1. 27
  1.  

  2. 5

    Reads like one of the admins didn’t have 2FA on.

    Take it as a reminder to require 2FA on your organization (there’s a setting) and force all older users to activate it (there’s a review board). Otherwise, revoke access.

    <3 the detailed writeup!

    1. 2

      My issue with most implementations of 2FA is that they rely on phones and MMS/SMS which is beyond terrible and is often less secure than no-2FA at all - as well as placing you at the mercy of a third party provider of which you are a mere customer. Don’t pay your bill because of hard times or, worse yet, have an adversary inside the provider or government that has influence over the priced and all bets are off - your password is going to get reset or account ‘recovered’ and there isn’t much you can do.

      For these reasons, the best 2FA, IMO, is a combination of “something you have” - a crypto key - and “something you know” - the password to that key. Then you can back up your own encrypted key, without being at the mercy of third parties.

      Of course, if you lose the key or forget the password then all bets are off - but that’s much more acceptable to me than the alternative.

      (FYI - I don’t use GitHub and I’m not familiar with their 2FA scheme, but commenting generally that most 2FA is done poorly and sometimes it’s better not to use it at all, depending on how it’s implemented.)

      1. 4

        > (FYI - I don’t use GitHub and I’m not familiar with their 2FA scheme, but commenting generally that most 2FA is done poorly and sometimes it’s better not to use it at all, depending on how it’s implemented.)

        GitHub has a very extensive 2FA implementation and prefers Google Authenticator or similar apps as a second factor.

        https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/

        1. 2

          I don’t use Google’s search engine or any of their products nor do I have a Google account, and I don’t use social media - I have no Facebook or Twitter or MySpace or similar (that includes GitHub because I consider it social networking). Lobste.rs is about as far into ‘social networking’ as I go. Sadly, it appears that the GitHub 2FA requires using Google or a Google product - quite unfortunate.

          1. 9

            You can use any app implementing the appropriate TOTP mechanisms. Authenticator is just an example.

            https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app/

            1. 5

              Google Authenticator does not require a Google account, nor does it connect with one in any way so far as I am aware.

              GitHub also offers U2F (Security Key) support, which provides the highest level of protection, including against phishing.

              1. 3

                This is very good to know - thank you for educating me. I only wish every service gave these sorts of options.

              2. 1

                You can also use a U2F/FIDO dongle as a second factor (with Chrome or Firefox, or the Safari extension if you use macOS). Yubikey is an example, but GitHub has also released and open sourced a software U2F app.

            2. 0

              > My issue with most implementations of 2FA is that they rely on phones and MMS/SMS which is beyond terrible and is often less secure than no-2FA at all

              A second factor is never less secure than one factor. Please stop spreading lies and FUD. The insecurity of MMS/SMS is only a concern if you are being targeted by someone with the resources required to physically locate you and bring equipment to spy on you and intercept your messages or socially engineer your cellular provider to transfer your service to their phone/SIM card.

              2FA with SMS is plenty secure to stop script kiddies or anyone with compromised passwords from accessing your account.

              1. 1

                I happen to disagree completely. This is not lies nor FUD. This is simple reality.

                When the second factor is something that is easily recreated by a third party it does not enhance security. Since many common “two-factor” methods allow resetting of a password with only SMS/MMS and a password, the issue should be quite apparent.

                If you either do not believe or simply choose to ignore this risk, you do so at your own peril - but to accuse me of lying or spreading FUD only shows your shortsightedness here, especially with all of the recent exploits which have occurred in the wild.

                1. 1

                  Give me an example of such a vulnerable service with SMS 2FA. I will create an account and enable 2FA. I will give my username and password and one year to compromise my account. If you succeed I will pay you $100USD.

                  1. 1

                    We both know $100 doesn’t even come close to covering the necessary expenses or risks of such an attack - $10,000 or $100,000 is a much different story - and it’s happened over and over and over.

                    For example, see:

                    Just because I’m not immediately able to exploit your account does not mean that it’s wise to throw best-practices to the wind.

                    This is like deprecating MD5 or moving away from 512-bit keys - while you might not be able to immediately crack such a key or find a collision, there were warnings in place for years which were ignored - until the attacks become trivial, and then it’s a scramble to replace vulnerable practices and replace exploitable systems.

                    I’m not sure what there is to gain in trying to downplay the risk and advising against best practices. Be part of the solution, not the problem.

                    Edit: Your challenge is similar to: “I use remote access to my home computer extensively - I’ll switch to using Telnet for a month and pay you $100 when you’ve compromised my account.”

                    Even if you can’t, that doesn’t justify promoting insecure authentication and communication methods. Instead of arguing about the adequacy of SMS 2FA long after it’s been exposed as weak, we should instead be pushing for secure solutions (as GitHub already has and was mentioned in the threads above).

                    I also wanted to apologize for the condescending attitude in my previous response to you.

                    1. 1

                      So you’re admitting that SMS 2FA is perfectly fine for the average person unless they’ve been specifically targeted by someone who has a lot of money and resources.

                      Got it.

                      1. 1

                        DES, MD5, and unencrypted Telnet connections are perfectly fine for the average person too - until they are targeted by someone with modest resources or motivation.

                        So, yes, I admit that. It still is no excuse to refuse best practices and use insecure tech because it’s “usually fine”.

                        1. 1

                          Please study up on Threat Models. Grandma has a different Threat Model than Edward Snowden. Sure, Grandma should be using a very secure password with a hardware token for 2FA, but that is not a user friendly or accessible technology for Grandma. Her bank account is significantly more secure with SMS 2FA than nothing.

                          1. 1

                            That actually depends on how much money is in Grandma’s bank account. And if SMS can be used for a password reset, I’d highly recommend grandma avoid it - it simply is not safer than using a strong unique password. With the prevalence of password managers, this is now trivial.

                            While I don’t have any grandmas left, I still have a mother in her 80s, and, bless her heart, she uses 2FA with her bank - which is integrated into the banking application itself that runs on the tablet I bought her - it does not rely on SMS. At the onset of her forgetful old age she started using the open-source “pwsafe” program to generate and manage her passwords. She also understands phishing and similar risks better than most of the kids these days simply because she’s been using technology for many years. She grew up with it and knows more of the basics, because schools seem to no longer teach the basics outside of a computer science curriculum.

                            These days, being born in the 1930s or 1940s means that you would have entered college right at the first big tech boom and the introduction of widescale computing - I find that many “grandma/grandpa” types actually have a better understanding of technology and its risks than millennials.

                            I do understand Threat Models, but this argument falls apart when it’s actually easier to use the strong unique passwords than the weaker ones - and the archetype of the technology-oblivious senior, clinging to their fountain pens and their wall mounted rotary phones is, as of about ten years ago, a thing of the past.

                            1. 1

                              More on SMS 2FA posts:

                              https://pages.nist.gov/800-63-3/sp800-63b.html#pstnOOB

                              https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

                              > NIST is no longer recommending two-factor authentication systems that use SMS, because of their many insecurities. In the latest draft of its Digital Authentication Guideline, there’s the line: [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

                              Since NIST has come out strongly against using SMS 2FA years ago it should be fairly straightforward to cease any recommendations for its use at this point.