General > General Technical Chat
2FA two step verification & the obsession with security
ve7xen:
--- Quote from: metebalci on February 15, 2022, 06:55:12 am ---The key material issue is not the same for both. With SMS OTP, you can just randomly generate a code, keep it and its timestamp in the database, and then check when the user enters it. With TOTP, there is a need to share a symmetric key material because TOTP is generated with a HMAC algorithm, so both generator/user and verifier/service needs to know the secret. Sharing the secret can be as simple as generating/entering some numbers/codes, a QR code, or an online key exchange algorithm. When there is a key material, that has to be kept securely, for example banks may want to use HSM. The same is true for the client side implementation, the key material has to be kept on the device (phone) securely, so the implementation is not as simple as just keeping any data (however it became simpler in recent years).
--- End quote ---
Yeah, I realized I'd overlooked this a while after I posted, but didn't think it was worth an edit. You're coming at this from clearly a different side of the equation than me, but in my experience, any time you have to involve a 3rd party service, the complexity balloons substantially. Things I can keep entirely in-house are easier to manage, easier to (continually) test, and easier to rely on, but that might not be the equation for everyone. I imagine that's especially true if you can 'outsource' most of the certification work and liability.
--- Quote ---One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (sods law says they will start with 15 seconds to go).
--- End quote ---
I'm definitely not a fan of product-specific authenticators. For one, it's annoying. For two, it's a security-critical purpose, and I don't trust random lowest-bid app developers working in a completely different domain to do it properly. NIH is a real problem with security-critical code.
Maybe I'm just one of the kids these days, but I think the number of people who have ditched their phone number entirely is higher than the number of people that don't own a device that can run a TOTP authenticator, which is practically any general purpose computing device made in the last 20 years. This forced SMS authentication is one of the things holding us back from ditching our phone service, to be honest. I don't use it for much of anything else.
In general though, I think both can be a bit of an accessibility problem, but it is much worse with SMS. Not everyone can afford to maintain consistent access to a cell phone plan, and losing your phone number shouldn't be made such a pain in the ass, e.g. if you move. Tying authentication to a third-party for-pay service really just stinks to me, it's so user-hostile. Even the homeless these days often have access to a device that they use with WiFi etc, it's much more ubiquitous and reasonable to expect that someone own a device that is now quite cheap than pay for a monthly service. Hell, FIDO keys are simple and cheap enough to manufacture that you can practically give them away.
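The two server-side models contrasted in the quoted post (an SMS code that is just a random value stored with its timestamp, versus TOTP where both sides must hold the same HMAC secret) can be shown side by side. The following is an added example, not code from any poster in this thread: a minimal RFC 6238 TOTP generator/verifier, and a hypothetical `SmsOtpStore` class (the name and its interface are this example's own) that does what the SMS side needs. The TOTP verifier also accepts one time step either side of "now", which is the usual mitigation for the "race to type before the timeout" complaint raised in the second quote.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`.
    Both the client app and the server run exactly this with the same `secret`."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, algorithm=hashlib.sha1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either side,
    so a code read near the end of a 30 s step (or with modest clock drift) still works.
    A real deployment should also refuse to accept the same counter value twice."""
    base = at // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class SmsOtpStore:
    """Hypothetical server-side store for delivered SMS codes (assumed name/interface).
    No shared secret exists: the server keeps only the random code, its issue time and
    an attempt counter. Codes are single-use, expire after `ttl_seconds`, and are
    discarded after `max_attempts` wrong guesses to stop brute-forcing a 6-digit space."""

    def __init__(self, ttl_seconds: int = 300, digits: int = 6, max_attempts: int = 5):
        self.ttl = ttl_seconds
        self.digits = digits
        self.max_attempts = max_attempts
        self._pending = {}  # user -> [code, issued_at, attempts]

    def issue(self, user: str, now: int) -> str:
        """Generate a code with a CSPRNG and record it; the return value would go to the SMS gateway."""
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._pending[user] = [code, now, 0]
        return code

    def verify(self, user: str, code: str, now: int) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored, issued, attempts = entry
        if now - issued > self.ttl or attempts >= self.max_attempts:
            del self._pending[user]  # expired or exhausted: force a fresh code
            return False
        entry[2] += 1
        if hmac.compare_digest(stored, code):
            del self._pending[user]  # single use
            return True
        return False


if __name__ == "__main__":
    # Shared-secret model: the RFC 6238 reference secret, SHA-1, 8 digits.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8), totp(rfc_secret, 1111111109, digits=8))

    # No-shared-secret model: constructed timeline in seconds.
    store = SmsOtpStore()
    sent = store.issue("alice", 1000)
    print(store.verify("alice", sent, 1100), store.verify("alice", sent, 1101))
```

The two RFC 6238 test vectors used in the `__main__` block (secret `12345678901234567890`, T=59 and T=1111111109 with SHA-1) make it easy to check a TOTP implementation against an independent authenticator app before trusting it. Note what each model has to protect: for TOTP the `secret` bytes on both ends, for SMS only the short-lived table of pending codes plus the delivery channel itself.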
PlainName:
--- Quote ---FIDO keys are simple and cheap enough to manufacture that you can practically give them away
--- End quote ---
Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.
ve7xen:
--- Quote from: dunkemhigh on February 15, 2022, 09:43:03 pm ---
--- Quote ---FIDO keys are simple and cheap enough to manufacture that you can practically give them away
--- End quote ---
Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.
--- End quote ---
I was talking specifically about the accessibility issues around assuming everyone has a phone with active (and continuous, or you will lose the number the account is tied to) service. SMS 2FA is getting forced on us for 'critical' things, and it does not address the accessibility issues at all. Yes, it's not ideal to have something else to carry around, and I agree it may not make sense if you own a suitable device, I'm specifically talking about those who don't, and the possibility of support organizations providing them cheap FIDO keys as an alternative to a smartphone. It's much better than expecting them to go to a bank branch or government service centre to have any access to the services at all.
Edit: Not to mention the problems that arise if you're outside of cellular service range (particularly if that's your home location) and need to do an auth check. Sometimes if you're very lucky, a POTS fallback is offered, but it's usually to the same number, so it works (sorta) for people who only have a landline, but is useless if you're out of service. Oh and many of these services block 'VoIP' numbers, though like geolocating IPs, detecting that is horribly unreliable since MNP (my main number is an ex-VoIP number that was ported and is now attached to my cellular service - and I've run into this issue with both Steam and Uber). SMS 2FA / tying accounts to mobile service in general is just a horrible solution.
Cerebus:
--- Quote from: dunkemhigh on February 15, 2022, 09:43:03 pm ---
--- Quote ---FIDO keys are simple and cheap enough to manufacture that you can practically give them away
--- End quote ---
Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.
--- End quote ---
You do realise that these literally fit onto a keyring don't you? I don't know about you but if I'm out of the house then my keyring is in my pocket complete with the authentication and authorisation tokens for my house and car (mechanical keys) which I'm already obligated to carry and keep track of. Adding another key to the ring hardly increases the burden of responsibility much. Whereas I often deliberately don't always take my phone out with me.
Someone:
--- Quote from: dunkemhigh on February 15, 2022, 09:43:03 pm ---
--- Quote ---FIDO keys are simple and cheap enough to manufacture that you can practically give them away
--- End quote ---
Which misses the user perspective that they are yet another thing you have to carry around with you and lose. Something on a phone works because everyone has a phone now (at least, those that don't are rare) and typically everyone has their phone with them. Phones score well because the shite cameras in them are better than the really good camera you left at home because you didn't want to carry it around 'just in case'. While keys remain a separate item, and particularly when they are a niche item, they're going to remain least desired method of authenticating.
--- End quote ---
As the above posters mention, it's great that you would prefer something else, and it should be an option to you. Just as not having SMS should be an option to others.
Thinking here of people complaining all buildings have ramps as access, when they would prefer stairs.