
Two-factor authentication is a mess - stanleydrew
https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess
======
mikestew
I'm of the opinion that the accelerant for this dumpster fire is that
companies are allowed to define "two-factor authentication". Security
questions? Nope. "Choose the picture"? Nope. SMS? Again, close but nope. But
because we sadly let just about anything beyond UID/PWD under the 2FA tent,
that's what we ended up with.

The article identifies 2012 as when the mess started. Oh, no, it goes back at
least five years prior. I worked at a company implementing biometrics as an
authentication factor. The Feds had just mandated 2FA for banks and the like.
Man, we're all going to be rich soon! Nope, I never made a dime off those
options, and last I checked the company has pivoted twice and may not even be
in business anymore. What happened, we were practically handed a money
printing press? What happened was that banks and the like were allowed to use
those half-assed implementations like security questions. Yes, security
questions counted as 2FA. The "choose a picture" was allowed. So our
relatively expensive system was rejected in favor of the less expensive, half-
assed systems. And ten years later, here we are, with a bunch of security
questions that can be answered by anyone you've friended on Facebook, and SMS
that can be social-engineered.

From where I stand, it comes down to money (doesn't it always?). RSA fobs,
biometric systems, they all cost money and have high support costs. Because
that's what security is: it costs money, and it adds inconvenience. Well, we
can't have that, so we'll implement a JS library we found on github, reset
passwords over the phone for anyone that says the right things, and we save
money.

------
rb808
One thing I'd like is different levels of authentication based on the
importance of the action.

When I bought a house I drained my savings account and my brokerage account.
It was scary that I could instantly transfer my life savings, with just a few
clicks from the regular online screens I use each day. Such events should have
extra authentication and some delays - like I need to take ID to a branch.

Similarly for domains - if someone wants to change some dns settings - 2FA is
good enough. If someone wants to transfer the domain I'd like a much higher level
of proof including physical mail sent to my address and a month-long delay
with multiple confirmations. I'm surprised the cut-throat world of registrars
doesn't compete on this.
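As an added illustration of the tiered-authentication idea in rb808's comment (example code written for this page, not anything from the article or the thread): a policy table maps each action to a minimum assurance level, a freshness limit on when that level was last proven, and a mandatory hold before an irreversible action runs. Cancelling a held action deliberately needs no step-up, so an owner who gets the notification can abort more easily than an attacker can complete. Action names, levels and durations are hypothetical.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance level a session has proven, ordered weakest to strongest."""
    PASSWORD = 1       # something you know
    SECOND_FACTOR = 2  # password plus a TOTP code or hardware key
    IN_PERSON = 3      # identity verified out of band (branch visit, notarized form)


@dataclass(frozen=True)
class ActionPolicy:
    level: Assurance   # minimum assurance the session must have proven
    max_age: int       # seconds since that proof during which it still counts
    hold: int = 0      # mandatory waiting period before an irreversible action runs


# Hypothetical policy table: the action names and numbers are illustrative only.
POLICIES = {
    "view_balance":    ActionPolicy(Assurance.PASSWORD,      max_age=8 * 3600),
    "change_dns":      ActionPolicy(Assurance.SECOND_FACTOR, max_age=15 * 60),
    "transfer_domain": ActionPolicy(Assurance.SECOND_FACTOR, max_age=15 * 60, hold=7 * 86400),
    "drain_account":   ActionPolicy(Assurance.IN_PERSON,     max_age=24 * 3600, hold=48 * 3600),
}


@dataclass
class Session:
    proven: dict = field(default_factory=dict)   # Assurance -> unix time it was proven
    pending: dict = field(default_factory=dict)  # action -> unix time its hold started

    def prove(self, level: Assurance, now: int) -> None:
        """Record that the user just passed a check at this assurance level."""
        self.proven[level] = now


def authorize(session: Session, action: str, now: int) -> tuple:
    """Decide one action: ("allow", 0), ("step_up", required_level) or ("hold", seconds_left).

    The freshness check runs on every call, so when a hold elapses the user must
    prove the required level again before the action actually executes.
    """
    policy = POLICIES[action]
    fresh = [lvl for lvl, t in session.proven.items() if now - t <= policy.max_age]
    if not fresh or max(fresh) < policy.level:
        return ("step_up", int(policy.level))
    if policy.hold:
        started = session.pending.get(action)
        if started is None:
            session.pending[action] = now  # start the clock; notify the owner out of band
            return ("hold", policy.hold)
        remaining = policy.hold - (now - started)
        if remaining > 0:
            return ("hold", remaining)
        del session.pending[action]  # hold elapsed and assurance was re-proven above
    return ("allow", 0)


def cancel(session: Session, action: str) -> bool:
    """Abort a pending action. No step-up on purpose: aborting must be easier than executing."""
    return session.pending.pop(action, None) is not None
```

The asymmetry is the point: a stolen password can start a domain transfer or a large payout, but it then sits visibly in the pending queue for the hold period, and the real owner can kill it with nothing more than a login.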

~~~
blakesterz
>> I'm surprised the cut-throat world of registrars doesn't compete on this.

How many people go looking for that though? For _most_ people my guess is
people go shopping for CHEAP first, EASY second, maybe LOOKS GOOD third, and
some where down that list is "much more secure". I hate to say, I rarely go
looking for the more secure option of anything.

~~~
WorldMaker
It's why I started doing more of my business with Hover.com. I wanted a
reliable looking company with 2FA. That was important to me.

~~~
mcgrath_sh
I was at Hover and moved most of my domains to NameCheap. The _only_ way I
could change my last name on my Hover account was to remove 2FA to prove that
I was the owner of the account. No ability to give them a code verbally, etc.
Remove, change my name, re-add. It didn't sit well with me for some reason.

------
jmuguy
It drives me nuts when sites insist on using SMS or Authy instead of TOTP for
2FA. I get that some users might not be sophisticated or motivated enough to
setup TOTP but when somewhere like Cloudflare insists on ONLY using Authy it
makes me want to look elsewhere for service.

I've spoken to AT&T numerous times to see what extra steps I can take to
secure my account against any changes. So far all that's led to is an eight
digit number I have to provide when making any changes. Better than nothing,
but something tells me their CS people would still cave too easily to social
engineering.

~~~
StavrosK
I just consider them as not supporting 2FA. I'm looking at you, Namecheap. My
domain registrar not having two-factor authentication in 2017 is preposterous.

~~~
taf2
Namecheap does have 2fa...
https://www.namecheap.com/support/knowledgebase/article.aspx/9253/45/how-to-two-factor-authentication

Do you mean because they only support SMS based 2fa?

Considering they have a drop down menu it's possible they just have not had
time to develop the other options?

~~~
EvanAnderson
As of January, 2014 Namecheap said[1]: "Currently, we only accept SMS
authentication but Google Authenticator, Authy, and TOTP authentication are
planned."

More than three years seems to me a long development cycle to add TOTP
support. Am I being disingenuous to think they just don't care?

[1] https://blog.namecheap.com/account-security/

~~~
koolba
It's not that they don't care. It's that $CARE_AMOUNT < $ESTIMATED_COST.

That formula would immediately shift if a high profile website registered on
Namecheap encounters an SMS hijacking.

~~~
bpicolo
TOTP codes are straightforward to bootstrap. It's not rocket science.

~~~
koolba
At scale the cost of implementing a feature as wide ranging as 2FA is well
beyond the tech cost. A basic TOTP implementation can be coded from scratch in
an afternoon[1].

The real cost is testing to make sure a code change like this doesn't break
existing users and estimating the additional support overhead of dealing with
users that lose their two-factor devices.

[1] _Seriously the RFC is very straightforward and readable:_
[https://tools.ietf.org/html/rfc6238](https://tools.ietf.org/html/rfc6238)

------
simias
>The rush to check that box has led to usability problems as well as security
problems. Boroditsky points to Apple’s iCloud system, which came under fire
after easily guessed account-recovery questions enabled the mass theft of nude
photos in 2014.

I'm still amazed by how many websites still use this "security question"
mechanism. It's almost always the same questions too, "what's your mother's
maiden name", "what's your childhood's pet name" etc... It's so easy to get
the answers to these questions through the tiniest bit of social engineering,
or even just exploring their facebook profiles.

It's crazy how many websites manage to handle auth credentials incredibly
poorly, it ought to be a solved problem by now. Last week I created an account
on [https://www.comedie-francaise.fr/](https://www.comedie-francaise.fr/), it
used javascript to prevent me from pasting the password in the field (very
convenient when you use a password manager, I had to tweak the source to remove
the limitation). Now that's pretty silly, but what's even sillier is that they
then emailed me a password "reminder" in plaintext!

So when so many websites can't seem to handle regular user+password login
properly, it's not surprising that 2FA ends up being a huge mess.

------
xref
Namecheap is still the big one that only supports SMS 2FA for me. It has
apparently been a big engineering project to add TOTP support so they've
delayed it for many (4+) years. They did recently blog they were pausing all
other development to add TOTP support but there has been no progress update
and their initial promise of "in 60 days" has since passed...

https://blog.namecheap.com/authy-based-2-factor-authentication-is-coming/

~~~
dublinben
I've just moved my domains to porkbun.com instead, since they support TOTP and
have equivalent or better prices.

~~~
desdiv
I just buy my domain from AWS since I'm already using them for hosting. One
less account to deal with and one less attack surface.

~~~
niij
>one less attack surface

Yes, but your Amazon attack surface just got bigger.

------
ecesena
I think there are two big aspects that need to be kept distinct.

First, is large-scale ATOs. This is, IMO, the real reason why major services
implement 2FA. To the best of my knowledge, despite the insecurity of SMS,
there's no evidence that an attacker can massively take over accounts of a set
of users with 2FA enabled.

Then, there's attacking a single target user. I don't think there will ever be
a solution for that, unless the user is really careful. 2FA offers a 2nd
factor, but you still need a strong 1st factor to reduce the attacker power.

For example, storing a strong password in a pwd manager is useless when you
lose your phone (assuming an attacker can unlock the screen), as both factors
are on the same device, making the 2FA de facto a single factor auth.

Currently, again IMO, the only way to achieve a secure two-factor auth, is to
have a strong password that you _remember_ , and a second factor that proves
you have a device.

------
hoorayimhelping
> _At the same time, it’s proven difficult to kill off particular types of
> two-factor even after they’re shown to be insecure. The National Institute
> of Standards and Technology quietly withdrew support for SMS-based two-
> factor in August, pointing to the risk of interception or spoofing, but tech
> companies have been slow to respond. If anything, services are relying more
> on SMS as Twitter and PayPal look to tie accounts more closely to phone
> numbers. It’s less secure, but easier to use. As long as it’s two-factor,
> few account holders know the difference._

Is perfect the enemy of better here? I would think that having a second factor
is probably orders of magnitude more secure than not having one, even if it's
a hijackable medium like sms.

------
desdiv
Please critique this wild-ass idea of mine:

When the user makes their first purchase, print out five identical business
cards and send it to them by snail-mail. (If you're selling physical products
then obviously ship it with the product).

The front of the card is a regular business card; the back says "Use this code
for a 10% discount on your next checkout: correct-horse-battery-staple-TOTP-
backup-code" and a TOTP QR code.

When the user uses the discount code during checkout, offer them a 20%
discount if they scan the QR code and successfully setup 2FA.

This way you "trick" the user into properly setting up 2FA and also holding
five physical copies of their TOTP backup code in a fairly innocent looking
format.

~~~
mcgrath_sh
I throw out every business card I get with a package. I never scan the QR
codes. I can only imagine the nightmare of recovering 2FA for someone who was
tricked into setting it up without really understanding it. Just getting my
relatively technically savvy mom on a password manager took some work.

~~~
desdiv
It's fine if the user throws it out. The whole scheme is optional and the code
is never activated until the user types it in first.

The user can either:

1. Throw it away. Then nothing happens; no 2FA is set up.

2. Type in the code for a 10% discount. Again, no 2FA is set up so the
user's security is never worse off than before.

3. Type in the code and set up 2FA. This is the case where the user is
tech-savvy enough to properly set up 2FA and successfully authenticate with it
(in order to claim the 20% discount) so they (hopefully) realize the importance
and convenience of the pre-printed physical backup codes and will (hopefully)
stash them away somewhere safe.

~~~
recursive
The problem happens when someone claims the 20% discount, but doesn't
understand that they need to keep the card.

------
ibgib
I'm looking forward to more genuine MFA. For my site, I'm experimenting with
the ability to identify yourself with as many email address identities as you
want (in the future the plan is to add more types including oauth, sms, etc.).
If you're a regular person, you can just use one. If you're cagey, maybe two
or three. Straight up paranoid, how about 10?

The point is that you are basically using an extensible claims-based approach
to identity to create "aggregate identities". In the case of a beginner user,
it just looks like "my account". More advanced users can add more security as
necessary.

~~~
Sargos
So instead of hacking 1 email/account they would just hack 2 or 3? I don't
think that is adding any real security as those accounts would still just be
protected by regular passwords. It makes it a tad bit harder for a hacker but
not prohibitively so, because if they got the credentials to your first
account then the others are probably not too much harder.

The real power of 2FA is having the code generated by you, the human, via your
hardware device or software physically controlled by you and not another
automated machine.

~~~
ibgib
> _So instead of hacking 1 email/account they would just hack 2 or 3? I don't
> think that is adding any real security as those accounts would still just be
> protected by regular passwords. It makes it a tad bit harder for a hacker
> but not prohibitively so, because if they got the credentials to your first
> account then the others are probably not too much harder._

That's certainly one of the thoughts that I had originally! But if you look at
the details, perhaps it will become a bit clearer for you: Each of my email
accounts are themselves protected by 2FA, so "those accounts" are not just
"protected by regular passwords".

You can have email accounts with multiple email providers, e.g. gmail,
outlook, etc. So, depending on _how_ your email account gets compromised, this
gives you additional layering of security. If mail provider X has a security
breach, no big deal, because you also are using provider Y.

More generally, this can be seen with _any_ factor in authentication, i.e. a
claim. If any claim X is compromised, by any particular attack vector, then
you also have Y, Z, etc. in play, depending on your security vs. convenience
configuration.

And as I stated, email is only _one_ of the avenues used to provide evidence
for a claim. In the future, Oauth(2) tokens, sms, etc. The point is that it's
an extensible mechanism for genuine MFA, instead of hard-coding in the "2" in
2FA. And that diversity is where the "real power" of multi-factor
authentication comes into play.

~~~
Sargos
This really does just seem like 2FA with extra steps.

You can't add N factors to multi factor authentication by adding more
accounts. That's just lightly strengthening the first factor (something you
know which is a few different accounts) with a splattering of the second
factor (those accounts rely on something you have such as your phone). The
third factor of something you are doesn't even come into play in this
solution.

Having 2FA set up for the account in question makes it reasonably secure.
Relying on a second account that also has 2FA enabled does not make it twice
as secure. It might make it slightly more secure but not by a lot. It's even
likely that the second account is using the same device for the second factor
as the first account which negates any added security.

The best you can do in a scheme like this is shift the trust based security to
second entity. It's the same level of security but just handled by something
you might trust more. (Google/Facebook vs some random website I had to make an
account for).

~~~
ibgib
> _Relying on a second account that also has 2FA enabled does not make it
> twice as secure._

This is an absurd statement that I didn't imply, but perhaps you inferred?

> _The third factor of something you are doesn't even come into play in this
> solution._

As I've said, the point is to allow for additional claims to be given.
"Something you are", i.e. biometrics, is _certainly_ "in play" in this
solution. It is yet another claim to add to establish an identity. The point
is that the identification is extensible, and that _it's left to the end
user_ to make the opinions that you're depicting rather insouciantly as some
kind of "absolute truth", when what we're actually talking about is trade-offs
with security vs. convenience, as well as defense-in-depth.

> _It's even likely that the second account is using the same device for the
> second factor as the first account which negates any added security._

You're assuming that the attack vector is only at the end device. Of course
diversification of hardware like a keyfob or smart card is an added layer of
defense. But that doesn't mean that there is no value in multiple identities
from the same device. It all depends on the specifics of how your device is
compromised, or even if it's your device that is compromised in the first
place. As I said, what if you have a single email address hacked or a single
email (or oauth, or sms, or whoever) has a data breach?

> _The best you can do in a scheme like this is shift the trust based security
> to second entity._

Creating your own user/pass scheme, or your own oauth server is certainly one
of the options we have, so again this is not "shifting to a second entity".

I'm wondering if this is just trolling at this point? You're making simply
outlandish remarks with numerous assumptions and with little regard to what
I'm actually saying.

------
joelrunyon
Doesn't help that major organizations that use 2FA (facebook / instagram) have
had their iterations completely broken (and documented by many, many people)
and they still won't fix it.

https://medium.com/@joelrunyon/instagrams-security-features-are-broken-and-they-won-t-do-anything-about-it-16233f0935b0

------
jbg_
I've finally arrived at a pretty comfortable 2FA setup: A Yubikey Neo for
TOTP, so I can get codes on any of my devices (including my smartphone via
NFC), and a dedicated dumbphone with a worldwide roaming SIM in it where SMS
works (and is dirt cheap to receive) no matter where in the world I am.

I still much prefer TOTP whenever possible as the phone is potentially
vulnerable to social engineering against the SIM provider.

------
Cpoll
> Avoid: SMS has been at the center of a lot of two-factor hacks, most
> recently as a way to hijack Telegram accounts in Iran. High-security
> accounts are already moving away from it, but a frightening number of
> services still keep it as an option, giving anyone who compromises your
> carrier account an easy way in.

I feel like this is badly phrased. SMS 2FA is far worse than other types, but
still better than no 2FA.

~~~
blakesterz
>> SMS 2FA is far worse than other types, but still better than no 2FA.

It seems like every time I read about how SMS2FA was hacked it was done by
some state level power that would've gotten in through some other method. I
don't know if that's confirmation bias or actually true, but I think you're
right, SMS is better than no 2FA. Just because the NSA etc... can easily break
it doesn't mean it's useless right now. (maybe not the case in a year or two?)

~~~
mannykannot
> It seems like every time I read about how SMS2FA was hacked it was done by
> some state level power...

It seems to be a lot more vulnerable than that. Perhaps the biggest problem is
that the phone companies do not treat your phone number as being a component
of a 2FA system (and, to be fair, that was never the intent). This is from the
linked article by Cody Brown, "How to lose $8k worth of bitcoin in 15 minutes
with Verizon and Coinbase.com":

"Of all the things that went down in the factors that lead to this hack,
Verizon Wireless is what I was massively unprepared for. After talking at
length with customer service reps, I learned that the hacker did not need to
give them my pin number or my social security number and was able to get
approval to takeover my cell phone number with simple billing information."

See also: https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/

~~~
ksec
> It seems like every time I read about how SMS2FA was hacked it was done by
> some state level power... It seems to be a lot more vulnerable than that.
> Perhaps the biggest problem is that the phone companies do not treat your
> phone number as being a component of a 2FA system (and, to be fair, that was
> never the intent).

I think this sums up the problem.

BUT

SMS is likely the most convenient way for non-geeks to use. And, as far as I
am concerned, it seems only (or especially) telecoms in the US are vulnerable. In
places like China / Hong Kong / Japan / Korea, you can't change your recovery
code or whatever without your personal ID.

------
cmurf
What I don't like is everyone using different 2FA standards, so you end up
having to use different apps to find the code for a given service.

Recently Google and Lastpass are supporting push notification for 2nd factor
in lieu of manually inputting a code. That seems like it'd be more secure than
TOTP, but does require an internet connection to receive the notification.

------
blibble
people's phones have their passwords from their google/firefox accounts, their
email, and tend to be their 2FA device for google authenticator... not really
2FA anymore

to be fair if you are running the latest android or have an iphone that's
probably better than having it all on your exploit ridden PC, but it's still
1FA

~~~
VikingCoder
Having a secure way to log in to your phone is supposed to be the second
factor.

------
w8rbt
Got to use TOTP or FIDO (U2F). Can't rely on SMS (SS7 attacks). Here's some
TOTP/HOTP software I wrote:

https://github.com/w8rbt/oathgen

https://github.com/w8rbt/goathgen

------
albertgoeswoof
I lost my 2FA to AWS (my phone broke), now I have to provide:

1) A completed, signed, and notarized Identity Verification Form and Affidavit
2) A photocopy of the AWS account owner’s primary proof of identification,
such as a State driver’s license or US passport. (note that I don't live in
the US)
3) A photocopy of the AWS account owner’s proof of address matching
the address on record (I don't live there anymore)

in order to stop them from billing me every month for resources I don't use.

I lost my MongoLab token as well, now I can only access my database over a
connection string.

Now I don't enable 2FA, the chances of me losing my token are higher than the
chances of me being hacked. And after 2 or 3 years I don't remember where my
backup tokens are so that's not a realistic option

~~~
SAI_Peregrinus
I only enable 2FA if it's TOTP or HOTP. In the case of TOTP I save the key
(the data in the QR code) in my password manager (KeePass), in the case of
HOTP my backup key is in my fireproof safe at home along with other important
documents. That's admittedly a small portable box with a carry handle, so easy
for a burglar to steal, but it's also easy to get to and I can take it with me
if I ever have to evacuate or move.

~~~
StavrosK
Saving the 2FA key along with your password makes it a single factor. I just
add every new key to my Yubikey (as well as FreeOTP on my phone), so I have a
backup if one breaks (this is on top of the backup codes).

------
jcastro
> It was supposed to be a one-stop security fix.

I use 2FA as much as the next person but I have realistic expectations that
it's not a magical fix for everything.

------
paulpauper
The big problem is not so much that 2FA is broken but that bitcoin makes
breaking 2FA so much more lucrative.

