I no longer tell many of my less tech-savvy to use 2FA for most sites. The notable exception being their primary email and a few others. I instead push them to use a system like 1Password that will let them generate unique strong passwords.
For a huge majority of people, the odds of them losing, breaking, or wiping their phones and misplacing or forgetting to save their backup codes is MUCH higher than getting hacked while using a 1Password system.
1Password supports saving the 2FA token: https://support.1password.com/one-time-passwords/. Though you could argue that's not much safer than not using 2FA since if 1Password is breached, the tokens would be available as well.
As an alternative, you could use Authy, which backs up the tokens encrypted (just don't store the Authy password in 1Password if you're worried about that being a single point of failure).
2FA and unique passwords aren't an either or thing. There is a lot of overlap in what they protect against but it's not complete. Having a strong, unique password won't help again being phished but 2FA can help mitigate the dangers of password reuse.
I get that everyone's exposure to and acceptance of risk is different. I understand that sometimes the best you can hope for out of a non-technical friend is that they accept maybe one piece of advice at most, but I'd disagree with the priority. 2FA is extremely powerful.
My Hearthstone account has better security than my Paypal account.
Here are some fun websites that do not support decent TOTP 2FA or U2F:
- Ebay
- Paypal
- Most banking websites apparently because regulations *shrugs*
- Twitter. The thing the POTUS uses to communicate.
And here is just some utter nonsense:
- Facebook supports TOTP 2fa... but you need a phone number linked to the account
- Wikipedia has TOTP 2fa... but only for sysadmins
- Steam is one of the rare oddballs in the gaming space, with an idiotic email-based 2fa system, which by the way constantly gets hit by massive delays.
Steam now has Steam Guard Mobile Authenticator which does 2FA codes on the Steam mobile app. It looks like it uses TOTP but with different encoding and no way to use other app. It is now required for trades and market sales, and they need to be confirmed in mobile app.
A lot of sites are like this but they miss the point... which is that I don't want to give them my mobile phone number in the first place.
I might, if I could reasonably trust that they really do delete it, but I think experience shows that we can't completely trust most companies nowadays.
PayPal does support (at least some) 2FA methods as my first YubiKey (~6 years ago?) was a "YubiKey VIP" that worked with PayPal (6-digit codes). There was also a "Symantec VIP" mobile app that you could use (very similar to Google Authenticator) instead.
PayPal also had their own security device you could get. I think it cost $5. Not sure if it's still available.
For years Deutsche Bank and other European banks have relied on TAN, which typically is a printed sheet of 100 numbers that are required at random [1]. There are also various electronic TANs that have been introduced over the years. The list doesn't seem to include paper tokens, which are a valid 2FA.
Edit: Deutsche Bank isn't actually listed, changed comment to reflect that, but left it up because a lot of people may find the paper TAN system interesting.
iTAN is solid secure concept, if you take normal post service for granted, handle the paper with care, and don't fall for "phishing attacks" where the attacker tricks the user into logging into a forged copy of the bank's website.
From a security point of view (imho, please correct me) is iTAN more secure than SMS-token (mTAN), email-token and app-token. You simply cannot beat analog offline security, as the iTAN-list exists only in two places on the server and printed out on paper (user).
"Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.
However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging into a forged copy of the bank's website and man-in-the-browser attacks which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview.
Therefore, in 2012 the European Union Agency for Network and Information Security advised all banks to consider the PC systems of their users being infected by malware by default and use security processes where the user can cross-check the transaction data against manipulations like for example (provided the security of the mobile phone holds up) mTAN or smartcard readers with an own screen including the transaction data into the TAN generation process while displaying it beforehand to the user (chipTAN)."
iTAN has been replaced with ChipTAN which I personally find easier to handle since I frequently misplaced my TAN lists :)
Plus the advantages that are already mentioned at the end of your quote - the TAN generator shows the IBAN and the amount, essentially acting as a secure display device for the transaction.
