Two-factor is far from perfect
More and more I read posts on here how people want 2 factor security, then reading articles like this on ZDnet, the more I like the secret key.
People, SMS is horrible security. This is why you should not rely on it 100%. If you're on here, you probably use 1Password. So don't use weak passwords even if you have 2 factor authentication turned on.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@prime: Yeah, that's why I hate talking about "two-factor". It's a nonsense term because there are so many different implementations. Some are beneficial; others are just security theater.
I was just looking at another article about this yesterday which had a similarly misguided headline. This one reads:
Two-factor security is so broken, now hackers can drain bank accounts
What it should really say is
SMS security is broken, may allow compromise of bank accounts
But while more accurate, I guess that's not clickbaity enough. :tongue:
0 -
@brenty very true, there are different implementations, but most people do use and know the SMS version. For my bank, it was set up by it self. And if you use authenticator app for whatever account, in some cases, a cell phone number is required as a back up.
While is is clickbaity, it is true and I think we should get away from it.
0 -
I am glad my bank don't force its costumers to enter their personal mobile phone number to use it as an authentication method. My question is "what must happen in order for the carries to fix the flaws in the calling and text message routing system, known as Signaling System 7 (SS7)?" The NSA, CIA, FBI and other National Security Agency around the world make use of these flaws to intercept calls, text messages in order "to do their job" according to another article I have found on the Internet. If they patch all the issues they might lock out the agencies as well, but I would rather do that than let the bad guys intercepting the telecommunication systems. The banks and everyone else should drop the SMS 2FA and instead make us of a QR code that you can scan it with 1Password, for One-Time Password or any other apps that can scan the QR code and generate the 6 digits code. Wondering why aren't the codes alphanumerical? Hope anyone can give me some answers or explanations to my 2 questions.
0 -
@brenty very true, there are different implementations, but most people do use and know the SMS version. For my bank, it was set up by it self. And if you use authenticator app for whatever account, in some cases, a cell phone number is required as a back up.
@prime: You're absolutely right. And I guess I also forget that in some cases we're not even given an option, as is often the case with banks.
While is is clickbaity, it is true and I think we should get away from it.
I want to agree with you on this too, as you're right that it does raise awareness. But I think misinformation is the wrong kind of awareness. I may be wrong about this, but I do feel strongly that once we're using "2FA" interchangeably with "SMS", it's not a huge leap for most people to lump all of this "security stuff" together and write it off completely.
0 -
I am glad my bank don't force its costumers to enter their personal mobile phone number to use it as an authentication method.
@Catalin1P: Indeed, we're the lucky ones. At least one of my banks doesn't do this.
My question is "what must happen in order for the carries to fix the flaws in the calling and text message routing system, known as Signaling System 7 (SS7)?"
That's a heck of a question. I think you always have to follow the money, as that's going to be the biggest motivator. But in cases like this, there isn't a clear financial motivator.
On the one hand, banks can be pressured by their customers not to do this, and ultimately if enough people do this, they may change in time. But on the other hand, there would likely be huge costs involved in changing; and, while insecure, SMS two-factor still offers a security benefit over no two-factor at all, so the costs of fraud have to be factored in as well; and finally, SMS is ubiquitous and means not having a separate app/dongle/whatever for a customer to lose, thus decreasing support costs in a number of ways. That isn't to defend the use of insecure SMS in the service of security, but I think I can see where they're coming from at least.
After all of that though, I really must say that only the banks can answer your question. But when the costs pro outweigh the costs con, I have no doubt they'll change. I'm just afraid that a lot of people's bank accounts are going to get drained along the way.
The NSA, CIA, FBI and other National Security Agency around the world make use of these flaws to intercept calls, text messages in order "to do their job" according to another article I have found on the Internet. If they patch all the issues they might lock out the agencies as well, but I would rather do that than let the bad guys intercepting the telecommunication systems.
I believe that we should be unsympathetic to law enforcement in this regard. That may sound harsh, but they're paid for their work and I don't think it's incumbent on society as a whole to use weak security just to make their jobs easier. Obviously that's not what you're proposing, though they'd like that, but it's important for all of us to maintain perspective on this: most people are law-abiding and thus haven't abdicated their right to privacy and security, so anything that weakens or maintains a low status quo for security when we know and can do better is overwhelmingly hurting us more than it is helpful. Government agencies won't just come out and say it this way, but they're effectively arguing that in order for us to have better security (terrorists, criminals, etc.) we need worse security (weak encryption, backdoors, etc.)
The banks and everyone else should drop the SMS 2FA and instead make us of a QR code that you can scan it with 1Password, for One-Time Password or any other apps that can scan the QR code and generate the 6 digits code.
This sort of goes back to something I mentioned earlier. Certainly there are much more secure ways of doing things, but especially when we're talking about consumers whose job isn't security, it's a real tightrope walk between keeping people safe and making it easy for them to lock themselves out of their own accounts. This really hits close to home for me, as I've helped family members recover their 1Password.com accounts, and customers likewise. But since we've introduced Duo two-factor authentication beta for 1Password Teams Pro customers, I've seen folks lock themselves — and their colleagues — out of their accounts more easily than ever before.
Wondering why aren't the codes alphanumerical? Hope anyone can give me some answers or explanations to my 2 questions.
I suspect that numbers are most commonly used because they're m much easier to "eyeball" and enter, and also this is what the TOTP standard supports. Steam uses alphanumeric authenticator codes, and I always have to double check what I'm entering. There's probably a scientific explanation for this, but I just know from experience that numbers are easier to deal with. And a six digit numeric code is sufficiently secure for a one-time password with a 30-90 second life.
0 -
@Catalin1P I think all banks should do this. SMS 2 step factor is better than none at all, but people still need a long and unique password. People rely on 2SA/2SA way too much and they shouldn't, One thing people can do to protect their cell phone account is set a PIN for it. My cell phone provider can't make any changes at all unless I give it to them. So no one can go in, ask for a SIM with my number on it, and use it.
@brenty I hope in the future banks use a better system. At Least they are headed in the right direction, but they need to do it faster.
0 -
@prime: Yeah, and that's a great point. Certainly it depends on the person, but it can certainly be tempting to use a weaker password if you believe that the two-factor authentication will protect your account — especially considering some of the rather archaic password restrictions many finical institutions have in place. And just be aware that depending on the company, there are often escape hatches in place that can be used to circumvent account PIN/password through social engineering.
0 -
I think it is far from perfect but now it got even worse. According to the competition they came up with this: Announcing Cloud Backup for Authenticator: You can now back up your Authenticator data to your account. Isn't that what 1Password has implemented years ahead? I mean 1Password One-time password does the same thing but it does not require a separate app. Does't this backup thing decrease it's purpose of using it? If they get into your main account they can easily restore your codes as well.
0 -
@Catalin1P: Hmm. That's new to me, so it hard to say without researching it further. I think some people might prefer that, but you're right that that does sound like it negates the second factor. The best and worst thing about two-factor authentication is often the recovery mechanism. When you need them, they're a blessing, but the rest of the time they're a bit of a security curse.
0
