How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse Despite multi-factor authentication being on hand to protect online accounts and other logins from hijackings by miscreants for more than a decade now, people still aren't using it. Today, a pair of academics revealed potential reasons why there is limited uptake. Spoiler alert: it's because, apparently, there isn't enough …
Not only that, but it appears that any USB device is potentially hackable because of issues with USB itself. From what I can read, that leaves cell phones for 2FA, which don't have connectivity in some buildings and areas. I'm not entirely convinced that a longer video will solve those problems.
Furthermore, the phone is something you carry with you already. I have never been interested in 2FA that uses a special device because I don't want to have one more thing to carry around and potentially lose. If it is needed to login to something for work that's fine, because I have a bag for my laptop I can put it in and won't have the laptop without the bag.
And does anyone really expect to plug a USB device into their phone, when you take your phone with you everywhere? What are you going to do, carry it on a keychain, so you have a bunch of keys hanging out the bottom of your phone? Yeah right. That's the problem with a special device right there - it can't be universal for your computer(s) and phone/tablet.
Since your phone ALREADY has a way of identifying yourself built in, just use that. Fooling a fingerprint reader or face scanner requires physical presence, you can't unlock the secret remotely (at least not with an iPhone, or presumably any modern Android that has an equivalent of the secure enclave) and if someone can get physical possession of my phone they can get physical possession of my USB dongle...
I don't have one (or the associated monthly bill). But I heard right here at The Reg that if you give one of the biggies (FB was named) your mobe number for 2fa, they then use it for other things, it's an excuse to data-mine.
Frankly, I'm not vain (or rich) enough to think most of my accounts are worth the effort to run a password attack on. For those...well, yeah, I do careful management indeed. But that's not the bulk of the passwords/logins I have by a huge fat margin.
I'm even the type to have set up a separate, small, debit card account to use online - people do have that number - but I never keep more than a couple bucks in it until just before I click the "place your order" button. Nice thing online banking and a good banker let you do. I set up the underlying account to DISABLE overdraft protection...which banks hate as they get fees from that, but...hackers, have at, most you're gonna get is around $2...while leaving some trail back to yourself. I did this because I was once hacked - and that guy did time in the greybar hotel as a result. Don't get mad...get...well, you know.
I can't believe* I got downvoted for not carrying a phone.
It's not my fault I don't have friends who want to speak to me every second of every day, or that I don't absolutely need to speak with them at a whim, or that I don't feel a compulsion to install a Facebook app let alone use it. Unless I'm going out of town for a few days my phone is a fucking expensive alarm clock, that's all.
*Well, alright, maybe I can.
> And does anyone really expect to plug a USB device into their phone, when you take your phone with you everywhere? What are you going to do, carry it on a keychain, so you have a bunch of keys hanging out the bottom of your phone? Yeah right. That's the problem with a special device right there - it can't be universal for your computer(s) and phone/tablet.
My Yubikey lives on my phone. It's got a USB interface for plugging into the PC/Laptop, and NFC support for the phone to communicate with.
It really need not be nearly as hard as you make out.
The problem with relying (just) on your phone is you're screwed if you break or lose it. So you already need to have a backup route. Mines a second yubikey that lives in my safe, as well as a couple of little U2F dongles that live in offsite locations
"My Yubikey lives on my phone. It's got a USB interface for plugging into the PC/Laptop, and NFC support for the phone to communicate with."
Since my phone is the least secure and trustworthy device I own and use, I don't (and won't) use it for any 2FA-related purpose.
Not every phone. Usually, only the most expensive ones. You can't tie a service availability to be able to buy expensive phones too. Anyway, a phone used for too many different tasks can be compromised - and then even biometric authentication is not so secure. Sincerely, I don't like the "all eggs in one basket" approach, especially for very sensitive tasks. What could be acceptable to log-in to ElReg may not be acceptable to approve a $$$$$$$$$ transaction through my bank.
Who says that using your phone has to be the ONLY alternative? It is a simple "something you have" that also offers an extra level of authentication which cannot be bypassed remotely, which makes it pretty damn secure. Dunno about Android, but biometric authentication on an iPhone is VERY secure, Apple has never had an exploit against the secure enclave.