I've been crusading against two factor auth for a while now, including being against email as recovery/revocation fallback.
- SMS is insecure, both from a protocol and from a social engineering point of view. Google Authenticator is better, but still has fatal flaws.
- We use email for casual communication and security-sensitive account changes. This is a disaster. What happens if Google bans your account by mistake, or a thief steals your phone and decides to data-mine/destroy your online life?
- I have yet to see a two factor auth protocol with decent recovery ("I lost my phone") and revocation ("the thief used my phone to login and kick me out"). The instructions are usually "make a new backup for every new account if the site supports" and "tough luck", respectively.
Our online lives are more important than ever. Hearing "I'm sorry, you lost every single online account you ever had" is going to become recurrent unless we change our ways.
EDIT: I'm not against adding two-factor to a website that only has username+password. I personally use two-factor everywhere I can. My point is that this is not a good combo, from a security and usability point of view. But still better than just passwords.
I left it out because this is a separate rant. Cliff notes:
- Backup is per-website. Every new registration requires you to e.g. print a slip of paper and store it in your safe/friend's house/secret drawer.
- Each website has to implement their own backup flow. That's extra cost, hurts adoption, and some don't even bother with that.
- The PIN is extremely low-entropy, which requires absolutely perfect rate-limiting. As soon as the attacker is able to side-step the rate-limiting (which has a large surface area), the OTP is useless.
- The PIN is vulnerable to shoulder-surfing and surveillance. Can you type the PIN faster than the attacker that's using OCR?
- Typing a PIN number (that has a timer!) adds friction and mental angst.
- And I may be wrong, but as I understand all devices have the same level of trust. If your phone is stolen, it's a race to revoke the thief's codes before they revoke yours. Ideally you should have some "master secret" in your safe/friend's house/secret drawer, that is able to revoke any and all devices because it's the safest secret you have.
- It's only suitable as a second factor, not primary. You are probably also using passwords, which adds a whole lot more security and usability problems.
Add in that google's own migration tool does not port the app's database. So if you switch phones you're left manually doing a disable/re-enable loop for every provider, unless you printed or screenshotted the original QR codes at signup.
I'm not against enabling two-factor on a website that only supports login+password. I use GMail with two-factor, for example.
What I'm against is people treating "username + password + two-factor" as some high bar of security and usability, suitable even for banking systems (as some users implied before).
My point is that we should be looking at other solutions. Two-factor is a stop-gap measure.
And please don't call other comments "ridiculous". This is not the kind of community I want to participate in, and probably neither do you. Also note I'm not some crank, this is my area of research.
The stuff on that page is old, and I don't find it all that damning. Gibson is a character indeed, and I disagree with some of his stuff (e.g. writing security code in assembly and posting screenshots online in lieu of open source), but I wouldn't put scary quotes around the word "work" as you did.
I'm not sure why. I've seen nothing that would lead me to change my opinions of him.
I probably wouldn't feel so strongly about it had I not listened to a couple of his podcasts. I had several hours of driving ahead, searched for something that sounded interesting, found his "Security Now" podcast, and downloaded a few episodes. Keep in mind that his audience, AFAICT, is primarily made up of younger listeners who are relatively new to infosec as well as "non-techy" people en masse (the kind of people who get their tech support from a guy on the radio, as someone elsewhere put it). Now, I'm far from a security expert but I'm not exactly a "n00b" and it didn't take long at all until I heard him saying things that were just patently incorrect. When one is repeatedly wrong in an area in which they claim to be an expert, I tend to question their credibility.
Others have found plenty of issues with "SQRL" -- arguably his best idea -- which he simply dismisses and I can still remember when he first presented "GENESIS" to the world.
Oh, and be careful out there on the Internet, as your ISP-assigned reverse DNS "might uniquely identify you on the Internet". IMO, that's right up there with "your computer may be broadcasting your IP address".
