Author Topic: Two factor authentication with phone, is it secure enough?  (Read 4882 times)


Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Two factor authentication with phone, is it secure enough?
« on: March 10, 2023, 01:31:53 am »
....of course nothing is secure enough, and it is just another layer of security.

Browser software nowadays offers quite often a feature to save username and password for website logins.
I never trusted the above for critical stuff, but I now realize that all my critical logins require a two factor authentication with my phone.

Since saving the login data in a browser is a terrible idea on a security point of view, it is sooo practical on the other hand...

I am wondering if since I have the two factor authentication active I could safely let FireFox to store and keep my critical logins data...

What do you think?
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #1 on: March 10, 2023, 01:59:30 am »
How do you manage passwords now? If it is a small set of passwords for all sites, then this is pretty much the worst of all options.

Use a real password manager with audited code and implementation. My personal preference is Bitwarden, but there are others. And whatever you do, do not use LastPass.

Browser password store is not the best option. Plus it is least portable one.
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 
The following users thanked this post: 5U4GB

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #2 on: March 10, 2023, 02:07:38 am »
It's better to use your browser's password manager, and define a different, strong password for each different website/service you use, than to not use its password manager, and since it becomes less convenient, use fewer different passwords. Hands down.

Now there are also dedicated password managers, they are more secure than your browser's one until some horrific security hole is found in them. Which will invariably happen sooner or later.

Of course two-factor authentication mitigates the problem for critical services.

As to copying your stored passwords, it's usually just a matter of copying the corresponding database in your profile, the exact location depends on your browser and OS. It's not rocket science and I've done that successfully before. Of course, synchronizing password lists this way is not practical, so to be used preferably in a single-way fashion.

With all that said, I'm not advocating any particular approach here. Just giving a couple thoughts.
« Last Edit: March 10, 2023, 02:09:53 am by SiliconWizard »
 
The following users thanked this post: 5U4GB

Offline dobsonr741

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #3 on: March 10, 2023, 02:08:47 am »
Well said. Bitwarden, 1Password, to name a few. These password wallets can act as the multi factor authentication token too, super convenient. Use a sufficiently strong password on these wallets. And put proper locking on your phone, in addition.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #4 on: March 10, 2023, 04:23:49 am »
How do you manage passwords now?

A horrible excel file with different password, different username and different email for each website.
Every time I need to open that file it makes me sick; it has become huge and ugly.

Bitwarden looks sexy, I will do my homework.
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #5 on: March 10, 2023, 04:26:38 am »
“Secure enough” is a meaningless phrase without specifying the threat model.

I do not see how passphrases being managed by the browser is a security concern. Quite the opposite: the browser verifies you are actually filling an authentication form from the right domain.(1) That greatly increases the difficulty of phishing attacks, but is not being done in any other realistic scenario.

2FA is an example of applying the defence in depth principle, which by definition increases security. But it also increases burden. It is up to you to decide what level of balance between security and comfort you want to choose. No other person can make that decision for you.


(1) External password managers may have a similar feature. But it is implemented as an add-on, which brings us back to the same point: the browser.

People imagine AI as T1000. What we got so far is glorified T9.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #6 on: March 10, 2023, 04:30:26 am »
Many websites and applications are moving away from passwords and using Fido instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).
Was it really supposed to do that?
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #7 on: March 10, 2023, 04:31:40 am »
One way password managers are better than native browser store is that browser will happily export the passwords in the clear while password managers would ask for the master password.

So, if threat model includes physical access to the PC, then browser store is not secure at all. Still better than a spreadsheet.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #8 on: March 10, 2023, 04:33:30 am »
being managed by the device keystore and never leaving the device (unlike passwords).
Which makes it a nightmare to manage if you want to access the service from multiple devices. Also, I have not seen any of those in practice, so I don't know how "many" there actually are.

Plus now that Apple embraced it, in a typical Apple way, I expect them to screw it up somehow.
« Last Edit: March 10, 2023, 04:35:21 am by ataradov »
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #9 on: March 10, 2023, 04:37:50 am »
being managed by the device keystore and never leaving the device (unlike passwords).
Which makes it a nightmare to manage if you want to access the service from multiple devices. Also, I have not seen any of those in practice, so I don't know how "many" there actually are.

Plus now that Apple embraced it, in a typical Apple way, I expect them to screw it up somehow.

There are many. Bigger ones from Google and most Social Media systems along with Apple.
The device problem is addressed in multiple ways.

 

Online IanB

  • Super Contributor
  • ***
  • Posts: 11771
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #10 on: March 10, 2023, 04:39:01 am »
One way password managers are better than native browser store is that browser will happily export the passwords in the clear while password managers would ask for the master password.

How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #11 on: March 10, 2023, 04:42:06 am »
How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
Both Firefox and Chrome will do this.

You may need to be logged in to your account, but do you really log out all the time?

I use Firefox as a secondary browser and I don't have any accounts set up, and it lets you export the passwords; there is not even a master password to enter. I don't want to log out of Chrome to check.
« Last Edit: March 10, 2023, 04:46:45 am by ataradov »
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #12 on: March 10, 2023, 04:42:47 am »
https://bitwarden.com/blog/host-your-own-open-source-password-manager/

well the above feature is very important to me. Privacy is also important.
 

Online IanB

  • Super Contributor
  • ***
  • Posts: 11771
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #13 on: March 10, 2023, 05:33:15 am »
How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
Both Firefox and Chrome will do this.

You may need to be logged in to your account, but do you really log out all the time?

I use Firefox as a secondary browser and I don't have any accounts set up, and it lets you export the passwords; there is not even a master password to enter. I don't want to log out of Chrome to check.

Not Chrome in my experience. Even when logged in there is no way to reveal passwords without secondary verification.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #14 on: March 10, 2023, 05:39:10 am »
Not Chrome in my experience. Even when logged in there is no way to reveal passwords without secondary verification.
I just added a saved password and in the autofill settings there is an eye icon next to each password that shows it. And close to it there is an export option that just saves all of them in a file. All of this without being asked for any additional verification.

Although this article https://www.alphr.com/view-google-chrome-saved-passwords/ suggests that it should ask for the OS (?) password. I'm using official Chrome on Linux and see nothing like that.
« Last Edit: March 10, 2023, 05:41:12 am by ataradov »
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #15 on: March 10, 2023, 06:04:22 am »
I have a text file with websites, usernames and partial passwords.

By partial passwords I mean I only write down hint letters, hints that only I know what group of letters or words they have to be replaced with, so as to form the password. That equivalence between pass hints and their corresponding chars is not noted down anywhere; I just know them by heart.

About two factor authentication, it's horrible, because it makes you dependent on a second device (what do you do if your phone goes belly up?), and because it automatically discloses your identity (your phone number is also your global UUID).

I was once auto-enrolled by the bank into some shitty second authentication for online payments, and as a result I was unable to make payments with a debit card because of no phone battery. To make it even more ridiculous, the outside payments (i.e. Aliexpress) were accepted without SMS confirmation; only the EU payments needed a second pass by phone SMS. I had to walk to the bank to be unsubscribed from such crap. :horse:

In my eyes, dual authentication is nothing but surveillance, extra data harvesting, and constant nagging if you log from another device.

Same with password complexity: the only times when I've lost an account it was because of a site database leak, not because of brute forcing my password that didn't have enough numbers and special chars. >:(

Two factor authentication never ever blocked a hack attempt, in my experience.  Never.  It only blocked me from using my own accounts.  Many times.  The stupidest thing ever.

Online IanB

  • Super Contributor
  • ***
  • Posts: 11771
  • Country: us
Re: Two factor authentication with phone, is it secure enough?
« Reply #16 on: March 10, 2023, 06:05:48 am »
Although this article https://www.alphr.com/view-google-chrome-saved-passwords/ suggests that it should ask for the OS (?) password. I'm using official Chrome on Linux and see nothing like that.

That's odd. You are supposed to be asked for either your Google account password or your OS account password. I don't use Linux so I can't account for that. Is it possible you are using some kind of reduced security settings?
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #17 on: March 10, 2023, 06:09:12 am »
Many websites and applications are moving away from passwords and using Fido instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).

The problem with these mechanisms, stuff like OAuth being the poster child, is that it's almost impossible to use correctly on the server side; it's so bad that the author of the OAuth spec actually resigned from the editor position rather than be further associated with it. So with randomly-chosen per-site passwords, as several people have pointed out, you're about as safe as you can make yourself. With single-point-of-failure systems like OAuth and others you're only as safe as any site you use or your auth provider is. If they get popped it's game over for you and everyone else using them.

In terms of phone-based 2FA, the OP needs to specify which 2FA they're talking about: is it SMS or a 2FA app using (typically) TOTP? Those are pretty good; I'd recommend looking at Authy for that and then use it for any critical account where money can change hands.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #18 on: March 10, 2023, 06:12:23 am »
what you do if your phone goes belly up?
All 2FA comes with a set of recovery codes. You use one of the codes.

SMS confirmation
SMS 2FA is worse than no 2FA.

Two factor authentication never ever blocked a hack attempt, in my experience.
It may not be for you, but 2FA for sure stops a lot of account takeover attempts for people that are targeted in attacks.
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #19 on: March 10, 2023, 06:12:49 am »
About two factor authentication, it's horrible, because it makes you dependent on a second device (what do you do if your phone goes belly up?), and because it automatically discloses your identity (your phone number is also your global UUID).

Not with a 2FA app that does TOTP, which is what a great many sites and probably all the ones you care about use.  It's effectively just a challenge/response calculator based on a seed value (your password) that you provide, so you can set it up on a new device with only a password.  In terms of good-enough 2FA it's probably the best option out there, it's entirely under your control (no centralised single point of failure) and portable across devices.
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #20 on: March 10, 2023, 06:14:02 am »
SMS 2FA is worse than no 2FA.

[Citation needed]
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #21 on: March 10, 2023, 06:14:09 am »
Is it possible you are using some kind of reduced security settings?
No idea, but I don't really care, I'm very happy with my password manager.

It is good if this asks the password from the people that actually use it. Although it is still weaker than the password manager security where your key actually encrypts the stored data.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
    • Personal site
Re: Two factor authentication with phone, is it secure enough?
« Reply #22 on: March 10, 2023, 06:15:33 am »
[Citation needed]
Personal opinion + all the SIM swapping attacks + it is usually set up by incompetent idiots (banks mostly at this point), so recovery is hard or impossible.
« Last Edit: March 10, 2023, 06:18:47 am by ataradov »
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #23 on: March 10, 2023, 06:28:45 am »
Many websites and applications are moving away from passwords and using Fido instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).

The problem with these mechanisms, stuff like OAuth being the poster child, is that it's almost impossible to use correctly on the server side; it's so bad that the author of the OAuth spec actually resigned from the editor position rather than be further associated with it. So with randomly-chosen per-site passwords, as several people have pointed out, you're about as safe as you can make yourself. With single-point-of-failure systems like OAuth and others you're only as safe as any site you use or your auth provider is. If they get popped it's game over for you and everyone else using them.

In terms of phone-based 2FA, the OP needs to specify which 2FA they're talking about: is it SMS or a 2FA app using (typically) TOTP? Those are pretty good; I'd recommend looking at Authy for that and then use it for any critical account where money can change hands.

It's not OAuth. The reason it was created was partly because of problems with OAuth.
Webauthn is built into all modern browsers and Fido is well documented and has been in use for several years now. It's very transparent which is why you probably don't think you've seen it.
I'd suggest reading up on it a bit more. It avoids PKI because of the inherent problems with PKI and the constant renewal of expiring credentials.

 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #24 on: March 10, 2023, 08:40:56 am »
I'm using the following.

Bitwarden with passwords synced to all devices. Bitwarden passwords can also be exported if you want to migrate to another format. You could also set up your own Bitwarden server, if you don't trust the provided one.

AndOTP app as 2-factor (TOTP) on the phone. 2-factor list is exported in encrypted format to my own cloud storage, so easy to restore to a new phone.

There is 500+ entries in Bitwarden, but only 30+ 2FA sites. More sites should offer 2FA. The most important sites do provide 2FA (TOTP).
 
The following users thanked this post: Zucca

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #25 on: March 10, 2023, 09:25:45 am »
More sites should offer 2FA.

Agree, more sites should offer 2FA, but as an option only.
What buggers me is the trend to make 2FA mandatory.

That's why, for example, I gave up using GitHub. There are other similar git websites that do not enforce 2FA. For me, 99% of my online accounts are disposable, including the GitHub one. Why would I bother with 2FA on any of these?

All these mandatory 2FA websites are all acting like an account there would be the ultimate goal in life, worth protecting it at all costs.  I'm so sick and tired of unsolicited protection.

With time, unsolicited help always turns into some sort of exploitation from the "benevolent helper" side, even when the initial help was not planned as an exploitation.  Talking here about any kind of unsolicited help, this is not about computers only.
« Last Edit: March 10, 2023, 09:29:34 am by RoGeorge »
 
The following users thanked this post: SiliconWizard, freda

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6686
  • Country: nl
Re: Two factor authentication with phone, is it secure enough?
« Reply #26 on: March 10, 2023, 09:34:34 am »
Passkeys are the future, shame about the ecosystem lock in.

From the user point of view it's pretty much the same as a password manager with random string passwords, except the site can request presence or biometric authentication and passwords are handled with PKI as they should be.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: Two factor authentication with phone, is it secure enough?
« Reply #27 on: March 10, 2023, 09:48:47 am »
Passkeys are the future, shame about the ecosystem lock in.

From the user point of view it's pretty much the same as a password manager with random string passwords, except the site can request presence or biometric authentication and passwords are handled with PKI as they should be.

It's not PKI. It's asymmetric keys. PKI involves certificates and chains of trust.
With an asymmetric key pair the private key never leaves the device, as is the case with an HSM or smart cards.

 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6686
  • Country: nl
Re: Two factor authentication with phone, is it secure enough?
« Reply #28 on: March 10, 2023, 09:58:32 am »
With an asymmetric key pair the private key never leaves the device, as is the case with an HSM or smart cards.

That's the difference between traditional U2F and Passkeys, the latter do leave the device. Your iPhone can have the exact same passkey as your Macbook, also Apple can maintain a cloud backup of your passkeys which can be downloaded to a new device.

The usage model for traditional U2F is far too unfriendly for normal users, having to register multiple authentication devices for a single website is bunk. Cross device syncing (or less politically correct, cloning) and cloud backup are a necessity for mainstream adoption.
 

Offline 5U4GB

  • Frequent Contributor
  • **
  • Posts: 341
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #29 on: March 10, 2023, 10:05:52 am »
I'd suggest reading up on it a bit more. It avoids PKI because of the inherent problems with PKI and the constant renewal of expiring credentials.

After ploughing through other SSO stuff in the past like OpenID, OAuth, SAML, Shibboleth, BrowserID, and others, all of which ended up being horribly failure-prone, I just lumped Fido in as yet another one (because it looks and sounds a lot like the others did) and didn't have the energy to search out the necessary third-party analysis on whether it can be used safely or not.  It could well be perfectly OK, it's just part of a large collection of similar attempts that ended up being awfully failure-prone once deployed, which is why I'm still sceptical about it.

And yes, that could be an unfair assessment, it just comes from a long line of protocols with a very poor track record, sort of like buying yet another 18650 off Aliexpress and hoping that this time it'll finally have the stated capacity :-).  In any case I'll have a longer look at it when I get time.
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #30 on: March 10, 2023, 12:24:08 pm »
all the SIM swapping attacks
If you compared SMS 2FA to some other authentication method, it would at least be debatable. But you are making a statement that no security is better than security that has some small chance of failing.(1) Huh?

I am not sure what the goal of mentioning poor implementation is. I don't disagree with the accuracy of your observation: I just do not see what it supports. Hard recovery is not weakening the security.


(1) SIM swaps are slow and expensive. They never were, and it doesn't seem they ever could be, applicable to anybody but high-value targets. The hole is also absurdly trivial to patch.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #31 on: March 10, 2023, 01:02:18 pm »
It's commonly agreed upon that SMS 2FA is better than no 2FA at all, even though TOTP also in my opinion is better.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #32 on: March 10, 2023, 02:45:08 pm »
Two factor authentication never ever blocked a hack attempt, in my experience.  Never.  It only blocked me from using my own accounts.  Many times.  The stupidest thing ever.

Not only did it save my ass once, but I was happy to see the scammer was very pissed off because my psw in his hands was useless.
That said, the implementation is horrible sometimes.
 

Offline alm

  • Super Contributor
  • ***
  • Posts: 2837
  • Country: 00
Re: Two factor authentication with phone, is it secure enough?
« Reply #33 on: March 10, 2023, 03:35:01 pm »
Agree, more sites should offer 2FA, but as an option only.
What buggers me is the trend to make 2FA mandatory.
Many password managers offer TOTP secret storage and token generation. Obviously this is a step down compared to storing the secret on a different device, but it could be a solution for those mandatory 2FA sites that you don't care about.

With TOTP no personal information, like phone numbers, has to be exchanged either, although some sites insist on having a phone number as "backup".

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #34 on: March 10, 2023, 03:35:32 pm »
Two factor authentication never ever blocked a hack attempt, in my experience.  Never.  It only blocked me from using my own accounts.  Many times.  The stupidest thing ever.
Strong words, considering that:
  • You do not know that your private, personal experience has no value as an argument here. These are low-probability events and they are not even uniformly distributed across the population.
  • You do not realize that the information you see is asymmetrical: you almost always know about failures, but virtually never about successes. The disproportion is enormous. Which makes the experience itself false.
  • You fail to observe the Sagan standard.(1)
  • Practices you described earlier show negligence regarding security.


(1) There is a debate on how much improvement 2FA brings. Including positions on possibly better options, inadequacy or relative weakness of some specific 2FA mechanisms (e.g. the SMS mention above), abandoning password-based authentication altogether, and what is the right balance. But yours is not among them.
« Last Edit: March 10, 2023, 03:43:41 pm by golden_labels »
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #35 on: March 10, 2023, 04:14:49 pm »
You missed the "in my experience" part. Do as many security measures as you wish, but do not make them mandatory. Not everybody cherishes an online account the same way. If you need strong security, that's fine from my side; use those measures for your accounts.

Do not enforce your security needs on my account. That's what my rant is about.
 
The following users thanked this post: Zucca

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #36 on: March 10, 2023, 04:24:13 pm »
Forcing users is never good. Agreed.
 

Offline alm

  • Super Contributor
  • ***
  • Posts: 2837
  • Country: 00
Re: Two factor authentication with phone, is it secure enough?
« Reply #37 on: March 10, 2023, 04:36:42 pm »
Most people will not voluntarily choose to put in extra work for more security. If average Jane/Joe could log in by just typing in their name, they would. So expect all the big platforms to force their users to be more secure and move away from this failed idea called password authentication. If this doesn't work for you, you might have to move to more niche or self-hosted services.
 
The following users thanked this post: Zucca

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #38 on: March 10, 2023, 05:20:04 pm »
(1) SIM swaps are slow and expensive. They never were, and it doesn't seem they ever could be, applicable to anybody but high-value targets. The hole is also absurdly trivial to patch.

Poorly secured SS7 provides a much more professional way to redirect SMS.
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #39 on: March 10, 2023, 05:51:43 pm »
You missed the "in my experience" part.
I made a comment on exactly that and only that part, so I am pretty sure I did not miss it.

Do not enforce your security needs on my account. That's what my rant is about.
I commented on the argument against 2FA, not about your preferences.

The rest is also not as straightforward as simply saying "leave it to me", but I didn't even touch it and am not willing to.
« Last Edit: March 10, 2023, 05:53:45 pm by golden_labels »
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #40 on: March 10, 2023, 07:34:44 pm »
Most people will not voluntarily choose to put in extra work for more security. If average Jane/Joe could log in by just typing in their name, they would. So expect all the big platforms to force their users to be more secure and move away from this failed idea called password authentication. If this doesn't work for you, you might have to move to more niche or self-hosted services.

True, but why not set up a big red warning to let them know what the consequences are? I mean, better to be transparent than bossy.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6136
  • Country: ro
Re: Two factor authentication with phone, is it secure enough?
« Reply #41 on: March 11, 2023, 05:49:47 am »
2FA, posted in another thread, today:

Much to many's dismay beamin is back,

I got my tablet stolen with all my accounts two factors and crypto got hacked, the person that found my tablet was computer savvy and almost cost me 6k$ in crypto, not to mention ruining all my email and phone accounts including this account.

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #42 on: March 13, 2023, 01:49:38 pm »
I am wondering how well the access to that tablet was protected...
It looks like he built an impenetrable fortress on quicksand.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #43 on: March 13, 2023, 04:47:14 pm »
Usually 2FA apps are protected by a password or biometric authentication.
 

Offline alm

  • Super Contributor
  • ***
  • Posts: 2837
  • Country: 00
Re: Two factor authentication with phone, is it secure enough?
« Reply #44 on: March 13, 2023, 06:57:23 pm »
2FA, posted in another thread, today:

...
This anecdote proves as much about the effect of multi-factor authentication on security as an article about a car crash with a fatal outcome proves about the effect of seat belts on safety.

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5614
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #45 on: March 13, 2023, 11:28:26 pm »
I would never save credentials in a browser. They are extraordinarily easy to extract.

Use a reputable password manager (I prefer Bitwarden) with a browser plug-in/application for your phone.
 
The following users thanked this post: SeanB

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #46 on: March 14, 2023, 03:02:26 am »
I have KeePass, anyone else using it?
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: Two factor authentication with phone, is it secure enough?
« Reply #47 on: March 14, 2023, 04:25:00 am »
I have KeePass, anyone else using it?

I use Keepass as my password manager since 2014...

3 database copies: one on the system with me at the moment, another on the NAS at home and an offsite one.

Then when any change is made they are merged and updated.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #48 on: March 14, 2023, 02:16:22 pm »
I have KeePass, anyone else using it?

I used Keepass in the past, also command line version. DB in cloud for easy replication. But at one point there were problems that some platforms moved to 2.x format and some stayed on 1.x. So I got lazy and then moved to Bitwarden. It's also available for virtually all platforms.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #49 on: March 15, 2023, 04:03:01 am »
Many thanks!

I am done with the homework!

For now here my idea

1) Bitwarden Premium
2) 2 SFA in Bitwarden with authenticator App Yubico on my phone (not in my PC)
3) Yubico app on my phone with NFC activation
4) Yubikey 5 NFC attached on my necklace
5) Phone unlock with fingerprint

The idea is to use the NFC Yubikey only to unlock the Bitwarden vault... so I should tap my phone on my chest only at the beginning and I do not have to take my Yubikey out from my necklace and plug into my PC.

Until... I set up a local server in my garage and run Bitwarden locally at home, which could be a bummer if the internet at home is down and I am out.....
« Last Edit: March 15, 2023, 04:07:20 am by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #50 on: March 15, 2023, 07:04:14 am »


Until... I set up a local server in my garage and run Bitwarden locally at home, which could be a bummer if the internet at home is down and I am out.....

It stores a copy locally, so opening the vault will work. You can't just synchronize changes.
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1172
  • Country: pl
Re: Two factor authentication with phone, is it secure enough?
« Reply #51 on: March 15, 2023, 08:00:08 am »
1) Bitwarden Premium
2) 2 SFA in Bitwarden with authenticator App Yubico on my phone (not in my PC)
3) Yubico app on my phone with NFC activation
4) Yubikey 5 NFC attached on my necklace
5) Phone unlock with fingerprint
6) Driving a tank with a week of water supply and a toilet: to prevent rubber-hose cryptanalysis.

I am not saying your idea is invalid or unnecessary. I do not know your situation and threat model. But remember that overengineering is as bad to security as negligence or ignorance.

Security is a balance between many factors. Convenience is one of them. Security measures that are too burdensome are not only a pain in the ass, but decrease security. A brain naturally seeks ways to reduce effort and in the end circumvents the security. This is like having 3 doors and 20 locks on your apartment: in the critical moment you will have only one lock closed, and it will be one which is weaker than what you would have had if you had only started with one door with 2 strong locks.(1)

Again, I want to stress: I do not say your idea is bad! But it has 5 factors involved in protecting the target resource, which sounds like a lot. So just re-evaluate whether it will end up with your brain trying hard to avoid going through that path each time you need to authenticate. And I tell you, your brain is much cleverer than you are, and has a master's degree in deception.


(1) Nerds feeling an urge to educate me on physical security and adequacy of locks: this is a picture drawn to explain a different subject and whatever one thinks about locks is irrelevant.
« Last Edit: March 15, 2023, 08:03:35 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: JohanH

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #52 on: March 15, 2023, 08:52:04 am »
Ars Technica has a new article that at a first glance looks like they are bashing 2FA TOTP:

https://arstechnica.com/information-technology/2023/03/software-for-sale-is-fueling-a-torrent-of-phishing-attacks-that-bypass-mfa/

I.e. TOTP bad --> don't use

Right?

No, what they are saying is that even with 2FA based on TOTP, you can be hacked by this particular man-in-the-middle hack, if you are tricked into using the web page and inputting your 2FA code. In this case it wouldn't matter if you used 2FA SMS or no 2FA at all.

That doesn't mean using TOTP is worse. But if you don't know how to interpret the article it could sound like that. The opposite is true. Using only a password is worse in most situations, except this one.

Conclusion is that there is currently no other solution to prevent this particular hack except FIDO2 solutions. I would look into Yubico devices, but they are still expensive for personal use.
 
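An added example, not part of the thread, showing in code why the relying party cannot distinguish a relayed TOTP code from a genuine one, while an origin-bound FIDO2-style assertion fails the check. TOTP is RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the assertion part is a deliberately simplified model of WebAuthn's origin binding with HMAC standing in for the authenticator's signature, and the seed, key, origins and challenge are constructed sample values.

```python
"""Relying-party view of a relayed TOTP code vs an origin-bound assertion.
TOTP per RFC 6238; the assertion is a simplified WebAuthn-like model where the
browser's actual origin is signed together with the challenge. All keys,
origins and the challenge below are constructed sample values."""
import base64
import hashlib
import hmac
import json
import struct
import time

TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")   # constructed sample seed
RP_ORIGIN = "https://login.example.com"              # the real site
AUTHENTICATOR_KEY = b"constructed-authenticator-key"  # stands in for a private key
CHALLENGE = "challenge-issued-by-real-site"           # constructed sample challenge


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(submitted: str, unix_time: int) -> bool:
    """The server only sees the digits; nothing in them says which page the user
    typed them into, so a code entered on a lookalike page still verifies."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def authenticator_assert(origin_seen_by_browser: str, challenge: str) -> dict:
    """Simplified authenticator: the browser reports the origin it is really on,
    and that origin becomes part of the signed client data."""
    client_data = json.dumps({"origin": origin_seen_by_browser,
                              "challenge": challenge}, sort_keys=True)
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def server_verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party check: signature valid, origin is ours, challenge matches.
    A forwarded assertion produced on another origin fails the origin test."""
    expected_sig = hmac.new(AUTHENTICATOR_KEY, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["origin"] == RP_ORIGIN and data["challenge"] == expected_challenge


def login_outcome(user_origin: str, now: int) -> dict:
    """What the real site accepts when the user is on `user_origin` and everything
    the user produced is forwarded to it unchanged."""
    code = totp(TOTP_SECRET, now)                     # user copies this from their app
    assertion = authenticator_assert(user_origin, CHALLENGE)
    return {"totp_accepted": server_verify_totp(code, now),
            "fido2_accepted": server_verify_assertion(assertion, CHALLENGE)}


if __name__ == "__main__":
    now = int(time.time())
    print(login_outcome(RP_ORIGIN, now))                     # both True
    print(login_outcome("https://login.example-com.net", now))  # TOTP True, FIDO2 False
```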

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #53 on: March 15, 2023, 01:11:48 pm »
It stores a copy locally, so opening the vault will work. You can't just synchronize changes.

I need to do more research on this, I didn't yet since it is a future project.
Even if I VPN in my local network I can't sync the changes?
Or did I not understand your statement?
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #54 on: March 15, 2023, 01:14:31 pm »
No, what they are saying that even with 2FA based on TOTP, you can be hacked by this particular man-in-the-middle hack, if you are tricked to use the web page and input your 2FA code. In this case it wouldn't matter if you used 2FA SMS or no 2FA at all.
That doesn't mean using TOTP is worse. But if you don't know how to interpret the article it could sound like that. The opposite is true. Using only a password is worse in most situations, except this one.
Conclusion is that there is currently no other solution to prevent this particular hack except FIDO2 solutions. I would look into Yubico devices, but they are still expensive for personal use.

This, anyway I spent 50USD for my Yubikey with FIDO2 support, it does not break the bank.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #55 on: March 15, 2023, 01:18:47 pm »
6) Driving a tank with a week of water supply and a toilet: to prevent rubber-hose cryptoanalysis.

I will try my idea out and report back.
To me it is the best compromise between the extra work/actions needed to get into the data and the security level achieved.

In other words, 5 or 8 security levels are not a big difference to me if all I have to do is just 2 clicks and 1 tap of my phone to my chest to get 4 numbers once a day.
« Last Edit: March 15, 2023, 01:32:35 pm by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 619
  • Country: fi
Re: Two factor authentication with phone, is it secure enough?
« Reply #56 on: March 15, 2023, 01:57:43 pm »

Even if I VPN in my local network I can't sync the changes?


As I've understood it, while being offline, the vault is read-only and you can't make changes. Whenever you become online (including VPN), you will be able to create new changes.
 
The following users thanked this post: Zucca

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #57 on: March 15, 2023, 02:29:23 pm »
This, anyway I spent 50USD for my Yubikey with FIDO2 support, it does not break the bank.

Having just one Yubikey is a SPOF as you can't backup/restore it. So you need at least two in case one breaks or vanishes into thin air.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #58 on: March 15, 2023, 02:44:37 pm »
It stores a copy locally, so opening the vault will work. You can't just synchronize changes.

I need to do more research on this, I didn't yet since it is a future project.
Even if I VPN in my local network I can't sync the changes?
Or did I not understand your statement?

With most password managers you can create your own 'cloud PW manager' by storing the database in a network folder, e.g. a local server or some cloud storage. It's a bit more work than a native cloud PW manager, but you can change the PW manager or storage service at any time without much hassle (no service lock-in).
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #59 on: March 15, 2023, 03:04:37 pm »
Having just one Yubikey is a SPOF as you can't backup/restore it. So you need at least two in case one breaks or vanishes into thin air.

Or you need to have the long numeric recovery code provided at the SFA setup to pierce through the SFA in Bitwarden and deactivate it until the new Yubikey arrives.
PS: This is why it will be on my necklace.
« Last Edit: March 15, 2023, 03:10:58 pm by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #60 on: March 19, 2023, 02:17:59 am »
Yubikey NFC 5 secured with an M3 screw in my wallet



Happy ending.

Thanks everybody!
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #61 on: March 19, 2023, 08:38:57 pm »
Speaking of that, what kind of security key would you guys recommend these days?

Yubikey seems to be one of the top players currently. Always good to know alternatives too.

One thing I've noticed - at least with Yubikey products - is that there is no model with both NFC and a fingerprint reader.
I would like a security key with fingerprint, but I would like NFC as well.
Of course I understand that NFC may not provide enough power to the key to power a fingerprint reader, so that's likely the main reason why it's not offered.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6686
  • Country: nl
Re: Two factor authentication with phone, is it secure enough?
« Reply #62 on: March 19, 2023, 08:50:53 pm »
I was looking around to see if there were any programmable Java Cards with a fingerprint sensor, with open API access to the fingerprint verification ... if it exists I can't find it. Smartcards with fingerprint sensor powered by NFC do exist, but it's all proprietary.

I did see Feitian has a pretty nice form factor FIDO2 key with fingerprint sensor and NFC though. Not an endorsement of the quality, only thing I know about it is that it looks nice.
« Last Edit: March 19, 2023, 08:52:56 pm by Marco »
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #63 on: March 19, 2023, 08:55:57 pm »
I did see Feitian has a pretty nice form factor FIDO2 key with fingerprint sensor and NFC though. Not an endorsement of the quality, only thing I know about it is that it looks nice.

Ah, thanks. Looks good indeed.
 

Offline artag

  • Super Contributor
  • ***
  • Posts: 1058
  • Country: gb
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #65 on: March 27, 2023, 03:40:15 am »


Interesting, SFA and everything bypassed by a session token....
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5614
  • Country: au
Re: Two factor authentication with phone, is it secure enough?
« Reply #66 on: March 27, 2023, 03:52:46 am »
Interesting, SFA and everything bypassed by a session token....

I think the more salient point here is that someone at LTT downloaded and executed malware on their machine, which enabled the threat actor to exfiltrate data from the web browsers installed on that machine. It's basically like giving someone access to your physical machine if you have a password saved or a session open.

This highlights four key issues:

1. Whatever antivirus/EDR tool they are using (if any) was insufficient.
2. There wasn't enough separation between their critical infrastructure (which includes their cloud services like YouTube) and files originating externally from untrusted sources.
3. Staff training/awareness/knowledge was insufficient.
4. Their Disaster Recovery/Incident Response plan was lacking or non-existent.
« Last Edit: March 27, 2023, 04:12:54 am by Halcyon »
 
The following users thanked this post: bitwelder, Zucca

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: Two factor authentication with phone, is it secure enough?
« Reply #67 on: March 27, 2023, 04:44:12 am »
Session IDs are still a very serious security concern, and at this point are a ridiculously large hole. You can use 2FA all you want, if you have a session open that never expires by itself...
I talked about it in another thread. Google accounts in that regard have a serious problem.
Of course you would throw your Android phone away if it kept asking for your credentials. There's a conundrum to solve here.

And regarding YT (or any Google account for that matter), being able to delete all videos or the account entirely without having to at least re-enter your credentials (these are some drastic actions that should warrant an extra step) is mind-bogglingly stupid. Fortunately there are services that will re-ask for credentials even when you're logged in before issuing some types of actions. But not YT. Hats off.
« Last Edit: March 27, 2023, 04:46:37 am by SiliconWizard »
 
The following users thanked this post: Zucca

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #68 on: March 27, 2023, 12:44:36 pm »
As always, it's a tradeoff between security and convenience.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #69 on: March 27, 2023, 01:50:34 pm »
I think the more salient point here is that someone at LTT downloaded and executed malware on their machine,

Wise words Halcyon! So if you have a malware running in background, there is nothing you can do?
I imagine even FIDO2 or any other highest-security concept/method is at risk with malware....

I understand the data extraction from the infected PC, but how did they send the data out? I do not know.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4292
  • Country: it
  • EE meid in Itali
Re: Two factor authentication with phone, is it secure enough?
« Reply #70 on: March 27, 2023, 02:10:19 pm »
Session IDs are still a very serious security concern, and at this point are a ridiculously large hole.

Amen, I always browse in incognito and delete all cookies and history at shutdown. I do not know if it helps.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: Two factor authentication with phone, is it secure enough?
« Reply #71 on: March 27, 2023, 03:40:15 pm »
It depends on how the session management of the website is implemented and how often you delete cookies. A bad website would set an auth/session cookie which never expires after the first login. As long as the cookie isn't deleted it's used as a magic key any time you visit the website again, i.e. you don't need to re-login. If the bad guy is able to hijack that cookie before you delete it then he can use it to access the website. The same can also happen with short-lived cookies (the bad guy needs to be quick enough). However, the attacker can't hijack what is not there.
 
The following users thanked this post: SiliconWizard
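An added example, not part of the thread, of the server-side session handling that the last two posts argue for: instead of a cookie that acts as a magic key forever, the server tracks each session's age and enforces an idle timeout, an absolute lifetime, and a fresh re-authentication before destructive actions (the "delete all videos" case). The timeouts, action names and user are assumptions chosen for the illustration.

```python
"""Server-side session store that bounds what a copied session cookie is worth.
The cookie value is a random id only; lifetime, idle timeout and step-up
re-authentication are enforced on the server. Timeouts and action names are
assumed values for this illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT = 30 * 60          # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap regardless of activity
REAUTH_WINDOW = 5 * 60          # destructive actions need a login this recent
SENSITIVE_ACTIONS = {"delete_all_videos", "delete_account", "change_password"}


@dataclass
class Session:
    user: str
    created: float      # when the user last entered credentials to create it
    last_seen: float    # last request carrying this id
    last_auth: float    # last time credentials were entered (login or step-up)


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        """Issue a fresh random id; the browser stores only this value."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now, now)
        return sid

    def resolve(self, sid: str, now: float) -> Optional[Session]:
        """Return the session if still live, otherwise drop it. A never-expiring
        cookie lacks exactly this check: age is enforced here, not in the cookie."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s

    def authorize(self, sid: str, action: str, now: float) -> str:
        """'ok', 'login' (no live session) or 'reauth' (step-up required)."""
        s = self.resolve(sid, now)
        if s is None:
            return "login"
        if action in SENSITIVE_ACTIONS and now - s.last_auth > REAUTH_WINDOW:
            return "reauth"
        return "ok"

    def reauthenticate(self, sid: str, now: float) -> bool:
        """Record that the user re-entered credentials for a sensitive action."""
        s = self.resolve(sid, now)
        if s is None:
            return False
        s.last_auth = now
        return True

    def logout(self, sid: str) -> None:
        """Server-side invalidation: a copied id stops working immediately."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store, t0 = SessionStore(), 1_000_000.0
    sid = store.login("alice", t0)
    print(store.authorize(sid, "list_videos", t0 + 60))            # ok
    print(store.authorize(sid, "delete_all_videos", t0 + 600))     # reauth
    store.reauthenticate(sid, t0 + 600)
    print(store.authorize(sid, "delete_all_videos", t0 + 601))     # ok
    print(store.authorize(sid, "list_videos", t0 + 601 + IDLE_TIMEOUT + 1))  # login
```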
