What kind of two factor authentication? TOTP codes don't protect you against e.g. phishing. A MITM can request codes and forward them (since they are time-based).
Get a U2F key. They work with Google accounts and provide much better protection against phishing (the phishing site does not have the key handle and cannot initiate the challenge-response as a result):
> What kind of two factor authentication? TOTP codes don't protect you against e.g. phishing.
Sure it does. TOTP codes are only good for X seconds and most phishing scammers merely collect the information to use much later (I have seen the source behind the actual phishing sites).
I have yet to hear of a story of someone's account being compromised while using TOTP (knock on wood).
But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP. So I would wager that TOTP is pretty safe to use.
(This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.)
> and most phishing scammers merely collect the information to use much later
Right. It's probably still profitable to do things in this manner because most people do not use any second factor. That does not change the fact that TOTP is extremely vulnerable to phishing. Most people here could probably write code that does this live in an hour or so.
> But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP.
Yes, because TOTP adds good security against other attacks, such as password leaks, since every site has its own shared secret.
Almost every service I use is 30 seconds - including Google's [1]. Even in the RFC you linked it says 30 seconds.
> This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.
That is the downside of TOTP. If your clock isn't in sync with the server's then you may never have a valid OTP. However, I have seen many implementations allow for time shifting - i.e. the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid. I didn't do that for my source code hosting service - but it makes sense in case the user hit enter right after the 30 second window. I suppose HOTP is supposed to solve the timing problem.
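As an added illustration of the time-shifting window described in this comment (example code, not posted by any commenter): an RFC 6238 TOTP generator plus a verifier that accepts the previous, current and next 30-second step, so a code can be accepted up to 89 seconds after the step that produced it. The secret and timestamps below are constructed; the 8-digit check value is the RFC 6238 Appendix B test vector.

```python
import hashlib
import hmac
import struct

STEP = 30  # time step in seconds, as used by Google and most services


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, submitted: str, at: int, window: int = 1,
           digits: int = 6, step: int = STEP) -> bool:
    """Accept a code from the current step and up to `window` steps either side.

    window=1 is the "previous, this, next" behaviour discussed above; window=0
    rejects anything typed after the step rolls over (clock skew becomes fatal).
    """
    current = at // step
    for counter in range(current - window, current + window + 1):
        # constant-time compare so verification time does not leak which digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-secret-not-real"  # constructed sample, never reuse
    issued_at = 1000                        # counter 33 (1000 // 30)
    code = totp(secret, issued_at)
    # Accepted from 960 (step 32 sees 33 as "next") through 1049 (step 34 sees 33 as "previous").
    for t in (959, 960, 1000, 1049, 1050):
        print(t, verify(secret, code, t), verify(secret, code, t, window=0))
```

The lifetime of a code under window=1 is therefore 3 steps (up to 90 seconds), which is the "one minute" margin the reply below refers to, and why a relayed code must still be used promptly.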
> That does not change the fact that TOTP is extremely vulnerable to phishing.
This doesn't make sense - TOTP isn't any more vulnerable than the password itself. You still need my password. And even if you phished that - by the time you would attempt to access my account the TOTP would be invalid. The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.
> However, I have seen many implementations allow for time shifting - ie the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid.
Hence one minute. This is also why I referred to the RFC.
> The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.
Why? It's no problem to make a phishing site that requests the password and the TOTP code and uses these credentials immediately.
This is old. The old Yubikeys with HOTP provided some advantages over authenticator, but new Yubikeys provide U2F which is much more resilient against phishing attacks.
Moreover, U2F does not present itself as a USB keyboard (which had security implications on X11, since every application can listen in on keyboard events.)
A company offers a free service. "Your aunt" does not know or understand the need for "two step verification", nor, almost certainly, do a large percentage of people using gmail.
This idea that companies absolve themselves of all responsibility to provide reasonable customer support for a free product with such wide adoption is ridiculous. Google derives benefit from the relationship regardless of the fact that the service is free.
The fact that "your aunt" can access the Internet at all without some moral equivalent of a driver's license is testament to the fact that our societies have balanced the freedom of information made available by accessing the Internet with the individual's responsibility to understand the basics of the tools of accessing said Internet.
... and stories such as this are the consequence we shall have for taking the Libertarian solution. Not that I disagree with the solution taken! I just have a hard time swallowing the argument that it's always the provider's responsibility to account for total user ignorance at all times. A solution has been provided for this attack vector, and if the end-user chooses not to use it then perhaps at some point the onus is on the end-user.
(Or perhaps Google should just make 2FA mandatory for everyone, "your aunt" included).
> "Your aunt" does not know or understand the need for "two step verification"
I wonder more and more if we need to make it mandatory in some form, but maybe more formal. Like you can use your phone, but also here is a plastic, officially-sealed set of codes we'll mail to you at a verified address just in case.
Yeah, but technically strong people like yourself are always able to handle themselves better in all aspects of computing.
This is why you end up fixing your aunt's printer. And why you have a more secure e-mail account than her. And why you can handle backing up your photos... etc.
I like the sound of that. I actually have run my own mail servers since the mid 90's [1], but I am more of a business guy who knows computers than a strong technical guy, the way that I see it. I don't use gmail for anything important (I do use it for unimportant things); I don't like the idea of my mail sitting on their servers.
[1] Actually, if you include non-internet mail, it dates back to the mid 80's on a Unix System V system.
I have found it helpful and have done deals with people that would normally be considered spammers. Wish I could provide details but let's just say that some people who spam actually are legitimate buyers of certain products or services and respond quite well to reply emails.
How much spam do I get and have to go through? Easily 3000 messages per day. You will have to trust me when I say I have not regretted not doing any filtering in terms of what I do [1].
[1] And no I do not sell a product or service to spammers...
I self-host my own mail server, and deal with spam amazingly well. I deal with it so well that I'm able to have "old school" public mailing lists that don't require registration in order to post.
There are various options for dealing with spam, if you're doing it by yourself.
My number one defense is a simple DNS check. SMTP servers that do not have valid and matching forward and reverse DNS are almost always spammers, with very little false positive identification. Spammers almost never have a server whose reverse DNS address is a domain name that resolves back to the same IP. Most of the time when spammers do have such a thing is when they compromise someone else's (e.g. Yahoo or whatever).
After that, it's a few DNS-based checks of black-listing databases.
Then some pieces of custom logic in the Exim configuration.
Of course, SPF: if the apparent sender's domain publishes an SPF record, I check it to see whether the server connecting is authorized to handle mail for that sender.
Finally, I also have scripts that monitor the mail server's log and implement IP banning (like fail2ban but home brewed). For instance, if the server reports suspicious SMTP commands, this will be ferreted out of the log in real-time and turned into an iptables-based ban that stays in effect for some time.
Oh, plus I have geographic banning in effect. Periodically, I download the latest IP netblock list from ARIN and other autonomous systems and block certain parts of the world (e.g. China) from connecting to my port 25.
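The "number one defense" from this post, forward-confirmed reverse DNS, as an added example that is not the poster's own code: the check requires that the connecting IP has a PTR record and that at least one of those PTR names resolves back to the same IP. The resolver is injected so the constructed sample tables below run offline; `live_ptr`/`live_a` use the standard `socket` calls for real use.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed resolver tables standing in for real DNS (documentation-range IPs, not real hosts).
SAMPLE_PTR: Dict[str, List[str]] = {
    "198.51.100.10": ["mail.example.net"],                 # proper FCrDNS
    "198.51.100.20": ["host-20.dynamic.example.org"],      # PTR exists but points elsewhere
    "198.51.100.30": [],                                   # no PTR at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["198.51.100.10"],
    "host-20.dynamic.example.org": ["203.0.113.5"],
}


def fcrdns_check(ip: str,
                 ptr_lookup: Callable[[str], List[str]],
                 a_lookup: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when some PTR name maps back to `ip`."""
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record for connecting IP"
    for name in names:
        if ip in a_lookup(name):
            return True, f"PTR {name} resolves back to {ip}"
    return False, "PTR name(s) do not resolve back to the connecting IP"


def smtp_decision(ip: str, ptr_lookup=None, a_lookup=None) -> str:
    """Policy wrapper as a mail server would call it at connect time: 'accept' or 'reject'."""
    ok, _ = fcrdns_check(ip, ptr_lookup or live_ptr, a_lookup or live_a)
    return "accept" if ok else "reject"


def live_ptr(ip: str) -> List[str]:
    """Real PTR lookup; an IP with no reverse record raises herror, which we map to []."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def live_a(name: str) -> List[str]:
    """Real forward lookup returning every A/AAAA address for the name."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, fcrdns_check(ip, SAMPLE_PTR.get, SAMPLE_A.get))
```

Exim can enforce the same condition in its connect or RCPT ACL with `verify = reverse_host_lookup`; the hand-rolled version above is mainly useful when you want the reason string for the log-driven banning described in the post.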
Get a U2F key. They work with Google accounts and provide much better protection against phishing (the phishing site does not have the key handle and cannot initiate the challenge-response as a result):
https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...