I had find an alternate way to set up 2FA using other methods than using an app, which I can't, or SMS, which is insecure. To explain this dilemma, I have a Yubi Security key (actually two) but you it seems you have to first set up 2FA using another method before you can add the keys.  Using SMS is insecure and I can't use a smartphone app because of the age of my (not so) smartphone.

On Fedora 29 and using Firefox I eventually found an add-on to Firefox that does what I want. This was of course after I had to search for and install, some native Linux app's to do the inital setup, both of which required getting the source from GitHub, and compiling one of them. The other was a Python script which just needed to be run.

The Firefox extension is https://authenticator.cc and is open source so should be relatively secure. It requires no dodgy permissions to access any of your files, which is also good.

Authorising with google requires a Chrome browser, once authorised Firefox will use 2FA and your Yubi security key.

Success then setting up 2FA for: github, gitlab, dropbox and google.

Twitter is being awkward and insisting on a phone number, which I don't want to give them as from what I've read it's maybe safer not to. Recent news about not trusting Twitter with my 'phone number supports this decision.

So how secure is all this? Surely if you use your smartphone and SMS as a backup then anyone can attempt to use that instead of your Yubikey and gain access the old fashioned way, yes? Dunno.

Last changed: 17. March, 2019 at 09:44

Comments