That it is possible to fool Touch ID or Face ID is irrelevant - someone needs physical possession of my phone for that, and take the time/trouble to set things up to fool it, and that only gets the one of the two factors. They'd also need my login/password to my bank account, and hope they can use it before I can revoke that phone as a 2FA method. If they get all that I guess I deserve to have my money stolen.
I'd feel totally comfortable using my phone as the 2FA for my bank or brokerage account. Obviously you'd need some sort of backup 2FA method since phones can break or be lost/stolen, but that's the case with every physical 2FA.
"phones can break or be lost/stolen, but that's the case with every physical 2FA."
Which is exactly why NO physical 2FA will work for me.
I lose things constantly. Sometimes I find them in an hour, sometimes in a month, sometimes in three years. Shorter periods are more common, but a dozen times a day something goes missing. On a good day.
This will happen - there is nothing I can do about it. The medical condition underlying this affects approximately 8% of the population and the percentage is increasing.
I can remember a password - or find a copy of a sufficiently replicated encrypted data package.
The value of the item, or its importance, or usefulness does not affect the chance of loss. My smartphone has vanished for up to a year at a time. More valuable things have been gone longer. Once it was paper documentation worth tens of thousands, and it took more than a decade to find that.
The one thing that helps is something that is too large, too heavy, or otherwise immobile. A computer always plugged into a wall and a network and two or three monitors with cables is a good choice.
On the other hand, every password I use is complex, unpredictable, and used for only one security domain, whether a site, a computer or an SSO authentication system.
If someone needs 2FA to be secure, fine... just as long as the rest of us retain the ability to decline that and keep using passwords.
Currently there are no better alternatives for many of us.
Furthermore, the phone is something you carry with you already.
Not everyone carries a phone with them.
Also, the phone is not as secure as you think. There is the sim card swap which means hackers can put in your number and get texted your username. Then repeat it to reset your password. So effectively by trying to implement the 2FA as it is today means less security than then without it.
"Why should it need connectivity, ... "
Sure, but for those of us in areas where there is no cell connectivity (most of rural Canada), we often don't have, let alone carry, a cell phone.
Also, pardon my ignorance, but how would I connect a cell phone to my computers? Do I need to install some kind of USB wireless device? I am indeed interested in 2FA, but it seems that there are different explanations of how to do it, each with a different set of unexpressed assumptions.
You wouldn't connect it to your computer physically. It could interface with Bluetooth, but failing that it could work just like a standalone security device, and when you open (and authenticate yourself, if you want security above the standalone security device) and it shows a 6 or 8 digit number which is good for one minute, that you will be challenged to provide to login in lieu of a password which can be easily stolen.
"Also, pardon my ignorance, but how would I connect a cell phone to my computers? Do I need to install some kind of USB wireless device? I am indeed interested in 2FA, but it seems that there are different explanations of how to do it, each with a different set of unexpressed assumptions."
There are many ways to authenticate with something physical. A good system will let you choose, which throws out some companies, unfortunately. However, a good system will look like Duo Security (I am not in any way connected with that company. I just use their product to authenticate some places. I don't administer it either, this is purely a user's view).
With this system, you have a few options to authenticate. After you log in with your username and password, you are presented with a list of choices, so you can have multiple active options and use the one that is going to work. The options available include these:
1. Their primary suggestion is their own mobile app. You get a push notification, but it is not connected to your phone number. You have to have an internet connection for that to work, and you authenticate by pressing a button on your phone.
2. A code, also from their app. This is used if you don't have a connection (the code changes every thirty seconds based on a secret known to your phone, and becomes invalid afterward. Duo's is a 6-digit code that you enter on the thing you're logging into.
3. A phone call/SMS to an approved number, meaning you can use a landline. You do have to log in with proper credentials or that won't work, but that one could be abused by a local attacker.
4. A USB token like the ones mentioned in the article, either one that only works with Duo's system which the administrator probably has a gigantic box of, or an independent market one that works with a lot more (what I have).
This does not require that the thing you're connecting to having or allowing a USB device, or your phone having a connection at all times. If you simultaneously don't have a smartphone, don't want a USB device, and don't have any kind of phone with service, then I don't think there are other options. Still, this means you can use the authentication using a number of paths.
FWIW our publishing system uses multi-factor authentication. It is mandatory: you cannot login to write, edit, publish, and manage articles without it.
So there's hope yet it'll be rolled out to comments.
