In a few weeks I’ll do a workshop about security for people who are tech illiterate, I plan to teach about password managers and 2FA.

If I show the 2FA number codes, like the 123 456 ones that I have to paste when required, can that be a possible security breach for me? or is it save since is gonna change in a few seconds anyway?

  • miss_brainfart@lemmy.ml
    link
    fedilink
    arrow-up
    36
    ·
    1 year ago

    I’d probably edit a few example screenshots for a purpose like that.

    If you really want to show it live on an actual device, then maybe with a throwaway/dummy account

    • JoeKrogan@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      1 year ago

      Yea I think that is most valuable as you can include the setup and answer questions people may have. What is obvious to us may not be obvious to them.

  • chevre@jlai.lu
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    I would assume there aren’t any security concerns as:

    • You are not showing the seed used to generate the actual codes
    • this is for non tech-savy users
  • m-p{3}@lemmy.ca
    link
    fedilink
    English
    arrow-up
    12
    ·
    edit-2
    1 year ago

    It’s good to keep in mind that while it does improve the overall security of the account, a 2FA/TOTP code can still be phished, so if the user encounters a fake login page and supply his password and 2FA code, it could let an attacker pass the intercepted credentials to the real login page in the background and gain access. Most websites using TOTP will not allow reusing a code more than once in the same time slot, but that’s a moot point if the 2FA code is intercepted without being entered on the legitimate website, but in your case of making a demonstration that would not be a security concern.

    It’s important for the user to ensure they’re accessing the legitimate website before typing any credentials and 2FA code.

    A safer option nowadays is FIDO2/Passkeys, which will not provide a valid 2FA challenge-response in the case of a spoofed/phishing website, further reducing the possibility of a breach.

  • meseek #2982@lemmy.ca
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 year ago

    2FA (if it’s true 2 factor), each unique code is also challenged against your password and has a lifespan of all but 30 seconds. Wait a minute before showing the slides, they’ll just be useless numbers by then.

    They cannot be reverse engineered in some way as to hack any account. At least not to anyone’s knowledge.

  • Boring@lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    Unless there’s a super hacker or NSA agent in the class that can figure out your password in real time… You should be fine doing that.

  • hperrin@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    It’s as safe as “leaking” an encrypted document. No one can figure out your TOTP secret unless they brute force it with only a leaked code or two. But if it worries you, you can always change your TOTP secret by going through 2FA setup again.

    Also, even if someone knows your second factor, they still need your first factor (your password).

  • Destide@feddit.uk
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    2
    ·
    1 year ago

    Why would you not have all your demo stuff in a throwaway VE. I would personally just set up a 2FA on something pointless and empty, like a blank proxmox install. Use a separate authenticator for tutorials or just use images that are already out there.

    I’ve entered some 2FA codes about 20 seconds after refresh before, so yeah there is a risk.

      • Destide@feddit.uk
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        For me I’d put proxmox in a proxmox. get the second one installed with a user then save it as a template. From here you can spin up a new image and use the TOTP services to show various 2FA which include YUBI keys if ever the tutorials get deep. I don’t know if there is a 2FA playground as such that just to me seems like a quick low impact way of showing the process. You then just delete that image within the first proxmox install. Hold the phone just searched 2FA playground and it gave me https://pragmarx.com/playground/google2fa#/ which seems perfect for your needs. I can’t vouch for the safety of the site but their github is on there so have a browse through

      • Lem Jukes@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Is this being taught in a computer lab or will the students all have laptops or smartphones? If so I would almost be tempted to just walk them through all creating a temporary email address and then setting up 2fa on the accounts. But yeah Gmail accounts.

          • Lem Jukes@lemm.ee
            link
            fedilink
            arrow-up
            4
            arrow-down
            1
            ·
            edit-2
            1 year ago

            You can create endless Gmail accounts for free and google has several different 2fa options to choose from. So you could make one ‘2faClassDemoEmail@gmail.com’ or have each person on their own device create dummy Gmail addresses like ‘StudentName2FADemo@gmail.com’ and have each student go through the process individually. They would only be temporary in that you’d just stop using it after the class and google would eventually get rid of it(maybe?) After long enough without any use. I don’t think you’re going to find something that just generates dummy 2fa codes for demo purposes.

  • loki@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    it’s unlikely they are going to be able to bruteforce your 2FA codes in the duration of the class, so just change them back once you’re done with the class?

    or record the video showing the whole process. change the code, show the video you recorded before the change

  • Muddybulldog@mylemmy.win
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    As you suspect, only during the sixty or so seconds that they are valid.

    SMS-based codes tend to be longer lived.

    They’re useless without your other authentication factors, e.g. login, password.

  • nao@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    If you leak one of the 2FA codes, especially together with a timestamp, in theory it allows someone to brute force the seed, since they now have one known plaintext. If you leak multiple, it reduces the amount of time needed to do that.