Hacker News new | ask | show | jobs
by six0h 1419 days ago
Are you writing off 2fa as a whole, or just sms? Aside from full database breach, why would requiring me to use a security key, or authenticator app be a bad idea? Physical theft is a lot harder (even just due to physical distance from a hacker) than stealing my password, which can happen at any distance
3 comments
winternett 1419 days ago
As a whole for social media at least.

For items that are of national security and high sensitivity in the business world, personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.

The people that seek that level and volume of data are not usually simple amateurs that stumble upon script tools, they are usually engineers, info warriors, and even massive operations themselves with funding, skill, and human resources to get what they want. The best ways to secure data is at the system level and by not collecting data that is not needed for direct relevance to system function to begin with.

Personal phone numbers have no relevance to apps like Twitter or Facebook beyond facilitating their personal information and ID lust.

link
kube-system 1419 days ago
Token based 2fa does not leak any information to the service and it has a benefit of preventing other types of attacks on the functions that the system is supposed to do. There is literally no reason to be against TOTP or WebAuthN
link
hombre_fatal 1419 days ago
I don’t agree. At worst it just introduces a “hey i lost my phone” customer support backdoor that may be weaker than what was there before.
link
kube-system 1418 days ago
It’s not any worse than the “hey I forgot my password” support backdoor.

If you have a support backdoor, it doesn’t matter what technology you use. That’s not a technology problem.

link
rtev 1418 days ago
That’s a security flaw. Backup codes are the fix if you get locked out. Sure, the attacker could find the backup codes, but that can be a challenging task.
link
duckmysick 1418 days ago
And at best? And what about on average?
link
winternett 1419 days ago
How could you ever guarantee that when registration for many services are conducted on such a wide variety of Internet-based web forms that are integrated into web sites?

That's not logical.

I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

link
kube-system 1418 days ago
You can guarantee that TOTP and WebAuthn do not share personal information because their implementation does not involve the use of any personal information.
link
ziddoap 1419 days ago
>I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

I might be missing something, but what does that have to do with the efficacy of token-based 2FA?

link
winternett 1419 days ago
Web forms allow social media sites to capture bare phone numbers and store them in other places than just for authentication services. The places they store these numbers are often exposed to the public and to partners for a fee, along with personal data, which regularly is connected to other personal data on each account user. 2FA does not keep your account secure, and is just a bogus ploy to get your phone number, by social and other platforms) if most of your personally identifiable information on a site stores can be scraped ALONG WITH YOUR PHONE NUMBER, as it was, from a social media site (Which is exactly what happened in the original article cited).
link
scrollaway 1419 days ago
You are missing the point of the GP’s comment. Token based 2fa does not involve phone numbers.

Most people who talk about 2fa being good are talking about TOTP or security keys. Phone number based 2fa is awful for a variety of reasons.

link
croes 1418 days ago
Ever heard of YubiKey, Google Authenticator or Authy?
link
rtev 1418 days ago
At the risk of sounding rude, I don’t think you understand how modern 2FA works. No phone number is involved.

Your parent comment is based on misinformation and is the top comment; please consider editing or deleting it.

link
Thorrez 1419 days ago
>personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.

U2F and WebAuthN protect against phishing. This protection applies regardless of whether you use a personal device or not.

Even more relevant, one of the main benefits of 2FA is securing people who reuse passwords. Similarly, that gained protection is not lost by using a personal device.

link
winternett 1419 days ago
System rules can, and often are configured to prevent password reuse well before 2FA. They have also enforced password complexity for ages now before 2FA... 2FA was invented and foisted on everyone without real necessity and demand involved. Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless. Text messages also aren't properly secure, neither is Wi-Fi and Bluetooth in many cases... It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

None of what you mentioned is advanced security if user phone numbers are stored and accessible along with their personal data.

Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

Social media surveillance is a gold mine of data for a social engineer these days, specifically BECAUSE of how invasive it is. 2FA does not protect it, it only creates a secure log in, it does not secure data beyond verifying a user has the phone tied to the account. A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.

link
Thorrez 1418 days ago
>System rules can, and often are configured to prevent password reuse

How? And even if it's not verbatim password reuse, people often choose extremely similar passwords such that given one password, the other one can be guessed in a few guesses.

Password complexity requirements don't stop password reuse.

>Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless.

I agree that SMS is the worst form of 2FA. There are others though.

>It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

You're conflating SMS 2FA with all forms of 2FA. There are other forms. The biggest threat that people face today is phishing. That's stopped by U2F/WebAuthN. One of the next biggest threats is credential stuffing. That's stopped by all forms of 2FA, regardless of how weak SMS is.

>Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

U2F and WebAuthN protect against these types of phishing attacks.

>A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.

So use a different type of 2FA than SMS.

link
Linosaurus 1418 days ago
> System rules can, and often are configured to prevent password reuse well before 2FA.

That does not at all help people who reuse passwords from one site on another.

link
sebow 1419 days ago
I assume he mostly means SMS. And I fully agree, ever since I've got my security key I've stopped using SMS (though I never really had problems with people trying to social engineer my telecom provider). It's way more secure and it's somewhat permanent compared to a phone number, especially if left at home(since realistically unless you're commuting a lot you don't need it). The biggest perceived risk imo is when travelling(especially since changing countries will most likely trip any account session). Even authenticator apps are better than 2FA through SMS.
link
ipaddr 1419 days ago
You lose access to the security key or the key stops working.
link
staticassertion 1419 days ago
Buy two keys. Your phone is probably a key already, so just one additional key.
link
winternett 1419 days ago
Give copies of the keys to all your co-workers, and leave one under the doormat too for a good time... Hah!