C.
PS: We get our little red Reg badge when we post or reply to comments via the publishing backend.
[MFA on El Reg's web site.]
So there's hope yet it'll be rolled out to comments.
Which rather defeats the option to comment anonymously. Personally I'd prefer to live with a few trolls in order to get the anonymous insider comments we occasionally have on sensitive subjects.
For websites see https://www.turnon2fa.com/tutorials/ and https://twofactorauth.org/.
Even PayPal has it but it's pretty well hidden.
Paypal UK can work with 2FA. I have been using Verisign's VIP Access 2FA app for a few years with Paypal UK. I recall it was set up as a security key (rather than mobile phone), and you then need to append the six digit 2FA code to the end of your password to log in.
Yes Facebook, here's my mobile phone number for 2FA, take it as it will increase my security.
What? You've used the number as part of my personal profile data for your own commercial ends?
Ok, so I'll give you my face, my fingerprint, my DNA sample ... Is there anything else you need to enhance my security? I have faith that you are not going to use them in some clandestine way too ...
MFA in itself may rely on trust which, as we (allegedly) see with Facebook, simply isn't there.
Right. I don't trust any 2FA backend run by ads-placement-seller-and-data-slupers like Google or the like. Nor I trust any OS or app offered by the same companies for the same task.
Not surprisingly, Facebook was caught using its 2FA system to match, identify and search people as well.
There's also another issue: or you use different, disjointed 2FA "devices" for each "service", or if the same strong authentication is used, it uniquely identifies a user itself - and becomes a powerful tracking technique. Maybe not by the service being accessed, but the auth backend knows who is accessing what and when.
Thereby, how many tokens/application/etc we should carry around? Do some of those devices allow for different "identities" to avoid tracking?
Thereby, how many tokens/application/etc we should carry around? Do some of those devices allow for different "identities" to avoid tracking?
I think this is the intention, if not a requirement. See the first paragraph here: https://www.w3.org/TR/webauthn/#intro
if the same strong authentication is used, it uniquely identifies a user itself - and becomes a powerful tracking technique. Maybe not by the service being accessed, but the auth backend knows who is accessing what and when.
==========================================================
Which also means they will be hacked to get your information.
Furthermore, any phone based 2FA that is not contained entirely in the phone so you can use airplane mode means that you can be physically located at login time when you contact the auth back end... lots of bad security possibilities.
For that matter if your location information leaks, your location history can retroactively spill information when linked to authentication times.
This is a real problem. I have done this by having multiple auth tokens (one for corporate systems, one for personal systems, and one that I got because you could program it to do different things). I'm planning to change the firmware on the programmable one to hold multiple keys and use a series of button activations to choose the one to use. It seems very straightforward to do, and entirely capable of that. It may be possible to replace the firmware on more typical keys as well, but I don't know for sure. Also, as a bonus, when I finish with that idea, someone who steals it will have the fun experience of trying to figure out exactly what pattern of button presses I've set for my keys. They're very hard to steal and nobody wants it that badly, but I kind of want it to happen just so I can imagine someone getting annoyed trying to use it maliciously.
I set it up for my organisation last year and, whilst the backend is merely awful (web pages that have a few lines of text, no common navigaiton structure with the rest of the O365 admin area), the setup for the desktop Outlook application is bonkers. Newer Office apps (Teams etc.) can utilise the MFA SMS / authorisation apps but Outlook needs a password. Not your O365 password, no - that would be insecure. Outlook requires a system-generated 15 character (always all letters, all lower case) one that the user then has to type or paste in; the app remembers it but they will need it (or need to generate another - multiples are allowed) if they wish to open Outlook on a second Windows device. What do MS think most users going to do with such a password?
The whole system is a nightmare and not easy to use, never mind administer; I wouldn't blame any admin not implementing it, never mind a user for resisting it. I've only been a user of other systems (gmail, Apple, BitDefender etc. etc.) but they are all simple, intuitive and logical in comparison.
> With less than 10 per cent of Gmail users logging in with two-step authentication, last time we checked, there’s clearly a long way to go
That, in fairness, is partly Google's fault.
They've sort of made provision for stuff you can't 2FA to log into your account - you can create a dedicated 'app password' for those. Except, that the flow is - app logs in with that password, exchanges it for a token and then uses the token going forward.
