2FA or 2-Factor Authentication is a great security tool if you use an open source tool with method called TOTP. On the other hand, if you use Google Authenticator — or even worse, regular SMS texts — then it’s easy for predators to hack and surveillance you. The government and Google want to see what you’re doing, so if you not only show them, but verify your identity and physical location with an SMS SIM card, then you’ve become a bitch slave of the Empire. But if you really want to learn privacy, then subscribe for free to our new content by email, by Session messenger, via RSS feed, our Ethereum push notification channel, or on Nostr.
SMS 2FA Sucks
SMS texts are the easiest 2FA method for random hackers to compromise. There’s a technique known as SIM swapping which allows a hacker to switch SIM cards, so his or her device can receive your SMS texts. This can then be used to compromise your 2FA.
Also, SMS SIM cards leak your real exact physical location when it connects to a cellphone tower. In addition, you’ve given the mobile service provider the information to know what services or websites you’re using.
Another reason SMS 2FA is horrible is that the SIM card is often tied to your identity. And even if it isn’t directly under your KYC name, then by giving your physical location, someone can often infer your identity and see who’s standing next to you. Just from the phone number and SIM card, you’re now identified to the website or service just for 2FA security.
In summary, doing 2FA with an SMS SIM card is dramatically less private and less secure than TOTP. TOTP has no negatives, and we highly recommend it. If an annoying website or service demands SMS 2FA, then we recommend either a dedicated anonymous VoIP line or use of an online cryptocurrency SMS verify service.
We have articles on getting long-term anonymous phone service here.
And an article on temporary anonymous SMS verification services for cryptocurrency here.
Ditch Google Authenticator
Many websites asking for 2FA will not use the phrase “TOTP” and instead say “Google Authenticator.” Anytime that Google Authenticator is mentioned, any trusted open source TOTP will work. Websites request Google Authenticator because Google is better at marketing.
KYC is less secure
Often out of ignorance, people associate real identity verification as being more secure. But in reality this is untrue because once you associate an account with a real person, then social engineering, SIM card swapping, and identity-based password guessing become possible. In addition, the physical location of password databases can become known.
If you’re using an anonymous account, then purely the TOTP protocol and encryption method on the password system are relevant.
Reject large proprietary companies
Also many people, out of ignorance, favor technology services from large corporations because they assume them to be more secure. They presume that the large company can be trusted with their identity information.
In reality, large companies may be bureaucratic, enabling hackers to prey on their inefficiencies. For example, recently Uber and Rockstar Games were hacked with social engineering. The Uber hack released not only the financial information of customers but also to where the customers had traveled.
Google allegedly was hacked by Russians at the time Hillary Clinton aide Jon Podesta’s emails were released by Wikileaks. (If you believe it really was an internal leak and not a hack, then you’d be suggesting that the US government intelligence agencies lied?!)
Microsoft’s Password database manager for government accounts was hacked by Iranians. The local governments had to pay Bitcoin as ransom to get control back. This further demonstrates that large companies like Microsoft and Google can not be trusted to safely store your data or identity.
Reject Google
We do NOT recommend the use of omnipotent Google Authenticator for numerous reasons. First it’s not open source, so who knows what malicious tracking Google is doing. Google’s track record regarding privacy is piss poor, so why should you trust these malicious clowns?
Second, Google Authenticator will prevent you from getting the backup phrase which can be used to transfer the 2FA account to either a different authenticator phone app or a desktop client. The only thing that Google’s app will let you do is transfer the app to a different Google Authenticator account. So essentially Google has locked you into the Google ecosystem, and once you are dumb enough to use Google Authenticator, you can’t switch to an open source one without the website giving you a brand new backup phrase (which it may be unwilling to do and/or require KYC).
Third you want to avoid doing 2FA on a phone that you carry around. A phone is real easy to accidentally lose or be stolen; you might leave it in an unsafe place.
Conclusion
In our next article, we’ll learn how to do 2FA on a PC using KeePass XC. And if you really want to learn how to become a ghost, subscribe for free to our new content by email, by Session messenger, via RSS feed, our Ethereum push notification channel, or on Nostr.