All the added complexity of implementing minimum character limits on passwords and requiring them to be changed every 3 months literally drove people to write passwords on post its and put them on PC monitors back in 2019... Some things never change...

Maybe we should add second and third passwords, and then keep goin until admins lose root access and just use Sudo.... LOL!

link
microtonal 1419 days ago
A YubiKey under the doormat protects against one of primary intended scenario: preventing phishing. It's unlikely that a phisher on the other side of the world has access to your doormat. Moreover:

- Modern FIDO2 keys allow you to set a password (I think sites have to implement the newer FIDO2/Webauthn standards rather than U2F to use this functionality). So then when someone takes it from under your doormat, it is worthless.

- Passkeys are coming. E.g. on Apple platforms they will be secured between devices using end-to-end encryption (through iCloud keychain) and they use biometric authentication to unlock (Face ID or Touch ID). This will make non-password authentication a lot more convenient.

link
winternett 1419 days ago
I know, I've used them multiple times.

The thing is, no one can explain to me how it's better than just requiring 2+ passwords on each user account. You can't authenticate if you lose the Yubi when tech support is not available without circumventing the very process it was based upon... Nothing is failproof. Of course each specific use case is different.

If Facebook demanded I use a dongle or even biometrics, that would very well be the exact point I quit it though.

link
ziddoap 1419 days ago
>The thing is, no one can explain to me how it's better than just requiring 2+ passwords on each user account.

Really? It seems pretty straightforward. In one case I have a physical object that must be physically stolen from me to access my account. In the other case, if I make 2 poor passwords, my account can be accessed from anywhere in the world, no physical access required. The pool of people who can realistically compromise my account drops exponentially.

>You can't authenticate if you lose the Yubi when tech support is not available without circumventing the very process it was based upon.

Perfect is the enemy of good. Some people sometimes losing their Yubi and having to authenticate in a different way one time is not a good reason to argue for not having them at all.

link
fragmede 1419 days ago
U2F ("Yubi") doesn't have a "password" that's exposed to the user (you), so the attacker would have to steal it in order to get its password. Meanwhile, two passwords are basically the same as having one long password, and if the attacker gets that, then they're in.

(Yes, if the attacker can factor very large prime numbers, then they can get the "Yubi password", but if they can do that, there's a lot of bitcoin they could steal.)

U2F also signs the auth with the site's domain name, so even if the user tries to log into faceb00k.com (zeros), U2F won't let the attacker reuse the credentials on facebook.com.

This does require that you actually lose access without the second factor. In higher security environments this is enforced - if you lose the U2F device, then you can't log in. Obviously if the site lets you log in without the device then having the device doesn't actually matter.

Lost device flow is a weakness, but typically they're more involved and require the attacker to have more details about the user than a simple phish attack would have access to.

link
staticassertion 1419 days ago
> The thing is, no one can explain to me how it's better than just requiring 2+ passwords

I'm sure many people can explain this. It's not hard. FIDO2 tokens are not phishable, the domain name is part of the challenge.

link
KronisLV 1419 days ago
> All the added complexity of implementing minimum character limits on passwords and requiring them to be changed every 3 months literally drove people to write passwords on post its and put them on PC monitors back in 2019... Some things never change...

This does seem a bit silly, but is also the "logical" thing for many people, who won't be able to remember all of their different passwords and don't know of any better solution - thus the less tech savvy will store their passwords in a text file, a spreadsheet, or a post it note on their computer.

Personally, I don't know any of my passwords anymore. Everything is randomly generated by KeePass with the password databases being distributed across my devices or SD cards/HDDs for backups (encrypted). Once you stop thinking of passwords as something that you should "know", but rather something that you "have", then it becomes way easier. Far too many people have the wrong mindset and attempt to use the same password for multiple sites - they're one breach away from having a really bad time.

And yet, somehow we don't really talk about that and don't educate people. I don't believe that in school or university, across more than a decade of education a password manager of any sort was ever mentioned, be it a web based one or a file based one. Not even proper encryption (outside of SSL/TLS, but for websites), no mentions of PGP/GPG either. And that's after getting a Master's Degree in Software Engineering. Of course, I talked with peers and other people, including professors about these topics, but they were never officially covered in any of the courses.

That makes me think that outside of ads on YouTube for popular SaaS offerings in the space, it's a pretty dire situation for the average person.

link
staticassertion 1419 days ago
> Give copies of the keys to all your co-workers, and leave one under the doormat too for a good time... Hah!

Straw man, not going to address this.

> write passwords on post its and put them on PC monitors back in 2019

This is fine

> requiring them to be changed every 3 months

NIST recommends against this

I don't really get your post.

link
winternett 1418 days ago
> I don't really get your post.

That's because we are going down a rabbit hole far away from the original premise... We are talking mostly about social media here (as cited above) using 2FA... 2FA in more high value settings is a separate discussion.

In Private settings, 2FA can still be compromised by data scraped from social media, that catalogues data even on people who do not create social media profiles.

I am not arguing against the technical merits of how 2FA operates, but even with a Yubi Key, a user with system access can be compromised if they are physically extorted or abducted along with their key. The real world is a factor in security, it is not overcome by encryption.

I have listed several aspects of flaws to the security model in other posts here. Arguing about the technical bones of 2FA is a distraction/sidebar from those other valid points.

link