
Nominet 2FA Two Factor Authentication...

Trying to log in to online services on a weekend with a new mobile phone. My Authenticator details haven't transferred so need to contact Nominet. They only work weekdays :(
 
It's worth setting up an extra 2fa auth app on a second device. I think you can have up to 5 for a Nominet account. Then if you change your phone, you can still log in with the second device and set up the new phone's 2fa key.
 
You can also set it up on your Chrome browser which is much more convenient.

Do you still have your old phone, the app should still work without a sim card?
 
A word to the wise. Some of these apps ask for the URL or name of the website using 2fa when you create an entry for its particular 2fa key. This is not actually needed as the key and the time are all that are needed to generate the login code. The URL or name of the website are just asked for to create a label in the app in case you log in to lots of different 2fa websites, so you can identify which profile is for which website.

Therefore I would advise you to give a false URL/ name because A) it is possible the app may send the key and website info to the app creator if it has been coded by a rogue, and B) if you lost your phone or it got hacked etc and someone gained access to the app they would be able to generate 2fa codes and the app would tell them which website the code is for!

This is particularly insecure if you are foolish enough to have the browser remember the website password as well as they would then have everything they need to log in.

Often a QR code is provided by the website using 2fa and read by the app. This contains the key and the website name, to save you typing it in. But again, this is a bad idea for the same reasons.

It is of course also more risky to have the app on your pc (or the same device you are logging into the website with), in case that device gets compromised. But you could keep a copy of a second spare 2fa key somewhere safe in case you lose/ change your phone, so you could install one of the 2fa apps and with the 2nd spare key get into Nominet so you can set up a new key for your new phone.
 
@Systreg

This is the same one as I use:

I use this web extension, and it works well:
https://authenticator.cc/

@jasman I presume they would not have access to the password if a qr code was scanned? I knew having it on my browser made it less secure if somebody gained access to my computer, but I never thought about the extension being a risk also?

Cheers!
 
No, the QR code would not contain your password, just the 2fa key and the website details which in my opinion are better deleted/ edited to be something different so if a criminal gained access to the app they wouldn't know what website that 2fa code was for (or they would think it's for a different website e.g. you could call the Nominet one Facebook or something like that). If you do use the QR code and discover it's not possible to edit the website details then why bother with the QR code. It's really not much effort to just type the key into the app manually instead of using the QR code.

The browser extension isn't necessarily a risk per se, but obviously the whole point of 2fa is that a criminal would need both 2fa code and password to log in. So if the device you log on with (and enter the password with) is a different device to the one generating the 2fa code, then if they had compromised or stolen one they would not have the other so you have that extra layer of security.
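
As an added example (not part of the original posts, and not code from Nominet or any authenticator app), this Python implements the standard TOTP calculation from RFC 6238 and parses the otpauth:// text that a setup QR code commonly carries. It shows the two points made above: the code depends only on the key and the clock, and the QR payload holds the key plus a display label and issuer, with no password. The sample URI, issuer, account name and the relabel helper are constructed for illustration, and the key is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The only inputs are the shared key and the clock."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)  # number of the 30-second window
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def parse_otpauth(uri):
    """Split the text encoded in a setup QR code into the key and display-only metadata."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    return {
        "secret": q["secret"][0],                # the only field that affects the code
        "label": unquote(u.path.lstrip("/")),    # shown in the app, never hashed
        "issuer": q.get("issuer", [""])[0],      # shown in the app, never hashed
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
    }


def relabel(uri, new_label):
    """Rebuild the URI with the same key under a different label and no issuer."""
    p = parse_otpauth(uri)
    return (f"otpauth://totp/{quote(new_label)}?secret={p['secret']}"
            f"&period={p['period']}&digits={p['digits']}")


# Constructed sample, not a real enrolment: public RFC 6238 test key, made-up issuer/account.
SAMPLE_URI = ("otpauth://totp/ExampleRegistry:user%40example.test"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleRegistry")

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], totp(entry["secret"], 59))
```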
 
@Pedigree, with the Authy app being removed from Chrome on Dec 22nd, have you deleted it and installed the desktop version?

I haven't done mine yet, and am wondering, when changing to the desktop version, does it also move the current token from the Authy app to the desktop version, anyone know?

I'm hoping it's just a case of downloading the desktop version and it's good to go to be able to login to Nominet, without all the tokens needing to be reset.
 
Say a criminal pickpockets someone's phone and manages to get into it somehow. Whilst trawling through the apps he finds the 2fa app with a profile called "Godaddy". He visits godaddy.com in the browser and finds the site has remembered the password. Or if not, he goes into the owner's email app, notes down the email address and does a password reset at godaddy. Then he's in and it's goodbye domains. But if the 2fa profile wasn't called Godaddy, if it was called Facebook or something it wouldn't be so easy.
 
@Pedigree, with the Authy app being removed from Chrome on Dec 22nd, have you deleted it and installed the desktop version?

I haven't done mine yet, and am wondering, when changing to the desktop version, does it also move the current token from the Authy app to the desktop version, anyone know?

I'm hoping it's just a case of downloading the desktop version and it's good to go to be able to login to Nominet, without all the tokens needing to be reset.


I'm using this one: https://authenticator.cc/
 
1password is the best, been using it for years now with no hassle, no breaches, no nothing. One login, supports 2FA and other stuff. Great.
 
I downloaded the Authy desktop version, but it didn't save my Nominet token from the previous Authy for Chrome version I had.

Nominet have reset my account today so I can login again, and they said:

Once logged in you will be prompted to set 2FA back up on your new devices should you wish to do so. Please note, you can set this up on up to 5 devices.

I only had the Authy 2FA on my laptop before, but like the idea of now being able to use Authy 2FA to login on my phone if I'm out and about, but have not got a clue how to do that, can someone advise, please?

I have Authy on my laptop, so I assume that when I next login to Nominet, it'll give me a new token to manually add to the Authy app?

What about my phone, though, guessing I'd need to download the Android Authy app, but is there an option to login to the same account on Android as the app on my desktop, where the stored Nominet token can be used on phone and laptop?

Any advice appreciated, thanks.
 
I have Authy on my laptop, so I assume that when I next login to Nominet, it'll give me a new token to manually add to the Authy app?

No, the code refreshes every 30 seconds in Authy. You then have 30 seconds to use the code with Nominet. This is the same with all 2FA codes except ones received via text.

What about my phone, though, guessing I'd need to download the Android Authy app, but is there an option to login to the same account on Android as the app on my desktop, where the stored Nominet token can be used on phone and laptop?

Any advice appreciated, thanks.

I, too, used Authy when I first ventured into 2FA. I found it difficult to use and if I remember correctly, you need to be careful you don’t lock yourself out of your account. You’ll need to add another device using the device already connected to Authy before you can use the phone app. Unless they’ve changed it since I last used it about 5 years ago.
 
I have Authy on my laptop, so I assume that when I next login to Nominet, it'll give me a new token to manually add to the Authy app?

No, the code refreshes every 30 seconds in Authy. You then have 30 seconds to use the code with Nominet. This is the same with all 2FA codes except ones received via text.

Yes, I know the code that Authy gives to enter Nominet lasts 30 seconds, I asked does Nominet give me a token to add to the Authy app, because there's a button on the Authy app to add token.

It's 5 years since I first installed Authy and I can't remember how it set tokens at set up.
 
Yes, well the first time you set up 2FA you will likely be provided with a QR code that you can scan (screen recording permissions likely necessary) or you can usually request a long code which you can input into your chosen tool and it’ll turn it into a 6 digit code. You then use that code to set it up within Nominet. Each time you log in, the code will be different. But you will never have to set it up again.
 
Thanks Ben, so another question, I've never used a QR code before, do I take a photo of it or is there some specific app that I'd need for that?

Didn't have to use a QR code for Authy 5 years ago, I know that much.

What a load of fecking about to login to a website, every single site I've used for 21 years is enter email and password, boom, job done, but this 2FA crap :mad:
 
It’s better to use 2FA, it’s surprisingly easy to bypass most password logins alone. Especially if your password isn’t all that great. Security hygiene has come a long way!


Once you’re used to adding the codes in and setting the initial code up it will become easier.

But I’d look at 1Password for long term as it’s much easier. Think Authy but much friendlier UX.

On 1Password there's an icon that looks like a QR code that I click and it basically opens a screen recording facility built into 1Password that captures the QR code on screen. Unfortunately, with Authy, you need the mobile application installed, logged in and authorised to be able to set up and scan via QR codes.

I would try and use the long setup token, too much faffing about to add the app.
 
On 2FA I would remove it from any Twitter accounts for now - got booted out of one of my verified ones as the 2FA SMS wasn't sending from Twitter's end, someone had the bright idea of turning off the microservices there apparently... !
 
On 2FA I would remove it from any Twitter accounts for now - got booted out of one of my verified ones as the 2FA SMS wasn't sending from Twitter's end, someone had the bright idea of turning off the microservices there apparently... !

Slightly off-topic, but I noticed Google reCAPTCHA was down the other day and that had a similar effect. Literally couldn’t get into any services that required captcha verification from Google, it was crazy.
 
