1. 18
  1.  

  2. 3

    Mostly agree.

    Out-of-band 2FA is another story though and I didn’t see it implemented properly anywhere.

    There are things like Duo and maybe the Google Auth thingie. But a more likely reading is that homakov didn’t see anybody using them, which seems reasonable. To pick on github, they just do the SMS code thing. Or TOTP.

    https://help.github.com/articles/about-two-factor-authentication/

    My pet peeve wtih 2FA systems that’s not mentioned here is that an SMS code is also often used for password resets. So in reality, anybody with your phone needs only that and not your password. woohoo! (For reasons of convenience, I have my phone display the content of messages on the lock screen.)

    1. 5

      Out-of-band 2FA is another story though and I didn’t see it implemented properly anywhere.

      I have seen it implemented and it works extremely well. Well enough to negate most of this article.

      The author only talks about OTP-based 2FA, not asymmetric-crypto based solutions like U2F.

      It requires you to type a code every time and wastes your time

      U2F is a single tap. Since it’s out-of-band you don’t even need to focus on a text box.

      If you lose HOTP seed it is up to admins to give you second chance to access your account

      You can have as many security keys associated to an account as you want, so if you lose one you can use a backup. The opposite is true, too: if you lose one you can deactivate it while leaving the others trusted.

      Doesn’t stop malware and viruses - Schneier wrote extremely good insight back in 2005

      I am unable to determine if U2F is able to counter Schneier’s concerns. The best info I have is “the protocol supports listing showing a site on the device, but no device has a screen yet.” At least, by requiring a physical tap you make it harder for malware to steal your creds silently.

      Major design mistake - TOTP authenticators generate just 6 digits - OTP bruteforce works like a charm and takes less than 3 days. On top of that 30 seconds limit is quite silly - it doesn’t make bruteforce any harder - just do the math and you will see.

      I am under the impression that the key length used by U2F devices are long enough for the time being, but I can’t find any specific key length info.

      1. 4

        I have seen it implemented and it works extremely well. Well enough to negate most of this article.

        My wife and I both use U2F keys as a second factor for Google services. On computers it is a very low-hassle approach and works very well. I hope they get the NFC standard done and devices rolled out quickly, so that it can also be used by mobile phones.

        I am unable to determine if U2F is able to counter Schneier’s concerns.

        If your computer is compromised using a trojan, pretty much all is lost.

        I am under the impression that the key length used by U2F devices are long enough for the time being, but I can’t find any specific key length info.

        It works differently - in contrast to TOTP it does not use a shared secret. It generates a secp256r1 keypair per service, for use in challenge-response:

        https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/

        AFAIR the response is an ECDSA signature on p-256 over a fairly long string (key handle, challenge parameter, etc.).

        1. 3

          AFAIR the response is an ECDSA signature on p-256 over a fairly long string (key handle, challenge parameter, etc.).

          That’s correct. (I’ve implemented the standard.)

      2. 4

        ArenaNet uses Google Auth for their 2FA, and Blizzard uses a custom app that is basically Google Auth.

        Both also use aggressive caching so that one doesn’t have to enter the code frequently, which helps against the code-stealing attack. I can go months at a time without entering a 2FA code because I’m logging in from the same machine+ip combination. There is still the danger of someone stealing the token on the machine, but it can’t be used on a different ip (I don’t know if it contains identifying information about the code generator or not, if it does then that’s a problem) so to use the caching for account theft they’d have to be essentially vpn'ing through my machine.

        I was initially given a hardware 2FA device by Blizzard when my account was hacked by gold sellers at the start of cata (I’d reused a weak password). I have never had any issues with it since. Anecdotal, sure, but it’s such an easy thing to deal with as a user that I can’t justify removing the code generator from my accounts.

        My banks, on the other hand, all use SMS codes and force me to enter them frequently. Any compromise of my machine would compromise the code generator in relatively short order.

        1. 5

          Agree that it’s ironic Blizzard seems to take this more seriously than most banks. Maybe that says something about the average person’s account balance. :)

          to use the caching for account theft they’d have to be essentially vpn'ing through my machine.

          s/VPN/VNC/. I think the likelihood of this is probably underestimated. As you noticed, weak (or reused) passwords get guessed first. After that, though, how do attackers get access to your strong password? Probably by riding along on your computer.

          In short, assuming you have a strong, unique password, how does an attacker get it?

          1. 1

            Breaking in and stealing it through a 0-day, or phishing.

            It’s also worth noting that according to the Sakurity OTP bruteforce calculator (http://sakurity.com/otp), an alphabetic 6-character OTP (26 ^ 6 combinations) would take 247 days to brute force with 50% probability. So it seems that the issue is less with OTPs than the decision to use only 6 digits (worth noting: Blizzard’s mobile auth also uses 8 digits, which would take 80 days at 50% probability).

            1. 6

              Breaking in and stealing it through a 0-day

              Right. But at this point, I own more than just your keyboard. I also own your mouse and screen. I can VNC in and drive your browser in an invisible offscreen window. I don’t even need your password. I use your already existing saved browser session.

              (Also, sidenote, 0-day is involved in apparently less than 1% of all breakins. 1-years are far more common. sigh. But same point.)

              , or phishing.

              Aye. I always forget that people really will enter their password into rando websites. Although, I present you with a fake paypal. You enter password, I forward it. paypal sends you SMS code. I ask for that. (Or paypal uses duo and you have to click the approve button.) Either way, it seems likely the user will do exactly as instructed, since they’re operating under the belief that they really are logging in to paypal.

            2. 1

              it’s ironic Blizzard seems to take [identity theft] more seriously than most banks

              Why is this so, do you think?

              1. 2

                I think banks have a variety of “out of band” ways to deal with fraud. accountability to trace the money, dedicated law enforcement, insurance, etc.

                I can also imagine banks just not caring. You lost money? That makes you sad? Take your business to another bank. I’m not sure the bank really wants you, whereas blizzard probably has less flexibility rejecting customers with bad passwords.

        2. 1

          I dunno, they can’t even spell security.