Hacker News new | ask | show | jobs
by akerl_ 3080 days ago
This makes it sound like the secrets are just printed out and posted on a notice board somewhere, which is pretty much straight fearmongering.

The sandboxing between apps on non-jailbroken iOS (and to a lesser extent un-rooted Android) is such that having the secrets stored in an app's database renders them secure against basically any attack that doesn't involve physical access to the device.

Given that the app needs access to the symmetric TOTP keys for it to work, most of the available other options aren't appreciably changing the security model. Encrypt the DB with a magic secure-enclave-stored key? Now the app is just asking to decrypt the DB every time it's opened. What attack are you worried about where this new setup isn't equally vulnerable?
2 comments
fanzhang 3080 days ago
If someone gets a hold of your lost phone, without the secure enclave, rooting it is easy with physical possession. Whereas with a secure enclave, physical access with a locked device doesn't give the secret away.
link
chimeracoder 3079 days ago
> If someone gets a hold of your lost phone, without the secure enclave, rooting it is easy with physical possession.

Rooting an arbitrary Android phone is not easy, and rooting an arbitrary Android phone (especially the Nexus/Pixel flagship devices) without wiping the storage is really not easy.

link
fanzhang 3079 days ago
After looking around, I agree that standard ways of rooting the phone do involve wiping it.

However, it still remains that the secret is sitting in plain text on a hard drive on the phone. If you unplug/unsolder the hard drive, you could just read it, like a PC.

Another advantage is that if the secure enclave is hardware/firmware linked to authentication (fingerprint / password), then there would need to be a vulnerability in that hardware process for a remote users to get a break.

This is the second factor of a 2FA, so I agree that in most cases, it won't be a large issue. Someone who phishes your password over email would empirically be unlikely to hack your phone.

link
chimeracoder 3079 days ago
> However, it still remains that the secret is sitting in plain text on a hard drive on the phone. If you unplug/unsolder the hard drive, you could just read it, like a PC.

"In plain text"... on a disk that is fully encrypted. Full-disk encryption has been available in Android for several years, and required for almost all of that time.

link
Macha 3079 days ago
Android supports (and at least on my Nexus 5x, enabled by default) disk encryption.
link
stcredzero 3080 days ago
The sandboxing between apps on non-jailbroken iOS (and to a lesser extent un-rooted Android) is such that having the secrets stored in an app's database renders them secure against basically any attack that doesn't involve physical access to the device.

It's best not to rely on just one mechanism. Sandboxing mechanisms are also prone to exploits and bugs. For something as important as Two-Factor, Google engineers should be practicing defense in depth.

link