Hacker News new | ask | show | jobs
by tptacek 1460 days ago
2FA is not in fact the industry standard process for account recovery (it's the industry standard problem that causes us to have to spend time on account recovery!), and account recovery is the problem this part of the consent agreement addresses.
2 comments
4oh9do 1460 days ago
As per NIST 800-63B:

> To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.

And further:

> Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.

link
tptacek 1459 days ago
That's the NIST standard definition for out-of-band authenticators. FTC didn't demand out-of-band authenticators, nor is anyone obligated to comply with NIST.
link
bombcar 1460 days ago
And the account/2FA reset procedure is always the weak point - most of my accounts with 2FA enabled let me reset it with access to email or SMS.

(Which is good for some of them, as they're notoriously flaky).

link
tptacek 1460 days ago
Yes. For obvious reasons, people are more prone to lose 2FA authenticators (be they code generators or hardware keys) than passwords. Both passwords and 2FA mechanisms are customers of account recovery, which is the process that kicks in when you can't log in. Security questions are a particularly bad account recovery system. Reset emails are somewhat better.

Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

To get a general sense of where we're at as an industry with this, look at the process for what happens when you lose an AWS 2FA secret:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

link
4oh9do 1460 days ago
> Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.

link
tptacek 1459 days ago
I'm reading the plain language of the agreement, which requires the replacement of security questions and answers, and is not in fact a manifesto about the insecurity of passwords writ large.

But technical language aside: a requirement that CafePress fully adopt 2FA also doesn't make sense, because its users will not fully adopt 2FA. The users that can't 2FA are the interesting case here, and the thing I'm calling out.

link