Author Topic: Two factor authentication with phone, is it secure enough?  (Read 4884 times)


Online JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #50 on: March 15, 2023, 07:04:14 am »


Until... I set up a local server in my garage and run Bitwarden locally at home, which could be a bummer if the internet at home is down and I am out.....

It stores a copy locally, so opening the vault will work. You can't just synchronize changes.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #51 on: March 15, 2023, 08:00:08 am »
1) Bitwarden Premium
2) 2 SFA in Bitwarden with authenticator App Yubico on my phone (not in my PC)
3) Yubico app on my phone with NFC activation
4) Yubikey 5 NFC attached on my necklace
5) Phone unlock with fingerprint
6) Driving a tank with a week of water supply and a toilet: to prevent rubber-hose cryptanalysis.

I am not saying your idea is invalid or unnecessary. I do not know your situation and threat model. But remember that overengineering is as bad to security as negligence or ignorance.

Security is a balance between many factors. Convenience is one of them. Security measures that are too burdensome are not only a pain in the ass, but decrease security. A brain naturally seeks ways to reduce effort and in the end circumvents the security. This is like having 3 doors and 20 locks to your apartment: in the critical moment you will have only one lock closed and it will be one which is weaker than what you would have if you had only started with one door with 2 strong locks.(1)

Again, I want to stress: I do not say your idea is bad! But it has 5 factors involved in protecting the target resource, which sounds like much. So just re-evaluate whether it will not end up with your brain trying hard to avoid going through that path each time you need to authenticate. And I tell you, your brain is much cleverer than you are, and has a master's degree in deception.


(1) Nerds feeling an urge to educate me on physical security and adequacy of locks: this is a picture drawn to explain a different subject and whatever one thinks about locks is irrelevant.
« Last Edit: March 15, 2023, 08:03:35 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: JohanH

Online JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #52 on: March 15, 2023, 08:52:04 am »
Ars Technica has a new article that at a first glance looks like they are bashing 2FA TOTP:

https://arstechnica.com/information-technology/2023/03/software-for-sale-is-fueling-a-torrent-of-phishing-attacks-that-bypass-mfa/

I.e. TOTP bad --> don't use

Right?

No, what they are saying is that even with 2FA based on TOTP, you can be hacked by this particular man-in-the-middle hack, if you are tricked into using the web page and inputting your 2FA code. In this case it wouldn't matter if you used 2FA SMS or no 2FA at all.

That doesn't mean using TOTP is worse. But if you don't know how to interpret the article it could sound like that. The opposite is true. Using only a password is worse in most situations, except this one.

Conclusion is that there is currently no other solution to prevent this particular hack except FIDO2 solutions. I would look into Yubico devices, but they are still expensive for personal use.
 
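The distinction JohanH draws (a relay proxy defeats TOTP but not FIDO2), as an added illustration that is not code from the Ars Technica article or from any poster: the TOTP check sees only a code and cannot tell where it was typed, while a WebAuthn relying party rejects an assertion whose browser-supplied origin is not its own. RP_ORIGIN, the look-alike origin, the secrets and the challenge are constructed, and HMAC stands in for the authenticator's real ECDSA/EdDSA signature.

```python
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://vault.example"  # the genuine site; constructed name for this example

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_login_ok(secret: bytes, code: str, t: int) -> bool:
    # The server sees only a 6-digit code, never the page it was typed into.
    return hmac.compare_digest(totp(secret, t), code)

def sign_assertion(cred_key: bytes, challenge: str, origin: str) -> dict:
    """What browser + authenticator return. The browser, not the user, fills in 'origin'
    with the page that actually called WebAuthn. HMAC replaces the real signature (assumption)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return {"clientDataJSON": client_data,
            "signature": hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()}

def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks: signature, fresh challenge, and origin == our own site."""
    cd = json.loads(assertion["clientDataJSON"])
    expected_sig = hmac.new(cred_key, assertion["clientDataJSON"], hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["signature"])
            and cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge
            and cd.get("origin") == RP_ORIGIN)

def relay_attack_demo(t: int = 1_700_000_000) -> dict:
    """Same attacker-in-the-middle scenario against both factors. Secrets are constructed."""
    secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"
    phish_origin = "https://vault-example.login-help.test"  # constructed look-alike domain
    # TOTP: victim types the code on the look-alike page; the proxy replays it 5 s later.
    totp_accepted = totp_login_ok(secret, totp(secret, t), t + 5)
    # FIDO2: the proxy forwards the RP's real challenge, but the browser stamps the phishing origin.
    challenge = "constructed-random-challenge"  # real RPs use fresh random bytes per login
    relayed = sign_assertion(cred_key, challenge, phish_origin)
    genuine = sign_assertion(cred_key, challenge, RP_ORIGIN)
    return {"totp_relay_accepted": totp_accepted,
            "fido_relay_accepted": rp_verify(cred_key, challenge, relayed),
            "fido_genuine_accepted": rp_verify(cred_key, challenge, genuine)}
```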

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #53 on: March 15, 2023, 01:11:48 pm »
It stores a copy locally, so opening the vault will work. You can't just synchronize changes.

I need to do more research on this, I didn't yet since it is a future project.
Even if I VPN in my local network I can't sync the changes?
Or did I not understand your statement?
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #54 on: March 15, 2023, 01:14:31 pm »
No, what they are saying is that even with 2FA based on TOTP, you can be hacked by this particular man-in-the-middle hack, if you are tricked into using the web page and inputting your 2FA code. In this case it wouldn't matter if you used 2FA SMS or no 2FA at all.
That doesn't mean using TOTP is worse. But if you don't know how to interpret the article it could sound like that. The opposite is true. Using only a password is worse in most situations, except this one.
Conclusion is that there is currently no other solution to prevent this particular hack except FIDO2 solutions. I would look into Yubico devices, but they are still expensive for personal use.

This, anyway I spent 50USD for my Yubikey with FIDO2 support, it does not break the bank.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #55 on: March 15, 2023, 01:18:47 pm »
6) Driving a tank with a week of water supply and a toilet: to prevent rubber-hose cryptanalysis.

I will try my idea out and report back.
To me it is the best compromise between the extra work/actions needed to get into the data and the security level achieved.

In other words, 5 or 8 security levels are not a big difference to me if all I have to do is just 2 clicks and 1 tap with my phone to my chest to get 4 numbers once a day.
« Last Edit: March 15, 2023, 01:32:35 pm by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Online JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #56 on: March 15, 2023, 01:57:43 pm »

Even if I VPN in my local network I can't sync the changes?


As I've understood it, while being offline, the vault is read-only and you can't make changes. Whenever you are online (including via VPN), you will be able to create new changes.
 
The following users thanked this post: Zucca

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #57 on: March 15, 2023, 02:29:23 pm »
This, anyway I spent 50USD for my Yubikey with FIDO2 support, it does not break the bank.

Having just one Yubikey is a SPOF as you can't backup/restore it. So you need at least two in case one breaks or vanishes into thin air.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #58 on: March 15, 2023, 02:44:37 pm »
It stores a copy locally, so opening the vault will work. You can't just synchronize changes.

I need to do more research on this, I didn't yet since it is a future project.
Even if I VPN in my local network I can't sync the changes?
Or did I not understand your statement?

With most password managers you can create your own 'cloud PW manager' by storing the database in a network folder, e.g. a local server or some cloud storage. It's a bit more work than a native cloud PW manager, but you can change the PW manager or storage service at any time without much hassle (no service lock-in).
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #59 on: March 15, 2023, 03:04:37 pm »
Having just one Yubikey is a SPOF as you can't backup/restore it. So you need at least two in case one breaks or vanishes into thin air.

Or you need to have the long numeric recovery code provided at the SFA setup to pierce through the SFA in Bitwarden and deactivate it until the new Yubikey arrives.
PS: This is why it will be on my necklace.
« Last Edit: March 15, 2023, 03:10:58 pm by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #60 on: March 19, 2023, 02:17:59 am »
Yubikey NFC 5 secured with an M3 screw in my wallet



Happy ending.

Thanks everybody!
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #61 on: March 19, 2023, 08:38:57 pm »
Speaking of that, what kind of security key would you guys recommend these days?

Yubikey seems to be one of the top players currently. Always good to know alternatives too.

One thing I've noticed - at least with Yubikey products - is that there is no model with both NFC and a fingerprint reader.
I would like a security key with fingerprint, but I would like NFC as well.
Of course I understand that NFC may not provide enough power to the key to power a fingerprint reader, so that's likely the main reason why it's not offered.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6687
  • Country: nl
Re: Two factor authentication with phone, is it secure enough?
« Reply #62 on: March 19, 2023, 08:50:53 pm »
I was looking around to see if there were any programmable Java Cards with a fingerprint sensor, with open API access to the fingerprint verification ... if it exists I can't find it. Smartcards with fingerprint sensor powered by NFC do exist, but it's all proprietary.

I did see Feitian has a pretty nice form factor FIDO2 key with fingerprint sensor and NFC though. Not an endorsement of the quality, only thing I know about it is that it looks nice.
« Last Edit: March 19, 2023, 08:52:56 pm by Marco »
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #63 on: March 19, 2023, 08:55:57 pm »
I did see Feitian has a pretty nice form factor FIDO2 key with fingerprint sensor and NFC though. Not an endorsement of the quality, only thing I know about it is that it looks nice.

Ah, thanks. Looks good indeed.
 

Offline artag

  • Super Contributor
  • ***
  • Posts: 1058
  • Country: gb
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #65 on: March 27, 2023, 03:40:15 am »


Interesting, SFA and everything bypassed by a session token....
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5614
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #66 on: March 27, 2023, 03:52:46 am »
Interesting, SFA and everything bypassed by a session token....

I think the more salient point here is that someone at LTT downloaded and executed malware on their machine, which enabled the threat actor to exfiltrate data from the web browsers installed on that machine. It's basically like giving someone access to your physical machine if you have a password saved or a session open.

This highlights four key issues:

1. Whatever antivirus/EDR tool they are using (if any) was insufficient.
2. There wasn't enough separation between their critical infrastructure (which includes their cloud services like YouTube) and files originating externally from untrusted sources.
3. Staff training/awareness/knowledge was insufficient.
4. Their Disaster Recovery/Incident Response plan was lacking or non-existent.
« Last Edit: March 27, 2023, 04:12:54 am by Halcyon »
 
The following users thanked this post: bitwelder, Zucca

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #67 on: March 27, 2023, 04:44:12 am »
Session IDs are still a very serious security concern, and at this point are a ridiculously large hole. You can use 2FA all you want, if you have a session open that never expires by itself...
I talked about it in another thread. Google accounts in that regard have a serious problem.
Of course you would throw your Android phone away if it kept asking for your credentials. There's a conundrum to solve here.

And regarding YT (or any Google account for that matter), being able to delete all videos or some account entirely without having to at least re-enter your credentials (these are some drastic actions that should warrant an extra step) is mind-bogglingly stupid. Fortunately there are services that will re-ask for credentials even when you're logged in for issuing some types of actions. But not YT. Hats off.
« Last Edit: March 27, 2023, 04:46:37 am by SiliconWizard »
 
The following users thanked this post: Zucca

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #68 on: March 27, 2023, 12:44:36 pm »
As always, it's a tradeoff between security and convenience.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #69 on: March 27, 2023, 01:50:34 pm »
I think the more salient point here is that someone at LTT downloaded and executed malware on their machine,

Wise words Halcyon! So if you have malware running in the background, there is nothing you can do?
I imagine even FIDO2 or any other highest security concept/method is at risk with malware....

I understand the data extraction from the infected PC, but how did they send the data out to themselves? I do not know.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #70 on: March 27, 2023, 02:10:19 pm »
Session IDs are still a very serious security concern, and at this point are a ridiculously large hole.

Amen, I always browse in incognito and delete all cookies and history at shutdown. I do not know if it helps.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #71 on: March 27, 2023, 03:40:15 pm »
It depends on how the session management of the website is implemented and how often you delete cookies. A bad website would set an auth/session cookie which never expires after the first login. As long as the cookie isn't deleted it's used as a magic key any time you visit the website again, i.e. you don't need to re-login. If the bad guy is able to hijack that cookie before you delete it then he can use it to access the website. The same can also happen for short-lived cookies (the bad guy needs to be quick enough). However, the attacker can't hijack what is not there.
 
The following users thanked this post: SiliconWizard
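The never-expiring auth cookie madires describes, and SiliconWizard's point that drastic actions should demand a fresh credential check, side by side as an added example that is none of the posters' code: a small server-side session store where a TTL of None reproduces the "bad website", while idle and absolute lifetimes plus a step-up window limit what an exfiltrated cookie is worth. The user, timestamps and lifetimes are constructed.

```python
import hashlib
import secrets

def _key(cookie: str) -> str:
    return hashlib.sha256(cookie.encode()).hexdigest()  # store hashes, not raw cookies

class SessionStore:
    """Server-side session table; times are epoch seconds, TTLs of None never expire."""
    def __init__(self, idle_ttl=None, absolute_ttl=None, reauth_window=300):
        self.idle_ttl, self.absolute_ttl, self.reauth_window = idle_ttl, absolute_ttl, reauth_window
        self._rows = {}
    def login(self, user: str, now: int) -> str:
        cookie = secrets.token_urlsafe(32)  # 256 random bits, never derived from user data
        self._rows[_key(cookie)] = {"user": user, "created": now, "seen": now, "auth": now}
        return cookie
    def resolve(self, cookie: str, now: int):
        """User for a cookie, or None if unknown or past the idle/absolute lifetime."""
        row = self._rows.get(_key(cookie))
        if row is None:
            return None
        if (self.idle_ttl is not None and now - row["seen"] > self.idle_ttl) or \
           (self.absolute_ttl is not None and now - row["created"] > self.absolute_ttl):
            self.revoke(cookie)  # expired: drop it so it cannot be replayed later either
            return None
        row["seen"] = now
        return row["user"]
    def may_do_drastic(self, cookie: str, now: int) -> bool:
        """Step-up: destructive actions need a recent authentication, not just a live session."""
        row = self._rows.get(_key(cookie))
        return self.resolve(cookie, now) is not None and now - row["auth"] <= self.reauth_window
    def reauthenticate(self, cookie: str, now: int) -> None:
        self._rows[_key(cookie)]["auth"] = now  # password / FIDO2 re-entered successfully
    def revoke(self, cookie: str) -> None:
        self._rows.pop(_key(cookie), None)  # logout or forced invalidation

def stolen_cookie_demo() -> dict:
    """Replays exfiltrated cookies ten days after login against both policies (constructed data)."""
    day, t0 = 24 * 3600, 1_700_000_000
    weak = SessionStore()  # the 'bad website': nothing ever expires
    strict = SessionStore(idle_ttl=day, absolute_ttl=7 * day)
    cw, cs = weak.login("alice", t0), strict.login("alice", t0)
    later = t0 + 10 * day
    fresh = strict.login("alice", later)  # legitimate new login on the strict site
    before = strict.may_do_drastic(fresh, later + 3600)  # an hour in: session live, auth stale
    strict.reauthenticate(fresh, later + 3600)
    return {"weak_replay_works": weak.resolve(cw, later) == "alice",
            "strict_replay_works": strict.resolve(cs, later) == "alice",
            "drastic_without_reauth": before,
            "drastic_after_reauth": strict.may_do_drastic(fresh, later + 3600)}
```

Deleting cookies at shutdown, as Zucca does, is the client-side version of the same idea: a token that no longer exists anywhere cannot be replayed.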

