Hacker News new | ask | show | jobs
by jonafato 2844 days ago
Can anyone comment on their "zero touch is safe" claim (https://krypt.co/faq/)? As far as I understand, tokens like YubiKeys require a touch as an explicit action by the user to prevent authentication without their knowledge. Doesn't a zero touch approach remove a security feature?
2 comments
henryfjordan 2844 days ago
It depends on your threat model.

You pair your phone and browser and then they can talk. Any time you want to log in through that browser it can talk to your phone and auth you automatically. For someone to exploit this, they'd need access to the computer with your browser.

So if your laptop gets stolen, yes this is a bad idea, but I think most people think that they can just revoke the browser's keys if if the laptop gets stolen and they are way more likely to have their phone stolen anyway.

link
jonafato 2844 days ago
I was more thinking of malware / some otherwise rogue process. This seems like something that's worth having in the world of fake support remote desktop scams.
link
ReverseCold 2843 days ago
That's so easy to bypass.

1. Wait for user to sign in. 2. Intercept their sign in. 3. User: "Oh, it didn't work. I'll just try again." 4. User tries again and it works. Attacker is also logged in now.

Alternatively, at that point you could just inject JS into whatever website needed 2FA and do everything without the user noticing anything.

link
ztjio 2843 days ago
It wouldn't matter if they had their laptop stolen unless they also had their phone stolen. The keys are on the phone. Any new auth attempt would require the phone in proximity of the laptop. It connects via Bluetooth, not over the internet.
link
jiveturkey 2844 days ago
I haven't researched their claim, but my guess is that with something like yubikey you wouldn't know an authentication has happened. with Krypton, there would be a notification pending on your phone. Possibly you would only be able to authenticate if your phone is unlocked as well.
link
ithkuil 2843 days ago
My phone locks after a while of inactivity. if I have to unlock the phone, then it wouldn't be zero touch, right?
link
mplewis 2843 days ago
When Krypton asks you to authorize an access, you can tell it to authorize that single access, authorize the host for three hours, or authorize everything for three hours.

I typically authorize the host for three hours, meaning for the next three hours I don't have to Touch ID in again.

link