Most PRIVATE 2FA apps

00:00

2fa is essential for securing your

00:02

accounts it's where you add a second

00:04

verification method for your account so

00:06

that even if someone gets access to your

00:08

password there's still a barrier

00:10

stopping them from accessing your

00:12

account one popular 2fa method is an

00:15

authenticator app but some of the most

00:17

well-known authenticator apps are

00:20

actually collecting more data about your

00:22

activities than you may realize in this

00:24

video we're going to dive into what kind

00:26

of information they're collecting how to

00:28

give these apps less information when

00:30

you use them and we're also going to

00:32

explore some more private 2fa apps that

00:34

are also open source let's quickly recap

00:37

how 2fa authenticators or trtp apps work

00:40

basically in your account settings you

00:43

might have an option to add 2fa via an

00:45

authenticator app when you select this

00:47

option the website will give you a

00:49

secret seed either in the form of a long

00:51

string of digits or in the form of a QR

00:54

code that has that long string of digits

00:56

embedded in it you need to somehow enter

00:58

the code into the app and there are two

01:01

options either you enter it manually or

01:03

you scan the code talal and Tommy form

01:05

the security and privacy research Duo

01:07

misc and they explain to us that your

01:09

2fa app will take this seed combine it

01:12

with the current time and feed it into

01:14

an algorithm that spits out a new short

01:16

code every 30 seconds or so which you'll

01:19

type into the account website meanwhile

01:21

the account you're securing like your

01:23

Twitter or email will also have a copy

01:26

of that secret on their servers when you

01:28

try to authenticate they'll feed their

01:30

secret into an algorithm on their end

01:32

combined with the current time and also

01:34

spit out a code if the codes match then

01:37

you're in if not it would just reject

01:39

your call the 2fa app servers shouldn't

01:41

ever get access to your secret seed

01:43

really all the apps should be doing is

01:46

just some computation locally on the

01:48

device involving your seed in the

01:50

current time and spitting out codes for

01:52

you the app can functionally operate

01:54

perfectly without internet but it turns

01:57

out that some 2fa apps are doing more

01:59

than this sending all kinds of

02:01

information back to their servers in our

02:03

last video we showed you some malware

02:05

2fa apps that were actually stealing

02:08

your secret seed so that hackers could

02:09

access your 2fa codes too in this video

02:12

we're going to talk about a different

02:14

threat apps that aren't stealing your

02:16

codes but are collecting extra data

02:19

around your activities which a privacy

02:21

conscious person should be aware of it

02:23

is pretty much industry standard at this

02:25

point that each app has its own

02:27

analytics system they often use common

02:30

services such as Google Firebase there's

02:33

app center for Microsoft these analytics

02:35

aren't necessarily nefarious but are

02:37

they appropriate for something like a

02:39

2fa app when it comes to security tools

02:41

like authenticator apps anything you

02:44

would consider to be pretty private we

02:46

don't want to see analytics in it and if

02:49

there are analytics we want the option

02:50

to disable analytics for me it's very

02:52

sensitive that the app would send for

02:54

example the services that you're dealing

02:56

with so if you have an Amazon account

02:58

Twitter account Facebook account and

03:00

then it would link the services that you

03:02

use with your identity the misc team

03:04

analyzed the network traffic from the

03:06

most popular 2fa apps to find out what

03:08

information each was collecting and

03:10

which app was the most private we would

03:12

see if the app is sharing more

03:14

information more analytics than it is

03:16

required let's start with authy a

03:18

popular 2fa authenticator app that it

03:20

turns out collects a lot of information

03:23

from you to be able to use authi you

03:25

have to supply your email this is the

03:28

first thing that they request when you

03:29

open the app for the first time you need

03:31

to give your phone number and you need

03:32

to verify your phone number and when you

03:34

create your account they give you an ID

03:36

called S auth ID the user can see that

03:39

this ID belongs to them after the

03:41

verification of course this ID is going

03:43

to be tied with your email and your

03:46

phone number then there's the analytics

03:48

that's sent to all these servers and

03:50

there's a lot device information like

03:52

device type OS version but there's also

03:55

more sensitive information they are

03:57

collecting information about the

03:59

services that you use and they know

04:01

which accounts types you already have

04:03

Google is the service of the token that

04:06

we scanned during this experiment and of

04:08

course

04:10

can't go using whether it's Google or

04:12

Twitter or something else with your user

04:15

ID this data analytics that we see in

04:17

here this is not anonymous because it is

04:19

associated with the Sid and the SIDS

04:22

associated with the email and the phone

04:24

number which are already personal

04:26

information they are able to keep track

04:28

of what their own users are doing within

04:30

