Most PRIVATE 2FA apps
Summary
TLDR
Using two-factor authentication (2FA) is fundamental to securing our accounts, adding an extra layer of security. However, some of the best-known authenticator apps collect more information about our activities than many users might imagine. This video explores what kind of information these services collect, how we can limit the information we hand over, and presents more private, open-source 2FA app alternatives. It analyses data collection in popular apps such as Authy and Microsoft Authenticator and compares them with more private solutions such as FreeOTP, Aegis and andOTP. It also offers advice on entering the 2FA secret seed manually to keep more control over the information we share, and stresses the importance of choosing 2FA apps that respect our privacy and security.
Takeaways
- 🔒 **Account security:** 2FA is essential for protecting your accounts, adding a second layer of verification.
- 📱 **Authenticator apps:** Some well-known authenticator apps collect more data than expected.
- 🕵️♂️ **Privacy:** It is important to be aware of what information these apps collect and how you can limit that collection.
- 📈 **Analytics in apps:** Apps use analytics systems, which may not be appropriate for a private security tool.
- 📱 **Authy:** A popular app that collects personal information and details of the services you use.
- ❌ **Failed opt-out:** Despite options to disable analytics, some apps keep sending data.
- 🤔 **Google Authenticator:** Does not appear to share information about usage of the service, although Google is generally known for tracking users.
- 🌟 **Private options:** More private open-source alternatives exist, such as FreeOTP and Aegis Authenticator, which do not collect data.
- ⚙️ **andOTP:** An open-source, Android-only option that, although no longer actively maintained, is still considered safe.
- ⚠️ **Beware of tracking:** It is essential to know how 2FA apps handle your personal data.
- 🔑 **Security keys:** Security keys are the most secure form of 2FA and are recommended over apps.
Q & A
Why is using 2FA essential for protecting accounts?
-2FA is essential because it adds a second verification method to the account, so that someone who has your password still cannot get into your account without the second authentication factor.
How does a 2FA authenticator app work?
-A 2FA authenticator app takes a secret seed provided by the website, combines it with the current time and feeds it into an algorithm that generates a short code every 30 seconds. That code must be entered on the account's website to authenticate.
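The seed-plus-time computation described above is standard TOTP (RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the video or from any of the apps discussed, showing both halves of the exchange: the app side generating a code from the seed and the clock, and the website side recomputing the code and accepting a small clock-drift window. It needs no network at all, which is the point the video makes: a well-behaved authenticator has no reason to talk to a server. The seed is the RFC reference secret, base32-encoded the way sites hand it out for manual entry; `EXAMPLE_SEED`, `decode_seed`, `totp` and `verify_totp` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example seed: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way a website shows it for manual entry.
EXAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Turn the base32 seed shown by the website into raw key bytes.
    Sites often print it lowercase, in groups of four, without '=' padding."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (the app side): the HOTP counter is the number of
    `step`-second intervals since the Unix epoch, so the code changes every 30 s."""
    if at is None:
        at = int(time.time())
    return hotp(decode_seed(seed_b32), at // step, digits)


def verify_totp(seed_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """The website side: recompute the code for the current interval and
    `window` intervals either side to tolerate clock drift. Every candidate is
    compared in constant time, and the loop never exits early."""
    if at is None:
        at = int(time.time())
    key = decode_seed(seed_b32)
    counter = at // step
    accepted = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            accepted = True
    return accepted


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SEED, now)
    print("app shows:", code, "-> site accepts:", verify_totp(EXAMPLE_SEED, code, now))
```

Both sides hold the same seed and the same clock, so nothing beyond the six digits ever needs to leave the phone; an app that sends more than that is doing so for reasons unrelated to generating codes.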
Why should I care about the privacy of my information if I use a 2FA authenticator app?
-Some 2FA authenticator apps collect more information about your activities than you might imagine, which can affect your privacy if that information is sent back to the app's servers.
What information do some of the most popular 2FA authenticator apps collect?
-Some apps collect sensitive information such as device type, operating system version, information about the services you use and details of the accounts you have, which could link your services to your identity.
What is Google Firebase and how does it relate to data collection in 2FA authenticator apps?
-Google Firebase is a common service used for analytics systems in apps. It collects data that is often not malicious but that may not be appropriate for a security tool such as a 2FA authenticator app.
What is Authy and what information does it collect?
-Authy is a popular 2FA authenticator app that collects a large amount of user information, including your email address, phone number, device information and details about the services you use.
Why could it be a problem for a 2FA authenticator app to collect analytics?
-Collecting analytics can be a problem because it goes against the privacy expected of a security tool. Privacy-conscious users would not want to see analytics in an authenticator app, and if analytics are included, they should be anonymous and impossible to link to a personal identity.
What is Microsoft Authenticator and what information does it collect?
-Microsoft Authenticator is another popular 2FA authenticator app that requires permission to collect user data before it can be used. It collects information about the device, operating system version, mobile carrier and general usage data.
Why might using Google Authenticator be a privacy concern?
-Although no communication of in-app activity to Google's servers was detected, the company has a history of tracking users, which may worry privacy-minded users.
What are some more private open-source alternatives for 2FA authenticator apps?
-Some more private open-source alternatives include FreeOTP, Aegis Authenticator and andOTP. These options are respected in the community and do not collect personal user data.
How can I reduce the amount of data I send if I don't trust a 2FA authenticator app?
-You can enter the secret seed manually instead of scanning a QR code, which lets you control exactly what information you give the app and also lets you keep a copy of that seed, which is essential for recovery if you lose the app.
What additional measures are recommended to improve privacy and security when using 2FA?
-Using a security key instead of a 2FA app is recommended, since security keys are the most secure form of 2FA. It is also important to download the app from a legitimate website and not from copies or look-alike apps that could be fraudulent.
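The video's advice to inspect and trim what the provisioning QR code carries can be done mechanically: the QR code almost always decodes to an `otpauth://` URI, where the issuer and account name are optional labels and only the secret (plus any non-default algorithm, digit count or period) is needed to compute codes. This added example, not code from the video or from any app it discusses, parses such a URI and rebuilds a minimal one with a label of your own choosing, which can then be fed to any QR generator or typed in by hand. The sample URI is constructed; `parse_otpauth` and `minimize_otpauth` are names chosen for this example.

```python
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed example of what a typical provisioning QR code decodes to.
EXAMPLE_URI = ("otpauth://totp/Example%20Mail:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Mail"
               "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth:// URI into its parts so you can see exactly what the
    QR code would hand to the app. The label is "Issuer:account"; the issuer
    may also be repeated as a query parameter."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth provisioning URI")
    label = unquote(p.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    counter: Optional[int] = int(q["counter"]) if "counter" in q else None
    return {
        "type": p.netloc,
        "secret": q["secret"],
        "account": account.strip(),          # identifying, optional
        "issuer": q.get("issuer", issuer_from_label).strip(),  # identifying, optional
        "algorithm": q.get("algorithm", "SHA1").upper(),       # needed if not SHA1
        "digits": int(q.get("digits", 6)),   # needed if not 6
        "period": int(q.get("period", 30)),  # needed if not 30
        "counter": counter,                  # HOTP only
    }


def minimize_otpauth(uri: str, label: str = "account") -> str:
    """Rebuild the URI keeping the seed and only the parameters the app needs
    to compute correct codes. Issuer and account name are dropped and replaced
    by a label you pick, so the app (and any analytics behind it) never sees
    which service the seed belongs to."""
    info = parse_otpauth(uri)
    params = {"secret": info["secret"]}
    if info["algorithm"] != "SHA1":
        params["algorithm"] = info["algorithm"]
    if info["digits"] != 6:
        params["digits"] = str(info["digits"])
    if info["period"] != 30:
        params["period"] = str(info["period"])
    if info["type"] == "hotp" and info["counter"] is not None:
        params["counter"] = str(info["counter"])
    return f"otpauth://{info['type']}/{quote(label)}?{urlencode(params)}"


if __name__ == "__main__":
    for k, v in parse_otpauth(EXAMPLE_URI).items():
        print(f"{k:>9}: {v}")
    print("minimal:", minimize_otpauth(EXAMPLE_URI, "mail 1"))
```

Keep the non-default parameters: dropping `digits` or `period` when the site set them would make the app produce codes the site rejects, which is the one way a "privacy edit" of the QR code can lock you out. The secret you keep from the parsed output is also the backup copy the video recommends making.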
Outlines
🔒 Security and privacy in 2FA authenticator apps
This paragraph covers the importance of 2FA (two-factor authentication) for protecting accounts and how some authenticator apps collect more information than necessary. It discusses the collection of personal data by popular apps such as Authy and the privacy concerns this raises. It also offers advice on using these apps more privately and explores more private, open-source alternatives.
📱 Privacy analysis of the Microsoft and Google authenticator apps
The privacy policies and data collection of the Microsoft and Google authenticator apps are examined. Microsoft Authenticator requires consent to collect data and, despite the options to disable analytics, the app keeps sending information. Google Authenticator, on the other hand, does not appear to communicate user behaviour to Google's servers, although there are warnings about Google's reputation for tracking users.
🛡️ Open-source alternatives for 2FA authenticator apps
This paragraph presents several more private open-source 2FA authenticator apps, such as FreeOTP, Aegis Authenticator and andOTP. Their features are described, such as support for multiple accounts, a built-in QR code scanner and encrypted storage of TOTP secrets. It stresses that, even though they are open source, it is important to check their reputation and watch for unwanted tracking.
📝 Tips for better privacy when using 2FA
Recommendations are given for using 2FA more privately. They include entering the secret seed manually instead of scanning a QR code, which lets the user control what information the app knows. Using security keys instead of apps is also suggested, since they are the most secure form of 2FA. Finally, the importance of downloading apps from legitimate sources and the value of community vetting in choosing private 2FA solutions are highlighted.
Keywords
💡Two-factor authentication (2FA)
💡Authenticator apps
💡Secret seed
💡Network traffic analysis
💡Google Firebase and App Center
💡Authy
💡Microsoft Authenticator
💡Google Authenticator
💡Open-source apps
💡Security keys
💡Privacy
Highlights
2FA is essential for securing your accounts, adding a second verification method.
Some authenticator apps collect more information about your activities than you might imagine.
Authy collects sensitive information, including the services you use and the types of accounts you have.
Microsoft Authenticator requires you to allow data collection before use and keeps track of device and carrier information.
Google Authenticator does not appear to collect information about behaviour inside the app.
More private open-source alternatives exist, such as FreeOTP and Aegis Authenticator, which do not collect personal data.
FreeOTP and Aegis have no trackers and have been confirmed as safe options.
The secret seed can be entered into the app either manually or by scanning a QR code.
It is possible to edit the information in the QR code to prevent additional information from being collected.
Entering the seed manually also lets you keep a copy of it, which is essential if you lose the 2FA app.
Using security keys instead of 2FA apps is recommended, as they are the most secure form of authentication.
It is important to be aware of which apps are collecting personal data so you can make informed decisions.
The choice of a 2FA app depends on each person's privacy and security stance.
Be careful when downloading a 2FA app and make sure it is not malware or an unwanted app.
You can choose an app that does not collect personal information; there are many established and reputable options.
Downloading the right app is crucial, as there are many deceptive imitations.
Whenever possible, use a security key instead of a 2FA app.
Transcripts
2FA is essential for securing your accounts. It's where you add a second verification method for your account, so that even if someone gets access to your password, there's still a barrier stopping them from accessing your account. One popular 2FA method is an authenticator app, but some of the most well-known authenticator apps are actually collecting more data about your activities than you may realize. In this video we're going to dive into what kind of information they're collecting, how to give these apps less information when you use them, and we're also going to explore some more private 2FA apps that are also open source.

Let's quickly recap how 2FA authenticators, or TOTP apps, work. Basically, in your account settings you might have an option to add 2FA via an authenticator app. When you select this option, the website will give you a secret seed, either in the form of a long string of digits or in the form of a QR code that has that long string of digits embedded in it. You need to somehow enter the code into the app, and there are two options: either you enter it manually or you scan the code. Talal and Tommy form the security and privacy research duo Mysk, and they explain to us that your 2FA app will take this seed, combine it with the current time and feed it into an algorithm that spits out a new short code every 30 seconds or so, which you'll type into the account website. Meanwhile, the account you're securing, like your Twitter or email, will also have a copy of that secret on their servers. When you try to authenticate, they'll feed their secret into an algorithm on their end, combined with the current time, and also spit out a code. If the codes match, then you're in; if not, it would just reject your call. The 2FA app servers shouldn't ever get access to your secret seed. Really, all the apps should be doing is just some computation locally on the device involving your seed and the current time, and spitting out codes for you. The app can functionally operate perfectly without internet, but it turns out that some 2FA apps are doing more than this, sending all kinds of information back to their servers.

In our last video we showed you some malware 2FA apps that were actually stealing your secret seed so that hackers could access your 2FA codes too. In this video we're going to talk about a different threat: apps that aren't stealing your codes but are collecting extra data around your activities, which a privacy-conscious person should be aware of. It is pretty much industry standard at this point that each app has its own analytics system. They often use common services such as Google Firebase; there's App Center for Microsoft. These analytics aren't necessarily nefarious, but are they appropriate for something like a 2FA app? When it comes to security tools like authenticator apps, anything you would consider to be pretty private, we don't want to see analytics in it, and if there are analytics, we want the option to disable analytics. For me it's very sensitive that the app would send, for example, the services that you're dealing with. So if you have an Amazon account, Twitter account, Facebook account, then it would link the services that you use with your identity. The Mysk team analyzed the network traffic from the most popular 2FA apps to find out what information each was collecting and which app was the most private. We would see if the app is sharing more information, more analytics, than is required.

Let's start with Authy, a popular 2FA authenticator app that, it turns out, collects a lot of information from you. To be able to use Authy you have to supply your email; this is the first thing that they request when you open the app for the first time. You need to give your phone number and you need to verify your phone number, and when you create your account they give you an ID called the Authy ID. The user can see that this ID belongs to them after the verification. Of course, this ID is going to be tied with your email and your phone number. Then there's the analytics that's sent to all these servers, and there's a lot of device information like device type, OS version, but there's also more sensitive information. They are collecting information about the services that you use, and they know which account types you already have. Google is the service of the token that we scanned during this experiment, and of course it's linking whether it's Google or Twitter or something else with your user ID. This data analytics that we see in here, this is not anonymous, because it is associated with the ID, and the ID is associated with the email and the phone number, which are already personal information. They are able to keep track of what their own users are doing within their own apps. We don't think security tools such as authenticators should be using analytics, and if the vendor really wants to add analytics, we believe it should be anonymous. In this case we can see that these analytics events do contain a unique identifier that can be tied back to the user's account with Authy. At least give the option for users to disable analytics, and Authy doesn't: there was no option in the app to turn this off. Now, do we think that Authy is using this information for some grand conspiracy of linking all the platforms someone uses together in a giant centralized database? Probably not. If I were to speculate, they just really want to know overall what are the more popular accounts, how are users using their app, and so on. Typically analytics, it's not malicious, it's just something that is pretty much industry standard at this point. We just have strong opinions about which apps should be using analytics and how analytics should be anonymous and not user-identifiable. But even if there is no grand conspiracy, I'd prefer that an app not know which platforms I'm using or what my phone number and email address are. Authy is a very talkative app, meaning it sends data back to its servers frequently. If you're privacy-conscious, it might not be the best app for you.

Now let's look at Microsoft Authenticator, another popular 2FA app. The first thing to note about Microsoft Authenticator is that they mandate you allow Microsoft to collect your data before you can use their authenticator. If you decline to share your data, they tell you that you can't use the app. Not a great start. So what data do they want from you? There's information about your device, OS version; they're even collecting which mobile operator you use, so they're mapping who your cell provider is. Yes, they're using something called App Center to collect this data, which is an analytics tool developed by Microsoft. This is one of the standard things that App Center collects; it does collect carrier information. There's also general usage data, as in your behavior: each button clicked, how you use the app. And on top of that, Microsoft too collects which platforms you're using; you can see here in the analytics Proton, which is the account linked in this test. Microsoft is also contradictory regarding whether all these analytics are personally identifiable. According to the app's privacy label, data collected is linked to your real identity, but then in the app settings it says that the data collected is non-identifying. Let's take a look at the actual identifiers they collect so that we can figure out which one is true. First there's the SID, which is an ID that changes with each session; that would suggest that it might be randomly generated and not personally identifiable. But they also collect something called your shared device identifier, which is a persistent ID that would allow them to aggregate analytics across sessions. If Microsoft links the shared device identifier to the user's identity, then all these analytics become identifiable. But as you notice, there is an option for you to turn data sharing off. What happens if we toggle that off? We switched the analytics off and we ran the experiment again, and we saw that this information is being sent nonetheless. Now, the amount of data was reduced: for example, the app stopped sending general usage data like "she clicked here, scrolled here", etc., and they stopped sending which platform you're using, like Proton, Twitter, etc. But they are indeed still sharing data like your device information, your phone carrier, and they're even still collecting your persistent shared device identifier. That was the interesting part about the Microsoft Authenticator, because you switch the usage data off, yet it sends this thing. These apps, they're still sending analytics even though the user has opted out from analytics. This is still a lot of information for no analytics. So if you're one of those people who thinks that opting out of data sharing should actually opt you out of data sharing, Microsoft Authenticator probably isn't the best choice for you.

Now let's look at Google Authenticator. This was a tricky one. When analyzing the app traffic, to the Mysk team it appeared that Google was not collecting activity from within the app; your behavior inside the app was not being communicated to Google servers. We couldn't detect anything about what kind of service you're scanning or how many services. For example, if you add multiple accounts, one from Amazon, the other one from Google, another from Twitter, Mastodon, it would not share this information with Google. Google did send some things like crash reports, but other than that we were surprised to see that actually it doesn't seem to send anything. Indeed, surprising behavior for a company that is renowned for collecting as much data about users as it can, and it also seems to contradict what is self-disclosed in their privacy label. If you were to look at the privacy label on the App Store, they do mention that they do link usage data, identifiers and some diagnostics to a user's identity. But Exodus Privacy confirmed that they too found no trackers in Google Authenticator. They did say that they did a static analysis of Google Authenticator's APK, which stands for Android Package Kit and is the file format used by Android to distribute and install applications, and in this analysis found tracker signatures, but this is not proof of activity of these trackers. On the other side of things, the application could contain trackers that Exodus Privacy doesn't know about yet. They do associate this thing with a cookie ID which is shared among all the Google apps that you have installed on your iPhone, and there might be other tracking methods that we're missing. There are ways to do this, especially if you have multiple Google apps installed on your phone. So while Google Authenticator actually seems okay, tread carefully, because Google has a terrible track record when it comes to tracking users.

Now let's look at some more private alternatives for your 2FA app. We explored a bunch of open-source options to see how they compare. FreeOTP is a popular open-source TOTP app developed by Red Hat. It's available for both Android and iOS devices and supports multiple accounts. FreeOTP is available on the Google Play Store, F-Droid and the Apple App Store. There's also a fork of it called FreeOTP+ that allows you to export or import settings to Google Drive, has a more modern UI and also allows biometric or PIN authentication to secure the app. Exodus Privacy said that they found zero trackers in FreeOTP, and the Mysk team confirmed that they couldn't detect any network traffic. According to the privacy policy of FreeOTP, they do not collect any data from your mobile device, and permissions are very narrow in how they're used. FreeOTP seems like a solid choice for an authenticator app.

Next we have Aegis Authenticator, another open-source TOTP app. This is only available for Android but has some good qualities, including a built-in QR code scanner. Aegis Authenticator is available on both the Google Play Store and F-Droid, and the TOTP secrets are stored in an encrypted vault for added security. Aegis also has biometric support and integration with Guardian Project's Ripple, which allows you to delete the vault if you hit the panic button, which is a really cool feature. Exodus Privacy reports that they found zero trackers in Aegis, and the Mysk team confirmed in their testing that Aegis doesn't send any trackers. The Aegis privacy policy states that they don't collect any data from your device and that the usage of the camera permission is narrow. Aegis is another solid choice for an authenticator app if you're on Android.

andOTP is another free and open-source TOTP app, and as its name implies, it is also Android-exclusive. One thing to note is that it's no longer actively maintained, as the developer doesn't have time, but many still say that it's a good choice for an authenticator app, and it also has zero trackers and doesn't collect any data. Use unmaintained code at your own risk. We also looked at 2FAS, another open-source two-factor authenticator that is available for both iOS and Android, but according to Exodus Privacy reports it does contain trackers. The Mysk team confirmed this: it sends, for example, frequent Google Analytics data, but according to them it's nothing really sensitive.

In terms of all the different 2FA product choices, now that you have more information about how they do or don't use your data, you can pick the app that you feel best aligns with your personal privacy and security stance, and this is going to vary from person to person. Some people will choose to go with the most well-known products because they want to avoid any lesser-known apps that might be scams. If they're not too bothered by analytics data, then it's not necessarily a lower-security option for them. If you're more careful, you really don't want any analytics data, then yes, something like an open-source solution that you trust, that you vetted, that others have vetted, would be a better option, because you know that they're not sending analytics data, because you can actually see what the app is doing. And just because something is open source, it doesn't make it immediately trusted, so don't just choose an app because it says that it's open source. Make sure that it's well vetted and has a good reputation. There are many open-source options out there. The thing is that once you publish your app to the store, it's very hard to verify that the code which is open source is the same as the code that you submitted to the store.

The final part of this video is on how to decrease the amount of data you send off regardless of which app you choose. When you first input into your 2FA app the string of random digits that is your secret seed, you can choose to type it in manually or to scan a code that has the seed embedded in it. That secret seed, it's long, it's hard to type and stuff, so this is why they use QR codes; it's very convenient to just scan with the camera and then you get the seed into your app. So if you trust the app and you want to let it access your camera, scanning might be a good option, but there's actually all kinds of other data that might have been added to that QR code. You can't tell just by looking at a QR code what data or instructions are actually embedded in it, but if you really want to, you can actually just use any QR code scanner app and see what's actually in the QR code. In a typical QR code for one of these 2FA apps there's usually standard information about your account that will allow the app to easily autofill the descriptions. Your username normally is included inside the QR code; your data, the login screen, the service and the issuer, all these things, they are inside the QR code. This is optional data for you, so that you know this seed that you're scanning, to which account it belongs and which issuer has issued this code. But you can change it, you can delete it, it's no problem; it is really optional. So if you're using an app that you know will send this information back to their service, you can actually edit the information in the QR code and create a new one before scanning it into the app. Or another option is just typing in the seed manually, in which case no other information will be autofilled; you'll have to type it in manually too. When you enter the code manually they prompt you to ask you what this code is for, because you would be confused if you only have the secrets; they do pile up after a while of using them. By inputting this information manually you can choose exactly what information you want the app to have. In theory, if you have your own way of distinguishing between the various codes and the various accounts that you have, that would be one way to obfuscate that this code belongs to Twitter, that code belongs to Instagram, and so on, instead of having that information in the QR code itself. This would result in a marginal difference in privacy, but that difference might be important to privacy-conscious people who choose to opt out of this data collection. But importantly, manually inputting your seed also allows you to easily make a copy of that seed, which is essential in case you ever lose your 2FA app, so I highly recommend manual input anyway.

So here are our main takeaways when using 2FA. One, you should absolutely have 2FA on your accounts whenever you can. Two, be careful which 2FA app you download, because some of them are outright malware. Three, out of the legitimate apps, you have the option to choose one that doesn't collect data about you, and there are a lot of established and well-regarded options for you to choose from. Four, whichever app you choose, make sure you download the right thing; there are lots of copycats out there that will pay to be the first option in search results. When in doubt, find the real app from their legitimate website first and link to the App Store from there. And five, wherever possible, opt to use a security key as your 2FA method instead of an app, because security keys are the most secure form of 2FA out there. We have a whole video explaining how they work if you want to take a look. 2FA is an essential part of your privacy and security setup, and it's important people know that they can make more private choices with these. If you were to ask them, "Do you want to be tracked?", most people would say no, they don't want to be tracked. By knowing which tech in our lives is tracking us and collecting our data, we can make more informed decisions about which products and services we decide to use. You can make the choice that's right for you.

NBTV is funded by community support. If you'd like to support our free educational content, please visit nbtv.media support or check out our eBook, The Beginner's Introduction to Privacy, which also supports the channel. Or even just liking, sharing, commenting on and subscribing to our content also really helps us. Thank you so much for watching through till the end. "Click here to receive your access code to Twitter." Well, I don't remember requesting an access code to Twitter, but let me click on this random link anyway.