12 days of two-factor authentication: this Xmas, give yourself the gift of opsec


#1

Originally published at: http://boingboing.net/2016/12/08/12-days-of-two-factor-authenti.html


#2

You know, I’d love for them to have one of these be setting up an MFA server so you can use your own server with your own OAUTH token and authenticate it yourself.

The way things are going, rolling your own servers will become increasingly the better choice - putting yourself back in control of your own data.


#3

Can I turn it on for the personal version of CrashPlan? I’m trialing it at the moment and I like it a lot, but it looks like 2 factor authentication is part of their business solution.

Edit: That was not meant as a reply to @alphaxion


#4

and then you can spend the next five years running updates and maintaining it with no errors? I’d rather pay for a third party service.


#5

This.

Nearly every service nowadays has or is implementing some sort of 2FA, usually TOTP or HOTP.

I’m not convinced, though, that you want to run your own OAUTH server at this point. In a magical world where every service let you use your own OAUTH provider instead of theirs, a single compromise of your OAUTH server potentially costs you the keys for all your 2FA sources. Instead, if each service is running their own provider, then compromise of passwords and 2FA keys is basically the same thing - and you’re using unique passwords everywhere already, right?

It’s nice that we have easy standards for all these auth mechanisms, but I really wish everyone would get on the same page regarding the damn naming already.

Additionally, there needs to be a serious push towards SMTP/IMAP/POP3 2FA integration somehow as well. I’ve noticed recently that brute-force attacks have shifted to these services almost exclusively nowadays, as soon as someone’s email address is known (as that’s almost always the username now).
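Since the post above names TOTP and HOTP as the usual 2FA mechanisms, here is an added example (not code from the thread, the article, or any 2FA product) of how both are computed and checked on the server side, following RFC 4226 and RFC 6238. The key is the RFC test-vector key "12345678901234567890", shown base32-encoded as it would appear in a provisioning QR code; the counter look-ahead and time-step window sizes are assumptions a deployment would tune.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, base32-encoded
# the way authenticator apps receive it from a provisioning QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Decode a base32 shared secret, tolerating spaces, lowercase and missing padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


DEMO_KEY = decode_secret(DEMO_SECRET_B32)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP where the counter is the number of time steps since the Unix epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side (clock drift).
    Comparison is constant-time so timing does not leak which digits matched."""
    at = int(time.time()) if at is None else at
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // step + delta, digits), code):
            return True
    return False


def verify_hotp(secret, code, last_counter, look_ahead=10, digits=6):
    """Return the counter value to store if `code` is valid, else None.
    Only counters strictly greater than the last accepted one are tried, so a
    captured code cannot be replayed; `look_ahead` absorbs codes the user generated
    but never submitted."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    print("provisioning secret:", DEMO_SECRET_B32)
    for c in range(3):
        print("HOTP counter", c, "->", hotp(DEMO_KEY, c))
    print("TOTP at t=59 (8 digits):", totp(DEMO_KEY, at=59, digits=8))
    print("current TOTP:", totp(DEMO_KEY))
```

The values for counters 0..9 and for t=59 match the published RFC test vectors, which is the quickest way to confirm an implementation before trusting it. Note that the server's copy of the secret is exactly as sensitive as the user's: whoever holds it can mint valid codes, which is the point the post makes about centralising all of them in one place.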
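On the last point in that post, the brute forcing of mail logins is exactly the kind of thing a mail operator can watch for in authentication logs. This added example (not from the thread or from Dovecot) runs over a handful of constructed log lines in a Dovecot-like shape and flags two patterns: one source address failing against many mailboxes, and one mailbox failing from many source addresses. The regex is written for these constructed lines, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic); addresses are from the TEST-NET ranges.
SAMPLE_LOG = """\
Dec 08 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Dec 08 10:00:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Dec 08 10:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Dec 08 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Dec 08 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<grace@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Dec 08 10:00:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<heidi@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Dec 08 10:01:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2
Dec 08 10:01:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.8, lip=10.0.0.2
Dec 08 10:01:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.2
Dec 08 10:02:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.2
Dec 08 10:02:09 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.2, TLS
"""

# Matches the constructed line shape above: the outcome, the attempted user, and the remote IP.
LINE_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[0-9.]+)"
)


def parse_events(text):
    """Yield one dict per recognised login attempt; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"ok": m.group("event") == "Login", "user": m.group("user"), "ip": m.group("ip")}


def find_bruteforce(text, ip_failures=5, user_distinct_ips=3):
    """Flag source IPs with >= ip_failures failed logins (one host hammering many mailboxes)
    and users failed from >= user_distinct_ips sources (one mailbox hit from a spread of hosts).
    Successful logins are not counted, so a user's own typo (alice above) does not trip it."""
    fails_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for ev in parse_events(text):
        if ev["ok"]:
            continue
        fails_by_ip[ev["ip"]] += 1
        users_by_ip[ev["ip"]].add(ev["user"])
        ips_by_user[ev["user"]].add(ev["ip"])
    noisy_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= ip_failures)
    sprayed_users = sorted(u for u, ips in ips_by_user.items() if len(ips) >= user_distinct_ips)
    return {
        "noisy_ips": noisy_ips,
        "sprayed_users": sprayed_users,
        "users_per_noisy_ip": {ip: sorted(users_by_ip[ip]) for ip in noisy_ips},
    }


if __name__ == "__main__":
    report = find_bruteforce(SAMPLE_LOG)
    for ip in report["noisy_ips"]:
        print(f"{ip}: failed against {len(report['users_per_noisy_ip'][ip])} mailboxes")
    for user in report["sprayed_users"]:
        print(f"{user}: failed from several source addresses")
```

The second pattern is the one worth keeping an eye on: a single mailbox tried from many addresses at a low rate per address slips under per-IP lockout rules, and it is the shape that known-address brute forcing takes once attackers spread their attempts out.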


#6

Hahaha. Only where financial information, trade secrets etc. are involved. Anyone who guards their Facebook password like the crown jewels lives in a world that I have no desire to comprehend.


#7

Really?

Just needed one friend to tell me the horror story of a family member’s account getting hacked and the hacker posting a suicide note for me to realize the relative importance of locking down your communications channels, even if you have “nothing to hide”.


#8

Shrug. I go years without posting anything to Facebook, so anyone who thinks something like that is from me is pretty gullible and doesn’t know me that well. I think my last two posts were both “I got a new job and moved to a new town so update your contact information” for two different jobs, two years apart.
Not to mention a dozen forums, etc. I really don’t care if someone steals my login for a random software or game forum.


#9

I tried the YubiKey token but the iMac could not read the Bluetooth signal.


#10

It certainly is good to have a wide spread of tokens, but then the threat of you personally being compromised is much lower. This is mainly because as an attacker, which would you target:

  1. A single person
  2. The operator of a popular service and acquire potentially tens of millions of accounts

Going after people who host their own would only be worth it if a massive vulnerability were to be uncovered in a basic technology (something akin to POODLE or Heartbleed) which could allow you to simply automate crawling the web by home ISP ranges. The issue there is it becomes very obvious to network operators what is going on. Risk vs reward, essentially.

And updating your servers can be automated; it’s not as painful or as regular a drain as you think. Each to their own.


#11

Well said. Give careful thought and evaluation to using authentication services on 3rd party servers.

Understand the trust you give, or disintermediate as far as possible.


#12

Most attacks aren’t targeted at specific people at all anymore. Those vast networks of botnets were not created by someone tracking down a list of where compromised devices were installed - they just started hitting every IP listening on an appropriate port and tried the attack.

You’re right, it’s not likely that you will be targeted directly. It’s extremely likely that you will be targeted indirectly, and that’s where the risk is. You get to hope that if there’s some 0-day released without a patch that the random botnet trying the exploit doesn’t get to your IP address before there’s a patch or you can otherwise mitigate.

@clevername Sure - I don’t even have a FB account, but impersonation is a genuine issue, otherwise identity theft wouldn’t be a problem to begin with.


#13

I wish there was a consistent standard. Not just for what protocol/app/system it uses, but also how it’s presented, how fallback is handled, and how recovery is handled. Preferably something cross-platform that doesn’t require that you have a specific device charged up, logged in, and ready at the time.

One service that I have to use daily requires some obscure app that no longer exists, so I have to fall back to SMS messages, and the process times out and fails about as often as it works. Two services use another app and a third uses yet a third app (I have to remember which one uses which method). I have recovery codes for one stored in my password manager, but I have no idea how others handle recovery if for some reason I can’t use my phone.

So in addition to the hassle, delays, and overhead, 2FA adds multiple potential points of failure along with a feeling of insecurity (in the psychological sense - that I might lose access to my accounts when I need them). If that’s what it’s like for a techy user, I must imagine it’s much worse for the vast majority of normal users. And as mentioned above, the services seem to be making it as confusing and difficult as possible for users:

The first web site was 26 years ago and we’re just now beginning to reach a point where TLS is standardized and easy enough to become ubiquitous, and that’s always been easy for the end-user (difficulty and expense was all server-side). Will 2FA be able to become simple and ubiquitous in less than another quarter century?


#14

This topic was automatically closed after 5 days. New replies are no longer allowed.