It completely blows my mind that Blizzard got it right over a decade ago with a dedicated physical device that would generate a one-time, time-sensitive key for second-factor authentication (to protect my video game account).
Whereas I feel I'm still waiting for my bank (actual money) to catch up. They took the easy way out by SMS-ing me a second-factor authentication key, even though phone number theft is a known attack vector.
If you leave your phone unlocked with Google Authenticator / SMS 2FA and a weak master password, you still get popped. The only difference to me is the convenience of 2FA code auto-fill.
Had no idea about this. I liked Google's Auth since it was simple but it missed the crucial backup feature. Authy is nice but you're putting trust in a 3rd party that doesn't have a channel for donations, though it seems they're making money through SMS (Twilio).
andOTP is just what I was looking for since it's FOSS and had backup! This would have been a lifesaver when I lost my phone but glad to have run into it now.
U2F prevents some vulnerabilities that TOTP alone can't. It's possible to replicate it in software instead of a hardware token, but so far nobody has. So if you're adopting 2FA, my suggestion is to use U2F if you can.
A while back, because of shifting mobiles a lot (due to repairing my mobile and also having a temporary replacement), I ended up making a rudimentary program that stores and shows codes, and even QR codes for reading from the mobile, working in my Linux terminal.
https://github.com/lcabral37/terminalOathApp
It did the work and even today I use it every now and then, instead of pulling out the mobile.
I do this too. I guess it sort of undermines the idea of a second factor but the only way someone could get at it would be to break into my 1Password account, which seems unlikely.
Google authenticator allows you to transfer all your codes to a new phone and that includes if you lost your old phone. So they must be backing up to your Google account.
Agreed: my investment bank (real "real" money) finally started offering an authenticator (that adds random numbers to your password every login) two years ago.
I worked at a major semiconductor company in the late 1990s and to use their VPN from home you needed an authenticator fob. Eventually this was replaced with a password, but hardware fobs (& parallel port dongles) have been around since at least the 80s. Astonishing this has taken so long.
Although I still have trouble understanding how to best protect myself against MYSELF. I'm just now getting my head around multiple YubiKeys and subkeys in case I get locked out.
Barclays has the slot-your-card-in PIN sentry gadgets. Those are quite nifty. They don't need to be personal, because they take their PIN from the bank card. So they can just hand them out.
My first experience with 2FA was the Paypal Security Key[1]. Unfortunately it's proprietary, and to this day, they only support it or SMS for 2FA.
It would be great if everyone adopted TOTP, I'm up to a dozen sites in Authy and it's fantastic. Still waiting for my actual banks to support it though.
My bank used to do the tokens until some mathematician reverse engineered the algorithm proving it insecure.
They've now moved on to certificates on your phone.
You go to the bank, prove your identity, they SMS you a certificate. When you choose electronic authentication on the website you get a popup on your phone to accept. You put in a password and it validates the cert on your phone and sends the response to the website.
My bank did that, maybe a decade ago. It was pretty inconvenient any time I wanted to access my bank account away from home. SMS is a godsend by comparison.
Personally I dislike nearly all kinds of 2FA for a very simple reason: they add a dependency tie with something big, powerful and outside my control.
For instance I perfectly agree to have an extra, branded, physical token, to log in to my bank, I totally refuse to use a mobile app on my phone to do the same.
A branded physical token is "a thing from my bank", so something they are responsible for, that from my POV came from them, created and maintained by them; it's not connected to anything and it's a standalone object.
My phone is a connected device, monitoring me constantly outside my control, controlled by the most powerful data mining companies on the planet. I simply can't trust my phone. I can trust my physical offline devices enough, and if they get cracked at some point I'm not responsible for it at all; my bank is. While with my phone it's really easy to say "it's because of this or that, not our fault", where this or that can be anything from un-updated firmware (by the vendor, of course), unsafe apps installed, ...
It's disturbing how many developers simply gloss over the fact that requiring a smartphone with one of two non-free OSes installed (Android and iOS) is severely limiting the user's freedom in their use of digital services.
In the Netherlands the ING bank was testing the waters this year by holding back on announcing a non-smartphone alternative to their ageing authentication methods (either SMS or a list of pre-generated codes received by mail). All of their communication was bent on nudging customers to use their banking smartphone app, and only at the end of this year did they announce a separate hardware solution for customers who don't want to, or cannot, use a smartphone for their banking.
Every other bank in the Netherlands already had such hardware devices (TOTP usually, although newer generations use more complex methods) for a decade.
U2F and its successors are the way forward if we want to maintain some semblance of digital freedom, not tying your whole identity to a smartphone.
Could you give some examples of how it limits the use of your device?
While I agree with you, I seem to lack the imagination to come up with realistic examples that I can present as arguments.
I am afraid anything I think of would get a response like "yeah, sure, but no one uses their phone like that" or they'll simply accuse me of being paranoid.
> Could you give some examples of how it limits the use of your device?
Forcing me to use a smartphone app means I can't use a normal desktop or laptop computer, or even a non-Android, non-iOS smartphone. It means that institutions that provide a semi-public utility (e.g., banks) force people to support and agree with the terms of use supplied by a (foreign) megacorporation to function as a citizen in the digital realm. That is inherently undemocratic and a threat to our freedoms.
Expecting the vast majority of citizens to have access to a computing device with a modern web browser is somewhat reasonable (as long as those who can't are supported by other means). You can at least choose what software you run, and there are free software options available. With smartphone apps (well-built web applications excluded) that freedom does not exist.
I do not want proprietary software, nor do I want to depend on black boxes to use a service. So if a bank, a public administration etc. demand using proprietary stuff that does not come from them, they force their customers to buy such black boxes and suffer all their limitations.
For instance, I hate in the same way countries that ask users to install crappy proprietary software to pay taxes instead of simple PDFs/standard web UIs.
So I need a physical token for each of my bank accounts (3 bank accounts), each of my investment accounts (2 investment accounts), each of my e-mail providers (2 e-mail providers) and one for every other service which might want to offer 2FA. Or, instead of that, I can have one smartphone, which has an app which handles all of those 2FA codes for me. Can you understand why I would prefer the smartphone option?
So you also can possibly enjoy having 2FA demolished by a simple smartphone vulnerability that perhaps grabs both password and token in a single action...
We can't trust smartphones/connected devices in general; that's why IMO it's better, for safe auth only, to use offline stuff.
> So you also can possibly enjoy having 2FA demolished by a simple smartphone vulnerability that perhaps grabs both password and token in a single action...
Can you point to any instances where that's actually happened? Yes, sure, it's theoretically possible for someone to break into my fully patched phone and steal my 2FA secrets. But it's also theoretically possible for a mobster to break into my house, hold a gun to my head, and force me to log in to all of my bank accounts so that he or she can drain the money from them.
There is no such thing as perfect security, and I would much rather have people using a 2FA app on their phone than just username/password. Is it perfect? No, of course not. But insisting that the existence of phone vulnerabilities makes 2FA apps on phones unacceptable, and that the only form of acceptable security is for people to juggle dozens of authenticator tokens, is making the perfect the enemy of the good. It's because of "advice" like this that people ignore armchair security experts.
Does your credit card ever lock you out? For most people, no, it doesn't happen; for Julian Assange we know it happened. Have we had a nuclear warhead explode by accident?
A dangerous thing remains dangerous even before accidents happen.
I have far more confidence in my ability to hang on to a single smartphone than I have in my ability to hang on to a dozen or more separate 2FA hardware tokens.
Your ability may be relevant but only to a certain extent: for instance, I can restore my personal desktop with data and software from scratch quickly and easily from my multiple backups.
I use NixOS so my OS will replicate autonomously, I have dotfiles managed via org-mode+stow (and trying homeManager), rsync and unison at hand. I'm pretty confident that I can survive many kinds of crash quickly with enough safety.
My phone however is an entirely different story: I can't back it up properly; I have to rely on obscure, proprietary and totally unreliable mechanisms that have proven able to restore only parts of my phone's "operating environment", and in an unpredictable manner.
What can you do with all your soft tokens if your phone suddenly dies?
Another example: in the past banks have had bankbooks on paper, essentially ledgers that banks and their consumers have in hand, so both parties can prove a transaction. Now it's all on the bank's servers; I can prove nothing as a consumer, I can only hope my bank does its job well. Same if you buy shares: in the past you obtained a paper document that proves the transaction, now it's all on someone else's server. You can take screenshots, perhaps have some sort of PDF receipts, but they have essentially no legal value; anyone can forge them. Credit cards are the same: internally they operate like paper bankbooks, recording a certain number of transactions, however you have no control over that.
That's the BIG point: it doesn't matter how skilled and provident you are, the systems are more and more designed in a way that you are TOTALLY powerless, no matter how many things you know and how attentive you are.
My hardware tokens are locked safely at home or in the company office (to manage accounts for work), and only taken out when I need them.
The phone I always carry around. The risk of loss or theft is always lingering.
My wife just dropped her phone. It crashed. Took 5 minutes to boot, I guess a filesystem check after the crash. It could have died completely too. My previous phone stopped working because of a botched update. We had a phone stolen...
There are just too many uncertainties to trust a single portable device.
Why not just use an open source app like FreeOTP (Android only)? The TOTP/HOTP spec requires no network as well, so you can firewall the apps and they'll still work fine.
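The TOTP/HOTP computation from RFC 4226 and RFC 6238, as an added example in Python that is not part of the thread and not FreeOTP's code: it shows that generating and checking a code needs only the shared secret and a clock, which is why the app can be firewalled from the network as the comment says. The secret is the ASCII test-vector key from the RFCs (a constructed sample, not a real credential); the drift window and replay handling in `verify_totp` are my own server-side additions, not something the RFCs mandate in that form.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: the shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII
# "12345678901234567890"). An authenticator app holds such a secret after scanning the
# enrolment QR code and never needs to contact the service again.
SAMPLE_SECRET = b"12345678901234567890"
DIGITS = 6        # what most sites display
TIME_STEP = 30    # seconds, the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. Nothing here touches the network."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, digits: int = DIGITS, step: int = TIME_STEP):
    """Server-side check (my addition). Returns the matched time-step counter, or None.

    Accepts the current step plus/minus `window` steps of clock drift, compares in constant
    time, and refuses any counter at or below `last_counter`, so a code that was already
    accepted (or observed) cannot be replayed inside the window. The caller stores the
    returned counter as the new `last_counter` for that user.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate < 0 or candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits).encode(), code.encode()):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(SAMPLE_SECRET, now))
    print("RFC 6238 vector at T=59, 8 digits:", totp(SAMPLE_SECRET, 59, digits=8))  # 94287082
```

The only state the two sides share is the secret; the server additionally tracks the last accepted counter per user so that a code captured in transit is useless once the legitimate login has consumed it, which is the one thing the time window alone does not give you.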
I was having an argument over 1Password's 2FA support not being a second factor. (I don't think it is.) However, it is so much safer than not using 2FA. In similar terms, U2F is amazing and keeps you from being phished and has a great challenge/response protocol; if that was implemented in 1Password (or browsers themselves, thank you!) we'd all be a lot safer than not using it at all.
In 2018 I'm using an app to take screenshots of QR codes to generate one time codes. It's a sad state of the art, we need to do better.
Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.
A different question, though, is whether a password keeper web service could leak passwords like any other service.
> Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.
2FA is meant to protect primarily against phishing. It happens to protect against some other attacks as well, but phishing is the primary motivation.
That's why physical U2F devices are considered the gold standard of authentication today - it's possible to phish a TOTP code, but it's very difficult to phish a U2F signature, and impossible to do so through a scalable, automated attack.
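The origin binding that makes a U2F assertion hard to phish, modelled as an added example in Python that is not from the thread and not from any U2F library. Assumptions: the ECDSA signature is stood in for by HMAC-SHA256 under a key the token shares with the relying party at registration, purely so the example runs on the standard library (real U2F uses a P-256 key pair and the site only ever holds the public key); the appId is taken to equal the site's origin; and the browser's own refusal to use an appId that does not match the page origin, a further layer in real U2F, is deliberately not modelled, so that the example can show that the signed clientData on its own already defeats a look-alike origin. Origins and the user name are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Stand-in for the hardware token. Each credential is bound to the appId it was made for."""

    def __init__(self):
        self._creds = {}  # key_handle -> (app_id, key)

    def register(self, app_id: str):
        key_handle, key = secrets.token_hex(16), secrets.token_bytes(32)
        self._creds[key_handle] = (app_id, key)
        return key_handle, key  # ASSUMPTION: key shared with the RP only because of the HMAC stand-in

    def sign(self, key_handle: str, app_id: str, client_data: bytes) -> bytes:
        bound_app_id, key = self._creds[key_handle]
        if bound_app_id != app_id:
            raise ValueError("credential is not valid for this appId")
        # U2F signs over H(appId) || H(clientData); clientData carries the origin the browser saw.
        return hmac.new(key, _sha256(app_id.encode()) + _sha256(client_data), hashlib.sha256).digest()


class Browser:
    """The user agent builds clientData itself, so a web page cannot lie about its own origin."""

    def __init__(self, token: SecurityKey):
        self.token = token

    def get_assertion(self, page_origin: str, app_id: str, key_handle: str, challenge: str):
        client_data = json.dumps(
            {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
            sort_keys=True).encode()
        return client_data, self.token.sign(key_handle, app_id, client_data)


class RelyingParty:
    """The site. It checks challenge, origin and signature before accepting a login."""

    def __init__(self, origin: str):
        self.origin = origin
        self.app_id = origin   # ASSUMPTION: appId equals the site's origin
        self.creds = {}        # user -> (key_handle, key)
        self.pending = {}      # user -> outstanding challenge

    def register(self, user: str, token: SecurityKey) -> str:
        key_handle, key = token.register(self.app_id)
        self.creds[user] = (key_handle, key)
        return key_handle

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, signature: bytes) -> bool:
        key_handle, key = self.creds[user]
        expected_challenge = self.pending.pop(user, None)  # single use, whatever happens next
        try:
            data = json.loads(client_data)
        except ValueError:
            return False
        if data.get("challenge") != expected_challenge or data.get("origin") != self.origin:
            return False
        expected = hmac.new(key, _sha256(self.app_id.encode()) + _sha256(client_data),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def run_demo() -> dict:
    """Three logins with the same token: genuine origin, look-alike origin, and a look-alike
    origin whose clientData was edited afterwards to claim the real origin."""
    token = SecurityKey()
    browser = Browser(token)
    rp = RelyingParty("https://bank.example.com")  # constructed origin
    kh = rp.register("alice", token)
    results = {}

    cd, sig = browser.get_assertion("https://bank.example.com", rp.app_id, kh, rp.challenge("alice"))
    results["genuine"] = rp.verify("alice", cd, sig)

    # A look-alike site can relay the real challenge, but the browser records the origin it shows.
    cd, sig = browser.get_assertion("https://bank-example.net", rp.app_id, kh, rp.challenge("alice"))
    results["lookalike_origin"] = rp.verify("alice", cd, sig)

    # Rewriting the origin field after signing just breaks the signature instead.
    cd, sig = browser.get_assertion("https://bank-example.net", rp.app_id, kh, rp.challenge("alice"))
    forged = cd.replace(b"https://bank-example.net", b"https://bank.example.com")
    results["rewritten_client_data"] = rp.verify("alice", forged, sig)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Contrast this with a TOTP code, which is a bare six-digit string carrying no information about where it was typed: the site has no way to tell a relayed code from a genuine one, which is the asymmetry the comment above is pointing at.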
This is not true. 1Password could have a breach which exposes your master password. A hacker would then have access to your passwords, but not your 2FA. Even if you do not keep these items physically separated like a hardware token, it makes complete sense to have them be in different applications. For example, passwords in 1Password and tokens stored in Authy.
I got a new phone recently and was dismayed at how easy it was to reset the 2FA on various accounts. Some fall back to SMS in that case (which has well-documented insecurities), while others allow you to call customer support and reset it without providing too much to prove that you’re the account owner. There has to be a path for people who lose or break their phones with their Authenticator apps, but I’d feel better if it was a little more difficult than it seems to be in most cases.
It just irritates me how many financial institutions either don't support 2FA (I'm looking at you, Amex) or only offer either SMS or (yes, really) email as the only way(s) to protect your account.
Vanguard recently required that all accounts be "secured" via SMS, and I was dismayed to learn that Nest (of all companies) didn't even support Google Authenticator -- the only option with Nest was to use SMS as well.
true, 2FA prevents against people pretending to be you trying to log into the site, but not against sites pretending to be the site you want to access.
I have my primary phone with Authy and all the accounts.
I also have a secondary (old) phone in my drawer, which also has Authy installed. Both of them automatically sync the 2FA accounts in my Authy account, which is linked to my email and phone number. In the event that my primary phone is not available, I can switch to my secondary phone quickly.
Is that a good practice? I also plan to get physical keys and do the same when they become more popular.
That said, linking SMS often allows for SMS to be used to reset passwords. As sim swapping and phone cloning become more common attacks, the level of protection you gain from having SMS available drops. These attacks essentially let someone else receive your texts or calls. I have at least one friend who has been attacked this way.
2FA is a user interface disaster, exporting the failures of software security as a huge annoyance on to users. I would rather be hacked than deal with 2FA.
> 2FA is a user interface disaster, exporting the failures of software security as a huge annoyance on to users
I'd argue that it's exporting the failures of human psychology, not software security.
Sure, there are some pretty egregiously bad technologies underlying a lot of industry standard encrypted-communication/authentication/identity-management systems (including HTTPS). No argument that the tools and practices on the technical side could be way better.
But even if technical security was executed 100% perfectly, if the inputs to those systems remain usernames and passwords, people will be incredibly vulnerable. It's just too easy to [re]use weak usernames/passwords, too easy to write them down, and too easy to forget them (requiring "forgot password" attack vectors).
I agree with you that MFA is much more inconvenient than traditional U/P authentication. But I don't think it's inconvenient because of a failure in software security; it's inconvenient because it's extra work, and it has to be extra work because, well, people suck at diligence and security.
The right way to do it is to use client-side TLS certificates in combination with the username and password. Add in a passphrase for the private key and you could have 3FA.
All that's really needed is for browser vendors to improve their UI for generating certificate signing requests and importing certificates.
Yes, but one has to buy another device, and only a limited number of companies support it at the moment [1]. It doesn't look like any of the banks I use, any of the credit cards I use, or the tax filing service I use support it. Not to mention that this website and other forums I log into aren't mentioned there either.
Some of those companies offer SMS or email based 2FA as an option.
In any case, every single one of those services allows me to connect using TLS where my browser verifies the server's identity via the CA bundle I have installed on my machine. I simply don't see why companies don't make the investment to support client-side TLS authentication or start supporting U2F.
> And there's no way to steal your key without physically getting the dongle.
I would contend that it's probably easier to steal the dongle as opposed to my machine at home.
Client-side certificates are widely used among the Estonian population btw. It's basically the rest of the world that has caused the need for U2F/TOTP because they can't deploy smartcards with certs to users.
Estonian ID cards or Estonian Mobile ID are not hard to use. The currently working system is proof that TLS client certs can be easily used if providers just supported it.
It could be said that having my identity "stolen" and having to deal with the fallout is a far bigger real-life usability issue as compared to having to deal with a one-time setup to use a client-side TLS certificate with a service like my bank.
For all you PNW Microsofties, I saw that First Tech credit union finally got their shit together after the system change and reimplemented 2FA using a hardware key. Great, sign me up! First I get a message asking if I really want a hardware key? Well, I’d rather use the U2F keys I’ve already got, but yeah, send me one. The fact that it showed up in a hand-addressed envelope tells you how many of these they’re sending out.
No matter, I’ll use the phone authenticator for day-to-day, and the HW key as a backup. Not optimal, but until they support U2F it’ll have to do. Nope, you get to pick one key. So the HW key goes in the safe, and I use SMS for day-to-day. Or IOW, might as well have saved the plastic and postage for that HW key.
EDIT: someone else suggested directing email codes to an account that is protected by a HW key. Firing up GMail on my phone is less convenient than reading the SMS code off my watch, but I'll probably do that.
I feel that most forms of 2FA have too much friction for average users. SMS is bad, but better than nothing. I really can't imagine average users figuring out TOTP apps, U2F or other hardware tokens and dealing with backups and lost keys etc. Perhaps fingerprint based solutions based on WebAuthn will get more mainstream.
I'd be happy if we stop calling it 2FA and instead say "2of3" or something. So many providers require you to use 2FA, but almost no one forces you to include fallback authentication.
For those among us who can handle our passwords and general security, 2FA is just a penalty we have to pay for those who can't. As far as possible, I ditch any company that wants to force it upon me. I've done my homework, I don't want to consult my telephone, my mailbox, or even worse, some pesky dongle to complicate my life and add to my expenses.
In contrast, I wouldn't hesitate to enable 2FA if the company supported doing so via client-side TLS certificates (such that I can import it into my browser and use it in combination with my existing credentials).
Ideally, I would not want to use a public computer to access an important account. People can forget to use an incognito session, forget to log out, or even forget to close the browser.
Until a zero day exploit takes your browser, the VM you run your browser in (with confidence like yours you'd better run Qubes OS style) and just sniffs everything.
The "I know what I'm doing" doesn't hold up very well, statistically.
As mentioned elsewhere, 2FA protects against identity theft in that someone can call your bank, pretend to be you and get access, whereas it is actually less effective against phishing sites that will ask you for your 2FA code; if you didn't notice you are on the wrong site, you'll likely just give it to them.
While you can protect yourself against phishing, and there 2FA is indeed less useful, you can't control how diligent the bank is in verifying your identity.
The inherent limitations of human memory likely made that person assume you use a single password everywhere. Your response makes me assume that you memorize a unique password for every account.
You do you; but personally, I would rather memorize timeless things like facts and theorems - or at least ephemeral-yet-important things like deadlines, decisions, names+faces, etc. - than memorize a ton of meaningless blobs of entropy.
Contrary to what the other person said, I didn't think that you use a single password. Still, when a password is stolen, I prefer to have a second layer of security instead of losing my stuff in that account (and giving the attacker additional data to use against other accounts).