
Two-Factor Authentication Might Not Keep You Safe - pseudolus
https://www.nytimes.com/2019/01/27/opinion/2fa-cyberattacks-security.html
======
jchw
>we actually know very little about how well two-factor authentication works

Actually we have known literally for years, maybe over a decade, that SMS-based
two factor is insecure and prone to phishing... that's the point of
TOTP/shared secret based two-factor auth...

~~~
jacoblambda
I think the point of the article was to spook the non tech crowd into moving
away from SMS based 2FA. Obviously the tech crowd has known for a long time
but most other people are oblivious to all of this.

~~~
sgustard
> Obviously the tech crowd has known for a long time

Who else but the "tech crowd" implements SMS 2FA on these websites? What does
it say about our industry if we're pushing solutions we know to be flawed?

~~~
scrollaway
It's not about who implements it, it's about who pays to implement it and
gives the orders.

The tech crowd isn't implementing SMS 2FA for fun. They're doing so because
the manager is like "wait what! they'd need to install an app? but we can just
use SMS! I don't care what you say about it being insecure, it's still more
secure than not having it!"

What's the fix? I mean for fucks sake, naming & shaming companies doesn't ever
work for security stuff. It doesn't even work for getting _https_ on login
forms; it's not like it's easy to push through the nuances of SMS 2FA's
security issues.

Or even tech stuff in general. I just moved to Belgium and half the national
services here don't know how to dial an international phone number, don't
support + or 00 at the beginning of phone number inputs, etc. There is no end
to how technologically illiterate services can be. And yet, it's still "the
tech crowd" implementing all these things.

We need to find a way to push these obvious fixes through, but as far as I
know, short of reporting the issue and crossing your fingers someone relevant
hears it, it's not possible.

~~~
rebuilder
Fixing it seems like a tough task. At first glance, somehow requiring tech
vendors to work not to fulfill the customer's technical specs, but their
actual real-world needs, seems necessary. But all other problems aside, if the
customer doesn't have the knowhow to specify their needs in the first place,
that's a tough task. Maybe it would have to be a combination of bolstering the
buyer side's in-house technical understanding and legally requiring providers
to commit to delivering the product their customer needs, not the one they say
they want.

I wouldn't want to try to formulate that into concrete legislation, though. It
would be an enormous change, and I'm not sure what we'd end up with if we
tried that.

------
ecesena
> This type of phishing is precisely the kind of threat that two-factor
> authentication is supposed to protect you against.

I've never seen an article so imprecise. 2FA protects against account
takeover, not from phishing. In fact, most of 2FA mechanisms are affected by
phishing, and that's why there are security keys with U2F and now FIDO2, that
seem unknown to the writer. I'm surprised to see such a poor quality writeup
from the NYT.

~~~
PakG1
It's not factually correct, and off-topic, but why do I see so much hyperbole
so often? Have you really _never_ seen such an imprecise article? I believe
I've seen plenty, and this one isn't the most imprecise one I've ever seen. I
feel such hyperbole makes things seem worse than they are and then
correspondingly ups the angst.

------
viraptor
It's a shame they don't mention this only applies to some forms of 2fa. U2f /
Fido does the verification both ways. It also authenticates that the url
requesting the credentials is the expected one. As long as DNS+TLS did their
job, you can't abuse it via a fake login site.

~~~
est31
In general you are right about U2F, it's really much better than e.g. TOTP.
But even U2F can be phished:
[https://www.wired.com/story/chrome-yubikey-phishing-webusb/](https://www.wired.com/story/chrome-yubikey-phishing-webusb/)

~~~
viraptor
I wouldn't say this is really a u2f problem. It's a "you mounted your secure
lock with screws accessible from outside, so your lock security is irrelevant"
situation.

~~~
Phlarp
If a single large vendor has ~30% market share and automatically installs
locks for people with screws accessible from the outside surely it's a
security issue of _some_ type for services that rely on those secure locks
being installed properly. I agree it's google's problem and not FIDOs but it
still affects the applied security of their devices.

Any security solution is only as strong as the weakest link and needs to be
evaluated on an end-to-end basis. A secure lock with properly installed screws
is surely useless if installed on a screen door, or a window is habitually
left open near the secure lock door, or keys to the secure lock with the
address and PIN number written on them left in public places.

------
my_first_acct
The article mentions Yubikeys, but it doesn't mention that Yubikeys implement
U2F.

The article reports that Google internally switched from TOTP, but doesn't
report what Google switched to: U2F.

The article describes, in some detail, how TOTP and SMS two-factor
authentication can be phished, but doesn't describe a two-factor
authentication method that is quite a bit harder to phish: U2F.

There is a pattern here, and it is puzzling, to say the least.

EDIT: Changed "phish-proof" to a more realistic adjective.

~~~
Phlarp
Declaring U2F "phish-proof" seems premature at best. It is certainly much
better than other existing options, but I wouldn't suspect it to stand up very
long at all against a nation state adversary. Feels very much like "air-gapped
networks can't be actively infiltrated" before Stuxnet.

~~~
my_first_acct
You are right, of course. I have corrected the parent comment.

~~~
Phlarp
A commenter above even provides a source for a novel U2F phishing attack,
although it appears to rely exclusively on bugs in the chrome webUSB feature
and is likely already patched.

This argument does quickly devolve though; if an advanced persistent threat is
taking an active interest in you the only technique that is even close to
effective is to cut out as much technology as possible; Bin Laden or Unabomber
style.

------
3xblah
I read that Facebook was using the PII disclosed for the purpose of so-called
"2FA" for targeted advertising purposes.

[https://gizmodo.com/facebook-is-giving-advertisers-access-to...](https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051)

The paper from website of CS Prof. Alan Mislove:

[https://mislove.org/publications/PII-PETS.pdf](https://mislove.org/publications/PII-PETS.pdf)

Are HN readers concerned about having to disclose more and more PII to
advertising companies in order to be "authenticated"?

Recently I heard someone being interviewed on the radio who studies internet
privacy and he was talking about this type of authentication. He was arguing
it is problematic for privacy in that it requires the authenticating party to
always have "one more" item of PII.

He suggested that the PII disclosure requirements would only keep escalating
and eroding privacy until the user has to "jump through her phone" to prove
she is who she says.

I would provide a reference but I did not get his name. Maybe this sounds
familiar to someone? Who knows, maybe he reads HN.

------
ian0
Lots of hate for SMS as 2FA here. By no means perfect but does anyone know of
a viable alternative? Genuinely curious as this is a problem we have hit
deploying financial services applications for predominantly underbanked / non
tech savvy users.

So, an authentication method that:

- Is without dedicated hardware, as hardware is expensive, difficult to
distribute and if it's a USB there is no guarantee that a user has a laptop.

- That functions on feature phones (yes, they are still out there), or at the
least phones without biometrics, as most don't.

- That doesn't require the user to do anything extremely complex, as
ironically this is the part where a lot of fraud occurs _.

_ Eg During a mobile banking rollout, customers were asked to register their
phone number at an ATM. However many customers of the bank weren't familiar
with ATMs (they banked at branches) and the people they requested help from
linked their own phones and stole their cash.

------
Buge
2FA by itself protects you against credential stuffing and other password
reuse based attacks. It doesn't in general protect against phishing.

U2F protects against phishing.

------
kerng
Reminds me of the KoiPhish relay proxy:
[https://github.com/wunderwuzzi23/KoiPhish](https://github.com/wunderwuzzi23/KoiPhish)
There is also another one called Medlischka I believe.

FIDO and U2FA is addressing this, but it needs browser support. And Google
Chrome had some bad bugs in their WebUSB implementation that allowed any site
to read keys - not sure if all those issues are addressed by now.
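
An added example (not code from the thread or from any project named in it) of the point viraptor, Buge and kerng make: a relay proxy can forward a TOTP/SMS code unchanged, but a U2F/WebAuthn-style assertion is signed over the origin the browser actually saw, so the bank rejects what the proxy forwards. The origins are constructed sample values, and the authenticator's signature is simplified to an HMAC over a per-credential secret in place of a real ECDSA key pair; the origin-binding check is the part being shown.

```python
import hashlib, hmac, json, secrets, struct

BANK = "https://bank.example"        # constructed sample: the real relying party
PHISH = "https://bank-example.evil"  # constructed sample: attacker's relay proxy

def otp_code(shared_secret: bytes, step: int) -> str:
    """HOTP/TOTP-style code (RFC 4226 truncation). It depends only on the secret
    and the time step, not on where the user types it, so a relay forwards it verbatim."""
    mac = hmac.new(shared_secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 10**6:06d}"

def rp_id_hash(origin: str) -> bytes:
    # The browser derives the relying-party id from the origin it is connected to.
    return hashlib.sha256(origin.split("//", 1)[1].encode()).digest()

class Authenticator:
    """Security-key model. Simplification (assumption): HMAC with a per-credential
    secret stands in for the key pair; what gets signed is the same as in U2F."""
    def __init__(self):
        self.cred_secret = secrets.token_bytes(32)

    def sign(self, browser_origin: str, challenge: str) -> dict:
        # The browser, not the user, fills in the origin; the user cannot "type" it wrong.
        client_data = json.dumps({"origin": browser_origin, "challenge": challenge},
                                 sort_keys=True).encode()
        signed = rp_id_hash(browser_origin) + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.cred_secret, signed, hashlib.sha256).digest()
        return {"client_data": client_data, "sig": sig}

def bank_verify(cred_secret: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party check: the signed client data must name BANK's origin and
    BANK's challenge, and the signature must cover BANK's rpIdHash."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != BANK or cd.get("challenge") != challenge:
        return False  # relayed from another origin, or replayed
    signed = rp_id_hash(BANK) + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def relay_attack_on_otp(step: int = 51_234_567) -> bool:
    """Victim types the code into the PHISH page; the proxy forwards it. Accepted."""
    secret = secrets.token_bytes(20)
    code_typed_on_phish = otp_code(secret, step)
    return code_typed_on_phish == otp_code(secret, step)  # bank's own check passes

def relay_attack_on_u2f() -> bool:
    """Proxy relays BANK's challenge, but the key signs for PHISH. Rejected."""
    key, challenge = Authenticator(), secrets.token_hex(16)
    return bank_verify(key.cred_secret, challenge, key.sign(PHISH, challenge))

def legitimate_login() -> bool:
    key, challenge = Authenticator(), secrets.token_hex(16)
    return bank_verify(key.cred_secret, challenge, key.sign(BANK, challenge))
```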

------
exabrial
To be a broken record, SMS codes are not 2FA. They're readable by many people,
they're not private, they don't have delivery guarantees; Can we please stop
calling it that? Better yet, can companies stop promoting them?

~~~
ian0
Just because a password field in a web form is susceptible to various methods
of attack doesn't mean it's not a factor of authentication. And the same goes
with SMS. It's still 2FA, just not absolutely secure/reliable.

Also there are lots of use cases where there just doesn't seem to be any more
practical option for developers. For example, a second factor of
authentication for financial transactions where the requestor only has a
feature phone. Or the far more common scenario - where the practicality of
rolling our hardware dongles, custom authentication applications is just too
difficult/expensive.

------
galaxyLogic
Wouldn't the solution be the browser telling you the fake site looks like Bank of
America but the IP or URL is incorrect?

------
known
Reminds me of shortcomings in Captcha.

