2FA safety (Google Authentication, Authy etc)

Hello everyone. Could you please tell me, is it safe to have such 2FA applications on your clearnet device and use them for authentication on .onion resources or other clearnet sites that you want to keep secret from your real identity? As far as I understand, the 2FA key given by the resource you use is the only information that these applications have. It's impossible to trace the origin of such a key, which site it belongs to or the exact account on that site unless you name it something like “Joe’s amazon account” and someone directly tracks your 2FA app and finds it out. In that case, I don't see any real problem using it, but maybe I’m missing something crucial?

Possible de-anonymization when using the following apps on a non-torified device:

  • authy requires an internet connection
  • Symantec VIP requires an internet connection

Google authenticator desktop application replacement:

KeePassXC can be used as a replacement for Google Authenticator (actually TOTP, Time-based One-Time Password) on desktop computers on Windows, Qubes OS (recommended), Linux (recommended) or Mac.

Bad idea using third party services for 2FA or anything that requires anonymity.

2 Likes

It’s common sense. If you involve a third party in anything it’s very likely they know who you are despite torifying. That makes 2FA location hidden, not pseudonymous and definitely not anonymous.

Physapp via Whonix Forum:

Thank you for your reply. I’ve read this before, it says that an internet connection can somehow lead to de-anonymization, but it's still unclear to me how it could be possible in that particular situation. I mean, it's OK if Authy knows my IP when it's impossible to recognize the origin of the 2FA token I’ve got in my app’s account. Maybe I don’t understand something, so could you explain it in detail, please? Torification is good, but I’m looking for a rational solution, not a paranoid one.

Both the service you sign up to and $authy or similar are involved in account creation. The service you sign up to has your (torified) IP address, account name, password, 2FA secret. $authy or similar has your non-torified IP address and 2FA secret. So it’s not hard to link these two together if the service you sign up to and $authy or similar cooperate.

It’s a really bad idea to combine a pseudonym used in a torified workstation with any device or VM that can do lower-assured torified or non-torified connections.

If you want anonymity with 2FA then I’d recommend not using proprietary apps like Google Authenticator or Authy.

If you use Android then I’d recommend andOTP. It doesn’t require an internet connection or creating an account as everything is stored locally.

1 Like