So, if something you need to use only speaks standard compliant stuff like IMAP and POP rather than google specific authentication bollocks, you cannot have 2FA turned on on that account. Backing your mail up with getmail being a prime example.
Which is patently fucking stupid. Yes the app password means there's a potential way to login without 2FA, but it gives limited access (i.e. just to the mail rather than to the account) and is easily revoked. Instead, you have to leave the entire account wide open across Google's services. That's Google letting perfect be the enemy of good there IMO.
thanks, though neither help in this case. Its a cronjob that logs in to pull specific mails down into a mhonarc archive.
Not a common use-case I admit. Google have never given a fuck about their auth scheme breaking things, even when thunderbird couldn't handle it.
I really should just stop using them, but lack the time to sit and think a replacement through properly
I really should just stop using them, but lack the time to sit and think a replacement through properly
--------------------------------------------
Just find an ISP that does email, that you will never use for connectivity, and that supports encrypted SMTP and IMAP and you are good.
If your country has bad rules about privacy and monitoring, choose one in another country that doesn't.
Use a carefully chosen no-log VPN service for all connections from your computer, and use Thunderbird with encrypted SMTP and IMAP, and enigmail/PGP where possible.
I've got fetchmail running via cron quite happily on 2fa'd gmail accounts.
You just need to give your email a slightly bigger attack surface - and yes, I mean that.
If you go to the right bit of their website and click in the right places, they issue you with an 'application password' - a medium-sized random string - for you to cut and paste into your fetchmail/grabmail/etc config file.
It probably won't work to login via webmail, but it works for IMAP clients.
As I mentioned in the original post, I've already gone the application password route. Didn't work.
Well, technically, it did - once. The first run was fine, and then Google stopped accepting the password (because it should then have been swapped for a token).
Sounds like fetchmail have added support for Google's auth flow. Unfortunately there are reasons I'm using getmail and not fetchmail, though I really should revisit whether those are still valid
And you are supposed to keep track of this list of one time codes exactly how?
Sticking copies up on the refrigerator at home, the whiteboard in your office, in your wallet, and in the console of your car?
Which then get lost, buried, or moved?
Just let them set a good, secure password of their own design.
I would have thought World + Dog would dropped RSA after they were exposed for weakening all RSA systems for the US Gov, which of course ended up biting them in the arse when the OMP data was hacked due to the Exact Exploit they had RSA put in for them.......
Trust is earned and lost by actions - RSA lost trust by putting back doors in everything, even if it was just once - which we don't know. Some how Cisco back doors haven't had the same effect - yet.
2FA is great in principle.
In practice it is not the use of 2FA that is the problem, it is the ancillary activities, for example:
1) How do you ensure you have a trustworthy 2FA device? What process should you follow in obtaining one to ensure it isn't bogus, loaded with hacked firmware, has a borked RNG etc?
2) Once you have a 2FA device, what do you do if it breaks, gets lost, or malfunctions. How do you know it is malfunctioning?
People pretty much know what to do with passwords, but the understanding around the use of 2FA devices is far less prevalent. It's just another electronic doodad that can break, or get lost. Should you let someone else have possession of it temporarily? Can you safely send it in the post to someone? Can two people share one? None of these are questions that security professionals have a problem with, but your average end user generally has a far better understanding of the issues surrounding passwords than they do of the (potential) issues surrounding multi-factor authentication.
The fun starts when your vague and slightly forgetful relative puts their security token through the washing machine for the third time in six months and can't pay their bills until the bank supplies a new one. Or, perhaps they've encrypted some important documents and the decryption key was stored with no backup on a device that has just failed (because it went through the W/M, again). At least passwords are easy to copy and the copy can put put in an envelope and stored in your lawyer's safe, or a bank safety deposit box. I have enough trouble with someone who has no familiarity with technology, and for the life of them cannot remember the difference between the Windows logon password, the WiFi password for their home network, and their GMail password. I will need an entire pantheon of divine helpers if they are ever forced to use multi-factor authentication. It is absolutely no surprise that the take-up of multi-factor authentication is so low.
More explanation is required for that statement. We all know about the biometrics problem (can't change them, you carry them with you where people can steal copies, etc.). Those don't apply to 2FA. So what are the problems you're referring to and what are the "simpler, more reliable ways" to fix it?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