their own apps we don't think security

04:32

tools such as authenticators should be

04:34

using analytics and if the vendor really

04:36

wants to add analytics we believe it

04:38

should be anonymous in this case we can

04:40

see that these analytics events do

04:42

contain a unique identifier that can be

04:45

tied back to the user's account with

04:47

authy at least give the option for users

04:49

to disable analytics and all fee doesn't

04:51

there was no option in the app to turn

04:53

this off now do we think that authy is

04:55

using this information for some Grand

04:57

conspiracy of linking all the platforms

04:59

someone uses together in a giant

05:01

centralized database probably not if I

05:03

were to speculate they just really want

05:05

to know overall what are the more more

05:07

popular accounts how are users using

05:10

their app and so on typically analytics

05:12

it's not malicious it's just something

05:14

that

05:15

is pretty much industry standard at this

05:17

point we just have strong opinions about

05:19

which apps should be using analytics and

05:22

how analytics should be anonymous and

05:24

not user identifiable but even if there

05:27

is no Grand conspiracy I'd prefer that

05:30

an app not know which platforms I'm

05:32

using or what my phone number and email

05:34

address are authy is a very talkative

05:37

app meaning it sends data back to its

05:39

servers frequently if you're privacy

05:41

conscious it might not be the best app

05:43

for you now let's look at Microsoft

05:45

authenticator another popular 2fa app

05:48

the first thing to note about Microsoft

05:49

authenticator is that they mandate you

05:51

allow Microsoft to collect your data

05:53

before you can use their authenticator

05:55

if you decline to share your data they

05:58

tell you that you can't use the app not

06:00

a great start so what data do they want

06:02

from you there's information about your

06:04

device OS version they're even

06:06

collecting which mobile operator you use

06:08

so they mapping who your sell provider

06:11

is yes they're using something called

06:13

App Center to collect this starter which

06:16

is an Analytics tool developed by

06:18

Microsoft this is one of the standard

06:20

things that App Center collects it does

06:22

collect carrier information there's also

06:24

General usage data as in your behavior

06:26

each button clicked how you use the app

06:28

and on top of that Microsoft 2 collects

06:32

which platforms you're using you can see

06:34

here in the analytics proton which is

06:36

the account linked in this test

06:38

Microsoft is also contradictory

06:40

regarding whether all these analytics

06:42

are personally identifiable according to

06:44

the app's privacy label data collected

06:46

is linked to your real identity but then

06:49

in the app settings it says that the

06:51

data collected is non-identifying let's

06:53

take a look at the actual identifiers

06:55

they collect so that we can figure out

06:57

which one is true first there's the Sid

06:59

which is an ID that changes with each

07:01

session that would suggest that it might

07:04

be randomly generated and not personally

07:06

identifiable but they also collect

07:08

something called your shared device

07:10

identifier which is a persistent ID that

07:13

would allow them to aggregate analytic

07:15

across sessions if Microsoft links the

07:18

shared device identifier ID to the

07:20

user's identity then all these analytics

07:22

become identifiable but as you notice

07:24

there is an option for you to turn data

07:27

sharing off what happens if we toggle

07:29

that off we switched the analytics off

07:31

and we run the experiment again and we

07:33

saw that this information is being sent

07:35

nonetheless now the amount of data was

07:36

was reduced for example the app stopped

07:39

sending General usage data like she

07:41

clicked here scrolled here Etc and they

07:44

stopped sending which platform you're

07:45

using like proton Twitter Etc but they

07:48

are indeed still sharing data like your

07:51

device information your phone carrier

07:53

and they're even still collecting your

07:55

persistent shared device identifier that

07:58

was the interesting part about the

08:00

Microsoft authenticator because you

08:01

switch the usage data off yet it sends

08:04

this thing these apps they're still

08:06

sending analytics even though the user

08:08

has opted out from analytics this is

08:10

still a lot of information for no

08:12

analytics so if you're one of those

08:13

great busy people who thinks that opting

08:16

out of data sharing should actually opt

08:18

you out of data sharing Microsoft

08:20

authenticator probably isn't the best

08:22

choice for you now let's look at Google

08:24

Authenticator this was a tricky one when

08:26

analyzing the app traffic to the misc

08:28

team it appeared that Google was not

08:30

collecting activity from within the app

08:32

your behavior inside the app was not

08:35

being communicated to Google servers we

08:37

couldn't detect anything about what kind

08:39

of service you're scanning or how many

08:41

services for example if you add multiple

08:43

accounts one from Amazon the other one

08:45

from Google another from Twitter

08:46

Mastodon it would not share this

08:48

information with Google Google did send

08:50

some things like crash reports but other

08:52

than that we were surprised to see that

08:54

actually it doesn't seem to send

08:56

