
There are limits to 2FA - lisper
http://arstechnica.com/security/2016/07/there-are-limits-to-2fa-and-it-can-be-near-crippling-to-your-digital-life/
======
slg
The headline is a little misleading. The "limits" aren't with 2FA. The problem
is there are holes in Apple's feature set where 2FA isn't enabled. This is an
Apple problem and not necessarily a 2FA problem. As others have said, there
are ways around this lost device problem like the one time use codes that
Google and other companies provide.

~~~
atemerev
Can also be lost.

I am losing things constantly (laptops, phones, documents — damn you, ADD),
and I wouldn't want to be locked out from my digital life just because I lost
another piece of paper or device.

In compensation, my symbolic memory is excellent — never had a problem with
memorizing long passwords.

~~~
sbarre
Then you should be able to memorize one of your backup codes, and you'll be
fine.

I don't know if Apple does this, but Google's 2FA (and others) gives you
static (printable - or memorizable!) backup codes in case you lose your
device.

~~~
matco11
Yes, Apple gives you static backup codes

------
JBiserkov
GitHub/Google/Microsoft/Blizzard/Heroku have "recovery" or "backup" codes
which you are supposed to keep in a safe place (perhaps even a physical safe)
and can be used when the phone is not available (lost, locked, erased,
whatever).

They are one-time only (that's why you get 10), but are not time sensitive
(like those generated by app/token) so they are longer.

~~~
iokanuon
Google also tells you to add a second, "backup" number for two-factor auth, or
even more of them. It can be a landline, or a trusted person's phone.

~~~
atemerev
Phone or SMS based 2FA is inherently insecure. Can be intercepted at carrier
level (and it is quite cheap to do it — some political targets in Russia and
Turkey were attacked this way).

~~~
lorenzhs
Yeah but that's a different threat model than the one discussed. It will
prevent 99% of attacks but someone always comes in yelling "BUT IT'S NOT
PERFECT". As they say, perfect is the enemy of good.

~~~
prodigal_erik
Why would 99% of adversaries fail to choose the attack that's known to work?

~~~
lorenzhs
Not everyone is a nation state or has SS7 access. Intercepting SMS isn't as
easy as you make it out to be.

~~~
atemerev
Not everyone, but many people of varied moral qualities _do_ have access to
SS7 and carrier operations, and they can be contacted and negotiated for
services.

------
rabboRubble
Apple has two types of what might be called 2FA, two-factor and two step
authentication. If memory serves, two step has a back up code that needs to be
maintained by the end user. If the user misplaces this code, the account is
unrecoverable. Two factor does not have this back up code feature. When I went
to the genius bar to ask about this, they said that an affected user would
need to contact Apple and they would interrogate the user to confirm identity.
This seemed a bit strange to me but whatever.

Now with two factor I thought a code could be generated from any previously
authenticated device that is on El Capitan / iOS 9.3. These devices can generate
codes while offline and unconnected.

To generate an offline code from a MacBook, turn off Wi-Fi, then open Settings >
iCloud > Account Details > Get Verification Code.

To generate an offline code from an iPhone/iPad, put it in airplane mode, then
Settings > iCloud > tap your picture / name / Apple account icon-y thing at
the top > Get Verification Code.

So when I read this article, I'm thinking to myself that maybe I know a trick
that the author did not.

Am I missing something?

------
eximius
It sounds like his complaint is that Apple doesn't use 2FA when you
acknowledge your 2FA device is unavailable (I had trouble following the
article). This is admittedly bad. All they need is an offline code or
something like Google's recovery codes. It's actually somewhat disappointing
that so few sites have something like that.

------
stephengillie
The limits described in this article are where all components are part of the
same system - the 2FA device (iPhone) can be disabled from the same system
(iCloud) that is protected by the 2FA device. Thus compromises had to be built
into the system to allow device recovery, since that is also part of the same
system.

Were iCloud 2FA provided by an Android device (or PC or Blackberry or RSA
keychain), this problem could be easily obviated.

------
dendory
It's a bit of a catch-22: if you lose your iPhone then you need some way to
locate it / erase it without having your iPhone. I don't think it's a big
deal, you should have backups anyway.

One thing they could do is, if you have more than 1 device on your account,
then force you to use another device for 2FA.

~~~
derefr
It occurs to me that the "use another device" verification process built into
iCloud Keychain would work well for this. You could make the entire thing
cryptographic, actually: just store each device's "erase code" in the
Keychain, such that you have to auth yourself on one of the devices that has
the unlocked keychain in order to (automatically) grab the erase code and send
it to the associated device.

~~~
ams6110
You're still screwed if you lose both devices (e.g. a burglary where both your
phone and laptop are taken).

~~~
atemerev
I once left my bag with both inside. It surfaced in the city's lost and found two
months later, thankfully. But if I had had 2FA enabled, it would have been mighty
inconvenient.

~~~
Symbiote
I keep some Google and Github account recovery codes on a slip of paper with
my passport, some more in my wallet, and all in an encrypted file on a server
with SSH access.

Hopefully that's enough that I'm not too inconvenienced, should my phone be
stolen.

~~~
atemerev
How often do you travel?

~~~
Symbiote
For holidays (6 weeks per year) plus one or two business trips (up to 2 weeks
per year), plus about 1 weekend a month.

But does it matter?

Should my wallet and phone be stolen whilst I'm away, I can log in to my
server using SSH (and a long password), then decrypt a file containing the
backup codes (PGP with a long passphrase). Then I can access GMail/Github.

------
subway
Please don't conflate Apple's "Can you read a message we sent you?"
verification with well designed 2FA.

------
mohsinr
I use 2FA and love it, however one issue I faced that I wanted to highlight
for anyone having missing SMS issues... in our country we can keep the number
but change phone company, called porting the number to another carrier... it works
great, however international SMS, which is mostly the case with 2FA messages,
never works after number porting. I don't know whether it is just an issue with our
country's porting config or a universal problem. So anyone having the issue of no SMS
received... may look into it if the number was ported...

~~~
ktta
You never mention the name of your country though :)

~~~
mohsinr
Pakistan :)

------
matco11
Why not simply disable "Find My iPhone"? I question its value against
theft - thieves these days know about taking your device offline. Sure, it is
useful if you forget your phone somewhere, but how often does that happen?

It seems the intrinsic risk of attack you expose yourself to by having "Find
My iPhone" enabled is greater than the risk of forgetting your iPhone
somewhere...

~~~
0x0
Find My iPhone also has the benefit that if you erase and lock your lost
iPhone, then (in theory) the device becomes useless as it will refuse to
reactivate, even with a factory reset (aka "Activation Lock"). The idea is to
make stealing these types of devices much less attractive (by killing off any
resale value).

------
pi-err
What's the goal of a "Find my iPhone" attack? Ransomware?

Also puzzled that the attacker manages to guess the victim's password
(described as complex). In my experience, 3 incorrect login attempts on iCloud
block the site for a while.

Is there more to this story?

------
darkhorn
2FA? Several years ago I enabled 2FA on Facebook. One day they
stopped sending SMS and thus I wasn't able to log in to Facebook for around
half a month. Fuck 2FA on Facebook!

------
ereli1
When an attacker is trying to access my Find My iPhone feature, I expect Apple
to offer a different version of their 2FA - either by a user pre-authed
device along with a special secret (those offline password printouts) or
another form (landlines, biometrics, knowledge based, etc.).

Remotely wiping someone's phone can be a very serious threat if they don't offer
something that handles both the usability requirements and the security of the
service.