Last, remember, he's a marketing guy. That's his real area of expertise. He's certainly better at that than he is anything related to security.
Adding 2FA is as much work as adding a really good authentication protocol, with much better usability and security.
But we don't have discussions like this very often, therefore we don't have a consensus on which solution is the best alternative. I think this is a network effect problem (chicken-and-egg) more than a "perfect is the enemy of good".
I'm constantly disappointed by lack of support for U2F keys, especially by domain name registrars (ghandi is there only one but unfortunately they come with their own questionable t ToS). No matter how well protected your accounts are, if you lose your domain, they're all toast.
Replying to myself here. I've asked Namecheap to consider it (as I'm sure many others have too) but received to ETA. I'd really like to stay with them but lack of U2F is becoming a deal breaker for me, considering how prevalent phone account hijacking has become recently.
Off-topic: I recently bought a u2f token. It registers as a HID device. I wanted to play around with using it for other purposes, but I can't find a usb protocol specification anywhere. Anyone have a link?
38 comments
[ 3.2 ms ] story [ 84.9 ms ] threadFor a huge majority of people, the odds of them losing, breaking, or wiping their phones and misplacing or forgetting to save their backup codes is MUCH higher than getting hacked while using a 1Password system.
As an alternative, you could use Authy, which backs up the tokens encrypted (just don't store the Authy password in 1Password if you're worried about that being a single point of failure).
I get that everyone's exposure to and acceptance of risk is different. I understand that sometimes the best you can hope for out of a non-technical friend is that they accept maybe one piece of advice at most, but I'd disagree with the priority. 2FA is extremely powerful.
If you’ve got or know of a site using 2fa, definitely put in a pull request to show your support.
GitHub is a good example of a web site that has 2FA, that you really want 2FA on, and yet the 2FA setup is kinda buried.
Here are some fun websites that do not support decent TOTP 2FA or U2F:
And here is just some utter nonsense:- Facebook supports TOTP 2fa... but you need a phone number linked to the account
- Wikipedia has TOTP 2fa... but only for sysadmins
- Steam is one of the rare oddballs in the gaming space, with an idiotic email-based 2fa system, which by the way constantly gets hit by massive delays.
https://en.wikipedia.org/wiki/Wikipedia_talk:Simple_2FA#Why_...
Blizzard also supports 2FA, but other than those, most gaming services don't support it indeed.
https://github.com/jleclanche/python-bna
You can use it to export the seed or a QR of it, if you want to stuff your Blizzard TOTP into andOTP or something.
I might, if I could reasonably trust that they really do delete it, but I think experience shows that we can't completely trust most companies nowadays.
PayPal also had their own security device you could get. I think it cost $5. Not sure if it's still available.
[1] See image here - http://explipedia.de/online-banking-verfahren-erklaert/
Edit: Deutsche Bank isn't actually listed, changed comment to reflect that, but left it up because a lot of people may find the paper TAN system interesting.
iTAN is solid secure concept, if you take normal post service for granted, handle the paper with care, and don't fall for "phishing attacks" where the attacker tricks the user into logging into a forged copy of the bank's website.
From a security point of view (imho, please correct me) is iTAN more secure than SMS-token (mTAN), email-token and app-token. You simply cannot beat analog offline security, as the iTAN-list exists only in two places on the server and printed out on paper (user).
https://en.wikipedia.org/wiki/Transaction_authentication_num...
iTAN (Indexed_TAN) article:
"Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.
However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging into a forged copy of the bank's website and man-in-the-browser attacks which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview.
Therefore, in 2012 the European Union Agency for Network and Information Security advised all banks to consider the PC systems of their users being infected by malware by default and use security processes where the user can cross-check the transaction data against manipulations like for example (provided the security of the mobile phone holds up) mTAN or smartcard readers with an own screen including the transaction data into the TAN generation process while displaying it beforehand to the user (chipTAN)."
