Two Factor Authentication

What is two factor authentication and what's the best technology for 2FA?

--------------------------------------------------------------------------------

Two Factor Authentication
=========================

5 min read

/[cendyne: teaching]-----------------------------------------------------------\
| A second factor helps protect your account when your password has been       |
| leaked. Generally it is proving something about you or something you have.   |
| For example, biometrics or possession of a unique token device. We call this |
| Two Factor Authentication (2FA).                                             |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Duo Security                                                                 |
|------------------------------------------------------------------------------|
| [I1: Video: WarGames: The Two-Factor Edit]                                   |
|                                                                              |
| WarGames: The Two-Factor Edit [L1] 1/9/2023                                  |
\------------------------------------------------------------------------------/

/[cendyne: stonks]-------------------------------------------------------------\
| Entire brands on the market exist just to deliver two factor authentication  |
| solutions. If you get a text with "Your code is 123 456", you just got a one |
| time password (OTP). These services don't come cheap at scale.               |
\------------------------------------------------------------------------------/

[I2: Twilio charges $0.09 per TOTP authentication]

/----------------------------------------------------------------[kyrmeso: beg]\
| Charging for Time-based One Time Passwords [L2] (TOTPs)? I get that for free |
| with Google Authenticator...                                                 |
\------------------------------------------------------------------------------/

/[cendyne: bullying]-----------------------------------------------------------\
| Welcome to enterprise business contracts where nothing is priced sensibly.   |
\------------------------------------------------------------------------------/

/[cendyne: surprise]-----------------------------------------------------------\
| There are weaknesses with every method out there except Webauthn. SIM        |
| swapping [L3] is just the tip of the iceberg for OTPs over SMS. What if      |
| someone has your password and tries valid values every single minute of      |
| every day? You as the victim might get a lot of spam texts... or you might   |
| not if it is a TOTP.                                                         |
\------------------------------------------------------------------------------/

/[cendyne: access-granted]-----------------------------------------------------\
| We should not rely upon OTP or TOTP for second factors if the authentication |
| provider does not respond to adversaries with increasing difficulty. Problem |
| is, the most common "safe" second factor option (TOTPs) does not support     |
| dynamic difficulty changes. TOTPs specify how long the code should be,       |
| usually they come out to 6 digits long.                                      |
\------------------------------------------------------------------------------/

/[cendyne: eww]----------------------------------------------------------------\
| Any authentication or authorization flow that relies upon a human copying    |
| information between devices or processes is vulnerable to phishing. That     |
| includes:                                                                    |
|                                                                              |
| * OTPs which are delivered out of band before the event or on demand         |
|   during the event;                                                          |
| * HOTPs [L4] and TOTPs which are generated offline by another process or     |
|   device;                                                                    |
| * Device authorization codes which are normally presented by a device        |
|   without a browser or keyboard;                                             |
| * And other authorization code grants.                                       |
\------------------------------------------------------------------------------/

/----------------------------------------------------------------[roury: ramen]\
| What about push notifications? An attacker could just spam these until the   |
| victim gives in.                                                             |
\------------------------------------------------------------------------------/

/[cendyne: todays-interesting-thing]-------------------------------------------\
| Push notifications are generally delivered through an established device-    |
| bound channel (that is, others cannot listen in like SMS) with a provider    |
| like Apple or Google. Like OTPs over SMS, these are noisy. Because it is     |
| device-bound, I think this is safer than SMS. However, if the attacker       |
| convinces the victim that this is normal behavior during a phish, push       |
| notifications do not solve the 2FA problem.                                  |
\------------------------------------------------------------------------------/

/[cendyne: please]-------------------------------------------------------------\
| We should put our resources towards Webauthn, which is bound to 1) a device  |
| (the second factor provider) and 2) to an origin (where the authentication   |
| occurs). I also believe any services that support Webauthn must support      |
| multiple Webauthn devices.                                                   |
\------------------------------------------------------------------------------/

/[cendyne: glassy-tears]-------------------------------------------------------\
| Unfortunately some really important services only support one Webauthn       |
| device... Such as Amazon Web Services and PayPal.                            |
\------------------------------------------------------------------------------/

/[cendyne: yess]---------------------------------------------------------------\
| Good news! Next year, you might not even need to buy a dedicated device      |
| (e.g. a Yubikey) for Webauthn!                                               |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| TRT World @trtworld@twitter.com                                              |
|------------------------------------------------------------------------------|
| Apple, Google and Microsoft are working on authentication technology that    |
| will replace passwords with smartphone 'passkeys' by 2023                    |
| [I3: Video: Video included with tweet]                                       |
|                                                                              |
| [L5] 5/10/2022                                                               |
\------------------------------------------------------------------------------/

/------------------------------------------------------------[kyrmeso: hopeful]\
| I'd like to add 2FA to my service!                                           |
\------------------------------------------------------------------------------/

/[cendyne: certified]----------------------------------------------------------\
| Please do! But also... Please please please force a password reset if the    |
| 2FA fails after 10 or so times! Be as noisy as possible when a 2FA fails.    |
| Email the victim that something is off, mention IP address and location of   |
| the authentication event. Oh and please support multiple Webauthn keys if    |
| you can do Webauthn at all.                                                  |
\------------------------------------------------------------------------------/

--------------------------------------------------------------------------------

[L1]: https://www.youtube.com/watch?v=WH_KuCCf0c0
[L2]: https://www.rfc-editor.org/rfc/rfc6238.html
[L3]: https://blog.mozilla.org/en/internet-culture/mozilla-explains/mozilla-explains-sim-swapping/
[L4]: https://en.wikipedia.org/wiki/HMAC-based_one-time_password
[L5]: https://twitter.com/trtworld/status/1524038298200514560
[I1]: https://c.cdyn.dev/UnLTH2YU
[I2]: https://c.cdyn.dev/SC1ILHEU
[I3]: https://c.cdyn.dev/mhNYHgtf
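The post makes two concrete server-side points about TOTP: the code length is fixed by the spec (six digits, so the provider cannot raise the difficulty per user), and the provider must therefore respond to repeated failures itself, by going noisy and forcing a password reset after about ten bad codes. The following is an added example, not code from the post or from any product it mentions. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, 30-second steps and 6 digits, checks the result against the RFC 6238 test secret, and wraps the check in a verifier that counts failures, refuses a code that was already used once, and records an event per attempt with the client IP so a notification email could be sent. The class and function names, the 10-failure threshold, the one-step clock-skew window and the sample IP addresses are assumptions for illustration.

```python
"""TOTP (RFC 6238) plus the defensive behaviour the post asks a provider to add.

Added example; names, thresholds and sample values are constructed, not taken
from any real service.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # time step used by the common authenticator apps
DIGITS = 6                 # code length most services use (fixed by the spec)
LOCK_AFTER_FAILURES = 10   # the post's "10 or so" failures before a forced reset


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step), digits)


def cumulative_guess_probability(attempts: int, digits: int = DIGITS, window: int = 1) -> float:
    """Approximate chance that `attempts` random guesses hit an accepted code.

    Each guess is compared against 2*window+1 codes (clock-skew tolerance) out of
    10**digits possibilities. This is the 'tries values every minute of every
    day' risk: only the attempt limit, not the code length, is under the
    provider's control."""
    per_try = (2 * window + 1) / 10 ** digits
    return 1.0 - (1.0 - per_try) ** attempts


class TotpVerifier:
    """Server-side check that adds what a bare TOTP comparison lacks:
    a failure counter that forces a password reset, replay rejection,
    and a per-attempt event log carrying the client IP for notifications."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accepted clock drift, in steps (assumed: 1)
        self.failures = 0
        self.last_accepted_step = -1  # newest time step whose code was already used
        self.events: list[tuple[str, str]] = []

    def reset_required(self) -> bool:
        return self.failures >= LOCK_AFTER_FAILURES

    def verify(self, code: str, unix_time: int, client_ip: str = "unknown") -> bool:
        step = int(unix_time // STEP_SECONDS)
        if self.reset_required():
            # Locked: even a correct code is refused until the password is reset.
            self.events.append(("locked_reset_required", client_ip))
            return False
        if len(code) != DIGITS or not code.isdigit():
            self.failures += 1
            self.events.append(("malformed", client_ip))
            return False
        for drift in range(-self.window, self.window + 1):
            candidate = step + drift
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate <= self.last_accepted_step:
                    # A code that already succeeded is never valid a second time.
                    self.failures += 1
                    self.events.append(("replay", client_ip))
                    return False
                self.last_accepted_step = candidate
                self.failures = 0
                self.events.append(("success", client_ip))
                return True
        self.failures += 1
        self.events.append(("failure", client_ip))
        return False


def lockout_scenario(secret: bytes, now: int = 59) -> dict:
    """Ten wrong guesses followed by the genuine code: shows the lock engaging."""
    v = TotpVerifier(secret)
    for _ in range(LOCK_AFTER_FAILURES):
        v.verify("000000", now, "203.0.113.9")   # constructed (documentation range) IP
    genuine_rejected = not v.verify(totp(secret, now), now, "203.0.113.9")
    return {"failures": v.failures, "reset_required": v.reset_required(),
            "genuine_code_rejected": genuine_rejected,
            "last_event": v.events[-1][0]}


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real key.
    secret = b"12345678901234567890"
    print("code at t=59:", totp(secret, 59))   # 287082 per the RFC test vectors
    print(lockout_scenario(secret))
    print("P(hit) after 10 random guesses:", cumulative_guess_probability(10))
```

The verifier deliberately does not count a locked-out attempt as a new failure or accept a correct code after the lock; both would let a guesser keep probing. Location lookup for the notification email is left out, since it depends on the provider's own geo-IP source.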