Two-Factor Authentication Might Not Keep You Safe (nytimes.com)
45 points by pseudolus 19 days ago | 49 comments

>we actually know very little about how well two-factor authentication works

Actually we have known literally for years, maybe over a decade, that SMS-based two factor is insecure and prone to phishing... that's the point of TOTP/shared secret based two-factor auth...

Not only is SMS-based two-factor susceptible to phishing, it's also susceptible to interception/forging by rogue governments (RU) https://meduza.io/news/2016/04/29/mts-otklyuchil-oppozitsion... And the very limited security of SS7 makes it possible to hijack the messages even for foreign phone numbers.

(Edit) Just to point out, here I'm not talking about the possibility of SMS interception - I'm talking about an SMS intercept that DID happen in 2016, is widely publicised and has a lot of sources, including a timeline of the event and communication with the mobile service provider (albeit this info is mostly in Russian).

I think the point of the article was to spook the non tech crowd into moving away from SMS based 2FA. Obviously the tech crowd has known for a long time but most other people are oblivious to all of this.

> Obviously the tech crowd has known for a long time

Who else but the "tech crowd" implements SMS 2FA on these websites? What does it say about our industry if we're pushing solutions we know to be flawed?

It's not about who implements it, it's about who pays to implement it and gives the orders.

The tech crowd isn't implementing SMS 2FA for fun. They're doing so because the manager is like "wait what! they'd need to install an app? but we can just use SMS! I don't care what you say about it being insecure, it's still more secure than not having it!"

What's the fix? I mean for fucks sake, naming & shaming companies doesn't ever work for security stuff. It doesn't even work for getting https on login forms; it's not like it's easy to push through the nuances of SMS 2FA's security issues.

Or even tech stuff in general. I just moved to Belgium and half the national services here don't know how to dial an international phone number, don't support + or 00 at the beginning of phone number inputs, etc. There is no end to how technologically illiterate services can be. And yet, it's still "the tech crowd" implementing all these things.

We need to find a way to push these obvious fixes through, but as far as I know, short of reporting the issue and crossing your fingers someone relevant hears it, it's not possible.

Fixing it seems like a tough task. At first glance, somehow requiring tech vendors to work not to fulfill the customer's technical specs, but their actual real-world needs, seems necessary. But all other problems aside, if the customer doesn't have the knowhow to specify their needs in the first place, that's a tough task. Maybe it would have to be a combination of bolstering the buyer side's in-house technical understanding and legally requiring providers to commit to delivering the product their customer needs, not the one they say they want.

I wouldn't want to try to formulate that into concrete legislation, though. It would be an enormous change, and I'm not sure what we'd end up with if we tried that.

The "tech crowd" tends to implement what the business asks them to implement, like you said. In the case of security, fixing it is straightforward -- there's a large enough amount of fines for breaches where customer data was leaked to a third party where any company would either implement really good security or hire out to platforms that could do it. It's not easy, because there's not a lot of people in government who have incentives to make that happen.

Still better than nothing.

Really? They mention YubiKey but it seemed to me like they just lumped it in with less effective SMS 2FA.

Is it not possible to capture both the login credentials and TOTP code from a phishing form and submit them to the real service in real time?

It would seem push notification style 2FA à la iCloud/Gmail/Duo/Blizzard is the better solution, but that also opens up a vector for users who simply accept every push notification request.

U2F would seem better than both those options but alas that can still be lost or stolen and compromised before access can be revoked.

This is why having two tokens (one primary you carry with you and one backup kept in a secure location) is important.

TOTP is just as vulnerable to phishing as SMS.

If you want phishing protection, use U2F.

Yes that's true actually, it's U2F that actually fights phishing directly. I use TOTP integrated into my password manager, so it does partly fight phishing in that sense, since I can't accidentally enter it on the wrong domain.

Though it is still worth considering SMS insecure due to the many other pitfalls that aren't phishing, where TOTP fares a bit better. Still, I wish more stuff supported U2F.

What password manager do you use that uses TOTP?

1Password and Bitwarden support TOTP. Obviously, you lose the security of having two separate factors to compromise, but you gain the normal mechanical advantages of TOTP and a bit of extra phishing protection. I have a few YubiKeys as well, but yeah, less stuff supports that...

KeePassXC supports TOTP, though it's still manual copy-paste (while the browser extension checks websites, and requests access from your KeePassXC session it doesn't support entering TOTP so you have to do it manually).

Besides the other two mentioned there's also Codebook.

TOTP 2FA is also susceptible to phishing.

Susceptible, but more limited.

I think an article should be written like this:

"There isn't a security measure that exists short of locking a computer in room with a keyless door and no external connection that is completely flawless to hacking, there are just varying degrees of computer security and 2FA happens to be safer than others".

How more limited? In both cases you type some numbers into a form field. The phishing attack is exactly the same.

Phone number vulnerabilities include the unique vectors of:

- Someone porting your phone number away from your wireless provider

- The ease of confusion of a text message asking you to send a generated OTP (e.g. you're more likely to forward an OTP received by SMS to another SMS than you would one from a TOTP generator)

- The wireless provider can theoretically read the message in transit (or backdoor code, whether from a gov't agency or a malicious actor acting on behalf of the wireless provider)

Those are just 3 I can think of off the top of my head...I'm sure there are more.

The first and last of those aren't phishing, and the middle doesn't seem likely. I've never legitimately been asked to text the code I just got via text.

Isn't TOTP also prone to phishing? If I can present a form to someone and trick them into entering their credentials, why not present a second form that also requests the TOTP code? That gives me a window of opportunity to log in as the user, or just script that part of it to happen automatically. Would that not work?

It's not just SMS that's vulnerable.

2fa apps like Authy are also at risk from fraudulent interstitial sites that capture your user ID, password and Authy code, authenticate with the legitimate site, and allow the fraudster to control your account.

Really the only secure 2fa is a hardware token.

While hardware tokens are definitely more secure, there is a large difference between the security of SMS 2FA and TOTP code-based 2FA. SMS 2FA is fundamentally insecure because the SMS system can be hacked regardless of the security consciousness of the end user. On the other hand, while TOTP code-based 2FA is certainly subject to phishing, there are 100% effective ways that an end user can prevent this (like double checking the URL).

So while I do agree with you that hardware tokens are best, it's a mistake to lump SMS in with other forms of 2FA from a vulnerability perspective.

No, I don't think this is true. TOTP 2FA has the advantage that your 2FA codes can't be stolen by porting your phone to another device (an attack teenagers can pull off), and, in elaborate attack scenarios, TOTP also has the advantage that it's not susceptible to attacks on SMS itself.

But both TOTP and SMS are phishable, and moving from SMS to TOTP is not a meaningful anti-phishing defense.

U2F and WebAuthn resist phishing using a form of mutual authentication, which is why security keys actually do resist phishing, and why Google switched to them and away from TOTP.

I think you misread my post. I wrote "while TOTP code-based 2FA is certainly subject to phishing..."

My point being that at least with phishing attacks the end user can prevent them by paying attention. With SMS 2FA, even if the end user does everything right they are still open to getting hacked. For example, a bunch of people had their Bitcoin stolen when bad guys convinced the phone company to change number ownership.

Using a password manager defeats this as all the main ones will verify the url asking for the creds before sending them, defeating phishing.

How is the other method supposed to help? The secret is generated completely on the client dongle and so if phished the attacker is going to get the token needed for that time window. The attacker logs in and disables the 2FA.

> This type of phishing is precisely the kind of threat that two-factor authentication is supposed to protect you against.

I've never seen an article so imprecise. 2FA protects against account takeover, not against phishing. In fact, most 2FA mechanisms are affected by phishing, and that's why there are security keys with U2F and now FIDO2, which seem unknown to the writer. I'm surprised to see such a poor quality writeup from the NYT.

It's not factually correct, and off-topic, but why do I see so much hyperbole so often? Have you really never seen such an imprecise article? I believe I've seen plenty, and this one isn't the most imprecise one I've ever seen. I feel such hyperbole makes things seem worse than they are and then correspondingly ups the angst.

It's a shame they don't mention this only applies to some forms of 2FA. U2F / FIDO does the verification both ways. It also authenticates that the URL requesting the credentials is the expected one. As long as DNS+TLS did their job, you can't abuse it via a fake login site.
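The "verification both ways" described above comes from two values the relying party checks on every assertion: the `origin` the browser records in `clientDataJSON`, and the `rpIdHash` (SHA-256 of the relying party ID) the authenticator puts at the start of `authenticatorData`. Both are covered by the authenticator's signature, so a phishing site cannot substitute them. This added example (not code from the thread or from any library; it assumes a relying party `example.com` at origin `https://example.com` and constructs the browser/authenticator messages itself) implements just those pre-signature checks in Python with the standard library and shows a genuine assertion passing while one minted for a look-alike origin is rejected. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left out, since it needs an ECDSA library; the point here is the origin binding.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                     # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"   # assumed origin the RP expects to see


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces for navigator.credentials.get()."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,                 # the browser fills this in; the page cannot choose it
    }).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed stand-in for authenticatorData: rpIdHash(32) || flags(1) || signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN):
    """Relying-party checks that bind an assertion to this site (signature check omitted)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return (False, "wrong type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return (False, "challenge mismatch")          # blocks replay of an old assertion
    if cd.get("origin") != expected_origin:
        return (False, f"origin mismatch: {cd.get('origin')}")  # a relayed phish fails here
    if len(auth_data) < 37:
        return (False, "authData too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return (False, "rpIdHash mismatch")           # credential scoped to a different RP
    if not auth_data[32] & 0x01:
        return (False, "user presence flag not set")
    return (True, "ok")


if __name__ == "__main__":
    challenge = b"constructed-challenge-bytes-0001"   # constructed; a real RP uses random bytes
    good = check_assertion(make_client_data("https://example.com", challenge),
                           make_auth_data("example.com"), challenge)
    phish = check_assertion(make_client_data("https://example-login.com", challenge),
                            make_auth_data("example.com"), challenge)
    print("genuine site:", good)
    print("look-alike site:", phish)
```

In practice the browser enforces this even earlier: it refuses to use a credential whose RP ID is not a registrable suffix of the page's domain, so a look-alike site never obtains an assertion for `example.com` at all. The server-side check above is the defense-in-depth layer that makes the property hold even if a client is misbehaving, and it is the check that has no counterpart in TOTP or SMS.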

In general you are right about U2F, it's really much better than e.g. TOTP. But even U2F can be phished: https://www.wired.com/story/chrome-yubikey-phishing-webusb/

The phrase "can be phished" seems inaccurate, because that Chrome vulnerability has been fixed.

I wouldn't say this is really a u2f problem. It's a "you mounted your secure lock with screws accessible from outside, so your lock security is irrelevant" situation.

If a single large vendor has ~30% market share and automatically installs locks for people with screws accessible from the outside, surely it's a security issue of _some_ type for services that rely on those secure locks being installed properly. I agree it's Google's problem and not FIDO's, but it still affects the applied security of their devices.

Any security solution is only as strong as the weakest link and needs to be evaluated on an end-to-end basis. A secure lock with properly installed screws is surely useless if installed on a screen door, or a window is habitually left open near the secure lock door, or keys to the secure lock with the address and PIN number written on them left in public places.

The article mentions Yubikeys, but it doesn't mention that Yubikeys implement U2F.

The article reports that Google internally switched from TOTP, but doesn't report what Google switched to: U2F.

The article describes, in some detail, how TOTP and SMS two-factor authentication can be phished, but doesn't describe a two-factor authentication method that is quite a bit harder to phish: U2F.

There is a pattern here, and it is puzzling, to say the least.

EDIT: Changed "phish-proof" to a more realistic adjective.

Declaring U2F "phish-proof" seems premature at best. It is certainly much better than other existing options, but I wouldn't suspect it to stand up very long at all against a nation state adversary. Feels very much like "air-gapped networks can't be actively infiltrated" before Stuxnet.

You are right, of course. I have corrected the parent comment.

A commenter above even provides a source for a novel U2F phishing attack, although it appears to rely exclusively on bugs in the Chrome WebUSB feature and is likely already patched.

This argument does quickly devolve though; if an advanced persistent threat is taking an active interest in you, the only technique that is even close to effective is to cut out as much technology as possible, Bin Laden or Unabomber style.

I read that Facebook was using the PII disclosed for the purpose of so-called "2FA" for targeted advertising purposes.

The paper from the website of CS Prof. Alan Mislove:


Are HN readers concerned about having to disclose more and more PII to advertising companies in order to be "authenticated"?

Recently I heard someone being interviewed on the radio who studies internet privacy, and he was talking about this type of authentication. He was arguing it is problematic for privacy in that it requires the authenticating party to always have "one more" item of PII.

He suggested that the PII disclosure requirements would only keep escalating and eroding privacy until the user has to "jump through her phone" to prove she is who she says.

I would provide a reference but I did not get his name. Maybe this sounds familiar to someone? Who knows, maybe he reads HN.

Lots of hate for SMS as 2FA here. By no means perfect but does anyone know of a viable alternative? Genuinely curious as this is a problem we have hit deploying financial services applications for predominantly underbanked / non tech savvy users.

So, an authentication method that:

- Is without dedicated hardware, as hardware is expensive, difficult to distribute and if it's a USB there is no guarantee that a user has a laptop.

- That functions on feature phones (yes, they are still out there), or at the least phones without biometrics, as most don't.

- That doesn't require the user to do anything extremely complex, as ironically this is the part where a lot of fraud occurs.

E.g. during a mobile banking rollout, customers were asked to register their phone number at an ATM. However, many customers of the bank weren't familiar with ATMs (they banked at branches) and the people they requested help from linked their own phones and stole their cash.

2FA by itself protects you against credential stuffing and other password reuse based attacks. It doesn't in general protect against phishing.

U2F protects against phishing.

Reminds me of the KoiPhish relay proxy: https://github.com/wunderwuzzi23/KoiPhish There is also another one called Modlishka, I believe.

FIDO and U2F are addressing this, but it needs browser support. And Google Chrome had some bad bugs in their WebUSB implementation that allowed any site to read keys - not sure if all those issues are addressed by now.

To be a broken record, SMS codes are not 2FA. They're readable by many people, they're not private, they don't have delivery guarantees; can we please stop calling it that? Better yet, can companies stop promoting them?

Just because a password field in a web form is susceptible to various methods of attack doesn't mean it's not a factor of authentication. And the same goes for SMS. It's still 2FA, just not absolutely secure/reliable.

Also there are lots of use cases where there just doesn't seem to be any more practical option for developers. For example, a second factor of authentication for financial transactions where the requestor only has a feature phone. Or the far more common scenario, where the practicality of rolling out hardware dongles or custom authentication applications is just too difficult/expensive.

I think having SMS codes as a second factor is better than nothing at all. It changes the risk profile significantly. Anybody can try to brute-force your password, but a smaller group of people have the ability to intercept your SMS messages.

Wouldn't the solution be the browser telling you the fake site looks like Bank of America but the IP or URL is incorrect?

Reminds me of the shortcomings in CAPTCHA.
