2FA two step verification & the obsession with security
ve7xen:

--- Quote from: metebalci on February 14, 2022, 08:16:06 pm ---
--- Quote from: dunkemhigh on February 14, 2022, 04:45:26 pm ---Now it's assumed everyone  has a phone, it's always with them, and it's always the same phone (or, at least, the same number).

--- End quote ---

I always argued that the phone number/SMS OTP is not a proper 2FA. The phone number does not fully belong to you. A mobile operator can connect your number to another SIM without you realizing; there were fraud cases because of this when SMS OTP started to be used by banks 10+ years ago. It is not a big issue anymore, but I still think there is a difference and I prefer not to use it if there is an alternative.

--- End quote ---

It bothers me quite a bit. 'SIM swapping' means this generally just degrades to 'what's your mother's maiden name' type security that the phone company uses to 'secure' your account with them. If even that, since the phone reps tend to be too lazy to bother verifying this. The only difference is that it requires a bit of targeted effort by the attacker, but for high enough value targets, it's totally worth it. And there's plenty of evidence of this actually happening in the real world, it's not like it's a theoretical attack.

When it's available it's also *very often* the only method offered. Which is just absurd. It's more costly and more difficult to implement the much less secure SMS-based OTP than standard TOTP, so it just makes no sense at all why at the very least services don't offer both. Especially when it's something high security, like the Canada Revenue Agency that recently started requiring '2FA' but only offer it via SMS  |O. Same with one of my credit cards. It's infuriating because not only is it less secure, it's *much* less convenient.

Likewise anyone that tries to force you to use their own authenticator app is  |O. We have standards for this for a reason. The standards mean the friction is lower for users, so they are more likely to use it / use it correctly. Looking at you Steam, I have no reason to have your mobile app installed.

As far as forcing it on users, I think it's perfectly reasonable for anything that confers an identity or has economic consequence. It should have come earlier.

For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.
metebalci:

--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---
It bothers me quite a bit. 'SIM swapping' means this generally just degrades to 'what's your mother's maiden name' type security that the phone company uses to 'secure' your account with them. If even that, since the phone reps tend to be too lazy to bother verifying this. The only difference is that it requires a bit of targeted effort by the attacker, but for high enough value targets, it's totally worth it. And there's plenty of evidence of this actually happening in the real world, it's not like it's a theoretical attack.


--- End quote ---

Naturally this is not easy to do in practice. The cases I know involve identity theft, which is I guess a bigger problem than stealing the phone number. But still I think theoretically it is wrong to assume hardware based (eg TOTP) and SMS based OTP are the same.


--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---
When it's available it's also *very often* the only method offered. Which is just absurd. It's more costly and more difficult to implement the much less secure SMS-based OTP than standard TOTP, so it just makes no sense at all why at the very least services don't offer both. Especially when it's something high security, like the Canada Revenue Agency that recently started requiring '2FA' but only offer it via SMS  |O. Same with one of my credit cards. It's infuriating because not only is it less secure, it's *much* less convenient.


--- End quote ---

I think the implementation complexity depends. I tend to think an SMS based solution is simpler considering everything. Because devices change and TOTP or any security tokens are not always migrated to new devices, whereas the phone number does not change, this is a big plus for operations for SMS based solutions.


--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---
Likewise anyone that tries to force you to use their own authenticator app is  |O. We have standards for this for a reason. The standards mean the friction is lower for users, so they are more likely to use it / use it correctly. Looking at you Steam, I have no reason to have your mobile app installed.


--- End quote ---

I think it is converging to standards but it is hard for regulated domains eg financial institutions to quickly adapt.


--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---
For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.


--- End quote ---

Don't know the worldwide status, but there are actually countries other than Estonia providing certificates equivalent to real identity through SIM or card etc. based solutions that can be used for things like accessing bank or e-government services or contract signing, so effectively replacing the wet signature.
ve7xen:

--- Quote from: metebalci on February 14, 2022, 10:26:21 pm ---Naturally this is not easy to do in practice. The cases I know involve identity theft, which is I guess a bigger problem than stealing the phone number. But still I think theoretically it is wrong to assume hardware based (eg TOTP) and SMS based OTP are the same.
--- End quote ---

It probably varies quite a bit on regional regulations, competence of the phone provider, and the like. But at least in my own non-malicious dealings with the phone company, it seems like it'd be pretty trivial if you know some basic information about the legitimate owner, they barely do anything that could be called 'identity verification' at all. And if you fail you can just call back and try again with a different rep. Eventually you're likely to be successful. There are more than enough anecdotes to demonstrate that it's not good enough.


--- Quote ---I think the implementation complexity depends. I tend to think an SMS based solution is simpler considering everything. Because devices change and TOTP or any security tokens are not always migrated to new devices, whereas the phone number does not change, this is a big plus for operations for SMS based solutions.
--- End quote ---

There are pros and cons for support considerations and whatnot, but this isn't what I meant by implementation. If you want to do SMS-based OTP, you need to interact with a 3rd-party service to deliver those SMS messages, but all the rest is basically the same, you need to generate key material, produce OTPs and so on just like you would with TOTP. Since there's a 3rd-party integration involved though, I'm considering it more complicated. But I guess you could argue that having to produce your own UI to manage TOTP and recovery codes and the like swings the balance.


--- Quote ---I think it is converging to standards but it is hard for regulated domains eg financial institutions to quickly adapt.
--- End quote ---

I'll give them the benefit of the doubt if they've had a 2FA implementation in place for a long time and it happens to have been based on SMS. Many of these are things that have come online recently though. CRA added their requirement last tax-year. The credit card I complained about added their SMS verification to online transactions and their web app in 2020. The TOTP RFC is more than a decade old at this point, it's not really an acceptable excuse, especially when the SMS way is incredibly weak.


--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---Don't know the worldwide status, but there are actually countries other than Estonia providing certificates equivalent to real identity through SIM or card etc. based solutions that can be used for things like accessing bank or e-government services or contract signing, so effectively replacing the wet signature.

--- End quote ---

Glad to hear it :-+!
mansaxel:

--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---
For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.

--- End quote ---

With the caveat that it is a separate government-approved entity that issues the ID, I just today used one of my electronic IDs to fetch and store a Covid-19 vaccination certificate from the government agency who deal with this.

Increasingly, we can use electronic identification to access services; most government systems require it. I must use it to access my children's school systems, when I file my taxes (which for most people is about as complicated as logging in and saying, "Yes, it's correct" because the tax forms come pre-printed with all collected data here. Unless I've sold stock I can do the same most years.), when I book an appointment for vaccination, and when I log in to pay my bills. Of course online gambling uses it for age checks, and in many online shops showing ID lets them populate shipping address etc. and also check if they can invoice you or you need to pay upfront.

Quite convenient. But of course could be even better.
metebalci:

--- Quote from: ve7xen on February 14, 2022, 10:37:50 pm ---There are pros and cons for support considerations and whatnot, but this isn't what I meant by implementation. If you want to do SMS-based OTP, you need to interact with a 3rd-party service to deliver those SMS messages, but all the rest is basically the same, you need to generate key material, produce OTPs and so on just like you would with TOTP. Since there's a 3rd-party integration involved though, I'm considering it more complicated. But I guess you could argue that having to produce your own UI to manage TOTP and recovery codes and the like swings the balance.

--- End quote ---

That is right, you need to use a service provider for sending SMS. This was more difficult in the past but now there are non-operator providers, Twilio etc., which makes the integration (both technical and non-technical) simpler. Sometimes the mobile operators have a different service to be used by banks for OTPs due to security, availability and performance concerns, this may make it a bit more complicated.

The key material issue is not the same for both. With SMS OTP, you can just randomly generate a code, keep it and its timestamp in the database, and then check when the user enters it. With TOTP, there is a need to share symmetric key material because TOTP is generated with an HMAC algorithm, so both generator/user and verifier/service need to know the secret. Sharing the secret can be as simple as generating/entering some numbers/codes, a QR code, or an online key exchange algorithm. When there is key material, it has to be kept securely; for example banks may want to use an HSM. The same is true for the client side implementation: the key material has to be kept on the device (phone) securely, so the implementation is not as simple as just keeping any data (however it became simpler in recent years).

A service/bank etc. probably already has some SMS service provider integration, so it is pretty simple for them to code this. It probably takes more time to create user documentation for it. TOTP or any such implementation (FIDO etc.) is more complicated, because some things provided by the SIM card and GSM network have to be replicated. Potentially an HSM is involved. Because this is considerably more complex than SMS OTP, the security review will probably also take longer.

I might be a bit biased. I started working on these when the TOTP/HOTP specs were still drafts and OTP/2FA was not mainstream, and worked until TOTP/HOTP (there is also OCRA for signing) became mainstream and FIDO appeared. Now, I guess everybody knows more about these, so the implementation process might be more seamless than I think.
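Editor's added example, not code from either poster: the two verifier designs metebalci contrasts above (a random SMS code stored with its timestamp versus an HMAC-based TOTP that needs a shared secret), which is also the "generate key material, produce OTPs" work ve7xen refers to earlier in the thread. It is written in Python with RFC 4226/6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the in-memory `SmsOtpStore` class, the `provisioning_uri` helper and the user/issuer names are assumptions standing in for the database, the enrolment QR code and real accounts, and the SMS provider call is left to the caller.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# ---- TOTP side: both parties hold the same secret (RFC 4226 HOTP, RFC 6238 TOTP) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Verifier side. Accepts +/- `window` steps to absorb clock drift; nothing is stored per login."""
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False

def new_totp_secret() -> bytes:
    """Enrolment: the service generates the shared secret (this is the key material that must be protected)."""
    return secrets.token_bytes(20)

def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI usually shown as a QR code so the user's app gets the same secret (hypothetical names)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&algorithm=SHA1&digits=6&period=30"

# ---- SMS OTP side: no shared key, just a random code remembered with its timestamp ----

class SmsOtpStore:
    """Assumed in-memory stand-in for the database table holding pending codes."""

    def __init__(self, ttl: int = 300, max_attempts: int = 5):
        self.ttl = ttl                  # seconds a code stays valid
        self.max_attempts = max_attempts  # guesses allowed before the code is discarded
        self._pending = {}

    def issue(self, user: str, now: int) -> str:
        """Generate a fresh 6-digit code and record it; the caller hands it to the SMS provider."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = {"code": code, "issued": now, "attempts": 0}
        return code

    def verify(self, user: str, code: str, now: int) -> bool:
        """Check against the stored code: expired or over-tried codes are dropped, a match is single-use."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        if now - rec["issued"] > self.ttl or rec["attempts"] >= self.max_attempts:
            del self._pending[user]
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["code"], code):
            del self._pending[user]
            return True
        return False

if __name__ == "__main__":
    secret = new_totp_secret()
    print(provisioning_uri(secret, "ExampleBank", "alice@example.test"))
    now = int(time.time())
    print("TOTP now:", totp(secret, now), "verifies:", verify_totp(secret, totp(secret, now), now))
    store = SmsOtpStore()
    sms_code = store.issue("alice", now)   # would be sent via the SMS provider here
    print("SMS code verifies:", store.verify("alice", sms_code, now + 20))
```

The contrast the block makes concrete: `verify_totp` keeps no per-login state but depends on `secret` being stored safely on both sides (hence the HSM and secure-element concerns above), while `SmsOtpStore` needs only a random code plus timestamp, and its security rests entirely on the SMS channel and on the expiry, attempt limit and single-use checks in `verify`.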