anything indeed surprising behavior for

08:58

a company that is renowned for

09:00

collecting as much data about users as

09:02

it can and it also seems to contradict

09:04

what is self-disclosed in their privacy

09:06

label if you were to look at the Privacy

09:08

label on the App Store they do mention

09:10

that the dual link usage data and

09:13

identify some Diagnostics during account

09:14

and hence to a user's identity but

09:17

Exodus privacy confirmed that they too

09:19

found no trackers in Google

09:20

Authenticator they did say that they did

09:22

a static analysis of Google

09:23

authenticators APK which stands for

09:26

Android package kit and is the file

09:27

format used by Android to distribute and

09:30

install applications and in this

09:31

analysis found tracker signatures but

09:34

this is not proof of activity of these

09:36

trackers on the other side of things the

09:38

application could contain trackers that

09:40

Exodus privacy doesn't know about yet

09:42

they do associate this thing with a

09:44

cookie ID which is shared among all the

09:47

Google apps that you have installed on

09:49

your iPhone and there might be other

09:50

tracking methods that we're missing

09:52

there are ways to do this especially if

09:54

you have multiple Google apps installed

09:56

on your phone so while Google

09:57

Authenticator actually seems okay tread

10:00

carefully because Google has a terrible

10:02

track record when it comes to tracking

10:04

users now let's look at some more

10:06

private alternatives for your 2fa app we

10:08

explored a bunch of Open Source options

10:10

to see how they compare free OTP is a

10:13

popular open Source trtp app developed

10:16

by Red Hat it's available for both

10:18

Android and iOS devices and supports

10:20

multiple accounts free OTP is available

10:23

on the Google Play Store F Droid and

10:25

Apple App Store there's also a fork of

10:27

it called free OTP plus that allows you

10:29

to export or import settings to Google

10:31

Drive has a more modern UI and also

10:33

allows biometric or pin authentication

10:36

to secure the app Exodus privacy said

10:38

that they found zero trackers in freeotp

10:41

and the misc team confirmed that they

10:43

couldn't detect any network traffic

10:44

according to the privacy policy of

10:46

freeotp they do not collect any data

10:49

from your mobile device and permissions

10:50

are very narrow in how they're used free

10:53

OTP seems like a solid choice for an

10:55

authenticator app next we have Aegis

10:57

authenticator another open source totp

11:00

app this is only available for Android

11:02

but has some good qualities including a

11:04

built-in QR code scanner Aegis

11:06

authenticator is available on both the

11:08

Google Play Store and F Droid and the

11:10

totp secrets are stored in an encrypted

11:13

Vault for added secure ready Aegis also

11:15

has biometric support and integration

11:17

with Guardian projects Ripple which

11:19

allows you to delete the Vault if you

11:21

hit the panic button which is a really

11:23

cool feature Exodus privacy reports that

11:25

they found zero trackers in Aegis and

11:27

the misc team confirmed in their testing

11:29

that Aegis doesn't send any trackers the

11:31

Aegis privacy policy states that they

11:33

don't collect any data from your device

11:35

and that the usage of the camera

11:36

permissions is narrow Aegis is another

11:39

solid choice for an authenticator app if

11:41

you're on Android and OTP is another

11:43

free and open source totp app and as its

11:46

name implies it is also Android

11:48

exclusive one thing to note is that it's

11:50

no longer actively maintained as the

11:52

developer doesn't have time but many

11:54

still say that it's a good choice for an

11:56

authenticator app and it also has zero

11:59

trackers and doesn't collect any data

12:01

use unmaintained code at your own risk

12:03

we also looked at 2fas another open

12:05

source two-factor authenticator that is

12:08

available for both IOS and Android but

12:10

according to Exodus privacy reports it

12:12

does contain trackers the misc team

12:15

confirmed this that it sends for example

12:17

frequent Google analytics data but

12:19

according to them it's nothing really

12:21

sensitive in terms of all the different

12:23

2fa product choices now that you have

12:25

more information about how they do or

12:27

don't use your data you can pick the app

12:29

that you feel best aligns with your

12:31

personal privacy and security stance and

12:34

this is going to vary from person to

12:35

person some people will choose to go

12:37

with the most well-known products

12:39

because they want to avoid any

12:41

lesser-known apps that might be scams if

12:43

they're not too bothered by analytics

12:45

data then it's not necessarily a lower

12:49

security option for them if you're more

12:51

careful you really don't want any

12:53

analytics data then yes something like

12:54

an open source solution that you trust

12:56

that you vetted that others have vetted

12:59

would be a better option because you

13:01

know that they're not sending analytics

13:03

data because you can actually see what

13:05

the app is doing and just because

13:06

something is open source it doesn't make

13:08

it immediately trusted so don't just

13:10

choose an app because it says that it's

13:12

open source make sure that it's well

13:14

vetted and has a good reputation there

13:16

