Author Topic: 2FA two step verification & the obsession with security  (Read 9337 times)


Offline jonovid (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1546
  • Country: au
    • JONOVID
2FA two step verification & the obsession with security
« on: February 12, 2022, 07:20:00 pm »
Recently Google, Microsoft and others have started pushing two-step verification
and having an obsession with security.  :scared:
As if it was a big threat to them.
As a non-phone owner,
I never asked for this level of security. I never asked for more verifications.

It's like a door-to-door salesman selling padlocks, but he has the master key.
When your front door already has a lock & door key,
the salesman is saying you need a padlock too.

Whatever happened to using your personal profile as verification?
URL, known location & known activities. This has worked for years, no problem at all, until mid 2020,
then the paranoia started from them.
 
The two-step verification USB thumb drive 2FA security key, so is it a scam?
Another bit of hardware to buy, another online financial parasite?
Just as a phone can also be a financial parasite.

What if this 2FA thing locks me out of my own hardware?
Or if it locks me out of my own online accounts?
Security is a two-way street. It can lock you out of your own abode if it fails to work.
My point is the obsession with security is not coming from us users, but Google, Microsoft & Apple Inc,
who are the paranoid users that say we want this.
Hobbyist with a basic knowledge of electronics
 

Online tszaboo

  • Super Contributor
  • ***
  • Posts: 8218
  • Country: nl
  • Current job: ATEX product design
Re: 2FA two step verification & the obsession with security
« Reply #1 on: February 12, 2022, 07:47:54 pm »
I read a study that 2FA makes accounts 2x safer.
I'm more upset about rules for passwords; that is really getting out of hand.
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #2 on: February 12, 2022, 08:03:53 pm »
2FA is not new, e.g. SIM cards, ATM cards. A password (something you know) is, I think, a strange concept for security: it can be stolen easily and remotely, without even realizing it has been stolen. Also you cannot memorize so many different passwords, so you will reuse them, making the issue even worse. In a non-online world a password might be enough, but at the moment it is not. I think the actual issue is how to make 2FA more transparent to the user, e.g. by using biometrics and secure environments in mobile devices.
 
The following users thanked this post: wraper

Offline jonovid (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1546
  • Country: au
    • JONOVID
Re: 2FA two step verification & the obsession with security
« Reply #3 on: February 12, 2022, 11:49:27 pm »
If I need one of them USB thumb drive 2FA verification keys, how do I know if it's trustworthy? They are not free!
It's a bit like buying a crypto wallet; is the USB thumb drive 2FA online retailer's site trustworthy? Will Google, Microsoft & Apple Inc find it acceptable?
Hobbyist with a basic knowledge of electronics
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #4 on: February 13, 2022, 12:37:26 am »
Quote
I'm more upset about rules for passwords, that is really getting out of hand.

No kidding. I have to use a system where the password must be >12 characters, contain letters, numbers, caps (but fortunately no punctuation, yet), and can't be one that's been used before. And you get forced to change it every 4 weeks. Sometimes I want to cry.

Meanwhile, if I log into Starling bank online it needs the app on my phone to say that's OK, so first I need to authenticate with that app (fingerprint), then it tells the website I am me and the website then shows a QR code which the app then uses the phone camera to verify, and then I am in. It's probably quite secure and, on the whole, preferable to having to stick a debit card into a card reader (neither of which I typically have with me when I want to do online banking).
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: nl
Re: 2FA two step verification & the obsession with security
« Reply #5 on: February 13, 2022, 12:51:07 am »
If I need one of them USB thumb drive 2FA verification keys, how do I know if it's trustworthy? They are not free!

Yubico has been around for 15 years, so you can trust them by reputation. Solokey is open source, so you can trust them by reading the code. Nothing is absolute, but you can pick your poison.
 
The following users thanked this post: Someone, JohanH, newbrain

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3051
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: 2FA two step verification & the obsession with security
« Reply #6 on: February 13, 2022, 01:09:10 am »
TOTP (Time-based One Time Password) is the mechanism by which most 2FA works.

Plenty of existing libraries to do it in various languages - even an Arduino can do it.  You need a reasonably accurate clock and to be able to do a SHA1 hash, and that's about the biggest complexity.

For your "backup in case something goes wrong", you can print/save/screenshot the QR/text-based key, and just rescan that any time.  Sites that use 2FA will also often have one-time-password lists you can generate to use for that purpose, or can email you a one-time-password.

Also sites may not require you to use the 2FA all the time, typically only if they see you come from a system that they haven't seen before, like a new user agent, a browser that doesn't have their session cookie, an IP address in a different country, or whatever makes their system want to be sure it's you.

Don't get me wrong, I'm not a total fan of 2FA myself; strong unique passwords are good enough for almost all purposes.  But, for some things, you want just that bit extra and it's not actually that complicated.

If you do at some point get a mobile phone, then the 2FAS app works well and has a backup function to your google drive.
« Last Edit: February 13, 2022, 01:10:59 am by sleemanj »
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8134
  • Country: gb
Re: 2FA two step verification & the obsession with security
« Reply #7 on: February 13, 2022, 01:21:27 am »
...

Spoken like somebody who has never had to deal with having accounts compromised.
 
The following users thanked this post: tom66, janoc, Bassman59, tooki, newbrain, Buriedcode

Offline Someone

  • Super Contributor
  • ***
  • Posts: 5155
  • Country: au
    • send complaints here
Re: 2FA two step verification & the obsession with security
« Reply #8 on: February 13, 2022, 03:08:33 am »
TOTP (Time-based One Time Password) is the mechanism by which most 2FA works.

Plenty of existing libraries to do it in various languages - even an Arduino can do it.  You need a reasonably accurate clock and to be able to do a SHA1 hash, and that's about the biggest complexity.
Except, many of the services requiring 2FA actively (and intentionally) work against letting you bring your own solutions:
https://github.com/abrasive/mygov-totp-enroll
Trying to force you to use their app. Or they only offer TOTP in addition to/after verification by a mobile phone SMS.
...
Spoken like somebody who has never had to deal with having accounts compromised.
2FA makes sense for things that are valuable/sensitive, but asking students to 2FA so they can access course material? At some point it's just "security" because it's little to no cost to the operator, ignoring the costs to the users.
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #9 on: February 13, 2022, 07:40:48 am »
TOTP or HOTP is pretty simple to use and implement, and available on many platforms as mentioned. The issue is there is always some private/secret material involved that has to be kept securely. That was what distinguished it from the hardware solutions like those from RSA. Recent mobile devices have secure execution/storage ICs, so this problem is theoretically solved, but it is still up to the developer to implement it correctly because the secure execution area is most of the time not directly open to developers. The industry is/was (I am not working on this topic anymore) moving to challenge-response/signature mechanisms rather than OTP. There FIDO enters the picture, and it is I think the main implementation now.
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #10 on: February 13, 2022, 07:43:45 am »
If I need one of them USB thumb drive 2FA verification keys, how do I know if it's trustworthy? They are not free!
It's a bit like buying a crypto wallet; is the USB thumb drive 2FA online retailer's site trustworthy? Will Google, Microsoft & Apple Inc find it acceptable?

Just get one from a well known company like Yubico; I am sure there are many others. Currently all should be based on FIDO, so a certification would be a good indication.
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #11 on: February 13, 2022, 07:51:46 am »
2FA makes sense for things that are valuable/sensitive, but asking students to 2FA so they can access course material? At some point it's just "security" because it's little to no cost to the operator, ignoring the costs to the users.

I understand the point and you are right to some extent. However, it may not matter, because on that site to download course material there can be, for example, user data, so the security of that site is also important. There might not be any sensitive data now, but there might possibly be in the future etc. It is not a bad practice. I 100% agree about the cost to the user. It was quite far from seamless in the past; now it is getting simpler (password managers, FIDO, biometrics etc), but there are still some obstacles.
 
The following users thanked this post: Someone

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: 2FA two step verification & the obsession with security
« Reply #12 on: February 13, 2022, 10:49:27 am »
You should want it.

The reason for enforcing rules and why most companies require 2FA is because people absolutely suck at passwords. So much so that the top five most common passwords should make you cringe.

Even Trump reused an already absolutely crap password across multiple services. When one got leaked (maga2020!), his Twitter got hacked. This would be mitigated by good password hygiene (which is hard for people) or 2FA which is comparatively easy.
 
The following users thanked this post: ve7xen, wraper, tooki, newbrain

Offline magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
Re: 2FA two step verification & the obsession with security
« Reply #13 on: February 13, 2022, 11:22:29 am »
And nothing has happened because Trump's twatter got pwnzored.

Which is why you shouldn't care when it comes to stupid things.

But it's 100% what Monkeh said: the companies themselves don't want to deal with the drama of users getting compromised, so they shove security down their throat.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 5155
  • Country: au
    • send complaints here
Re: 2FA two step verification & the obsession with security
« Reply #14 on: February 13, 2022, 11:26:15 am »
2FA makes sense for things that are valuable/sensitive, but asking students to 2FA so they can access course material? At some point it's just "security" because it's little to no cost to the operator, ignoring the costs to the users.
I understand the point and you are right to some extent. However, it may not matter, because on that site to download course material there can be, for example, user data, so the security of that site is also important. There might not be any sensitive data now, but there might possibly be in the future etc. It is not a bad practice. I 100% agree about the cost to the user. It was quite far from seamless in the past; now it is getting simpler (password managers, FIDO, biometrics etc), but there are still some obstacles.
Agree 100% on all you are saying; it's a lot of lazy implementation that is the friction here. Extending the example above, 2FA can easily be required for "higher" access within a system that has levels of sensitive information/control. Plenty of well thought out services already have this in place, where you can do the cheap/easy login to go through everyday things but a challenge comes up when you do something unusual or with exposure commensurate to that. That sort of tiered security was in place well before 2FA became a thing, requiring the user to acknowledge/recognise the relative value of their access. Having a single level of login may cheapen the differentiation and will lead back to complacency by users.

The OP is probably also put out by the security being dictated/chosen for them by the service provider. Long gone are the days of setting up an anonymous/throwaway email address with a brand name provider. Many people would be fine with minimal security on their worthless accounts, but layers of perceived unnecessary security are pushed as mandatory. Another example: I don't link payment details with webshop accounts, for instance, but someone who does have their platinum card linked to their account may well want 2FA at some point in that chain (some credit cards are now mandating that).
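The tiered ("step-up") login that Someone describes above, and the "only challenge when the context looks new" behaviour sleemanj mentioned earlier in the thread, boil down to a small policy decision on the server. The following is an added illustration written for this thread, not code from any poster or service; the action tiers, the freshness limits (24 h for tier 1, 5 min for tier 2) and the device/country signals are constructed assumptions chosen to show the shape of such a policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: how sensitive each action is.  Tier 0 is everyday use,
# tier 2 is anything that changes who controls the account or where money goes.
ACTION_TIER = {
    "view_course_material": 0,
    "post_message": 0,
    "checkout": 1,
    "change_email": 2,
    "change_password": 2,
    "add_payment_card": 2,
}

# Assumed policy: how recent the last 2FA must be for each tier (seconds).
MFA_FRESHNESS = {1: 24 * 3600, 2: 5 * 60}


@dataclass
class Session:
    user_id: str
    device_known: bool                    # browser presented a device cookie we issued earlier
    country: str                          # country of the current request
    home_country: str                     # country the account normally logs in from
    mfa_verified_at: Optional[int] = None # unix time of the last successful 2FA, None if never


@dataclass
class Decision:
    require_mfa: bool
    reason: str


def step_up_decision(session: Session, action: str, now: int) -> Decision:
    """Decide whether this request must pass 2FA before the action proceeds."""
    tier = ACTION_TIER.get(action, 2)     # unknown actions get the strictest tier
    unfamiliar = (not session.device_known) or (session.country != session.home_country)
    age = None if session.mfa_verified_at is None else now - session.mfa_verified_at

    # New device or location: challenge once, then let the session proceed.
    if unfamiliar and age is None:
        return Decision(True, "unfamiliar device or location and no 2FA yet this session")
    if tier == 0:
        return Decision(False, "low-sensitivity action")
    max_age = MFA_FRESHNESS[tier]
    if age is None or age > max_age:
        return Decision(True, f"tier {tier} action needs 2FA within the last {max_age}s")
    return Decision(False, f"tier {tier} action covered by 2FA {age}s ago")


if __name__ == "__main__":
    now = 1_700_000_000
    s = Session("alice", device_known=True, country="AU", home_country="AU", mfa_verified_at=now - 3600)
    for action in ("view_course_material", "checkout", "add_payment_card"):
        print(action, step_up_decision(s, action, now))
```

Reading course material from a known laptop never prompts; checking out with a card on file is fine if 2FA happened earlier that day; adding a new card asks again unless 2FA was within the last five minutes. The same user on a new device is challenged exactly once, which is the "we haven't seen this system before" case from earlier in the thread.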
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
Re: 2FA two step verification & the obsession with security
« Reply #15 on: February 13, 2022, 11:31:12 am »
GMail isn't the only "brand name provider".

Last time I checked, Microsoft still allowed signups without phone numbers and bullshit like that. You did have to do some captcha thing.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: 2FA two step verification & the obsession with security
« Reply #16 on: February 13, 2022, 12:38:14 pm »
In case you go for a FIDO token get two, one for daily use and the second one as backup token. Register both with each 2FA account. The problem is that you can't copy/backup/restore those tokens. If you have just one and it breaks or you lose it, you will have a lot of fun recovering access to your accounts. Most services support having multiple tokens, but the odd one might only allow a single token. BTW, hardware tokens usually provide higher security than apps on your mobile phone.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: nl
Re: 2FA two step verification & the obsession with security
« Reply #17 on: February 13, 2022, 01:21:17 pm »
It's a shame FIDO is explicitly designed to prevent cloning, even by the user.

I'd really prefer a paper backup of the private key.
 

Online JohanH

  • Frequent Contributor
  • **
  • Posts: 669
  • Country: fi
Re: 2FA two step verification & the obsession with security
« Reply #18 on: February 13, 2022, 02:07:40 pm »
TOTP (Time-based One Time Password) is the mechanism by which most 2FA works.

Plenty of existing libraries to do it in various languages - even an Arduino can do it.  You need a reasonably accurate clock and to be able to do a SHA1 hash, and that's about the biggest complexity.


I'd set up google-authenticator in PAM on the Raspberry Pi. Suddenly one day it didn't accept my TOTP. I had of course forgotten to set up ntp on the Raspberry, which lacks an internal hardware clock, and the clock had drifted. But I waited for half a minute (for the next round of codes) and then it accepted the old code. With ntp it works without problems.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 13157
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #19 on: February 13, 2022, 02:37:41 pm »
Recently Google, Microsoft and others have started pushing two-step verification
and having an obsession with security.  :scared:
As if it was a big threat to them.
As a non-phone owner,
I never asked for this level of security. I never asked for more verifications.

[…]
My point is the obsession with security is not coming from us users, but Google, Microsoft & Apple Inc,
who are the paranoid users that say we want this.
The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.

The fact that we’re moving everything to 2FA isn’t a show of “paranoia”, but rather a fully justified condemnation of 1FA.
 
The following users thanked this post: ve7xen, Bassman59, newbrain, mansaxel

Online JohanH

  • Frequent Contributor
  • **
  • Posts: 669
  • Country: fi
Re: 2FA two step verification & the obsession with security
« Reply #20 on: February 13, 2022, 03:07:40 pm »
Recently Google, Microsoft and others have started pushing two-step verification
and having an obsession with security.  :scared:
As if it was a big threat to them.
As a non-phone owner,
I never asked for this level of security. I never asked for more verifications.

[…]
My point is the obsession with security is not coming from us users, but Google, Microsoft & Apple Inc,
who are the paranoid users that say we want this.
The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.

The fact that we’re moving everything to 2FA isn’t a show of “paranoia”, but rather a fully justified condemnation of 1FA.

True. Users and security experts have demanded of the "big ones" for years to implement 2FA. Partly in the hope of getting rid of utterly useless password rules and crappy "security" questions about mother's maiden names etc. In those places where they still have these useless security questions, my mother's maiden name is typically "QJfBG$$NB7Z3MeKd#pNM7f@Tb" or similar.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: 2FA two step verification & the obsession with security
« Reply #21 on: February 13, 2022, 03:14:29 pm »
Not everything! But important services should employ 2FA, e.g. home banking and your main email account (-> password recovery). 2FA isn't anything new; I've been using it for 20+ years.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #22 on: February 13, 2022, 04:07:18 pm »
Would you want to do 2FA to get onto EEVBlog?
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 13157
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #23 on: February 13, 2022, 06:37:19 pm »
Eevblog isn’t the keys to the castle that email accounts, Google logins, and Apple IDs are. It can’t be used to gain access to other sites/services/devices.
 
The following users thanked this post: newbrain

Online JohanH

  • Frequent Contributor
  • **
  • Posts: 669
  • Country: fi
Re: 2FA two step verification & the obsession with security
« Reply #24 on: February 13, 2022, 07:32:29 pm »
Would you want to do 2FA to get onto EEVBlog?

I would have no issue with entering a TOTP code the first time and when changing password, or changing browser/computer and similar situations. But it is true that forums like this don't necessarily need that level of security. 2FA or TOTP isn't the answer to everything. However, we still have a big fundamental problem when some people use the same password on eevblog as on other sites. I can't know this, but I'm fairly certain.
 
The following users thanked this post: newbrain

