Real Two Step Security

TwoTankAmin
Astronaut
Posts: 745
Joined: 2014-07-23, 13:56
Location: New York

Real Two Step Security

Post by TwoTankAmin » 2018-07-24, 16:32

I just finished a small battle with Vanguard not to have to use two step security to log onto my account. I just came across this article in today's TechTimes:

No Google Employee Has Fallen Prey To Phishing Since They Started Using These $20 Devices
24 July 2018, 7:41 am EDT By Aaron Mamiit Tech Times
https://www.techtimes.com/articles/232614/20180724/no-google-employee-has-fallen-prey-to-phishing-since-they-started-using-these-20-devices.htm

Here are what I consider to be the two most important statements in the article.
Google told KrebsOnSecurity that none of its over 85,000 employees have been victimized by a phishing attack on their work-related accounts ever since the company started requiring them to use physical security keys in place of the traditional passwords and one-time codes........

Phishing attacks come in various forms, but their end goal is to trick users into giving up sensitive information such as log-in details. Two-factor authentication seeks to prevent this, because even if hackers acquire an account's password, they will also need to acquire the second code. Unfortunately, there are already some hacks that are capable of intercepting the codes, which are usually sent through SMS.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

Post by Moonchild » 2018-07-24, 18:15

It's been widely known in the security sector that "one time codes", "e-mail verification" and even using an "authenticator app" (looking at you, Steam) is not actually 2-factor, just an extension of 1-factor, and just makes it more likely that people choose weak credentials because it allows them to log in faster with the extra hurdles.

The security factor paradigm is:
  • Something you have
  • Something you know
  • Something you are
Something you know is usually the 1st factor used everywhere: login username and password.

Verifying with e-mail is making an assumption that someone who has your credentials doesn't have access to your e-mail. Both of those only require something you know.
The pseudo-second factor of one-time code or app fails because this is also something you can know -- it's an attempt at verifying that you have something (a mobile device), but the problem there is that a mobile device also has the primary channel for account recovery on it. Every smartphone has an e-mail app. Conversely, SMS messages can be intercepted and apps can be run in emulators.
None of the common "2-factor" authentication methods you see around are actually 2-factor. This is why I generally don't bother, and instead make sure to have strong and unique passwords that are never shared with anyone.

An actual second factor as something you have would be printed codes that are determined beforehand, sent securely to you and kept safe.
Cryptographic (hardware) keys or code devices with unique, unexportable private (cipher) keys on/in them are also something you can verify as "having", since it's based on a challenge-response that can only be produced by having the physical key or code device in your possession.

Just as much a common mistake is thinking that biometrics are "more secure". By themselves, they aren't. They are just 1 factor (something you are) and as safe or unsafe as something you have (a key) or something you know (a password). Only if combined with the other factors will they increase security.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
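As an added illustration of the distinction drawn in the post above (example code, not from the thread or any project it names): the Python below derives an RFC 6238 TOTP code from a shared secret, which is why a one-time code is "something you can know", and models a security key whose response is bound to the origin the browser reports, so a response produced on a look-alike site fails on the genuine one. The scenario, origins and timestamps are constructed, and HMAC stands in for a real key's asymmetric signature.

```python
import hashlib
import hmac
import secrets
import struct

def totp(shared_secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time counter, dynamically truncated.
    Anyone holding shared_secret (server, device, or a copy of either) can mint it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(shared_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login_ok(server_secret: bytes, submitted: str, now: int) -> bool:
    """Server recomputes the code; a phished code passes until its window closes."""
    return hmac.compare_digest(totp(server_secret, now), submitted)

class SecurityKey:
    """Stand-in for a hardware key: the secret never leaves the object, and the
    response is bound to the origin the browser reports. HMAC stands in for the
    key's asymmetric signature (no ECDSA in the standard library); a real key
    registers only a public key, so the server holds nothing that can sign."""
    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        data = len(origin).to_bytes(2, "big") + origin.encode() + challenge
        return hmac.new(self._secret, data, hashlib.sha256).digest()

def key_login_ok(key: SecurityKey, origin: str, challenge: bytes, response: bytes) -> bool:
    """Genuine site verifies against its own origin and the fresh challenge it issued."""
    return hmac.compare_digest(key.respond(origin, challenge), response)

def demo() -> dict:
    """Constructed scenario: a look-alike page relays whatever the victim produces."""
    now = 1_532_457_600                                   # fixed timestamp
    otp_secret = secrets.token_bytes(20)
    phished_code = totp(otp_secret, now)                  # typed into the fake page
    key = SecurityKey()
    challenge = secrets.token_bytes(32)                   # issued by the real site
    fake, real = "https://examp1e.test", "https://example.test"
    phished_resp = key.respond(fake, challenge)           # key saw the fake origin
    return {
        "totp_replay_works": totp_login_ok(otp_secret, phished_code, now + 10),
        "phished_key_response_rejected": not key_login_ok(key, real, challenge, phished_resp),
        "genuine_key_login_works": key_login_ok(key, real, challenge, key.respond(real, challenge)),
    }
```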

Post by TwoTankAmin » 2018-07-24, 23:50

@Moonchild=

Was that your techy way of saying the USB key thing works well and is an excellent idea?

Post by Moonchild » 2018-07-25, 00:37

TwoTankAmin wrote:@Moonchild=

Was that your techy way of saying the USB key thing works well and is an excellent idea?
Yes and no :)

Just highlighting that yes, it's a good idea because it's actually 2-factor, and no, don't go out and buy a crypto key because of this article, unless you actually have a use for it for a critical service (and want to run the risk of not being able to log in if you lose or forget to bring your key...)

Post by Phantom » 2018-07-25, 02:05

I use 2FA with damn near every login I can. And I've backed up the codes to Keepass, whose database is then encrypted again in a SFX archive and stored in my local FTP, cloud and DVD/RW in a fire proof safe rated for electronics. I think it's better than nothing. I don't particularly care for the SMS crap that Yahoo and Box use. I mostly use Authy, Google and for PayPal, Symantec.


How many times do you hear a massive database was hacked? Well, with 2FA you have a fighting chance at not having your account pried into. Especially CloudFlare. God forbid some asshole hacker finds his way into there. And I'll never EVER use their API crap.

Post by Isengrim » 2018-07-25, 03:17

I would honestly prefer one of these physical keys over, say, providing a phone number. That would save me from giving up yet another piece of PII.
Off-topic:
I also don't understand why more services don't allow for TOTP authentication, which would also allow me to keep my phone number to myself.
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Post by Moonchild » 2018-07-25, 05:11

Phantom wrote:I use 2FA with damn near every login I can.
pseudo-2FA. Which is more an annoyance to make you feel safer than it actually being 2-factor.

I'm not completely dismissing the value of it, though, don't get me wrong. It has some use, but it's still 1-factor. Sure, if you don't plan it and it bites you randomly it most definitely will lock YOU, the legitimate owner, out... but a planning attacker will never be surprised by the extra verification.
Phantom wrote:And I've backed up the codes to Keepass
Safeguarding your passwords is good but that doesn't strengthen your security, per se. If a server gets hacked, it gets hacked -- no secure local storage of your passwords will prevent that -- unless you think that the biggest danger is someone coming into your house and grabbing your password store from there?
Certainly, I keep all my passwords (over 500 of them) secured in an encrypted storage as well locked behind a master password only stored in my brain. But that has nothing to do with the authentication method, really, which is what this topic is about.
Phantom wrote:How many times do you hear a massive database was hacked?
Rarely. And it just underlines the need for unique passwords for sites. Once again nothing to do with authentication method. Nor the Cloudflare venom you had to throw in again.
Isengrim wrote:I would honestly prefer one of these physical keys over, say, providing a phone number.
Same here! But not many services offer key-based authentication. Or even cert-based, for that matter.

Post by Phantom » 2018-07-26, 09:58

Moonchild wrote: pseudo-2FA. Which is more an annoyance to make you feel safer than it actually being 2-factor.

I'm not completely dismissing the value of it, though, don't get me wrong. It has some use, but it's still 1-factor. Sure, if you don't plan it and it bites you randomly it most definitely will lock YOU, the legitimate owner, out... but a planning attacker will never be surprised by the extra verification.
That's why I have backed up the backup codes to Keepass just in case I do get locked out. Like I said, it's better than nothing.
Moonchild wrote: Safeguarding your passwords is good but that doesn't strengthen your security, per se. If a server gets hacked, it gets hacked -- no secure local storage of your passwords will prevent that -- unless you think that the biggest danger is someone coming into your house and grabbing your password store from there?
Certainly, I keep all my passwords (over 500 of them) secured in an encrypted storage as well locked behind a master password only stored in my brain. But that has nothing to do with the authentication method, really, which is what this topic is about.
That's not the point.
Moonchild wrote: Rarely. And it just underlines the need for unique passwords for sites. Once again nothing to do with authentication method. Nor the Cloudflare venom you had to throw in again.
BS. I have heard in the news time and time again of database breaches here in the U.S. and I get emails from a website when my email ends up in another hacked database.

Post by TwoTankAmin » 2018-08-02, 16:25

Just found this- Moon Child is right as always :D

From ArsTechnica:

WEAK LINK IN THE 2FA CHAIN —
Password breach teaches Reddit that, yes, phone-based 2FA is that bad
A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.

Post by therube » 2018-08-02, 19:13

Post by Phantom » 2018-08-02, 22:33

I've known that forever. That's why I don't like my Box and Yahoo account to use SMS. And even though things like Authy or Google Authenticator are better, it's all in how you use it and not get stuck in a phishing scheme.

I never read the article. I already know what it's going to say.

Post by Phantom » 2018-08-22, 13:37

Here's some food for thought. https://krebsonsecurity.com/2018/08/han ... -security/

Why people keep that much money tied up in volatile crypto currency I'll never know. Probably all about greed and status. I'd personally cash out and talk to a financial planner and CPA and see about moving it or at least most of it to a Cayman account. I'd also buy gold and maybe silver to hedge against a financial collapse brought on by God knows what up to and including the next possible Carrington event or EMP. If I had that much money I wouldn't want to be poor again.

Like I mentioned, I can't stand that Yahoo and box use crappy SMS for 2FA. I like Authy the most especially since in the App I can disable the creation of more Authy accounts. The only flaws I see with it are phishing, server hacks or my phone gets hacked. A hardware-based token is ideal, but not too many websites support it. So I'm left with Authy, Symantec VIP Access and Google authenticator.
