Why you shouldn’t scan two-factor authentication QR codes!
Scenario 1. Thief found a home safe key in a park with a full house address labeled on the key. All he has to do is find a way to break into a victim’s house and unlock a safe box with this key. Not a big deal for a professional thief.
Scenario 2. Now let’s take the same situation but without an address on a key. Thief will be stumped trying to figured out the owner. Thief might get access to outdoors cameras or stay around in the park for a few weeks to figure out regular visitors hoping that some of them lost the key. But anyway thief will have to break into a few houses in order to find a target safe. And by the time he does it, there should already be a new safe box with a new key.
The difference between these scenarios is that in the second one a potential victim didn’t expose sensitive information to a public that can compromise a system. That brings us to the main point of this article.
You shouldn’t scan 2-factor authentication (2FA) QR codes if:
- security is your primary goal for using 2FA and not just a company requirement
- you use separate email addresses for different aspects of life (personal, work, banking, etc)
- you don’t use both your computer and a mobile device to log into same services.
Here is a deal, most services that allow 2FA also include completely unnecessary data in their QR codes like domain name and your email address.
But in order to log into your account, all you need is any TOTP-generator app and an appropriate secret key. That’s all. So all additional data becomes a security vulnerability that can be exploited.
Spoiler: if a service says that it supports Google Authenticator for 2FA, it actually means that you can use any TOTP (Time-Based One-Time Password) app like Authy, Authentication Plus, FreeOTP, LastPass, etc.
Warning: be careful with Authy’s “multi-device” feature, because it can introduce some risks.
The problem is that after scanning 2FA QR code most authentication apps:
- don’t allow you to change both domain name and email address
- or they allow to change only email address but not a domain name
- or they allow to change both of them, but there is an option to reset it to default values, which can be exploited.
Now imagine that you’ve lost your phone or installed some malicious software that exposed your data to a potential hacker.
Scenario 1. A hacker will get your 2FA secret key with a domain name and an email address, so all he has to do is break or intercept your password.
Scenario 2. Now let’s take the same situation but without a domain name and email address in your authentication app. So before breaking your password hacker will have to find out a domain name and your email address which will dramatically slow him down. If you didn’t expose that email address elsewhere, hacker might even give up on you (unless you are a really big fish).
So the only benefit of having a domain name and an email address to be written down in the authentication app is that you won’t forget them, but that’s a questionable benefit unless you have 50 different accounts with 2FA enabled. And don’t forget that you can always add custom notes that don’t expose your email addresses.
Now when we agree not to scan 2FA QR codes, let’s think how can we enable 2FA without introducing potential security vulnerabilities.
Most services provide secret key together with QR code, so you can just type in this key into your authentication app and use appropriate settings if your app requires that. In most cases default settings will be good to go:
- Time-based (TOTP)
- 30 seconds interval
- 6 digits passcode
- SHA1 algorithm (has been broken in 2017, but is still used for TOTP)
Warning: don’t forget to save your secret key in a safe place because you will need it again when changing or losing a mobile device.
Already scanned QR codes
If your primary goal is security, then it’d be better to add again your existing accounts to your authentication app using only security keys and custom notes and delete old ones after making sure that both show same passcodes.
There is no security key
Some services show only QR code without any secret key when user tries to enable 2FA. That’s a very questionable decision, but those companies probably have their own reasons.
Here are a few workarounds depending on a level of security that you want to achieve:
You can use any QR reader because typical 2FA QR code is nothing more but an URL with domain name, email address and a secret key. After scanning you can just manually type a secret key into your authentication app so it won’t store any unnecessary data.
Example of scanning this typical 2FA QR code with any QR reader:
So you just need to type HXDMVJECJJWSRB3H into your authentication app. And it’s case-insensitive, so you can use hxdmvjecjjwsrb3h as well.
But your mobile device can already be compromised and will send data to a potential hacker after scanning a QR code with a QR reader. If that’s a possibility, then you can use your friend’s device to scan a 2FA QR code with any QR reader and manually type a secret key into authentication app on your device. But that still will expose your data to a potential hacker if your friend’s phone was compromised.
So if you are a secret agent, activist, rich businessman, politician, popular actor or just overly paranoid bitcoiner, then you need an ultimate solution:
- Register a fake email address that doesn’t require a mobile verification
- Open a desired service where you want to enable 2FA
- Change your real email address to a newly created fake one
- Click to enable 2FA and get a QR code
- Take your friend’s phone
- Get any QR reader app that doesn’t save history
- Make sure that QR reader has access only to your camera
- Turn on an airplane mode
- Scan a QR code with your friend’s phone
- Write down a 2FA secret key
- Clear app cache on your friend’s phone
- Delete that QR reader app
- Type a 2FA secret key into an authentication app on your phone
- Add custom notes that don’t expose a domain name or an email address
- Enable 2FA at a desired service with a passcode from authentication app
- Change a one-time fake email address back to your real email address
- Turn off an airplane mode on your friend’s phone
- Clap up to this article and get some rest (you need it)
In this case even if a potential attacker will get your secret key and a domain name from your friend’s phone, he still won’t have your real email address, because you changed it to a fake one while requesting a 2FA QR code.
Fully compromised, but still safe
Here is a funny thing, if you follow recommendations above, you will add an extra level of security, so you might be pretty safe even with both computer and a mobile device being compromised until you keep them separate.
One hacker can have an access to your mobile device and thus have all passcodes, but he won’t be able to break into your accounts without knowing domain names, email addresses and passwords.
Another hacker can steal all the credentials from your computer, but he won’t be able to bypass 2FA step without having access to your 2FA passcodes.
One-time recovery codes
Previously it was important to keep your one-time recovery codes when using hardware offline authentication tokens like RSA, because there was no other easy way to log into your account in case of a token lost. I even memorized a few of them in case of emergency. But that was a long time ago.
Since we decided to manually enter 2FA secret keys instead of scanning QR codes, then there is no real need for recovery one-time codes anymore.
In case of a phone lost, you just need to find any other TOTP-generator app on any device (including PC), then type in your carefully saved 2FA secret key and get a passcode as usually. Then don’t forget to disable and re-enable 2FA with your new phone.
But if a service gives you one-time recovery codes, you can still save some of them is case of an extreme situation when you have to access your account in a public without exposing your authentication token or something like that.
Just don’t forget that recovery codes are also a security vulnerability ;)
Just a few hours ago everything was fine, but now I see a number which is equal to ~10% of my initial balance that I…medium.com
If you found this article useful, help make a world a bit safer place by 👏 clapping (you can clap up to 50 times).