Plus the advantages that are already mentioned at the end of your quote - the TAN generator shows the IBAN and the amount, essentially acting as a secure display device for the transaction.
- SMS is insecure, both from a protocol and from a social engineering point of view. Google Authenticator is better, but still has fatal flaws.
- We use email for casual communication and security-sensitive account changes. This is a disaster. What happens if Google bans your account by mistake, or a thief steals your phone and decides to data-mine/destroy your online life?
- I have yet to see a two factor auth protocol with decent recovery ("I lost my phone") and revocation ("the thief used my phone to login and kick me out"). The instructions are usually "make a new backup for every new account if the site supports" and "tough luck", respectively.
Our online lives are more important than ever. Hearing "I'm sorry, you lost every single online account you ever had" is going to become recurrent unless we change our ways.
IMHO I think the best solution would look something like SQRL (https://www.grc.com/sqrl/sqrl.htm).
EDIT: I'm not against adding two-factor to a website that only has username+password. I personally use two-factor everywhere I can. My point is that this is not a good combo, from a security and usability point of view. But still better than just passwords.
Still, it might be a nice incremental improvement.
What flaws do you mean?
- Backup is per-website. Every new registration requires you to e.g. print a slip of paper and store it in your safe/friend's house/secret drawer.
- Each website has to implement their own backup flow. That's extra cost, hurts adoption, and some don't even bother with that.
- The PIN is extremely low-entropy, which requires absolutely perfect rate-limiting. As soon as the attacker is able to side-step the rate-limiting (which has a large surface area), the OTP is useless.
- The PIN is vulnerable to shoulder-surfing and surveillance. Can you type the PIN faster than the attacker that's using OCR?
- Typing a PIN number (that has a timer!) adds friction and mental angst.
- And I may be wrong, but as I understand all devices have the same level of trust. If your phone is stolen, it's a race to revoke the thief's codes before they revoke yours. Ideally you should have some "master secret" in your safe/friend's house/secret drawer, that is able to revoke any and all devices because it's the safest secret you have.
- It's only suitable as a second factor, not primary. You are probably also using passwords, which adds a whole lot more security and usability problems.
It's strange to be on a crusade against increased security for the average user.
Is 2FA the final answer? No. But are you more secure with it than without it? Yes.
We're talking about normal people here that could have their lives ruined if their accounts are compromised.
What I'm against is people treating "username + password + two-factor" as some high bar of security and usability, suitable even for banking systems (as some users implied before).
My point is that we should be looking at other solutions. Two-factor is a stop-gap measure.
And please don't call other comments "ridiculous". This is not the kind of community I want to participate in, and probably neither do you. Also note I'm not some crank, this is my area of research.
And note I said "something like SQRL".
I probably wouldn't feel so strongly about it had I not listened to a couple of his podcasts. I had several hours of driving ahead, searched for something that sounded interesting, found his "Security Now" podcast, and downloaded a few episodes. Keep in mind that his audience, AFAICT, is primarily made up of younger listeners who are relatively new to infosec as well as "non-techy" people en masse (the kind of people who get their tech support from a guy on the radio, as someone elsewhere put it). Now, I'm far from a security expert but I'm not exactly a "n00b" and it didn't take long at all until I heard him saying things that were just patently incorrect. When one is repeatedly wrong in an area in which they claim to be an expert, I tend to question their credibility.
Others have found plenty of issues with "SQRL" -- arguably his best idea -- which he simply dismisses and I can still remember when he first presented "GENESIS" to the world.
Oh, and be careful out there on the Internet, as your ISP-assigned reverse DNS "might uniquely identify you on the Internet". IMO, that's right up there with "your computer may be broadcasting your IP address".
Last, remember, he's a marketing guy. That's his real area of expertise. He's certainly better at that than he is anything related to security.
But we don't have discussions like this very often, therefore we don't have a consensus on which solution is the best alternative. I think this is a network effect problem (chicken-and-egg) more than a "perfect is the enemy of good".