n.b. Passkey is a generic term for FIDO/WebAuthn credentials, which PyPI’s 2FA supports in addition to TOTP. PyPI also require you to record a set of recovery codes and ask you to recite a code back during their 2FA setup process.
It seems fears around recovery/device migration are a significant part
of the rationale behind Apple’s passkeys implementation requiring iCloud
Speaking as someone who worked in the hosting biz and had to deal with
this stuff, fears around recovery and device migration are all too
legitimate. “I lost my 2FA” was one of my most-loathed support
requests. Usually it was “I used the authenticator app on my old phone
and forgot to migrate”.
As the article hints at, what makes MFA really viable is the hidden
factor: human-to-human / human-to-organization relationships. Social
relationships, not technical ones.
I’m also not comfortable with $bigtech_corp setting itself up as a
trusted intermediary for the same reason. $bigtech_corp tends to be all
about lack of accountability and destroying legitimate social
relationships.
I have questions not answers, problems not solutions.
Usually it was “I used the authenticator app on my old phone and forgot to migrate”.
Or “my old phone is now toast and I forgot the authenticator was there and there goes all my access”
Thankfully I had my core device codes backed up, but some stuff I just had to write off to no longer having access to because there wasn’t a support team to engage.
I moved phones several years ago and had some but not all TFA codes migrate. Fortunately I noticed before I sent the old phone to recycling but jeez why was that a possible failure mode? All or none, ffs.
That recovery thing was my biggest concern when getting my old SE repaired and the upgrade to the 13. It went well though, but I always think about those things.
I feel that it’s much more likely that I will suffer from MFA issues than it is that I will be targeted and successfully phished
But the damage it causes is different. For PyPi you losing your MFA is a minor loss of a package name and updates, not much different from any other package becoming unmaintained. OTOH a hack of your account credentials, whether through phishing or password reuse, could result in malware being spread to users who trusted you.
I really like the idea of centralizing that recovery. For example both 1Password and LastPass will store and BACKUP to the cloud your 2fa.
At that point your ability to access any site that uses 2fa is as secure and recoverable as your LastPass/1Password account, which for most people (but not everyone) is good enough for all their accounts. 1Password, for example, requires a secret key to login which is effectively a second factor with no recovery process if you can’t get to it. So it is possible to get locked out of everything but at least you can just worry about the recoverability of that one account.
Sort of! It sits in a weird place. 1Password requires MFA to get into the account in the first place, and then that gets you access to the service. It isn’t really reducing the number of factors, it’s just centralizing all the factors for multiple services into one place.
There are probably threat models where this is an awful idea (where you need MFA to protect against your password manager getting hacked, because the stakes are that high), but I think for the majority of people and majority of services this is exactly the same benefit password managers brought in the first place: by making MFA convenient and letting you solve security and recoverability just once, your overall security posture hugely improves.
This is one of those mostly-pointless terminology debates, like people who insist on “regex” instead of “regular expression” because PCRE is no longer regular in the formal CS sense, despite everyone knowing what’s actually meant.
It’s “pointless” because the main threat model that leads people to push for MFA is not “someone exfiltrates your local password-manager vault”, it’s “someone gets a huge database of passwords from a breach of some random site, and runs credential-stuffing attacks on every other site they can think of”.
TOTP is a shared secret, so if you know the secret, you can generate every TOTP code you want. So if you can steal the password file, you probably can also steal the TOTP secret file.
FIDO U2F/webauthn is not that way, it’s public key crypto, where the private part stays with the client.
A breach is still a breach, but again the threat model being mitigated here, for most people, is not “someone breaches the site’s database”, it’s “someone breaches another site and runs credential stuffing attacks”.
Obtaining Site A’s passwords and TOTP secrets does not give me any inroads into Site B’s TOTP secrets. So if both are using even “just” TOTP, Site B and Site B’s users are more strongly protected and more meaningfully protected than they would have been if both used only passwords.
So I still largely do not see nit-picking about how TOTP shouldn’t count as useful, and mentally categorize it with “regex” versus “regular expression” as one of those “everyone knows what it means, nobody needs to actually bother with the technical distinctions” things.
I can’t think of a threat that is thwarted by having TOTP but stored in the same password manager. But by enabling mfa on your service account you’re signaling hopefully-better security to the service, but there are never guarantees here, and there never were.
