Real Two Step Securty

[TwoTankAmin]

I just finished a small battle with Vanguard not to have to use two step security to log onto my account. I just came across this article in today's TechTimes:

No Google Employee Has Fallen Prey To Phishing Since They Started Using These $20 Devices
24 July 2018, 7:41 am EDT By Aaron Mamiit Tech Times
https://www.techtimes.com/articles/232614/20180724/no-google-employee-has-fallen-prey-to-phishing-since-they-started-using-these-20-devices.htm

Here are what I consider to be the two most important statements in the article.

Google told KrebsOnSecurity that none of its over 85,000 employees have been victimized by a phishing attack on their work-related accounts ever since the company started requiring them to use physical security keys in place of the traditional passwords and one-time codes........

Phishing attacks come in various forms, but their end goal is to trick users into giving up sensitive information such as log-in details. Two-factor authentication seeks to prevent this, because even if hackers acquire an account's password, they will also need to acquire the second code. Unfortunately, there are already some hacks that are capable of intercepting the codes, which are usually sent through SMS.

[Moonchild]

It's been widely known in the security sector that "one time codes", "e-mail verification" and even using an "authenticator app" (looking at you, Steam) is not actually 2-factor, just an extension of 1-factor, and just makes it more likely that people choose weak credentials because it allows them to log in faster with the extra hurdles.

The security factor paradigm is:

• Something you have
• Something you know
• Something you are

Something you know is usually the 1st factor used everywhere: login username and password.

Verifying with e-mail is making an assumption that someone who has your credentials doesn't have access to your e-mail. Both of those only require something you know.
The pseudo-second factor of one-time code or app fails because this is also something you can know -- it's an attempt at verifying that you have something (a mobile device), but the problem there is that a mobile device also has the primary channel for account recovery on it. Every smartphone has an e-mail app. Conversely, SMS messages can be intercepted and apps can be run in emulators.
None of the common "2-factor" authentication methods you see around are actually 2-factor. This is why I generally don't bother, and instead make sure to have strong and unique passwords that are never shared with anyone.

An actual second factor as something you have would be printed codes that are determined beforehand, sent securely to you and kept safe.
Cryptographic (hardware)keys or code devices with unique, unexportable private (cypher-)keys on/in them is also something you can verify as "having" since it's based on a challenge-response that can only be produced by having the physical key or code device in your possession.

Just as much a common mistake is thinking that biometrics are "more secure". By themselves, they aren't. They are just 1 factor (something you are) and as safe or unsafe as something you have (a key) or something you know (a password). Only if combined with the other factors will they increase security.

[TwoTankAmin]

@Moonchild=

Was that your techy way of saying the USB key thing works well and is an excellent idea?

[Moonchild]

@Moonchild=

Was that your techy way of saying the USB key thing works well and is an excellent idea?

Yes and no

Just highlighting that yes, it's a good idea because it's actually 2-factor, and no, don't go out and buy a crypto key because of this article, unless you actually have a use for it for a critical service (and want to run the risk of not being able to log in if you lose or forget to bring your key...)

[Phantom]

I use 2FA with damn near every login I can. And I've backed up the codes to Keepass which it's database is then encrypted again in a SFX archive and stored in my local FTP, cloud and DVD/RW in a fire proof safe rated for electronics. I think it's better than nothing. I don't particularly care for the SMS crap that Yahoo and Box use. I mostly use Authy, Google and for PayPal, Symantec.


How many times do you hear a massive database was hacked? Well, with 2FA you have a fighting chance at not having your account pried into. Especially CloudFlare. God forbid some asshole hacker finds his way into there. And I'll never EVER use their API crap.

[Isengrim]

I would honestly prefer one of these physical keys over, say, providing a phone number. That would save me from giving up yet another piece of PII.

Off-topic:
I also don't understand why more services don't allow for TOTP authentication, which would also allow me to keep my phone number to myself.

[Moonchild]

I use 2FA with damn near every login I can.

pseudo-2FA. Which is more an annoyance to make you feel safer than it actually being 2-factor.

I'm not completely dismissing the value of it, though, don't get me wrong. It has some use, but it's still 1-factor. Sure, if you don't plan it and it bites you randomly it most definitely will lock YOU, the legitimate owner, out... but a planning attacker will never be surprised by the extra verification.

And I've backed up the codes to Keepass

Safeguarding your passwords is good but that doesn't strengthen your security, per se. If a server gets hacked, it gets hacked -- no secure local storage of your passwords will prevent that -- unless you think that the biggest danger is someone coming into your house and grabbing your password store from there?
Certainly, I keep all my passwords (over 500 of them) secured in an encrypted storage as well locked behind a master password only stored in my brain. But that has nothing to do with the authentication method, really, which is what this topic is about.

How many times do you hear a massive database was hacked?

Rarely. And it just underlines the need for unique passwords for sites. Once again nothing to do with authentication method. Nor the Cloudflare venom you had to throw in again.

I would honestly prefer one of these physical keys over, say, providing a phone number.

Same here! But not many services offer key-based authentication. Or even cert-based, for that matter.

[Phantom]

pseudo-2FA. Which is more an annoyance to make you feel safer than it actually being 2-factor.

I'm not completely dismissing the value of it, though, don't get me wrong. It has some use, but it's still 1-factor. Sure, if you don't plan it and it bites you randomly it most definitely will lock YOU, the legitimate owner, out... but a planning attacker will never be surprised by the extra verification.

That's why I have backed up the backup codes to Keepass just in case I do get locked out. Like I said, it's better than nothing.

Safeguarding your passwords is good but that doesn't strengthen your security, per se. If a server gets hacked, it gets hacked -- no secure local storage of your passwords will prevent that -- unless you think that the biggest danger is someone coming into your house and grabbing your password store from there?
Certainly, I keep all my passwords (over 500 of them) secured in an encrypted storage as well locked behind a master password only stored in my brain. But that has nothing to do with the authentication method, really, which is what this topic is about.

That's not the point.

Rarely. And it just underlines the need for unique passwords for sites. Once again nothing to do with authentication method. Nor the Cloudflare venom you had to throw in again.

BS. I have heard in the news time and time again of database breaches here in the U.S. and I get emails from a website when my email ends up in another hacked database.

[TwoTankAmin]

Just found this- Moon Child is right as always

From ArsTechnica:

WEAK LINK IN THE 2FA CHAIN —
Password breach teaches Reddit that, yes, phone-based 2FA is that bad

A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.

[therube]

Linked, https://arstechnica.com/information-tec ... -that-bad/.

[Phantom]

I've known that forever. That's why I don't like my Box and Yahoo account to use SMS. And even though things like Authy or Google Authenticator are better, it's all in how you use it and not get stuck in a phishing scheme.

I never read the article. I already know what it's going to say.

[Phantom]

Here's some food for thought. https://krebsonsecurity.com/2018/08/han ... -security/

Why people keep that much money tied up in volatile crypto currency I'll never know. Probably all about greed and status. I'd personally cash out and talk to a financial planner and CPA and see about moving it or at least most of it to a Cayman account. I'd also buy gold and maybe silver to hedge against a financial collapse brought on by God knows what up to and including the next possible Carrington event or EMP. If I had that much money I wouldn't want to be poor again.

Like I mentioned, I can't stand that Yahoo and box use crappy SMS for 2FA. I like Authy the most especially since in the App I can disable the creation of more Authy accounts. The only flaws I see with it are phishing, server hacks or my phone gets hacked. A hardware-based token is ideal, but not too many websites support it. So I'm left with Authy, Symantec VIP Access and Google authenticator.