October 14, 2021

Twitch underwent a breach losing all of its user data. Now people are starting to talk more about MFA, but is MFA really that reliable?

I use Google Authenticator because I don’t trust Authy or literally any other company to keep the 2FA backups safe. But is it still ok to put all my trust in Google Authenticator and rely on it as the last resort in case all goes wrong? Is it not possible to somehow have access to my dynamic TOTP (that keeps changing every 10 sec) and use the password and user ID that someone got from a breach to log in to my Twitch? I personally don’t know much about the underlying algorithms of a time-based OTP app, but I want to know if, by installing spyware or a RAT or any other kind of malware, someone can just steal the shared seed phrase (the gibberish phrase that the websites give you to create these 2FA tokens in your authenticator apps). As far as I know the G-Auth app stores the shared seed phrase locally and, using the current time, gives me a new OTP every 10 seconds which can be used to log in to my accounts together with the password. If the G-Auth app doesn’t store it in an encrypted state then spyware should be more than enough to steal the seed phrases and have these accounts accessed by anyone anywhere anytime. I mean even companies like Twitch who host these accounts also need to store the seed phrase locally on their servers so they can match and confirm the TOTP that I enter during login. Wouldn’t the attacker also gain access to these seed phrases during such a fatal breach? (I mean their source code was leaked; I don’t see why the seed phrases would be kept any more securely.)

After thinking about all these possibilities, is buying a hardware key (like Yubico or something) the only feasible option in case you’re super paranoid and want to do everything humanly possible to keep your digital life secure?

Comments

k_rock923

MFA with a hardware token (Yubikey, etc.) is pretty reliable – for the problem of MFA.

The “unreliable” piece is thinking of MFA as anything more than *one* security layer.