For example, is a hardware yubikey that is always plugged into your laptop a full second factor? Certainly to some threats (online password compromise) but not others (your laptop being stolen). Factors are contextual. It doesn’t mean we shouldn’t use them and services should certainly support them, so I’m happy to add them to my password manager.
And if I ever have a life critical service that just cannot be compromised I will use an offline hardware factor instead.
Depends completely on the risk(s) one worries about.
TOTP protects you from various threats. For instance if I can see the traffic between you and the site, I can slurp up your password and use it at another time. If I slurp up your TOTP code, then it won’t do me much(if any) good – totally depends on the TOTP implementation on the server and how good it is.
So TOTP(and almost all MFA) protects you from the MITM threat. Having your TOTP on a 2nd device doesn’t add any extra protection from this particular risk though(but it does from some other risks).
For every possible risk, there is almost always a security posture one can adopt that will lower or eliminate that risk. But for every security measure, there is some cost (convenience, money, maintenance, etc). The site you use will hopefully try to balance those in a safe, sane way. You have to do the same.
I agree with you. I just misunderstood what you meant. Sorry about that, I just wasn’t reading carefully enough.
Like you mentioned, security is about protecting from a particular threat. Without defining the threat you want to protect from, security is pretty much a pointless exercise. If you try to protect from ALL of them, then you live in a bunker in a plastic bubble and your life totally sucks by every objective measure. Everyone has to balance their risks vs convenience.
Some people/organizations probably have a threat where allowing TOTP codes on the same device is not OK due to a particular threat they are worried about. If that’s what keeps them up at night, then by all means keep them separate, but most people probably don’t have a kidnap threat risk for some authentication somewhere. Though if that was your legitimate threat, doing something like Shamir Secret Sharing with multiple people would probably be a better solution to the problem, than keeping TOTP on a 2nd device.
This is one of those mostly-pointless terminology debates
It certainly is a terminology debate, sometimes pointless, but I think people ask this question every single time I point out 1Password’s TOTP implementation because it’s a very natural question to have.
A question is never pointless if it comes from a place of curiosity and not argumentation.
It seems fears around recovery/device migration are a significant part of the rationale behind Apple’s passkeys implementation requiring iCloud Keychain sync https://twitter.com/rmondello/status/1534914697123667969 (referencing https://developer.apple.com/forums/thread/707539)
n.b. Passkey is a generic term for FIDO/WebAuthn credentials, which PyPI’s 2FA supports in addition to TOTP. PyPI also require you to record a set of recovery codes and ask you to recite a code back during their 2FA setup process.
Speaking as someone who worked in the hosting biz and had to deal with this stuff, fears around recovery and device migration are all too legitimate. “I lost my 2FA” was one of my most-loathed support requests. Usually it was “I used the authenticator app on my old phone and forgot to migrate”.
As the article hints at, what makes MFA really viable is the hidden factor: human-to-human / human-to-organization relationships. Social relationships, not technical ones.
I’m also not comfortable with $bigtech_corp setting itself up as a trusted intermediary for the same reason. $bigtech_corp tends to be all about lack of accountability and destroying legitimate social relationships.
I have questions not answers, problems not solutions.
Or “my old phone is now toast and I forgot the authenticator was there and there goes all my access”
Thankfully I had my core device codes backed up, but some stuff I just had to write off to no longer having access to because there wasn’t a support team to engage.
I moved phones several years ago and had some but not all TFA codes migrate. Fortunately I noticed before I sent the old phone to recycling but jeez why was that a possible failure mode? All or none, ffs.
That recovery thing was my biggest concern when getting my old SE repaired and the upgrade to the 13. It went well though, but I always think about those things.
But the damage it causes is different. For PyPi you losing your MFA is a minor loss of a package name and updates, not much different from any other package becoming unmaintained. OTOH a hack of your account credentials, whether through phishing or password reuse, could result in malware being spread to users who trusted you.
I really like the idea of centralizing that recovery. For example both 1Password and LastPass will store and BACKUP to the cloud your 2fa.
At that point your ability to access any site that uses 2fa is as secure and recoverable as your LastPass/1Password account, which for most people (but not everyone) is good enough for all their accounts. 1Password, for example, requires a secret key to login which is effectively a second factor with no recovery process if you can’t get to it. So it is possible to get locked out of everything but at least you can just worry about the recoverability of that one account.
