You know the type: "What's your favourite animal?", and other easily-guessed and easily obtained information hackers can use.
I always put in some gibberish by mashing the keyboard and make sure to record them somewhere safe just in case I need a password reset. I memorise my password and that should be fine, right?
Well, I was overseas with just my phone available to me, and one of the banking apps refused to let me use my valid password without also entering my password reset answers!
They misused, for access, the value I was only expecting to need for a reset.
I was totally locked out of my bank account with no recourse until I got back home and could look up the gibberish string used for the answers.
I can create my own question in a way that a specific answer will immediately come to mind if I'm ever asked in the future, without any need to look anything up, and that cannot be answered by googling me. How about if you let me choose the question? "No, we are security experts who have given you three excellent options to choose from. Choose one."
The list of possible answers can be very long. When they don't recognize your device, you select the answer from a subset.
But it isn't as bad as those "identify which of these loans you might have used" to identify you or as bad as silently truncating a password on input (both of which I've seen). Still, pretty darn bad. Don't surprise your users!
Speaking of additional factors, I wrote up a piece about all the different kinds of factors and when you might use them. But NIST has the canonical list as far as I'm concerned (section 5).
> I always put in some gibberish by mashing the keyboard and make sure to record them somewhere safe just in case I need a password reset. I memorise my password and that should be fine, right?
But then you have to trust that "somewhere safe" is actually as safe as you think it is.
One alternative is to use them like mnemonic code phrases. So perhaps your answer to "What's your favourite animal?" is not really an animal, but maybe Cthulhu, so as a (somewhat overkill but illustrative) example maybe the answer would be "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn"
I'd go further than that and use stuff like that for actual passwords, but with a twist.
Using that sort of thing for such questions is good, but take something you know well, like a song lyric or line from a poem and then change it subtly. For example:
Forty score and eleventy years ago, our
foremothers brought forth a new abomination.
Those are pretty much endless in possibility too:
In the town where babby formed, there lived a
gal who mailed some trees.
Ask not what who has done it in your country.
Ask which Lulu can do it with you.
I prefer song lyrics myself, since they're usually easier to remember, and when presented with the need to recall it as a password/"secret" question, the modifications made come right back.
I imagine that wouldn't work for everyone, but it works well for me, and would also work for others.
In linguistics, an eggcorn is an idiosyncratic substitution of a word or phrase for a word or words that sound similar or identical in the speaker's dialect. The new phrase introduces a meaning that is different from the original but plausible in the same context, such as "old-timers' disease" for "Alzheimer's disease". An eggcorn can be described as an intra-lingual phono-semantic matching, a matching in which the intended word and substitute are from the same language. Together with other types of same-sounding phrases, eggcorns are sometimes also referred to as "oronyms".
It's a sordid affair, but we're making progress. We've reduced our average time to sign-in by about 20% since our launch 6 months ago. (There's nothing to say our starting point was very good, but we do think about this very consciously.)
If you're working to improve your sign-in flow, our biggest wins so far have been:
- OAuth buttons at the top, critically with Google included. OAuth is _way_ faster than passwords for most users; putting it at the top switched OAuth usage from just below 50% to just over 50%. Those extra percent using OAuth bring down the overall average speed.
- Eliminate OAuth "edge cases." Turns out, they're not edge cases at all. 15% of users will sign up with email/password then try OAuth next, or will sign up with OAuth then try email/password next. Make sure you have happy paths for these.
- Magic links instead of OTPs for passwordless auth. Overall, magic links are a few seconds faster than OTPs since there's no entry step. (That said, we're still investigating whether it's better to trigger OTPs on mobile devices because of the auto-fill capabilities)
- Integrate with password managers. Our sign-in flow is normally two screens, but if we detect a password manager we'll accept the password on the first screen. Password manager folks are already the fastest, but this makes them even faster.
This is just the first factor. Admittedly, our second factor is still lagging behind, but UX is getting better for 2FA with FaceID & TouchID. We're optimistic we can have a positive impact on the second factor, as well.
If you're interested in having a team obsess over this on your behalf, come check us out :)
Edit: Didn't answer the actual question - it's something we can look into. My instinct is that offering this wouldn't drastically change the security model, as long as we can be confident your password actually came from a secure password manager. Since some password managers (like 1password) are very strongly tied to devices, I think your ability to retrieve a password from it is a reasonable proxy for a possession factor.
It's definitely something I'd want to read more literature on before building. That's just my instinct, and I'm half expecting someone on HN to share the attack I'm forgetting :)
Aside from that, though, I think it's reasonable to argue that the security of password+code in 1password is equivalent to just password in 1password.
You should be careful about copy pasting your password on the internet.
I am willing to stipulate that magic links are better in this way.
That is, provided they are of reasonable length. Say, 32 characters or less beyond the domain name itself?
You can't predict what device, or interface, or mail client one will receive these links on. You also can't predict how they will interface with the link (or resend or process it).
The 300+ character hash links I sometimes see are really lazy and clueless.
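The "reasonable length" point above, and the earlier magic-link comment in the thread, in working code. This is an added example, not code from any commenter or product mentioned here. It shows that a magic link can carry 192 bits of entropy in a 32-character token (24 random bytes, base64url, no padding), that the server only ever stores a hash of that token so a database leak does not yield live links, and that redemption is single-use and time-limited. The base URL, the store class and the e-mail address are all constructed for the example.

```python
"""Compact, single-use magic links: issue a short high-entropy token,
store only its hash, and redeem it once before it expires.
Added example; the store, URL and address below are hypothetical."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical base URL for the sign-in endpoint.
BASE_URL = "https://example.test/login"


def _digest(token: str) -> str:
    """Server-side storage key: SHA-256 of the token, never the token itself."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def new_token() -> str:
    """24 random bytes = 192 bits of entropy. 24 is divisible by 3, so base64url
    yields exactly 32 characters with no '=' padding to strip or mangle."""
    return base64.urlsafe_b64encode(secrets.token_bytes(24)).decode("ascii")


def token_from_url(url: str) -> Optional[str]:
    """Extract the 't' query parameter a mail client would hand back to us."""
    values = parse_qs(urlparse(url).query).get("t")
    return values[0] if values else None


@dataclass
class MagicLinkStore:
    """In-memory stand-in for a table of (token_hash, email, expires_at) rows."""
    ttl_seconds: int = 600
    _pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = new_token()
        # Only the digest is persisted; the plaintext token exists only in the link.
        self._pending[_digest(token)] = (email, now + self.ttl_seconds)
        return f"{BASE_URL}?t={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the bound e-mail on success, None on unknown/used/expired.
        pop() makes the link single-use even if two requests race on it."""
        now = time.time() if now is None else now
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore(ttl_seconds=600)
    link = store.issue("alice@example.test")  # constructed address
    print(link)
    print("chars beyond the domain:", len(link) - len("https://example.test"))
    tok = token_from_url(link)
    print("first redeem:", store.redeem(tok))   # alice@example.test
    print("second redeem:", store.redeem(tok))  # None: already used
```

The whole link is the base path plus `?t=` plus 32 characters, well inside the 32-beyond-the-domain budget the comment asks for once the path is short, and far from the 300-plus-character links it complains about. Looking the digest up in a dictionary is not a constant-time comparison, but because the stored value is a hash of a 192-bit random token, a timing side channel on the lookup gives an attacker nothing they could use to guess a live token.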
So it's slower now, or did you mean to say you've reduced the time to sign-in?
> Update: It’s come to our attention that some of you don’t drive, which, honestly, just never occurred to us.
1. On desktop: Enter username and answer to a random memorable question like "your first pet" (password manager will probably fail to autofill this). You're then prompted for a "mobile security code".
2. On mobile app: Enter username + different password. Need to scroll, tap 7 items and then enter a password to get a mobile code you then have to type into the desktop app.
Getting the mobile security code logs you out of the mobile app and logging into the mobile app will log you out of the desktop app.
It's like they didn't do any user testing and think that more steps = better security.
Lots of UK banks also ask for random parts of your password only e.g. "enter the 2nd, 10th and 5th character from your password" which is super tedious to do correctly because you can't use muscle memory or autofill. This is to defeat key loggers? Isn't that what 2FA would do? You'd think banks would be clued up on this.
It's amazing to think that not just this but the entire mountain of bullshit could be avoided with simple passwords. It should be an option offered by every service for a user to deactivate all authorization methods besides one very strong password and perhaps a backup password. We should at least have the option.
And even those of us with strong passwords, and a strong understanding of cyber security, are vulnerable to phishing and other attacks, that can be defended against by using MFA.
Obviously MFA can be taken to ridiculous "ten factor" extremes. But sticking with, or going back to, just passwords, isn't the solution.
Ring (Amazon) made me call them to reset my two-factor app sync. They asked me to send a bill to the address of my home via my email as proof that this is really me and not just someone who has my password and access to my email. I asked what's the point of this if it's not really me but someone who has my password, has access to my email, and can go log in to the utility company to get a copy of my bill after resetting my password there too? The agent literally said this is the script they have to say and they don't know...
You could not imagine how hard it is to have the internet without also having a cell phone.
Modern security is a usability nightmare.
I've just taken over all my elder family accounts for internet, TV, phone, etc. Much easier. And all the vendors treat me as HVC cause I'm paying for multiple services on their platforms.
When the security department suggests another thing, to protest sounds like you want things to be less safe simply because it's annoying. But some of these things add only a little bit of security, or address a scenario that is highly unlikely, but you pay for it every day, day after day, with a dozen irritations that peck at you.
Security is a continuum. I could always imagine something more to add: "Lock the screen after 10 minutes? Why not 5? Why not 2?" So the security team seems to have their way until the users are almost driven crazy but not quite.
Is there some sort of worldwide regulatory body, or is compliance by manufacturers simply a gentlemens' agreement?
The NHTSA in the United States has a partnership with SAE.
Sure, good intentions are pushing for doing more: more inclusivity, more security, more assessment, more reports, more measurability (to get more fairness), etc.
And since it's hard to start a competing university or ISP or telco or TSA (!)... there's not even the usual push from the market to be resource efficient.
This was a fantastic read. Kudos to whoever put it together.
Personally, the decorative gourds one always gets me. Different tastes.
and then have your individual inner patterns recognized.
This could have many other benefits, like corporate approved application of nutrients and drugs by enema,
connection to plumbing to save toilet time, and motivation by dildonic gratification for good work.
It could also give a spine.
Baa! Baa! Baa! Mew!
E.g. for one of the systems in the article:
> It is written left to right, and uses subscripts, superscripts and diacritics. Each sign is written in this order: handshape, orientation, location, actions.
McSweeneys’ satire and parodies are rarely in good jest in my experience. This is a criticism of the move towards 2FA/MFA make no doubt about it. The writer, and the editors who let this through, are not happy about this state of affairs.
McSweeney’s isn’t a no-name blog or journal either — its name holds sway over those who work in literary arts.
Don't get me wrong, the security benefits are worth it. But having to pull out my phone multiple times a day to enter a code from an authenticator app? Dude, my phone communicates with my laptop throughout the day. Why does this need me in the mix?
Digital OTP, like the kind provided by 1Password or Bitwarden, are a little more convenient. And having Google Voice means I can easily copy codes sent via text straight from my laptop.
But it's something I'd rather not even have to pay attention to. I don't need to manually enter a code to get HTTPS.
Mind that 2FA replaced TANs, which are literally the most secure thing (one-time pads). 2FA is not about security, but about ease of administration.
(As a side effect, 2FA usually puts all the eggs in a single basket and forces you to carry that basket around with you, everywhere you go. Mind that this basket isn't even the basket itself, but one of many ways to access an account connected to another ID, but still the only one accessible to you.)
1. username and password for website
2. token sent to email
3. login for email (auto logged out)
4. email 2fa that requires SMS 2FA or Google auth, stored on phone
5. pincode / face for phone
Oh! I could add 2 more real ones:
-1: password manager login
0: password manager 2fa
Nah. I currently work for NYU and find their 2FA system pointlessly burdensome. I need to type my password (in practice, unlock my password manager) and then procure my second factor every day, on every device I use. Inevitably any mobile app I need to interact with requires doing all of this again, except this time inside a custom webview that doesn't remember cookies. I have never worked for a tech company that made things this annoying, and I can't fathom how bad it must be for anyone who needs to use e.g. a screen reader.
At first, there was 2FA where you could either
1. Download the proprietary app OR
2. Get texted the code.
(i.e. no "do-it-yourself" e.g. Google Authenticator option.)
This means you must have a cell phone of nearly any kind. Mostly reasonable.
Turns out, option 2 cost somebody like half a cent every time it was used and also was far more popular than anticipated.
So they just got rid of 2. That's all, no mitigation.
And now you've DRASTICALLY increased the tech requirements for a major public school; I know of IT instructors in the place who did not actually regularly use a phone "fancy" or new enough to handle the official app.
The founders and investors of 1Password, perhaps.
It's a funny frame device to float a couple different satirical ideas. I'm sure faculty members – and most people – understand that 2FA is a necessary minor annoyance.
Requiring signing into my Microsoft account (with two step authentication code) every twenty four hours on a company laptop you control is obnoxious. You should educate and empower your employees, not treat them as the weak link in your armor.
The yearly security training is probably just a compliance checkbox companies do. If they wanted an educated workforce that practices security first there are other far more effective approaches.
Of course, that all ignores the fact that employees are weak links not because they are dumb, but because they don't have an incentive to protect the company when they or their families are put in danger by a threat actor.
Not to mention the pain when said factor is lost. I just replaced a broken phone, and having to login in everywhere that previously required an Authenticator has not been fun.