mobile device.

    You also need to create a password for the Chrome browser's settings synchronization feature (for example, named "Chrome Sync"). If you use the separate Google Talk application, you will need a password for it too. As a result you will have a list of named passwords. In the future, if necessary, you can change or revoke any of the created passwords for applications and devices.

    Completing setup

    In fact, two-step verification is already working, and now when you try to log in to your mail or another Google service, after entering your login and password this screen will appear asking you to enter the code.

    If we go back to the Google account security settings, the "Two-Step Verification" item now has the status "Enabled".

    Related additional actions

    By the way, while you are on the settings page, don't be lazy: go to the "Password Recovery Options" section and make sure a phone number is specified for situations when you have forgotten your account password or your account has been hacked.

    Also make sure you remember the security question/answer to gain access to your account.

    Alternative ways to receive codes

    You might want to use an alternative way of receiving codes to log into your account. To do this, return to the security settings page of your Google account and click the "Change" button next to the "Two-Step Verification" item.

    In the window that appears there is a "How to receive codes" section. Here you can add an additional number to receive codes in case you lose access to your main phone number.

    Google Authenticator

    If you have a smartphone running iOS or Android, or a mobile device from RIM, you can install the special Google Authenticator application, which replaces incoming SMS codes.

    Let's look at how the authenticator works using Android as an example.

    Following the instructions, download the Google Authenticator application from the Play Store onto your smartphone. When you launch the application, you are offered two setup methods: entering your account details manually, or scanning the QR code shown on the page with instructions for installing the application.

    If you select the QR code option, the authenticator may prompt you to install a scanner application. Agree and install it. After that, scan the QR code on the settings page and enter the code generated by the application.

    In the future, if you need to enter a code, you just need to launch the application and enter the generated code.

    The paper method

    Anyone can end up in a situation where the phone is forgotten at home, and with it the authenticator application and the ability to receive SMS. For such a case it is useful to play it safe and use backup codes.

    You can simply write them down on a piece of paper or print them out, then carry them in your wallet. Each code is single-use, and when the printed codes begin to run out, it is enough to request a new batch of codes.

    We hope this guide helps you.

    Hi all! Today we will talk about protecting your account with Google Authenticator. We will show you how to properly set up the authenticator on your computer and use it with or without a phone.

    Recently, protecting personal data and accounts has become very important. More and more users are trying to enable additional verification when logging in and to strengthen the protection of their accounts. One of the best programs for mobile authentication is Google Authenticator.

    What is this and how to connect?

    Google Authenticator is a mobile application that provides two-factor protection for accounts by generating an additional code that must be entered before logging into the account. This program can be used to protect your Google mail account, VKontakte page and other accounts.

    Main features of the program:

    1. Generating new codes without an Internet or cellular connection;
    2. Support for multiple accounts and users;
    3. Easy GA setup and a minimalist interface;
    4. Support for Android, iOS and BlackBerry.

    The GA app works quite simply and effectively: you download the program itself from the Play Market, then in the settings of an account that supports two-factor authentication you enable this option. Launch the application on your phone and use the camera to recognize the QR code, or enter the key shown; after confirmation, enter the freshly generated access code.

    You can add the device through which you open the page to the list of trusted ones so that you don't have to enter the code every time. For example, such authentication for a Google account can be enabled on the account security settings page. To log into VKontakte you can also set up verification via Google Authenticator. More details in the video:

    Google Authenticator on your computer online?

    Many users are interested in whether it is possible to install this application on a PC and use it directly on the desktop. I was able to run the authenticator through the Nox App Player emulator.

    Such emulators create an identical copy of an Android device on a computer and allow you to run almost all applications and many games through it. There are several emulators to choose from: Nox, BlueStacks, Andy, Droid4x. I chose Nox. It turned out to be very easy, fast and free. Plus, I am pleased by its greater compatibility with Android applications and its wide selection of settings.

    To launch successfully, you will need to do everything point by point:


    The program works and performs all its functions, but there is a small problem with scanning QR codes. The fact is that the webcam mirrors the code and it is not recognized. I fixed this problem as follows: I took a screenshot, pasted it into ordinary Paint, enlarged the image and flipped it horizontally. Everything was recognized immediately and I connected without problems.

    There is no such thing as enough security. On the other hand, using buggy or weak protection can give you a shaky illusion of security while leaving you vulnerable to all sorts of threats.

    Using only passwords is, generally speaking, something we have been doing since the Internet came into existence. We are making progress towards a world without passwords, but in the meantime many websites offer additional security for user accounts using two-factor authentication (2FA).

    In general, there are two types of such authentication: Time-based One-Time Password (TOTP) and Universal 2nd Factor (U2F). You may already be familiar with the first type, since it is the most commonly used: during login you are prompted to enter a one-time password generated by a smartphone application or a separate hardware device, or sent via SMS. The method is simple, but there are several simple ways it can be compromised.

    I've seen warnings like "my phone has been hacked" from three people in the Silicon Valley/Bitcoin/venture crowd. Be on the lookout and enable 2FA.

    How does TOTP work?

    A time-based one-time password, popularized mostly by the Google Authenticator app, confirms your identity based on a shared secret. This secret is known only to you and your provider.

    When you log into a website with your account, your device generates a unique code from the shared secret and the current time. You then enter this code manually. The server generates exactly the same code from the same secret in order to compare them and confirm the authorization request.

    Both sides generate the same hash from the same input data, having shared the secret at registration time.
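    The TOTP scheme just described, in working form, as an added example that is not part of the original article: HOTP/TOTP per RFC 4226/6238 with the page's SHA1 default and 6-digit codes (7 or 8 digits and SHA-256 are parameters), plus the server-side check with a small drift window, which is why a phone clock that is off by more than that window produces the "Incorrect code" error from the "Possible problems" section. The sample keys are the RFC 6238 test secrets, constructed here in the base32 form a site shows next to its QR code, and do not belong to any real account.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in
# base32, the same form a site shows next to its QR code. Not a real account key.
SAMPLE_KEY_SHA1 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# RFC 6238 uses a 32-byte seed for its SHA-256 vectors ("1234567890" x3 + "12").
SAMPLE_KEY_SHA256 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA"


def decode_base32_key(key: str) -> bytes:
    """Decode the key as displayed (spaces and missing '=' padding tolerated)."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation
    of 4 bytes at an offset taken from the last nibble, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: str, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole `step`-second
    intervals since the Unix epoch, so phone and server agree exactly as long
    as their clocks agree."""
    return hotp(decode_base32_key(key), unix_time // step, digits, algorithm)


def verify_totp(key: str, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check. Besides the current interval, accept `window` intervals
    on either side so a phone whose clock is a few seconds off still works; a
    larger skew is the "Incorrect code" case that the app's time synchronisation
    fixes. compare_digest keeps the comparison constant-time."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for delta in range(-window, window + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        candidate = totp(key, t, step, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit SHA1 code:", totp(SAMPLE_KEY_SHA1, now))
    print("current 8-digit SHA-256 code:",
          totp(SAMPLE_KEY_SHA256, now, digits=8, algorithm="sha256"))
```

    The 6-digit value for the RFC test key at Unix time 59 is the last six digits of the RFC's 8-digit vector, which shows that digit count only changes the final modulo, not the hash.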

    What is wrong with TOTP?

    The method is very easy to use; however, it is not without several vulnerabilities and inconveniences.

    1. You need to manually enter the code during authorization (login)

    2. Backup is too cumbersome. You need to go through many steps to back up a secret. Besides, good services usually provide backup codes rather than exposing the secret itself. If you lose both your secret and your backup codes, you will have to complete the entire TOTP registration process again.

    3. Backup codes are sent over the Internet, which is completely unsafe.

    4. You and the provider share the same secret. If an attacker breaks into the company and gains access to both the password database and the secrets database, he will be able to get into any account completely unnoticed.

    5. The secret is revealed in plain text or as a QR code. It cannot be stored as a hash. This also means the secret is most likely stored as plain text on the provider's servers.

    6. The secret may be exposed during registration, since the provider has to give you the generated secret. When using TOTP, you have to trust the provider's ability to keep the secret private. But ?

    How does FIDO/U2F work?

    The U2F standard, developed by the FIDO Alliance, was created by technology corporations such as Google and Microsoft, motivated by the vulnerabilities found in TOTP. U2F uses public key cryptography to verify your identity (Reddit: "Explain like I'm five years old"). Unlike TOTP, with this option you are the only one who knows the secret (the private key).

    The server sends you a challenge, which is signed with your secret (private) key. The resulting message is sent back to the server, which can confirm your identity because it has your public key in its database.

    Benefits of U2F:

    1. A secret (private key) is never sent over the Internet

    No confidential information is ever disclosed, thanks to public key cryptography.

    2. Easier to use. There is no need to use one-time codes.

    3. Privacy. No personal information is associated with the secret.

    4. Backup is theoretically easier. However, it is not always possible; for example, you cannot back up a Yubikey.

    Since with U2F there is no secret shared between the two parties and no confidential databases stored by the provider, a hacker cannot simply steal all the databases and gain access. Instead he would have to hunt individual users, which is much more costly in money and time.

    Moreover, you can back up your secret (private key). On the one hand this makes you responsible for your own security, but on the other hand you no longer need to trust some company to protect your secrets (private keys).

    TREZOR – U2F “our way”

    TREZOR is a small stand-alone hardware device designed to store private keys and act as an isolated computing environment. Originally designed as a secure hardware wallet for Bitcoin, its applications have expanded significantly thanks to the flexibility of asymmetric cryptography. Now TREZOR can also serve as a secure hardware token for U2F; you will additionally have to confirm the login by pressing a button on the device.

    Unlike some other tokens, TREZOR always uses a unique signature for each registered user account. Among other things, the device takes U2F to a whole new level:

    1. Easy to back up and restore. TREZOR asks you to write down the so-called "recovery seed" on a piece of paper when you first start the device. This is the only one-time process among all the others on the device. The recovery seed represents all the secrets (private keys) generated by the device and can be used at any time to "recover" your hardware wallet.

    2. An unlimited number of U2F identities, all of them saved within a single backup.

    3. The secret is stored safely in TREZOR. No one will ever learn it, since it cannot leave the device. Neither viruses nor hackers can steal it.

    4. Phishing protection with on-screen confirmation. The wallet always displays the URL of the website where you are logging in, as well as what exactly you are authorizing. You can make sure that the information sent to the device is what you expected.

    5. Additional information on using U2F during setup, use and recovery of TREZOR can be found in our blog post, or in the User Documentation.

    The security properties of asymmetric cryptography match the TREZOR security philosophy. With U2F support in the wallet, we encourage users to take all available measures to protect their accounts and personal data online.