Is it really MFA though if both components are stored in the same location? It seems like this entirely misses the point of MFA…
Sort of! It sits in a weird place. 1Password requires MFA to get into the account in the first place, and then that gets you access to the service. It isn’t really reducing the number of factors, it’s just centralizing all the factors for multiple services into one place.
There are probably threat models where this is an awful idea (where you need MFA to protect against your password manager getting hacked, because the stakes are that high), but I think for the majority of people and majority of services this is exactly the same benefit password managers brought in the first place: by making MFA convenient and letting you solve security and recoverability just once, your overall security posture hugely improves.
This is one of those mostly-pointless terminology debates, like people who insist on “regex” instead of “regular expression” because PCRE is no longer regular in the formal CS sense, despite everyone knowing what’s actually meant.
what’s “pointless” about insisting that storing two passwords requried to unlock the same account in one location might be dangerous?
It’s “pointless” because the main threat model that leads people to push for MFA is not “someone exfiltrates your local password-manager vault”, it’s “someone gets a huge database of passwords from a breach of some random site, and runs credential-stuffing attacks on every other site they can think of”.
TOTP is a shared secret, so if you know the secret, you can generate every TOTP code you want. So if you can steal the password file, you probably can also steal the TOTP secret file.
FIDO U2F/webauthn is not that way, it’s public key crypto, where the private part stays with the client.
A breach is still a breach, but again the threat model being mitigated here, for most people, is not “someone breaches the site’s database”, it’s “someone breaches another site and runs credential stuffing attacks”.
Obtaining Site A’s passwords and TOTP secrets does not give me any inroads into Site B’s TOTP secrets. So if both are using even “just” TOTP, Site B and Site B’s users are more strongly protected and more meaningfully protected than they would have been if both used only passwords.
So I still largely do not see nit-picking about how TOTP shouldn’t count as useful, and mentally categorize it with “regex” versus “regular expression” as one of those “everyone knows what it means, nobody needs to actually bother with the technical distinctions” things.
But this means if I use a password manager and have unique, strong passwords for each site, there’s no point to enabling MFA?
I can’t think of a threat that is thwarted by having TOTP but stored in the same password manager. But by enabling mfa on your service account you’re signaling hopefully-better security to the service, but there are never guarantees here, and there never were.
For example, is a hardware yubikey that is always plugged into your laptop a full second factor? Certainly to some threats (online password compromise) but not others (your laptop being stolen). Factors are contextual. It doesn’t mean we shouldn’t use them and services should certainly support them, so I’m happy to add them to my password manager.
And if I ever have a life critical service that just cannot be compromised I will use an offline hardware factor instead.
Depends completely on the risk(s) one worries about.
TOTP protects you from various threats. For instance if I can see the traffic between you and the site, I can slurp up your password and use it at another time. If I slurp up your TOTP code, then it won’t do me much(if any) good – totally depends on the TOTP implementation on the server and how good it is.
So TOTP(and almost all MFA) protects you from the MITM threat. Having your TOTP on a 2nd device doesn’t add any extra protection from this particular risk though(but it does from some other risks).
For every possible risk, there is almost always a security posture one can adopt that will lower or eliminate that risk. But for every security measure, there is some cost (convenience, money, maintenance, etc). The site you use will hopefully try to balance those in a safe, sane way. You have to do the same.
I agree with you. I just misunderstood what you meant. Sorry about that, I just wasn’t reading carefully enough.
Like you mentioned, security is about protecting from a particular threat. Without defining the threat you want to protect from, security is pretty much a pointless exercise. If you try to protect from ALL of them, then you live in a bunker in a plastic bubble and your life totally sucks by every objective measure. Everyone has to balance their risks vs convenience.
Some people/organizations probably have a threat where allowing TOTP codes on the same device is not OK due to a particular threat they are worried about. If that’s what keeps them up at night, then by all means keep them separate, but most people probably don’t have a kidnap threat risk for some authentication somewhere. Though if that was your legitimate threat, doing something like Shamir Secret Sharing with multiple people would probably be a better solution to the problem, than keeping TOTP on a 2nd device.
It certainly is a terminology debate, sometimes pointless, but I think people ask this question every single time I point out 1Password’s TOTP implementation because it’s a very natural question to have.
A question is never pointless if it comes from a place of curiosity and not argumentation.