are many open source options out there

13:19

the thing is that once you publish your

13:20

app to the store it's very hard to

13:22

verify that the code which is open

13:24

source is the same as the code that you

13:26

submitted to the store the final part of

13:28

this video is on how to decrease the

13:30

amount of data you send off regardless

13:32

of which app you choose when you first

13:34

input into your 2fa app the string of

13:37

random digits that is your secret seed

13:39

you can choose to type it in manually or

13:41

to scan a code that has the seed

13:43

embedded in it that's secret seed it's

13:45

long it's hard to type and stuff so this

13:47

is why they use QR code it's very

13:49

convenient to just scan with the camera

13:51

and then you get the C to your app so if

13:53

you trust the app and you want to let it

13:55

access your camera scanning might be a

13:57

good option but there's actually all

13:58

kinds of other data that might have been

14:00

added to that QR code you can't tell

14:03

just by looking at a QR code what data

14:05

or instructions are actually embedded in

14:07

it but if you really want to you can

14:09

actually just use any QR code scanner

14:12

app and see what's actually in the QR

14:13

code in a typical QR code for one of

14:16

these 2fa apps there's usually standard

14:18

information about your account that will

14:20

allow the app to easily autofill the

14:22

descriptions your username normally is

14:24

included inside the QR code your data

14:27

and login screen and service and issue

14:29

and all these things they are inside the

14:31

the QR code this is optional data for

14:34

you so that you know that this C that

14:36

you're scanning to which account it

14:37

belongs and which issuer has issued this

14:40

code but you can change it you can

14:41

delete it it's no problem it is really

14:43

optional so if you're using an app that

14:45

you know will send this information back

14:47

to their service you can actually edit

14:49

the information in the QR code and

14:51

create a new one before scanning it into

14:53

the app or another option is just typing

14:56

in the seed manually in which case no

14:58

other information will be Auto filled

15:00

you'll have to type it in manually too

15:01

when you enter the code manually they

15:03

prompt you to ask you what is this code

15:06

for because you would be confused if you

15:07

only have the secrets they do pile up

15:09

after a while of using them by inputting

15:12

this information manually you can choose

15:14

exactly what information you want the

15:16

app to have in theory if you have your

15:18

own way of distinguishing between the

15:20

various codes and the various accounts

15:22

that you have that would be one way to

15:24

obfuscate that this code belongs to

15:26

Twitter that code belongs to Instagram

15:28

and so on instead of having that

15:30

information in the QR code itself this

15:32

would result in a marginal difference in

15:34

privacy but that difference might be

15:36

important a privacy conscious people who

15:38

choose to opt out of this data

15:40

collection but importantly manually

15:42

inputting your seed also allows you to

15:44

easily make a copy of that seed which is

15:46

essential in case you ever lose your 2fa

15:49

app so I highly recommend manual input

15:51

anyway so here are our main takeaways

15:53

when using 2fa one you should absolutely

15:56

have 2fa on your accounts whenever you

15:58

can two be careful which 2fa app you

16:01

download because some of them are

16:03

outright malware three out of the

16:05

legitimate apps you have the option to

16:07

choose one that doesn't collect Donna

16:08

about you and there are a lot of

16:10

established and well-regarded options

16:12

for you to choose from four whichever

16:14

app you choose make sure you download

16:16

the right thing there are lots of

16:18

copycats out there that will pay to be

16:21

the first option in search results when

16:23

in doubt find the real app from their

16:25

legitimate website first and link to the

16:27

App Store from there and five wherever

16:29

possible opt to use a security key as

16:32

your 2fa method instead of an app

16:34

because security keys are the most

16:36

secure form of 2fa out there we have a

16:38

whole video explaining how they work if

16:40

you want to take a look 2fa is an

16:42

essential part of your privacy and

16:44

security setup and it's important people

16:46

know that they can make more private

16:48

choices with these if you were to ask

16:49

them do you want to be tracked most

16:51

people would say no they don't want to

16:53

be tracked by knowing which Tech in our

16:55

lives is tracking us and collecting our

16:57

data we can make more informed decisions

16:59

about which products and services we

17:01

decide to use you can make the choice

17:04

that's right for you nbtv is funded by

17:06

community support if you'd like to

17:08

support our free educational content

17:10

please visit nbtv.media support or check

17:14

out our eBook The Beginner's

17:15

introduction to privacy which also

17:17

supports the channel or even just liking

17:19

sharing commenting on and subscribing to

17:21

our content also really helps us thank

17:24

you so much for watching through till

17:25

the end click here to receive your

17:27

access code to Twitter well I don't

17:29

remember requesting an access code to

17:30

Twitter but let me click on this random

17:32

link anyway