Google Authenticator for 2FA

  • With today’s modern world where we should all be using password managers and authentication apps to further enhance our online security presence, it’s easy to fall into the trap of not being able to recover Google Authenticator if your device is lost or stolen.

    Whilst this sounds like a case of “it won’t happen to me”, never say never. Mobile devices are highly sought after in today’s world, and given that virtually everything we do online is from a mobile phone or tablet, it’s easy to become complacent. Sure, it’s available immediately if you need it, but what if you lose it?

    What could happen?

    Well, for one, you’ll be without your device meaning that if you rely on that same peripheral to access a password manager, or generate TOTP based 6 digit codes, you’re going to be in something of a “hole” to say the least. You can get access to most password managers via an online vault, but if that account you need to access was secured with 2FA or push authentication, and you no longer have the associated device, then you’re in for quite a rough ride without a means of recovery.

    This is where (for example, but not limited to) Google Authenticator will make you immediately fall on your sword if you don’t have copies of the backup codes, or the secure password seed used to create the pairing in the first place. Be honest - do you keep a record of backup codes? I’m guessing you don’t 🙂

    It’s not actually possible to quickly and easily backup Google Authenticator, or the codes generated by it. It’s a simple process to transfer to another phone, but ONLY if you have the old device. If your phone or tablet is lost or stolen, and you have no means of proving who you are, then you are, for want of a better phrase, royally screwed.

    The Solution

    DON’T rely on Google Authenticator. Yes, it’s free. Yes, it’s simple, but if you lose your device, then you’ll quickly find out just how much of an inconvenience this is. I switched away from Google Authenticator years ago in favor of AUTHY (now known as Twilio). Not only can you have multiple devices, but there is a recovery mechanism whereby you can get access to your data on another device by simply going through the recovery process. The one caveat here is that the recovery requests need to be manually reviewed and approved.

    I went through this same exercise around 4 years ago when my phone literally froze up, then died. I sent the phone back to the manufacturer who informed me that the device was completely dead (it was an LG - never again) and that they would be shipping a replacement. Great, but what about the 2FA codes etc.? As it’s an Android device, I simply pulled all of the settings back from my Google Account. However, getting the codes back into AUTHY meant I needed to go through the recovery steps.

    These are pretty simple, but you need to be able to answer security questions in order to proceed. Another great addition in AUTHY is that you are periodically requested to enter the backup passcode so that backups of all your accounts can easily be taken.

    A bit more information around that can be found here

    And here

    This article is from the same bunch who developed the Shield Security plugin for WordPress, and they provide the same stark warning as I do here ⚠

    Transferring out of Google Authenticator is a simple process, but requires re-enrolling your device via AUTHY (or another product) in each application or account you have secured.

    BitWarden and others have the ability to incorporate 2FA generation and security in their password manager apps for mobile devices. The huge benefit here is that this is replicated into the online vault, meaning the codes are also generated there, and you can still access your accounts without your phone. More info about that here.

    Don’t get caught out by sticking with Google Authenticator 😕

  • @phenomlab thanks for the tips…

    in today’s world, password managers are becoming a must… I personally use 1password, and I am glad that it is automatically adding 2FA to the login info…

    Before that, I was using an app on my phone but was worried about exactly the same thing you mentioned above… Gladly, password managers are keeping it synced across all devices…

  • @crazycells said in Google Authenticator for 2FA:

    password managers are keeping it synced across all devices…

    But not all of them sadly. In terms of Google Authenticator, the fact that the device cannot be “backed up” in the traditional sense is a pitfall you’d only realise once you’re in that particular situation - and then it’s probably too late.

  • Well… just on time…

    It looks like YUBIKEY 2FAs should be the gold standard from now on… but I am worried that I will lose my key… What happens in that case? Fortunately, I am using 1password. AFAIK their servers have never been breached before, and even if they are, since everything is only decrypted on my computer, the information on the server will not be useful for hackers… and additionally they have a $1 million bug bounty challenge…

  • @crazycells said in Google Authenticator for 2FA:

    What happens in that case?

    Not much, it seems - even according to Yubico themselves.

    And then there’s also this

    BitWarden has also yet to be hacked, and is also using device-only decryption - nothing is stored in the cloud. It’s worth noting also that Authy didn’t get hacked - Twilio, which owns them, was the direct victim. It was their weak security that exposed Authy 😕

    And this article from 1Password is biased, and actually unfair, as it relates to SMS passcodes, which are subject to SIM hijacking anyway - no matter what platform you use.

    Personally I wouldn’t pay much attention to that. It’s scaremongering if you are using TOTP, for example, as this will change every 30 seconds and is much stronger.

    @phenomlab yes, I think their source code is exposed… so, this is what could endanger the app in the future I guess…

    yeah, I prefer TOTP rather than SMS based 2FA, however, most of the time I cannot pick, because the website only offers one or the other type…

    Somehow, US government sites or US banks usually go with SMS based (which is very annoying), and they do not offer TOTP…

  • @crazycells yes, this is something I see on a daily basis and despite how shockingly simple it is to conduct SIM jacking, it seems that several of the USA based banks are reluctant to switch to at least TOTP in the same sense as the USA has been extremely slow to adopt chip and pin - something Europe has been making use of for years.

    And they wonder why cheque and wire fraud is rife in America.

