Author Topic: Two factor authentication with phone, is it secure enough?  (Read 4885 times)


Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Two factor authentication with phone, is it secure enough?
« on: March 10, 2023, 01:31:53 am »
....of course nothing is secure enough, and it is just another layer of security.

Browser software nowadays offers quite often a feature to save username and password for website logins.
I never trusted the above for critical stuff, but I now realize that all my critical logins require a two factor authentication with my phone.

Since saving the login data in a browser is a terrible idea from a security point of view, it is sooo practical on the other hand...

I am wondering if, since I have the two factor authentication active, I could safely let Firefox store and keep my critical login data...

What do you think?
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #1 on: March 10, 2023, 01:59:30 am »
How do you manage passwords now? If it is a small set of passwords for all sites, then this is pretty much the worst of all options.

Use a real password manager with audited code and implementation. My personal preference is Bitwarden, but there are others. And whatever you do, do not use LastPass.

Browser password store is not the best option. Plus it is the least portable one.
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 
The following users thanked this post: 5U4GB

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #2 on: March 10, 2023, 02:07:38 am »
It's better to use your browser's password manager, and define a different, strong password for each different website/service you use, than to not use its password manager, and since it becomes less convenient, use fewer different passwords. Hands down.

Now there are also dedicated password managers, they are more secure than your browser's one until some horrific security hole is found in them. Which will invariably happen sooner or later.

Of course two-factor authentication mitigates the problem for critical services.

As to copying your stored passwords, it's usually just a matter of copying the corresponding database in your profile, the exact location depends on your browser and OS. It's not rocket science and I've done that successfully before. Of course, synchronizing password lists this way is not practical, so to be used preferably in a single-way fashion.

With all that said, I'm not advocating any particular approach here. Just giving a couple thoughts.
« Last Edit: March 10, 2023, 02:09:53 am by SiliconWizard »
 
The following users thanked this post: 5U4GB

Offline dobsonr741

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #3 on: March 10, 2023, 02:08:47 am »
Well said. Bitwarden, 1Password, to name a few. These password wallets can act as the multi factor authentication token too, super convenient. Use a sufficiently strong password on these wallets. And put proper locking on your phone, in addition.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #4 on: March 10, 2023, 04:23:49 am »
How do you manage passwords now?

A horrible Excel file with a different password, different username and different email for each website.
Every time I need to open that file it makes me sick; it has become huge and ugly.

Bitwarden looks sexy, I will do my homework.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #5 on: March 10, 2023, 04:26:38 am »
“Secure enough” is a meaningless phrase without specifying the threat model.

I do not see how passphrases being managed by the browser is a security concern. Quite the opposite: the browser verifies you are actually filling an authentication form from the right domain.(1) That greatly increases the difficulty of phishing attacks, but is not being done in any other realistic scenario.

2FA is an example of applying the defence in depth principle, which by definition increases security. But it also increases burden. It is up to you to decide what level of balance between security and comfort you want to choose. No other person can make that decision for you.


(1) External password managers may have a similar feature. But it is implemented as an add-on, which brings us back to the same point: the browser.

People imagine AI as T1000. What we got so far is glorified T9.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #6 on: March 10, 2023, 04:30:26 am »
Many websites and applications are moving away from passwords and using Fido instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).
Was it really supposed to do that?
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #7 on: March 10, 2023, 04:31:40 am »
One way password managers are better than native browser store is that browser will happily export the passwords in the clear while password managers would ask for the master password.

So, if threat model includes physical access to the PC, then browser store is not secure at all. Still better than a spreadsheet.
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #8 on: March 10, 2023, 04:33:30 am »
being managed by the device keystore and never leaving the device (unlike passwords).
Which makes it a nightmare to manage if you want to access the service from multiple devices. Also, I have not seen any of those in practice, so I don't know how "many" there actually are.

Plus now that Apple embraced it, in a typical Apple way, I expect them to screw it up somehow.
« Last Edit: March 10, 2023, 04:35:21 am by ataradov »
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #9 on: March 10, 2023, 04:37:50 am »
being managed by the device keystore and never leaving the device (unlike passwords).
Which makes it a nightmare to manage if you want to access the service from multiple devices. Also, I have not seen any of those in practice, so I don't know how "many" there actually are.

Plus now that Apple embraced it, in a typical Apple way, I expect them to screw it up somehow.

There are many. Bigger ones from Google and most Social Media systems along with Apple.
The device problem is addressed in multiple ways.

Was it really supposed to do that?
 

Offline IanB

  • Super Contributor
  • ***
  • Posts: 11771
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #10 on: March 10, 2023, 04:39:01 am »
One way password managers are better than native browser store is that browser will happily export the passwords in the clear while password managers would ask for the master password.

How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #11 on: March 10, 2023, 04:42:06 am »
How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
Both Firefox and Chrome will do this.

You may need to be logged in to your account, but do you really log out all the time?

I use Firefox as a secondary browser and I don't have any accounts set up, and it lets you export the passwords; there is not even a master password to enter. I don't want to log out of Chrome to check.
« Last Edit: March 10, 2023, 04:46:45 am by ataradov »
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #12 on: March 10, 2023, 04:42:47 am »
https://bitwarden.com/blog/host-your-own-open-source-password-manager/

well the above feature is very important to me. Privacy is also important.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline IanB

  • Super Contributor
  • ***
  • Posts: 11771
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #13 on: March 10, 2023, 05:33:15 am »
How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
Both Firefox and Chrome will do this.

You may need to be logged in to your account, but do you really log out all the time?

I use Firefox as a secondary browser and I don't have any accounts set up, and it lets you export the passwords; there is not even a master password to enter. I don't want to log out of Chrome to check.

Not Chrome in my experience. Even when logged in there is no way to reveal passwords without secondary verification.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #14 on: March 10, 2023, 05:39:10 am »
Not Chrome in my experience. Even when logged in there is no way to reveal passwords without secondary verification.
I just added a saved password and in the autofill settings there is an eye icon next to each password that shows it. And close to it there is an export option that just saves all of them in a file. All of this without being asked for any additional verification.

Although this article https://www.alphr.com/view-google-chrome-saved-passwords/ suggests that it should ask for the OS (?) password. I'm using official Chrome on Linux and see nothing like that.
« Last Edit: March 10, 2023, 05:41:12 am by ataradov »
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #15 on: March 10, 2023, 06:04:22 am »
I have a text file with websites, usernames and partial passwords.

By partial passwords I mean I only write down hint letters, hints that only I know what group of letters or words they have to be replaced with, so as to form the password.  That equivalence between pass hints and their corresponding chars is not noted down anywhere, I just know them by heart.

About two factor authentication, it's horrible, because it makes you dependent on a second device (what do you do if your phone goes belly up?), and because it automatically discloses your identity (your phone number is also your global UUID).

I was once auto-enrolled by the bank into some shitty second authentication for online payments, and as a result I was unable to make payments with a debit card because of no phone battery.  To make it even more ridiculous, the outside payments (i.e. Aliexpress) were accepted without SMS confirmation, only the EU payments were needing a second pass by phone SMS.  I had to walk to the bank to be unsubscribed from such crap.  :horse:

In my eyes, dual authentication is nothing but surveillance, extra data harvesting, and constant nagging if you log from another device.

Same with password complexity:  the only times when I've lost an account it was because of a site database leak, not because of brute forcing my password that didn't have enough numbers and special chars.  >:(

Two factor authentication never ever blocked a hack attempt, in my experience.  Never.  It only blocked me from using my own accounts.  Many times.  The stupidest thing ever.

Offline IanB

  • Super Contributor
  • ***
  • Posts: 11771
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #16 on: March 10, 2023, 06:05:48 am »
Although this article https://www.alphr.com/view-google-chrome-saved-passwords/ suggests that it should ask for the OS (?) password. I'm using official Chrome on Linux and see nothing like that.

That's odd. You are supposed to be asked for either your Google account password or your OS account password. I don't use Linux so I can't account for that. Is it possible you are using some kind of reduced security settings?
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #17 on: March 10, 2023, 06:09:12 am »
Many websites and applications are moving away from passwords and using Fido instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).

The problem with these mechanisms, stuff like OAuth being the poster child, is that it's almost impossible to use correctly on the server side, it's so bad that the author of the OAuth spec actually resigned from the editor position rather than be further associated with it.  So with randomly-chosen per-site passwords, as several people have pointed out, you're about as safe as you can make yourself.  With single-point-of-failure systems like OAuth and others you're only as safe as any site you use or your auth provider is.  If they get popped it's game over for you and everyone else using them.

In terms of phone-based 2FA, the OP needs to specify which 2FA they're talking about, is it SMS or a 2FA app using (typically) TOTP?  Those are pretty good, I'd recommend looking at Authy for that and then use it for any critical account where money can change hands.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #18 on: March 10, 2023, 06:12:23 am »
what you do if your phone goes belly up?
All 2FA comes with a set of recovery codes. You use one of the codes.

SMS confirmation
SMS 2FA is worse than no 2FA.

Two factor authentication never ever blocked a hack attempt, in my experience.
It may not be for you, but 2FA for sure stops a lot of account takeover attempts for people that are targeted in attacks.
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #19 on: March 10, 2023, 06:12:49 am »
About two factor authentication, it's horrible, because it makes you dependent of a second device (what you do if your phone goes belly up?), and because it automatically disclose your identity (your phone number is also your global UUID).

Not with a 2FA app that does TOTP, which is what a great many sites and probably all the ones you care about use.  It's effectively just a challenge/response calculator based on a seed value (your password) that you provide, so you can set it up on a new device with only a password.  In terms of good-enough 2FA it's probably the best option out there, it's entirely under your control (no centralised single point of failure) and portable across devices.
 
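The "challenge/response calculator based on a seed value" that 5U4GB describes is TOTP (RFC 6238), which is HOTP (RFC 4226) run over a time counter. The Go below is an added example written for this thread, not code from any poster or from any authenticator app: it computes and verifies codes from a shared seed, uses the RFC 6238 test seed so the first printed value can be checked against the RFC's own table, and shows why an exported seed is all a replacement phone needs. The one-step drift window and the constant-time comparison are choices made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// hotp computes an RFC 4226 one-time code for a counter value using
// HMAC-SHA1, the default algorithm in nearly every authenticator app.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is Unix time divided into 30-second steps.
// The only secret involved is the seed, which is why a seed backed up from
// one device sets up another one without any server interaction.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// verifyTOTP is the server side: accept the current step and one step either
// side to tolerate clock drift, compare in constant time, and keep checking
// all steps so the timing does not reveal which one matched.
func verifyTOTP(secret []byte, code string, unixTime int64, digits int) bool {
	ok := false
	submitted := []byte(strings.TrimSpace(code))
	for skew := int64(-1); skew <= 1; skew++ {
		step := unixTime/30 + skew
		if step < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(step), digits)), submitted) {
			ok = true
		}
	}
	return ok
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 Appendix B test seed
	fmt.Println(totp(seed, 59, 8))          // 94287082, the RFC's SHA1 vector for T=59
	fmt.Println(totp(seed, time.Now().Unix(), 6))
}
```

A server must also remember the last step it accepted for each user and refuse a repeat of it; without that, a code observed in transit stays valid for the rest of its 30-second window.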

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #20 on: March 10, 2023, 06:14:02 am »
SMS 2FA is worse than no 2FA.

[Citation needed]
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #21 on: March 10, 2023, 06:14:09 am »
Is it possible you are using some kind of reduced security settings?
No idea, but I don't really care, I'm very happy with my password manager.

It is good if this asks the password from the people that actually use it. Although it is still weaker than the password manager security where your key actually encrypts the stored data.
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #22 on: March 10, 2023, 06:15:33 am »
[Citation needed]
Personal opinion + all the SIM swapping attacks + it is usually set up by incompetent idiots (banks mostly at this point), so recovery is hard or impossible.
« Last Edit: March 10, 2023, 06:18:47 am by ataradov »
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #23 on: March 10, 2023, 06:28:45 am »
Many websites and applications are moving away from passwords and using Fido instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).

The problem with these mechanisms, stuff like OAuth being the poster child, is that it's almost impossible to use correctly on the server side, it's so bad that the author of the OAuth spec actually resigned from the editor position rather than be further associated with it.  So with randomly-chosen per-site passwords, as several people have pointed out, you're about as safe as you can make yourself.  With single-point-of-failure systems like OAuth and others you're only as safe as any site you use or your auth provider is.  If they get popped it's game over for you and everyone else using them.

In terms of phone-based 2FA, the OP needs to specify which 2FA they're talking about, is it SMS or a 2FA app using (typically) TOTP?  Those are pretty good, I'd recommend looking at Authy for that and then use it for any critical account where money can change hands.

It's not OAuth. The reason it was created was partly because of problems with OAuth.
Webauthn is built into all modern browsers and Fido is well documented and has been in use for several years now. It's very transparent which is why you probably don't think you've seen it.
I'd suggest reading up on it a bit more. It avoids PKI because of the inherent problems with PKI and the constant renewal of expiring credentials.

Was it really supposed to do that?
 

Online JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #24 on: March 10, 2023, 08:40:56 am »
I'm using the following.

Bitwarden with passwords synced to all devices. Bitwarden passwords can also be exported if you want to migrate to another format. You could also set up your own Bitwarden server, if you don't trust the provided one.

AndOTP app as 2-factor (TOTP) on the phone. 2-factor list is exported in encrypted format to my own cloud storage, so easy to restore to a new phone.

There are 500+ entries in Bitwarden, but only 30+ 2FA sites. More sites should offer 2FA. The most important sites do provide 2FA (TOTP).
 
The following users thanked this post: Zucca
