Author Topic: Two factor authentication with phone, is it secure enough?  (Read 4880 times)


Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #25 on: March 10, 2023, 09:25:45 am »
More sites should offer 2FA.

Agree, more sites should offer 2FA, but as an option only.
What buggers me is the trend to make 2FA mandatory.

That's why, for example, I gave up using github.  There are other similar git websites that do not enforce 2FA.  For me, 99% of my online accounts are disposable, including the github one.  Why would I bother with 2FA on any of these?

All these mandatory 2FA websites act as if an account there were the ultimate goal in life, worth protecting at all costs.  I'm so sick and tired of unsolicited protection.

With time, unsolicited help always turns into some sort of exploitation from the "benevolent helper" side, even when the initial help was not planned as an exploitation.  Talking here about any kind of unsolicited help, this is not about computers only.
« Last Edit: March 10, 2023, 09:29:34 am by RoGeorge »
 
The following users thanked this post: SiliconWizard, freda

Online Marco

  • Super Contributor
  • ***
  • Posts: 6686
  • Country: nl
Re: Two factor authentication with phone, is it secure enough?
« Reply #26 on: March 10, 2023, 09:34:34 am »
Passkeys are the future, shame about the ecosystem lock in.

From the user point of view it's pretty much the same as a password manager with random string passwords, except the site can request presence or biometric authentication and passwords are handled with PKI as they should be.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #27 on: March 10, 2023, 09:48:47 am »
Passkeys are the future, shame about the ecosystem lock in.

From the user point of view it's pretty much the same as a password manager with random string passwords, except the site can request presence or biometric authentication and passwords are handled with PKI as they should be.

It's not PKI. It's asymmetric keys. PKI involves certificates and chains of trust.
With an asymmetric key pair the private key never leaves the device, as is the case with an HSM or smart cards.

Was it really supposed to do that?
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6686
  • Country: nl
Re: Two factor authentication with phone, is it secure enough?
« Reply #28 on: March 10, 2023, 09:58:32 am »
With an asymmetric key pair the private key never leaves the device, as is the case with an HSM or smart cards.

That's the difference between traditional U2F and Passkeys, the latter do leave the device. Your iPhone can have the exact same passkey as your Macbook, also Apple can maintain a cloud backup of your passkeys which can be downloaded to a new device.

The usage model for traditional U2F is far too unfriendly for normal users, having to register multiple authentication devices for a single website is bunk. Cross device syncing (or less politically correct, cloning) and cloud backup are a necessity for mainstream adoption.
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #29 on: March 10, 2023, 10:05:52 am »
I'd suggest reading up on it a bit more. It avoids PKI because of the inherent problems with PKI and the constant renewal of expiring credentials.

After ploughing through other SSO stuff in the past like OpenID, OAuth, SAML, Shibboleth, BrowserID, and others, all of which ended up being horribly failure-prone, I just lumped Fido in as yet another one (because it looks and sounds a lot like the others did) and didn't have the energy to search out the necessary third-party analysis on whether it can be used safely or not.  It could well be perfectly OK, it's just part of a large collection of similar attempts that ended up being awfully failure-prone once deployed, which is why I'm still sceptical about it.

And yes, that could be an unfair assessment, it just comes from a long line of protocols with a very poor track record, sort of like buying yet another 18650 off Aliexpress and hoping that this time it'll finally have the stated capacity :-).  In any case I'll have a longer look at it when I get time.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1169
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #30 on: March 10, 2023, 12:24:08 pm »
all the SIM swapping attacks
If you compared SMS 2FA to some other authentication method, it would at least be debatable. But you are making a statement that no security is better than security that has some small chance of failing.(1) Huh?

I am not sure what the goal of mentioning poor implementation is. I don’t disagree with the accuracy of your observation: I just do not see what it supports. Hard recovery is not weakening the security.


(1) SIM swaps are slow and expensive. They never were and it doesn’t seem they ever could be applicable to anybody but high-value targets. The hole is also absurdly trivial to patch.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #31 on: March 10, 2023, 01:02:18 pm »
It's commonly agreed upon that SMS 2FA is better than no 2FA at all, even though TOTP also in my opinion is better.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #32 on: March 10, 2023, 02:45:08 pm »
Two factor authentication never ever blocked a hack attempt, in my experience.  Never.  It only blocked me from using my own accounts.  Many times.  The stupidest thing ever.

Not only did it save my ass once, but I was happy to see the scammer was very pissed off because my psw in his hands was useless.
That said, the implementation is horrible sometimes.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Online alm

  • Super Contributor
  • ***
  • Posts: 2836
  • Country: 00
Re: Two factor authentication with phone, is it secure enough?
« Reply #33 on: March 10, 2023, 03:35:01 pm »
Agree, more sites should offer 2FA, but as an option only.
What buggers me is the trend to make 2FA mandatory.
Many password managers offer TOTP secret storage and token generation. Obviously this is a step down compared to storing the secret on a different device, but it could be a solution for those mandatory 2FA sites that you don't care about.

With TOTP no personal information, like phone numbers, has to be exchanged either, although some sites insist on having a phone number as "backup".

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1169
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #34 on: March 10, 2023, 03:35:32 pm »
Two factor authentication never ever blocked a hack attempt, in my experience.  Never.  It only blocked me from using my own accounts.  Many times.  The stupidest thing ever.
Strong words, considering that:
  • You do not know that your private, personal experience has no value as an argument here. These are low-probability events and they are not even uniformly distributed across the population.
  • You do not realize that the information you see is asymmetrical: you almost always know about failures, but virtually never about successes. The disproportion is enormous. Which makes the experience itself false.
  • You fail to observe the Sagan standard.(1)
  • Practices you described earlier show negligence regarding security.