  • 13 Votes
    30 Posts

    Here’s a small modification to the chatBanner function that will place the message just above the composer/reply component, meaning it is pinned at the bottom and always in view as a reminder. I’ve made this change to support the threadedChat I’m currently developing.

```js
// Chat message banner
function chatBanner() {
    var roomName = $("h5[component='chat/header/title']").text().trim();
    var bannerContent;
    if (roomName === "Testing 3") {
        bannerContent = '<div id="chatbanner">This message will fire for chat rooms with the title of "Testing 3"</div>';
    } else {
        bannerContent = '<div id="chatbanner">This session is for <strong>private discussion only</strong> between the chosen participants. Please do <strong>not</strong> place support requests here and create a <a href="#" onclick="app.newTopic();">new topic</a> instead.</div>';
    }
    var chatMessagesContainer = $('[component="chat/system-message"]:last-of-type');
    //var existingMessages = $('[component="chat/message"]');
    var existingMessages = $('[component="chat/composer"]');
    if (existingMessages.length === 0) {
        // If there is no composer, append the banner after the last system message
        chatMessagesContainer.first().after(bannerContent);
    } else {
        // Otherwise place the banner directly above the composer so it stays pinned in view
        // existingMessages.last().after(bannerContent);
        existingMessages.before(bannerContent);
    }
}
```

    There are only two changes here:

```js
var existingMessages = $('[component="chat/message"]');
```

```js
var existingMessages = $('[component="chat/composer"]');
```

  • 1 Votes
    1 Posts

    I got hit with this today. As I have a Pro subscription to Font Awesome, this allows me to use a much wider range of fonts. Unfortunately, NodeBB only seems to list the free fonts, so in order to use the Pro icons, you have to manually type the font name you want (leave the fa- part off, as it’s not needed).

    No issues, so I went ahead and typed in the name. Below is the result


    Now, despite the icon not showing here, it does once you save and reload the site. Great - problem solved then?

    Yes - until you want to change the icon back…

    Highlight over an unchanged icon, and you’ll see the mouse pointer change meaning there is a link behind it


    However, hover over one you’ve changed by typing in the value manually, and you’ll see the link is gone


    Panic stations… headless chicken… major cussing session… No - there is a way out

    Fire up the dev tools (F12 for console), and press the select tool. Now select the element with the missing link


    In the resultant element list, follow the HTML until you reach


    `change-icon-link hidden`

    Now delete the `hidden` part, so you are left with just `change-icon-link`, and press enter.

    You’ll see that the alt text appears for the image, which is enough for you to be able to click the anchor and change the icon.



    There you go. Now enjoy how smug you feel that you’ve sorted this problem yourself 🙂

  • 3 Votes
    6 Posts

    Seems like Google is finally crawling this site. And, “crawling” in the sense that it’s still extremely slow …

  • 3 Votes
    5 Posts

    @DownPW Same here.

  • 2 Votes
    2 Posts

    As an aside to this, there is also the tasklist command, which will provide a list of processes running on your machine, or a remote machine you are looking to query.


    There is also a useful list of switches below, plus the ability to format into a table, or CSV.

  • 2 Votes
    3 Posts

    @DownPW odd indeed. Looks like it’s spawning, immediately dying, then spawning again.

  • 4 Votes
    2 Posts

    @phenomlab this is useful 👍 thanks

  • Invalid CSRF on dev install

    Moved Solved Tips
    2 Votes
    1 Posts

    I wanted to create a DEV instance of sudonix, so went ahead and registered, installed NodeBB, then recovered the database.

    All good - apart from the fact that I consistently got the dreaded csrf invalid message… 😠

    Here’s the log extract:

```
2022-03-21T14:15:25.859Z [4571/91294] - info: Initializing NodeBB v1.19.5
2022-03-21T14:15:27.761Z [4571/91294] - info: [] Restricting access to origin:*
2022-03-21T14:15:27.858Z [4571/91294] - warn: [plugins] "@nodebb/nodebb-plugin-user-level" is active but not installed.
(node:91294) Warning: Accessing non-existent property 'padLevels' of module exports inside circular dependency
(Use `node --trace-warnings ...` to show where the warning was created)
2022-03-21T14:15:28.637Z [4571/91294] - warn: [plugins/load] DEPRECATION The hook has been deprecated as of v1.15.3, and slated for removal in v2.1.0. Please use instead. The following plugins are still listening for this hook:
	* nodebb-plugin-write-api
2022-03-21T14:15:28.724Z [4571/91294] - info: [plugins/spam-be-gone] Settings loaded
2022-03-21T14:15:28.734Z [4571/91294] - info: [reputation-rules] settings loaded
2022-03-21T14:15:28.925Z [4571/91294] - info: [api] Adding 4 route(s) to `api/v3/plugins`
2022-03-21T14:15:28.936Z [4571/91294] - info: [router] Routes added
2022-03-21T14:15:28.947Z [4571/91294] - info: NodeBB Ready
2022-03-21T14:15:28.948Z [4571/91294] - info: Enabling 'trust proxy'
2022-03-21T14:15:28.950Z [4571/91294] - info: NodeBB is now listening on:
2022-03-21T14:15:47.488Z [4571/91294] - error: [plugin/iframely] Could not parse embed: Failed to lookup view "partials/iframely-widget-card" in views directory "/home/".
Url:
Missing translation "2factor:title" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_unsolved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:topic_solved" for language "en-GB"
Missing translation "qanda:menu.solved" for language "en-GB"
Missing translation "qanda:menu.solved" for language "en-GB"
2022-03-21T14:15:48.899Z [4571/91294] - error: POST /logout invalid csrf token
```

    Tried clearing cache, no dice. Tried incognito mode, no dice.

    After some significant head scratching, it suddenly dawned on me that the cookie domain would need to be reset as this is a PROD database replica in a new domain.

    To do this:

    1. Open the mongodb console
    2. Select your database - in my case:

```js
use sudonixdev;
```

    3. Issue this command:

```js
db.objects.update({_key: "config"}, {$set: {cookieDomain: ""}});
```

    4. Restart nodebb

    Problem solved - able to login 🙂