[tptacek]

It is very much the FTC's place to require companies to live up to the commitments they've made to customers, and probably, more broadly, to make sure they live up to the implied commitments of universal industry best practices. It is less clear that FTC has the authority to turn random companies into test cases for the elimination of phishing attacks.

The practices CafePress had prior to its breach were clearly inadequate, and justifiably actionable. They authenticated users with password-equivalent "security questions", which they (of course) stored in clear text. Storing cleartext password reset secrets contravenes universal industry best practices, and, really, so does the use of "security questions" at all --- though many banks still do.

But requiring 2FA tokens is not a universal practice. Moreover, deployed over a whole userbase, it doesn't really address the concerns that lead to or were revealed by this breach. Managing 2FA for non-technical end users --- that's the kind CafePress serves --- is extraordinarily difficult. People lose tokens, 2FA codes are phishable, account recovery remains the most difficult problem in computer security, and so on.

So yes, it is weird to me to see the FTC suggest that the appropriate solution to a broken authentication system with security question is "make people use 2FA tokens". The universal best practice solution to the specific problem the security tokens solved is "password reset emails that prove custody of a trusted email account". The demand from the FTC exceeds that best practice. That's interesting, and so I called it out.

We don't know each other, so it probably bears saying that I am foursquare supportive of 2FA. I'm supportive of a lot of things the FTC would no doubt love to force companies to do (penetration testing in particular!)

[4oh9do]

> But requiring 2FA tokens is not a universal practice.

It is not universal practice, but it is industry-standard, so I don't particularly understand why it is surprising that the FTC is recommending that CafePress adhere to industry standards.

[tptacek]

2FA is not in fact the industry standard process for account recovery (it's the industry standard problem that causes us to have to spend time on account recovery!), and account recovery is the problem this part of the consent agreement addresses.

[4oh9do]

As per NIST 800-63B:

> To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.

And further:

> Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.

[tptacek]

That's the NIST standard definition for out-of-band authenticators. FTC didn't demand out-of-band authenticators, nor is anyone obligated to comply with NIST.

[bombcar]

And the account/2FA reset procedure is always the weak point - most of my accounts with 2FA enabled let me reset it with access to email or SMS.

(Which is good for some of them, as they're notoriously flaky).

[tptacek]

Yes. For obvious reasons, people are more prone to lose 2FA authenticators (be they code generators or hardware keys) than passwords. Both passwords and 2FA mechanisms are customers of account recovery, which is the process that kicks in when you can't log in. Security questions are a particularly bad account recovery system. Reset emails are somewhat better.

Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

To get a general sense of where we're at as an industry with this, look at the process for what happens when you lose an AWS 2FA secret:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

[4oh9do]

> Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.

[tptacek]

I'm reading the plain language of the agreement, which requires the replacement of security questions and answers, and is not in fact a manifesto about the insecurity of passwords writ large.

But technical language aside: a requirement that CafePress fully adopt 2FA also doesn't make sense, because its users will not fully adopt 2FA. The users that can't 2FA are the interesting case here, and the thing I'm calling out.