
The bleak picture of two-factor authentication adoption in the wild - benryon
https://elie.net/blog/security/the-bleak-picture-of-two-factor-authentication-adoption-in-the-wild/
======
schaefer
It completely blows my mind that Blizzard got it right over a decade ago with
a dedicated physical device that would generate a one-time, time-sensitive key
for second-factor authentication (to protect my video game account).

Whereas I feel I'm still waiting for my bank (actual money) to catch up. They
took the easy way out by SMS-ing me a second-factor authentication key, even
though phone number theft is a known attack vector.

~~~
spydum
The thing that is nutty is.. they PAY MONEY for the SMS method! I do not
understand why more sites don't support TOTP like Google Authenticator.

~~~
spiritcat
Google authentication is great, until it's time to get a new phone.

~~~
sethhochberg
Check out Authenticator Plus - it's another TOTP app that lets you back up your
(encrypted) 2FA secrets and optionally syncs them across devices.

Thankfully Google Authenticator is just TOTP, so you can use whatever client
you want.
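
Added example (not from any commenter) of what "just TOTP" means in practice: RFC 6238 over the base32 secret an authenticator app receives in an otpauth:// URI, plus the server-side check with a one-step drift window. The secret is the RFC 6238 test secret; any RFC-compliant client produces the same codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
)

// RFC 6238 test secret (ASCII "12345678901234567890"), in the base32 form an
// authenticator app would receive inside an otpauth:// URI.
const RFC6238SecretB32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation, then the low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP is RFC 6238: HOTP with counter = unixTime / step. Google Authenticator
// uses SHA1, a 30-second step and 6 digits, so any RFC-compliant client works.
func TOTP(secretB32 string, unixTime int64, step int64, digits int) (string, error) {
	s := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(secretB32, " ", "")), "=")
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
	if err != nil {
		return "", err
	}
	return hotp(secret, uint64(unixTime/step), digits), nil
}

// VerifyTOTP is the server side: accept the code for the current step or
// `window` steps either side (clock drift), compared in constant time.
func VerifyTOTP(secretB32, code string, unixTime int64, window int) bool {
	for d := -window; d <= window; d++ {
		want, err := TOTP(secretB32, unixTime+int64(d)*30, 30, 6)
		if err == nil && hmac.Equal([]byte(want), []byte(code)) {
			return true
		}
	}
	return false
}
```

Backing up or syncing a TOTP account is just copying that base32 secret, which is why it matters that an app stores it encrypted.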

~~~
witten
Also, check out andOTP on F-Droid:
[https://f-droid.org/en/packages/org.shadowice.flocke.andotp/](https://f-droid.org/en/packages/org.shadowice.flocke.andotp/)

Open source and supports backups.

~~~
StavrosK
andOTP is amazing, I thoroughly recommend it.

~~~
otachack
Had no idea about this. I liked Google's Auth since it was simple, but it
missed the crucial backup feature. Authy is nice, but you're putting trust in a
3rd party that doesn't have a channel for donations, though it seems they're
making money through SMS (Twilio).

andOTP is just what I was looking for since it's FOSS and has backup! This
would have been a lifesaver when I lost my phone, but glad to have run into it
now.

------
xte
Personally I _dislike_ nearly all kinds of 2FA for a very simple reason: they
add a dependency on something big, powerful and outside my control.

For instance, I perfectly agree to having an extra, branded, physical token to
log in to my bank; I _totally_ refuse to use a mobile app on my phone to do
the same.

~~~
quanticle
What is the difference between an extra branded physical token and a 2FA app,
such as Authy, on your phone?

~~~
bdibs
One requires a mobile phone to function (and continue functioning), whereas
the physical token only needs itself.

~~~
quanticle
So I need a physical token for each of my bank accounts (3 bank accounts),
each of my investment accounts (2 investment accounts), each of my e-mail
providers (2 e-mail providers) and one for every other service which might
want to offer 2FA. Or, instead of that, I can have one smartphone, which has
an app which handles all of those 2FA codes for me. Can you understand why I
would prefer the smartphone option?

~~~
xte
So you can also enjoy having your 2FA demolished by a simple smartphone
vulnerability that perhaps grabs both passwords and tokens in a single
action...

We can't trust smartphones/connected devices in general; that's why IMO it's
better, for safe auth only, to use offline stuff.

~~~
quanticle
_So you can also enjoy having your 2FA demolished by a simple smartphone
vulnerability that perhaps grabs both passwords and tokens in a single
action..._

Can you point to any instances where that's actually happened? Yes, sure, it's
theoretically possible for someone to break into my fully patched phone and
steal my 2FA secrets. But it's also theoretically possible for a mobster to
break into my house, hold a gun to my head, and force me to log in to all of
my bank accounts so that he or she can drain the money from them.

There is no such thing as perfect security, and I would much rather have
people using a 2FA app on their phone than just username/password. Is it
perfect? No, of course not. But insisting that the existence of phone
vulnerabilities makes 2FA apps on phones unacceptable, and that the only form
of acceptable security is for people to juggle dozens of authenticator tokens,
is making the perfect the enemy of the good. It's because of "advice" like
this that people ignore armchair security experts.

~~~
xte
Does your credit card ever lock you out? For most people, no, it doesn't happen;
for Julian Assange we know it happened. Have we ever had a nuclear warhead
explode by accident?

A dangerous thing remains dangerous even before accidents happen.

------
reconbot
I was having an argument over 1password's 2fa support not being a second
factor. (I don't think it is.) However, it is so much safer than not using
2fa. In similar terms, U2F is amazing and keeps you from being phished and has
a great challenge/response protocol; if that were implemented in 1password (or
browsers themselves, thank you!) we'd all be a lot safer than not using it at
all.

In 2018 I'm using an app to take screenshots of QR codes to generate one time
codes. It's a sad state of the art, we need to do better.

~~~
seppin
> (I don't think it is.)

If your master password is somehow exposed, then nothing really protects you.

~~~
dev_dull
Wouldn’t a 2FA device (such as an OTP token) actually protect you in this
case? They have your password but not your OTP generator.

~~~
seppin
Yes, but to have your MP they'd most likely have rooted your device; they could
surely do the same to your mobile.

If they could do one, they can do the other. Just a matter of effort, I guess.

------
lemoncucumber
I got a new phone recently and was dismayed at how easy it was to reset the
2FA on various accounts. Some fall back to SMS in that case (which has well-
documented insecurities), while others allow you to call customer support and
reset it without providing _too_ much to prove that you’re the account owner.
There has to be a path for people who lose or break their phones with their
Authenticator apps, but I’d feel better if it was a little more difficult than
it seems to be in most cases.

------
rkho
It just irritates me how many financial institutions either don't support 2FA
(I'm looking at you, Amex) or only offer either SMS or (yes, really) email as
the only way(s) to protect your account.

Vanguard recently required that all accounts be "secured" via SMS, and I was
dismayed to learn that Nest (of all companies) didn't even support Google
Authenticator -- the only option with Nest was to use SMS as well.

It just seems like a losing battle at this point.

------
GuidoW
The failure mode of TOTP and SMS is that the user needs to be sure to be
connected to the correct site.

The hidden assumption is that the user is _able_ to distinguish the fake from
the correct site.

For any authentication system to work in the face of adversaries trying to
confuse a user, the system needs to be robust against that.

[https://eccentric-authentication.nl/blog/2014/11/30/spot-the-differences/](https://eccentric-authentication.nl/blog/2014/11/30/spot-the-differences/)

[https://eccentric-authentication.nl/blog/2016/11/18/on-the-internet-there-is-only-alice/](https://eccentric-authentication.nl/blog/2016/11/18/on-the-internet-there-is-only-alice/)

~~~
em-bee
True, 2FA protects against people pretending to be you trying to log into the
site, but not against sites pretending to be the site you want to access.
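
Added example (not from any commenter) illustrating the point made by GuidoW and em-bee above, and reconbot's remark that U2F's challenge/response resists phishing: a minimal model of an origin-bound token in which the browser-reported origin is part of what the device signs, so the relying party's check fails for any other origin. The `Device` type, the hashing layout and the origins `https://bank.example` / `https://bank-login.example` are constructed for illustration; real U2F/WebAuthn adds key handles, counters and attestation on top of this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device is a minimal stand-in for a U2F token: it holds the P-256 key pair
// it generated when the user registered it with one relying party.
type Device struct{ priv *ecdsa.PrivateKey }

// NewDevice generates the key pair; the relying party stores the public half.
func NewDevice() (*Device, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &priv.PublicKey, nil
}

// NewChallenge draws the unpredictable per-login nonce the relying party sends.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what the token signs: SHA-256(origin) || challenge, mirroring
// U2F's application parameter. The origin is supplied by the browser, not by
// the page, so a look-alike site cannot claim to be the bank.
func signedData(origin string, challenge []byte) []byte {
	app := sha256.Sum256([]byte(origin))
	msg := sha256.Sum256(append(app[:], challenge...))
	return msg[:]
}

// Sign answers a challenge under whatever origin the browser reports.
func (d *Device) Sign(browserOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, signedData(browserOrigin, challenge))
}

// Verify is the relying-party check: it rebuilds the message with its OWN
// origin, so a response produced on any other origin fails to verify, unlike a
// TOTP or SMS code, which carries no information about where it was typed.
func Verify(pub *ecdsa.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpOrigin, challenge), sig)
}
```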

------
paraditedc
So here's how I use 2FA apps:

I have my primary phone with Authy and all the accounts.

I also have a secondary (old) phone in my drawer, which also has Authy
installed. Both of them automatically sync the 2FA accounts in my Authy
account, which is linked to my email and phone number. In the event that my
primary phone is not available, I can switch to my secondary phone quickly.

Is that a good practice? I also plan to get physical keys and do the same when
they become more popular.

~~~
Kalium
Your heavy use of 2FA is a good practice.

That said, linking SMS often allows for SMS to be used to reset passwords. As
sim swapping and phone cloning become more common attacks, the level of
protection you gain from having SMS available drops. These attacks essentially
let someone else receive your texts or calls. I have at least one friend who
has been attacked this way.

------
laretluval
2FA is a user interface disaster, exporting the failures of software security
as a huge annoyance on to users. I would rather be hacked than deal with 2FA.

~~~
u801e
The right way to do it is to use client-side TLS certificates in combination
with the username and password. Add in a passphrase for the private key and
you could have 3FA.

All that's really needed is for browser vendors to improve their UI for
generating certificate signing requests and importing certificates.

~~~
sedatk
Meanwhile usability cries in a corner.

~~~
dcbadacd
Estonian ID cards or Estonian Mobile ID are not hard to use. The currently
working system is proof that TLS client certs can be _easily_ used if providers
just supported them.

------
mikestew
For all you PNW Microsofties, I saw that First Tech credit union finally got
their shit together after the system change and reimplemented 2FA using a
hardware key. Great, sign me up! First I get a message asking if I _really_
want a hardware key? Well, I’d rather use the U2F keys I’ve already got, but
yeah, send me one. The fact that it showed up in a hand-addressed envelope
tells you how many of these they’re sending out.

No matter, I’ll use the phone authenticator for day-to-day, and the HW key as
a backup. Not optimal, but until they support U2F it’ll have to do. Nope, you
get to pick _one_ key. So the HW key goes in the safe, and I use SMS for day-
to-day. Or IOW, might as well have saved the plastic and postage for that HW
key.

EDIT: someone else suggested directing email codes to an account that _is_
protected by a HW key. Firing up GMail on my phone is less convenient than
reading the SMS code off my watch, but I’ll probably do that.

------
kerng
Pass the Cookie attacks bypass most 2FA solutions. So be aware of malware.

Interesting write up here:
[https://wunderwuzzi23.github.io/blog/passthecookie.html](https://wunderwuzzi23.github.io/blog/passthecookie.html)

I have seen this being used by red teams, not sure about real malware.

------
sigi45
Most annoying: AWS doesn't support two devices...

How to fix it? Create two accounts -_-.

LastPass and bitcoin.de also don't support multiple devices.

------
bubblethink
I feel that most forms of 2FA have too much friction for average users. SMS is
bad, but better than nothing. I really can't imagine average users figuring
out TOTP apps, U2F or other hardware tokens and dealing with backups and lost
keys etc. Perhaps fingerprint based solutions based on WebAuthn will get more
mainstream.

------
ajdhsjakafjt
I'd be happy if we stop calling it 2FA and instead say "2of3" or something. So
many providers require you to use 2FA, but almost no one forces you to include
fallback authentication.

------
interfixus
For those among us who _can_ handle our passwords and general security, 2FA is
just a penalty we have to pay for those who can't. As far as possible, I ditch
any company that wants to force it upon me. I've done my homework, I don't
want to consult my telephone, my mailbox, or even worse, some pesky dongle to
complicate my life and add to my expenses.

~~~
XorNot
2FA is nice when you're working across devices - i.e. using a public PC but
have your phone on you.

~~~
u801e
Ideally, I would not want to use a public computer to access an important
account. People can forget to use an incognito session, forget to log out, or
even forget to close the browser.

