Hacker News new | ask | show | jobs
by 1970-01-01 535 days ago
I disagree with the experts here. There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault. At best, this is a lateral security trade-off that you are paying them to provide. View the 2FA feature from a software marketing and sales lens. Can you see how it's just feature creep, driven by competition doing the exact same thing?
3 comments
baobabKoodaa 535 days ago
Same here. It seems like they are very narrowly optimizing for the extremely rare case of a person who simultaneously:

A) Is fooled by a phishing attack

and

B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work

Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.

It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.

link
yoble 535 days ago
In my previous company we hired a startup that did security training, that recommanded everyone use a password manager. And one of their test was that they sent a fake phishing email to people (randomized over a couple of months so not everyone would get it the same day).

I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.

Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.

link
baobabKoodaa 535 days ago
The most important bit of information is missing from your post: was everyone using 2FA? If yes, then you make a relevant point.
link
Dylan16807 535 days ago
Even if no 2FA was involved at all, it's a good answer to the scenario you were posing.

I think plenty of people will have second thoughts when the password doesn't go.

link
baobabKoodaa 533 days ago
The comparison here is using 2FA with external device, or putting 2FA codes into a password manager.

Any kind of experiment that doesn't involve 2FA at all is not relevant for this comparison.

link
Dylan16807 533 days ago
The anecdote provides evidence for people that are initially fooled by a phishing attack but aren't fooled enough to manually copy-paste credentials when autofill doesn't work.

Your argument about 2FA depends on how many of those people there are.

Therefore the anecdote is quite relevant, indirectly.

link
sneak 535 days ago
The most common 2FA mobile app that isn’t a password manager is Google Authenticator.

Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.

link
doodlesdev 535 days ago
> Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Not true anymore. [0]

[0]: https://www.theverge.com/2023/4/24/23696058/google-authentic...

link
Scion9066 535 days ago
Google Authenticator does support exporting and syncing now:

https://security.googleblog.com/2023/04/google-authenticator...

link
pwg 535 days ago
FreeOTP+, available on FDroid [1] provides for import/export of one's stored codes.

The problem with "phishing" is not the technology. Phishing is 100% a human issue and no matter what tech. you might use, those humans vulnerable to being phished will find a way to be phished.

[1] https://f-droid.org/en/packages/org.liberty.android.freeotpp...

link
BenjiWiebe 535 days ago
What would be the way to phish someone who has a hardware security key that they have to touch?
link
ww520 535 days ago
For Google Authenticator, you can do an export for device migration. Once it shows the QR code image, snap it and then abort the migration. Back up the QR code for later restoration.
link
clysm 535 days ago
> There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault.

Did you read the article? That's what they say.

> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.

link
baobabKoodaa 535 days ago
> Did you read the article? That's what they say.

No, that's not what they say. If you read the text that you just now quoted, you will see that it says "storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides". Clearly the writer of that text believes there _is_ something wrong with having 2FA completely separate from the password vault: it is less convenient, to the extent where they are happy recommending this horrible approach to laypersons.

In addition, if you go and read OP, you will find that they talk about the potential of losing access to your TOTP codes stored in Google Authenticator. So that's another thing that counts as "something wrong" with storing 2FA separately from password vault.

So there's at least 2 things in the article that count as "something wrong". So they definitely didn't say that there's "absolutely nothing wrong".

link
cycomanic 535 days ago
They say it's less convenient, that doesn't mean they say it's wrong. And yes it is less convenient, why are you saying it's "horrible"? Security is always about compromises, if the less convenient method causes people to come up with workarounds then it would be worse even if in theory it's more secure.
link
baobabKoodaa 535 days ago
> if the less convenient method causes people to come up with workarounds then it would be worse even if in theory it's more secure

but that's literally what this is... the less convenient method (2FA) caused people to come up with workarounds (saving 2FA secrets in their password vaults)... and I'm saying it's horrible

link