The New Ten-Factor Authentication Processes (mcsweeneys.net)
124 points by apsec112 12 days ago | hide | past | favorite | 99 comments
My favourite stupidity is related to self-service password reset questions.

You know the type: "What's your favourite animal?", and other easily-guessed and easily obtained information hackers can use.

I always put in some gibberish by mashing the keyboard and make sure to record them somewhere safe just in case I need a password reset. I memorise my password and that should be fine, right?

Well, I was overseas with just my phone available to me, and one of the banking apps refused to let me use my valid password without also entering my password reset answers!

They misused the value I was only expecting to need for a reset for access.

I was totally locked out of my bank account with no recourse until I got back home and could look up the gibberish string used for the answers.


That drives me crazy, too: "Choose a password." I choose a very secure password. "Now, in case you (or anyone else) can't recall your password, choose one of the following three personal security questions that any reader of your blog will be able to answer."

I can create my own question in a way that a specific answer will immediately come to mind if I'm ever asked in the future, without any need to look anything up, and that cannot be answered by googling me. How about if you let me choose the question? "No, we are security experts who have given you three excellent options to choose from. Choose one."


A travel agent had ridiculous and unexplained rules for password composition, so after many, many tries I ended up very angry and with a password along the lines of "how about f* you idiots" (I use a password manager too). Later I wasn't able to log in and the phone support told me it was because I used profanity in the password.

I treat all security questions as if they are just an additional password. I use a password manager and store a random string for each required security question.

Yet even that becomes a social engineering attack vector, if you can talk to a human: "I just put random gibberish in there" is too likely to work.

You could possibly use generated words to prevent that. "tenably-spelt-stall-proxy" shouldn't be considered "random gibberish."

Shouldn't, but it all depends on the training and awareness of the person on the phone. Instead of "random gibberish" the attacker could just say "random words", or, if they didn't know which strategy you used, "random stuff".

The most insane security question I've encountered is on united.com where they have you select your question _and answer_ from a dropdown.

It's true, I tried it out: https://imgur.com/a/cJ51inY

The list of possible answers can be very long. When they don't recognize your device, you select the answer from a subset.


And the answers' probabilities are not equally distributed! For example, for the color of the house you grew up in, there are clearly common colors and rare colors. If they asked for the house number, it would have been better.
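A worked example of the two points made above (random-word answers are not "gibberish", and dropdown answers are far from uniformly distributed). This is an added example, not code from the thread or from united.com; the house-colour frequencies and the small word list are constructed for illustration, not survey data.

```python
"""Guessing entropy of security-question answers (added example).

Compares three answer sources discussed in the thread:
  * a dropdown of house colours with a skewed, constructed distribution,
  * a uniformly random house number from a fixed range,
  * a random multi-word answer drawn from a word list.
"""
import math
import secrets

# Constructed probability mass for "colour of the house you grew up in".
# These numbers are illustrative, not measured.
HOUSE_COLOURS = {
    "white": 0.35, "beige": 0.20, "brown": 0.15, "grey": 0.10,
    "red": 0.08, "blue": 0.05, "green": 0.04, "yellow": 0.02,
    "pink": 0.005, "purple": 0.005,
}

# Constructed mini word list; a real diceware list has 7776 entries.
WORDS = ["tenably", "spelt", "stall", "proxy", "ember", "quartz",
         "lantern", "mosaic", "pivot", "saddle", "thicket", "velvet"]


def shannon_entropy_bits(dist):
    """Average information in one answer drawn from `dist`."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist):
    """Worst case: how hard the single most likely answer is to guess."""
    return -math.log2(max(dist.values()))


def expected_guesses(dist):
    """Expected number of tries when guessing answers most-likely-first."""
    probs = sorted(dist.values(), reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(probs))


def top_k_coverage(dist, k):
    """Fraction of users whose answer is among the k most common ones."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:k])


def uniform_dist(n):
    """A question whose n answers are equally likely (e.g. a house number)."""
    return {i: 1.0 / n for i in range(n)}


def passphrase_entropy_bits(wordlist_size, words):
    """Entropy of `words` words chosen uniformly from a list."""
    return words * math.log2(wordlist_size)


def random_word_answer(words=4, wordlist=WORDS):
    """Generate an answer like 'tenably-spelt-stall-proxy' with `secrets`."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def compare():
    """Summarise the three answer sources as bits and expected guesses."""
    return {
        "colour_shannon_bits": shannon_entropy_bits(HOUSE_COLOURS),
        "colour_min_entropy_bits": min_entropy_bits(HOUSE_COLOURS),
        "colour_expected_guesses": expected_guesses(HOUSE_COLOURS),
        "colour_top3_coverage": top_k_coverage(HOUSE_COLOURS, 3),
        "house_number_expected_guesses": expected_guesses(uniform_dist(999)),
        "diceware_4_words_bits": passphrase_entropy_bits(7776, 4),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:32s} {value:8.2f}")
    print("example answer:", random_word_answer())
```

The skewed dropdown gives an attacker about a 70% hit rate within three guesses, whereas a uniformly random house number in 1..999 needs 500 guesses on average and four diceware words carry over 50 bits; that is the gap the comment above is pointing at.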

Those are not good questions if you still live in the same place you grew up.

and the questions are insanely specific

Using password reset questions as a second factor is pretty bad. It probably came from good intentions. Since you were logging in from an unusual location, the bank flagged the process for a higher level of security. I wonder if they could have used literally anything else to verify you. (My bank also lets me tell them when I'll be abroad, which would have helped with the issue.)

But it isn't as bad as those "identify which of these loans you might have used" to identify you or as bad as silently truncating a password on input (both of which I've seen). Still, pretty darn bad. Don't surprise your users!

Speaking of additional factors, I wrote up a piece about all the different kinds of factors[0] and when you might use them. But NIST has the canonical list[1] as far as I'm concerned (section 5).

0: https://fusionauth.io/learn/expert-advice/authentication/mul...

1: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...


> You know the type: "What's your favourite animal?", and other easily-guessed and easily obtained information hackers can use.

> I always put in some gibberish by mashing the keyboard and make sure to record them somewhere safe just in case I need a password reset. I memorise my password and that should be fine, right?

But then you have to trust that "somewhere safe" is actually as safe as you think it is.

One alternative is to use them like mnemonic code phrases. So perhaps your answer to "What's your favourite animal?" is not really an animal, but maybe Cthulhu, so as a (somewhat overkill but illustrative) example maybe the answer would be "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn"


>One alternative is to use them like mnemonic code phrases. So perhaps your answer to "What's your favourite animal?" is not really an animal, but maybe Cthulhu, so maybe the answer would be "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn"

I'd go further than that and use stuff like that for actual passwords, but with a twist.

Using that sort of thing for such questions is good, but take something you know well, like a song lyric or line from a poem and then change it subtly. For example:

   Forty score and eleventy years ago, our 
   foremothers brought forth a new abomination.
Since you're the one making this stuff up, it's easy to remember, both for passwords and for those "secret" questions.

Those are pretty much endless in possibility too:

   In the town where babby formed, there lived a 
   gal who mailed some trees.

   Ask not what who has done it in your country.  
   Ask which Lulu can do it with you.
And on and on. The only real requirement is that you know whatever it is you're adapting well. Whether that be song lyrics, movie lines, poesy, etc.

I prefer song lyrics myself, since they're usually easier to remember, and when presented with the need to recall it as a password/"secret" question, the modifications made come right back.

I imagine that wouldn't work for everyone, but it works well for me, and would also work for others.

Good luck!


Finally make those eggcorns useful!

In linguistics, an eggcorn is an idiosyncratic substitution of a word or phrase for a word or words that sound similar or identical in the speaker's dialect. The new phrase introduces a meaning that is different from the original but plausible in the same context, such as "old-timers' disease" for "Alzheimer's disease". An eggcorn can be described as an intra-lingual phono-semantic matching, a matching in which the intended word and substitute are from the same language. Together with other types of same-sounding phrases, eggcorns are sometimes also referred to as "oronyms".

https://en.m.wikipedia.org/wiki/Eggcorn


In my experience this will inevitably be on a form field where pasting isn't allowed, you can't see what you are typing, and it will be case sensitive without telling you that. And you will get locked out on attempt 3.

Add them to the Notes field in Bitwarden

I had to tell some support guy my gibberish over the phone to get them to talk to me at all ... what fun.

Sigh. We're working to normalize better UX around account security at https://clerk.dev

It's a sordid affair, but we're making progress. We've reduced our average time to sign-in by about 20% since our launch 6 months ago. (There's nothing to say our starting point was very good, but we do think about this very consciously.)

If you're working to improve your sign-in flow, our biggest wins so far have been:

- OAuth buttons at the top, critically with Google included. OAuth is _way_ faster than passwords for most users; putting it at the top switched OAuth usage from just below 50% to just over 50%. Those extra percent using OAuth bring down the overall average time.

- Eliminate OAuth "edge cases." Turns out, they're not edge cases at all. 15% of users will sign up with email/password then try OAuth next, or will sign up with OAuth then try email/password next. Make sure you have happy paths for these.

- Magic links instead of OTPs for passwordless auth. Overall, magic links are a few seconds faster than OTPs since there's no entry step. (That said, we're still investigating whether it's better to trigger OTPs on mobile devices because of the auto-fill capabilities)

- Integrate with password managers. Our sign-in flow is normally two screens, but if we detect a password manager we'll accept the password on the first screen. Password manager folks are already the fastest, but this makes them even faster.

This is just the first factor. Admittedly, our second factor is still lagging behind, but UX is getting better for 2FA with FaceID & TouchID. We're optimistic we can have a positive impact on the second factor, as well.

If you're interested in having a team obsess over this on your behalf, come check us out :)


How about you allow me to turn off the second factor if I have a password manager, because I'm way more concerned about losing my second factor and getting locked out of my account than someone somehow getting into my password manager.

I personally use 1password for authenticator codes - highly recommend if you haven't seen it: https://support.1password.com/one-time-passwords/

Edit: Didn't answer the actual question - it's something we can look into. My instinct is that offering this wouldn't drastically change the security model, as long as we can be confident your password actually came from a secure password manager. Since some password managers (like 1password) are very strongly tied to devices, I think your ability to retrieve a password from it is a reasonable proxy for a possession factor.

It's definitely something I'd want to read more literature on before building. That's just my instinct, and I'm half expecting someone on HN to share the attack I'm forgetting :)


But doesn't this completely defeat the purpose of the codes, since they're no longer a second factor? I'd rather just not have the codes, as they're still a significant annoyance with next to zero benefit.

There are still some benefits. Your password can probably be bypassed with a "forgot password" flow while the TOTP code cannot.

Aside from that, though, I think it's reasonable to argue that the security of password+code in 1password is equivalent to just password in 1password.


If someone scrapes your clipboard or records your screen for example, this still adds a second layer of protection.

They can't scrape the clipboard because of autofill, and they can't record the screen because passwords appear as ******.

> passwords appear as hunter2.

You should be careful about copy pasting your password on the internet.


Huh? That’s not what I wrote...


Thank you. It was a clever reference on your part, I just hadn't seen it before. :)

Hehe you learn something new every day

"Magic links instead of OTPs for passwordless auth. Overall, magic links are a few seconds faster than OTPs since there's no entry step."

I am willing to stipulate that magic links are better in this way.

That is, provided they are of reasonable length. Say, 32 characters or less beyond the domain name itself?

You can't predict what device, or interface, or mail client one will receive these links on. You also can't predict how they will interface with the link (or resend or process it).

The 300+ character hash links I sometimes see are really lazy and clueless.
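The "32 characters beyond the domain" budget is easy to meet without sacrificing entropy: 24 random bytes base64url-encode to exactly 32 characters, which is far more than a guessable token needs. The sketch below is an added example of a magic-link issuer, not Clerk's code or any product's; the store, URL and 15-minute lifetime are assumptions. It keeps only a hash of the token server-side, so a leaked table does not yield usable links, and it makes every link single-use and time-limited.

```python
"""Magic-link tokens: short, unguessable, hashed at rest, single-use (added example)."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_BYTES = 24            # 24 random bytes -> 32 URL-safe chars, 192 bits
TTL_SECONDS = 15 * 60       # assumed link lifetime
BASE_URL = "https://example.test/auth/magic"  # placeholder, not a real endpoint


def _digest(token: str) -> bytes:
    """Hash before storage: a database leak must not expose live links."""
    return hashlib.sha256(token.encode("ascii")).digest()


class MagicLinkStore:
    """In-memory stand-in for a table of pending links (constructed for the example)."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._pending = {}                    # sha256(token) -> (email, expires_at)

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        assert len(token) == 32, "24 bytes must encode to 32 chars"
        self._pending[_digest(token)] = (email, self._now() + TTL_SECONDS)
        return f"{BASE_URL}?t={token}"

    def redeem(self, token: str):
        """Return the email on success, None otherwise. Consumes the token.

        The lookup key is a hash of a 192-bit random token, so a byte-wise
        timing difference on the dictionary key reveals nothing an attacker
        can invert; no constant-time compare is needed at this step.
        """
        entry = self._pending.pop(_digest(token), None)   # single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None                                   # expired: already removed
        return email

    def purge_expired(self) -> int:
        """Housekeeping so abandoned links do not accumulate."""
        now = self._now()
        stale = [k for k, (_, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)


def token_from_link(url: str) -> str:
    """What the click handler does: pull the token out of the query string."""
    return parse_qs(urlparse(url).query)["t"][0]


def demo(clock):
    """Walk the flow: issue, redeem once, replay, tamper, expire."""
    store = MagicLinkStore(now=clock)
    link = store.issue("alice@example.test")
    tok = token_from_link(link)
    first = store.redeem(tok)                 # valid
    replay = store.redeem(tok)                # already consumed
    link2 = store.issue("bob@example.test")
    tampered = store.redeem(token_from_link(link2)[:-1] + "A")
    return {"link_len_past_domain": len(link) - len(BASE_URL),
            "first": first, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(demo(time.time))
```

The interesting design choices are the hash-at-rest store and the `pop` in `redeem`: a link that is consumed on first use cannot be replayed if the mail is later read on a second device, and the expiry check runs after removal so an expired link is never left behind to be retried.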


> We've reduced our overall sign-in speed by about 20%

So it's slower now, or did you mean to say you've reduced the time to sign-in?


Fixed :) Thank you

> You might think there aren’t enough bells and whistles for us to teach you a new one every time you log on, but there are. And when there aren’t, we’ll switch to a new one.

> Update: It’s come to our attention that some of you don’t drive, which, honestly, just never occurred to us.

Excellent.


Worst I've seen by far for getting into a desktop banking website recently, it felt like a parody:

1. On desktop: Enter username and answer to a random memorable question like "your first pet" (password manager will probably fail to autofill this). You're then prompted for a "mobile security code".

2. On mobile app: Enter username + different password. Need to scroll, tap 7 items and then enter a password to get a mobile code you then have to type into the desktop app.

Getting the mobile security code logs you out of the mobile app and logging into the mobile app will log you out of the desktop app.

It's like they didn't do any user testing and think that more steps = better security.

Lots of UK banks also ask for random parts of your password only, e.g. "enter the 2nd, 10th and 5th character from your password", which is super tedious to do correctly because you can't use muscle memory or autofill. This is to defeat key loggers? Isn't that what 2FA would do? You'd think banks would be clued up on this.
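Two things a practitioner would want to check about the "2nd, 10th and 5th character" scheme above: how many observed logins a keylogger needs before it has the whole password anyway, and what the server must store to verify three arbitrary positions. The simulation below is an added example, not any bank's implementation; the per-position hashing scheme is one plausible way to store such a password and is assumed here to show its weakness.

```python
"""Partial-password challenges vs. a keylogger and vs. a database leak (added example)."""
import hashlib
import random
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def challenge(password_len, k, rng):
    """Server picks k distinct 1-based positions to ask for."""
    return sorted(rng.sample(range(1, password_len + 1), k))


def answer(password, positions):
    """What the user types for a challenge."""
    return "".join(password[p - 1] for p in positions)


class Keylogger:
    """Sees each challenge's positions and the characters typed in reply."""

    def __init__(self, password_len):
        self.n = password_len
        self.known = {}

    def observe(self, positions, typed):
        for pos, ch in zip(positions, typed):
            self.known[pos] = ch

    def recovered(self):
        return len(self.known) == self.n

    def partial(self):
        return "".join(self.known.get(p, "?") for p in range(1, self.n + 1))


def logins_until_recovered(password, k, rng):
    """Count logins until every position has been observed at least once."""
    kl = Keylogger(len(password))
    logins = 0
    while not kl.recovered():
        pos = challenge(len(password), k, rng)
        kl.observe(pos, answer(password, pos))
        logins += 1
    return logins


def mean_logins(password_len, k, trials=2000, seed=1):
    """Monte Carlo estimate of the average number of logins a keylogger needs."""
    rng = random.Random(seed)
    pw = "x" * password_len  # content is irrelevant to the count
    return sum(logins_until_recovered(pw, k, rng) for _ in range(trials)) / trials


# --- storage side: verifying arbitrary positions needs per-position checkability ---

def store_per_position(password, salt):
    """Assumed scheme: hash each character separately with its index and a salt."""
    return [hashlib.sha256(salt + bytes([i]) + c.encode()).hexdigest()
            for i, c in enumerate(password)]


def crack_per_position(stored, salt):
    """Offline attack on that scheme: each position has at most 94 candidates."""
    recovered, attempts = [], 0
    for i, h in enumerate(stored):
        for c in ALPHABET:
            attempts += 1
            if hashlib.sha256(salt + bytes([i]) + c.encode()).hexdigest() == h:
                recovered.append(c)
                break
    return "".join(recovered), attempts


if __name__ == "__main__":
    print("avg logins to recover a 12-char password, 3 chars per login:",
          round(mean_logins(12, 3), 1))
    pw, attempts = crack_per_position(store_per_position("Tr0ub4dor&3", b"salt"), b"salt")
    print("cracked from per-position hashes:", pw, "in", attempts, "hash ops")
```

The simulation shows the keylogger defence only delays an attacker by a dozen or so logins, and the storage side shows why such a scheme cannot use a normal slow password hash: the server has to be able to check individual characters, so whatever it stores is recoverable with a few thousand hash operations at most.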


One time I signed up on a site with 'Sign in with Google'. Months later, I wanted to delete my account, but the deletion process required I enter my account's password, which obviously I was never prompted to set up. The site wouldn't let me do a 'Forgot password' to set a password, so the account was impossible to delete.

It's easy! Just delete your google account, it will automatically invalidate any credential tokens given out to the third party site.

I'd change banks!

Yep, agree with that. UK banks don't usually advertise their log-in UX though so it's a pain being surprised by this and having to switch after going through the long sign up process (usually involves receiving letters by post and multiple sign-up steps over a week).

My bank insisted that I add a phone number to my account when I called them today. I declined and, when pressed, briefly explained SIM swapping and declined again. A glaring and obvious flaw in the integrity of using a phone number for ID verification was not even in the lexicon of this establishment that safeguards nothing less than all of my literal fucking money. They then went on to find that I actually did have a phone number on record, that it is authorized for identity verification, and also that I have never even heard of this phone number! I'm still dealing with it.

It's amazing to think that not just this but the entire mountain of bullshit could be avoided with simple passwords. It should be an option offered by every service for a user to deactivate all authorization methods besides one very strong password and perhaps a backup password. We should at least have the option.


Unfortunately people like you (and me), who actually have strong passwords, let alone who understand in any detail what constitutes a strong password, are a tiny minority. They have to design for the lowest common denominator.

And even those of us with strong passwords, and a strong understanding of cyber security, are vulnerable to phishing and other attacks, that can be defended against by using MFA.

Obviously MFA can be taken to ridiculous "ten factor" extremes. But sticking with, or going back to, just passwords, isn't the solution.


If we had just passwords then there would be far fewer people losing their life savings than with the current system.

All of the comments so far are about security and UX, but I read this more as a parody of the ever increasing bloat of university administration and burdens placed on faculty that go beyond their core expertise (and some mild digs at wokeism)

After consulting with the TSA, they added an alternate 2FA process in which access is gated via displaying your University Precheck Card ($199/year) to the webcam, and verifying the subsequent link sent to your university email.

People who care about user experience hardly ever talk to people who care about security in large organizations. That's how we end up with experiences like this.

Ring (Amazon) made me call them to reset my two-factor app sync. They asked me to send a bill to the address of my home via my email as proof that this is really me and not just someone who has my password and access to my email. I asked what the point of this is if it's not really me but someone who has my password, has access to my email and can log in to the utility company to get a copy of my bill after resetting my password there too? The agent literally said this is the script they have to say and they don't know...


This is how you come up with security suggestions like "Let's just email the user a one time password on every login" which gets suggested here perennially.

Though that approach is flawed, at least they stuck to their script, i.e., resisted social engineering.

My grandparents recently got locked out of their Comcast account the other day. They forced multi-factor on all their customers in the last year.

You could not imagine how hard it is to have the internet without also having a cell phone.

Modern security is a usability nightmare.


Plus, grandparents, the group notorious for their tech-skill.

I've just taken over all my elder family accounts for internet, TV, phone, etc. Much easier. And all the vendors treat me as HVC cause I'm paying for multiple services on their platforms.


What does HVC mean?

"High value customer", if I had to guess.

Yea, these three are correct - I use the word Client tho.

High value customer, I’d imagine

my guess is "high value customer"

Has anyone had any luck reasoning with the powers that be, to come up with reasonable security?

When the security department suggests another thing, to protest sounds like you want things to be less safe simply because it's annoying. But some of these things add only a little bit of security, or address a scenario that is highly unlikely, but you pay for it every day, day after day, with a dozen irritations that peck at you.

Security is a continuum. I could always imagine something more to add: "Lock the screen after 10 minutes? Why not 5? Why not 2?" So the security team seems to have their way until the users are almost driven crazy but not quite.


Here's a question spurred by the post. Who administers and issues VINs? I assume VINs are the same throughout the world.

Is there some sort of worldwide regulatory body, or is compliance by manufacturers simply a gentlemens' agreement?


Before 1981 car manufacturers just made up their own numbers. Now there’s a global SAE standard.

The NHTSA in the United States has a partnership with SAE.


I believe they're administered by Vin Diesel.

I think the UK uses AWS QLDB to issue vehicle ownership. I don't know if VINs are recognized globally, but I really appreciate that non-repudiation use of the blockchain.

Almost all the comments here pertain to the 10-factor authentication mechanism in the title of the article, but the article really is a criticism of the current education system.

It's both. Administration/bureaucracy is behind both. University or megacorp, they both overcomplicate things. They overextended because there's no real pressure pushing against that extension.

Sure, good intentions are pushing for doing more: more inclusivity, more security, more assessment, more reports, more measurability (to get more fairness), etc.

And since it's hard to start a competing university or ISP or telco or TSA (!)... there's not even the usual push from the market to be resource efficient.


> While the system verifies that your definition is sufficiently accurate, please report to campus police, where you’ll undergo a very brief body cavity search. For security reasons, we cannot tell you what we’re looking for. This is about digital safety.

This was a fantastic read. Kudos to whoever put it together.


The problem with McSweeney's is that it's a humor publication that fails at humor. It's like those sitcoms from the 80s where they had to add laugh tracks because no one actually laughed while watching them. At best it's something for young adults to forward around to try and look sophisticated, but like those young adults, it misses the point entirely by trying much too hard.

There aren't very many things that someone can say that are universally wrong, but "I don't think this is funny and therefore it is failed humor" is probably pretty close

But seriously, it's just not funny. Did you read the stupid one about the pumpkins they trot out each year? Curse words with serifs, ooh la la.

Again: "I don't find this funny" =/= "this is not funny"

Personally, the decorative gourds one always gets me. Different tastes.


This is too complicated, and could instead be handled by an intelligent, dynamorphic anal-probe which you sit upon to,

and then have your individual inner patterns recognized.

This could have many other benefits, like corporate approved application of nutrients and drugs by enema,

connection to plumbing to save toilet time, and motivation by dildonic gratification for good work.

It could also give a spine.

Baa! Baa! Baa! Mew!


Seems reasonable. They don't even require a pubic hair sample.

Ten is a nice round number. Now if it was 11, a nice prime number, well then, that would have been nerdy pretentious. Good job at finding the sweet spot.

The 11th round involves identifying a correct Nigel Tufnel quote from "This Is Spinal Tap".

Damn I wish I thought of that. But, hey, way to go taking care of business!

How do you type sign language?

There are many systems, here's an overview: https://aslfont.github.io/Symbol-Font-For-ASL/ways-to-write....

E.g. for one of the systems in the article:

> It is written left to right, and uses subscripts, superscripts and diacritics. Each sign is written in this order: handshape, orientation, location, actions.


In theaters next summer: Decafactor. This time, Auth is taking it personally.

How much time does 10-factor authentication take?

Is this an April Fools' joke?

A sign of the times. Seems like our non-technical brethren find 2FA/MFA a burden?

McSweeneys’ satire and parodies are rarely in good jest in my experience. This is a criticism of the move towards 2FA/MFA make no doubt about it. The writer, and the editors who let this through, are not happy about this state of affairs.

McSweeney’s isn’t a no-name blog or journal either — its name holds sway over those who work in literary arts.


I'm one of your technical brethren, and non-technical people aren't the only ones who think 2FA is a pain.

Don't get me wrong, the security benefits are worth it. But having to pull out my phone multiple times a day to enter a code from an authenticator app? Dude, my phone communicates with my laptop throughout the day. Why does this need me in the mix?

Digital OTP, like the kind provided by 1Password or Bitwarden, are a little more convenient. And having Google Voice means I can easily copy codes sent via text straight from my laptop.

But it's something I'd rather not even have to pay attention to. I don't need to manually enter a code to get HTTPS.


> the security benefits are worth it.

Mind that 2FA replaced TANs, which are literally the most secure thing (one-time pads). 2FA is not about security, but about ease of administration.

(As a side effect, 2FA usually puts all the eggs in a single basket and forces you to carry that basket around with you, everywhere you go. Mind that this basket isn't even the basket itself, but one of many ways to access an account connected to another ID, but still the only one accessible to you.)


I remember a DevOps engineer at my last job telling me about a "cheat code" where we could type 'push' into the VPN 2FA prompt to have it pushed as a notification to the enrolled device. I've been typing the same command into every 2FA prompt I encounter since then with no luck. I wish that was a standard convention.

There shouldn't be a standard convention for a "cheat code" - if the thing can do push, it just should offer it in the UI.

A push notification is still a context switch so you're really only saving the time to find your authenticator app.

5-factor auth is an obnoxious thing and real.

  1. username and password for website
  2. token sent to email
  3. login for email (auto logged out)
  4. email 2fa that requires SMS 2FA or Google auth, stored on phone
  5. pincode / face for phone
edit:

Oh! I could add 2 more real ones:

  -1: password manager login
   0: password manager 2fa

RSA soft tokens require a PIN. Some versions it's appended to the code, some you enter it to get the code (both exist in my organization). So that's like three more factors right there.

> our non-technical brethren

Nah. I currently work for NYU and find their 2FA system pointlessly burdensome. I need to type my password (in practice, unlock my password manager) and then procure my second factor every day, on every device I use. Inevitably any mobile app I need to interact with requires doing all of this again, except this time inside a custom webview that doesn't remember cookies. I have never worked for a tech company that made things this annoying, and I can't fathom how bad it must be for anyone who needs to use e.g. a screen reader.


Hold the condescension. I wouldn't be surprised if the author is from the place where the following definitely literally happened:

At first, there was 2FA where you could either

1. Download the proprietary app OR

2. Get texted the code.

(i.e. no "do-it-yourself" e.g. Google Authenticator option.)

This means you must have a cell phone of nearly any kind. Mostly reasonable.

Turns out, option 2 cost somebody like half a cent every time it was used and also was far more popular than anticipated.

So they just got rid of 2. That's all, no mitigation.

And now you've DRASTICALLY increased the tech requirements for a major public school; I know of IT instructors in the place who did not actually regularly use a phone "fancy" or new enough to handle the official app.

Utter BS.


Is anyone happy about the accumulation of passwords, authentications and verifications required in the modern technical world?

The founders and investors of 1Password, perhaps.


I don't think there's quite as much malice as you seem to read into it. Yeah, 2FA is kind of annoying, particularly when you don't have a real concrete understanding of the reasons why it's important.

It's a funny frame device to float a couple different satirical ideas. I'm sure faculty members – and most people – understand that 2FA is a necessary minor annoyance.


» I don't think there's quite as much malice as you seem to read into it.

Requiring signing into my Microsoft account (with two step authentication code) every twenty four hours on a company laptop you control is obnoxious. You should educate and empower your employees, not treat them as the weak link in your armor.


It’s naive to not treat them like the weak link though, because they really are. No amount of education (that is routinely ignored) is enough to actually change that.

Routinely ignored implies that it's a deliberate action on the part of an employee. I don't think that's the case. The yearly security training gets treated just like the airplane safety briefing. Folks pay attention the first couple of times they encounter it, but when they realize they'll never be in that situation, it gets classified as 'could be useful, but will probably never be needed.'

The yearly security training is probably just a compliance checkbox companies do. If they wanted an educated workforce that practices security first there are other far more effective approaches.

Of course, that all ignores the fact that employees are weak links not because they are dumb, but because they don't have an incentive to protect the company when they or their families are put in danger by a threat actor.


I hear you, it is obnoxious, and probably not the best solution. That said the employees absolutely are weak spots in the armor.

The two factor where I work, Google, uses security keys for the second factor. I think offering these as an alternative to the email/SMS codes would be nice, tapping a little USB nub isn’t nearly as annoying as grabbing a code from another webpage or device.

Not just non-technical. It’s a huge burden.

Not to mention the pain when said factor is lost. I just replaced a broken phone, and having to login in everywhere that previously required an Authenticator has not been fun.



I thought it was a bit strange when my neighbor put up a sign to encourage me. I guess it was all more complicated than I thought.

I found it to be less a satire of 2FA/MFA than of college administration busybodies in general.

2FA is by definition an additional burden.