(1) There is a debate on how much improvement 2FA brings. Including positions on possibly better options, inadequacy or relative weakness of some specific 2FA mechanisms (e.g. the SMS mention above), abandoning password-based authentication altogether, and what is the right balance. But yours is not among them.
« Last Edit: March 10, 2023, 03:43:41 pm by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #35 on: March 10, 2023, 04:14:49 pm »
You missed the "in my experience" part.  Do as many security measures as you wish, but do not make them mandatory.  Not everybody cherishes an online account the same way.  If you need strong security, that's fine from my side, use those measures for your accounts.

Do not enforce your security needs on my account.  That's what my rant is about.
 
The following users thanked this post: Zucca

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #36 on: March 10, 2023, 04:24:13 pm »
Forcing users is never good. Agreed.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Online alm

  • Super Contributor
  • ***
  • Posts: 2836
  • Country: 00
Re: Two factor authentication with phone, is it secure enough?
« Reply #37 on: March 10, 2023, 04:36:42 pm »
Most people will not voluntarily choose to put in extra work for more security. If average Jane/Joe could log in by just typing in their name, they would. So expect all the big platforms to force their users to be more secure and move away from this failed idea called password authentication. If this doesn't work for you, you might have to move to more niche or self-hosted services.
 
The following users thanked this post: Zucca

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #38 on: March 10, 2023, 05:20:04 pm »
(1) SIM swaps are slow and expensive. They never were and it doesn’t seem they ever could be applicable to anybody but high-value targets. The hole is also absurdly trivial to patch.

Poorly secured SS7 provides a much more professional way to redirect SMS.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1169
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #39 on: March 10, 2023, 05:51:43 pm »
You missed the "in my experience" part.
I made a comment on exactly that and only that part, so I am pretty sure I did not miss it.

Do not enforce your security needs on my account.  That's what my rant is about.
I commented on the argument against 2FA, not about your preferences.

The rest is also not as straightforward as simply saying “leave it to me”, but I didn’t even touch it and am not willing to.
« Last Edit: March 10, 2023, 05:53:45 pm by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #40 on: March 10, 2023, 07:34:44 pm »
Most people will not voluntarily choose to put in extra work for more security. If average Jane/Joe could log in by just typing in their name, they would. So expect all the big platforms to force their users to be more secure and move away from this failed idea called password authentication. If this doesn't work for you, you might have to move to more niche or self-hosted services.

True, but why not set up a big red warning to let them know what the consequences are? I mean, better to be transparent than bossy.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #41 on: March 11, 2023, 05:49:47 am »
2FA, posted in another thread, today:

Much to many's dismay beamin is back,

I got my tablet stolen with all my accounts two factors and crypto got hacked, the person that found my tablet was computer savvy and almost cost me 6k$ in crypto, not to mention ruining all my email and phone accounts including this account.

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #42 on: March 13, 2023, 01:49:38 pm »
I am wondering how well the access to that tablet was protected...
It looks like he built an impenetrable fortress on quicksand.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #43 on: March 13, 2023, 04:47:14 pm »
Usually 2FA apps are protected by a password or biometric authentication.
 

Online alm

  • Super Contributor
  • ***
  • Posts: 2836
  • Country: 00
Re: Two factor authentication with phone, is it secure enough?
« Reply #44 on: March 13, 2023, 06:57:23 pm »
2FA, posted in another thread, today:

...
This anecdote proves as much about the effect of multi-factor authentication on security as an article about a car crash with a fatal outcome proves about the effect of seat belts on safety.

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5613
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #45 on: March 13, 2023, 11:28:26 pm »
I would never save credentials in a browser. They are extraordinarily easy to extract.

Use a reputable password manager (I prefer Bitwarden) with a browser plug-in/application for your phone.
 
The following users thanked this post: SeanB

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #46 on: March 14, 2023, 03:02:26 am »
I have KeePass, anyone else using it?
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: Two factor authentication with phone, is it secure enough?
« Reply #47 on: March 14, 2023, 04:25:00 am »
I have KeePass, anyone else using it?

I have used Keepass as my password manager since 2014...

3 database copies: one on the system with me at the moment, another on the NAS at home and an offsite one.

Then when any change is made they are merged and updated.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #48 on: March 14, 2023, 02:16:22 pm »
I have KeePass, anyone else using it?

I used Keepass in the past, also command line version. DB in cloud for easy replication. But at one point there were problems that some platforms moved to 2.x format and some stayed on 1.x. So I got lazy and then moved to Bitwarden. It's also available for virtually all platforms.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #49 on: March 15, 2023, 04:03:01 am »
Many thanks!

I am done with the homework!

For now, here is my idea:

1) Bitwarden Premium
2) 2FA in Bitwarden with the Yubico authenticator app on my phone (not on my PC)
3) Yubico app on my phone with NFC activation
4) Yubikey 5 NFC attached on my necklace
5) Phone unlock with fingerprint

The idea is to use the NFC Yubikey only to unlock the Bitwarden vault... so I should tap my phone on my chest only at the beginning, and I do not have to take my Yubikey off my necklace and plug it into my PC.

Until... I set up a local server in my garage and run Bitwarden locally at home, which could be a bummer if the internet at home is down and I am out.....
« Last Edit: March 15, 2023, 04:07:20 am by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 
