Post ASnyDZgjSSVdAbCjM8 by Tamber@taur.zone
 (DIR) Post #ASnfBfuVSGhUl91mVM by mjg59@nondeterministic.computer
       2023-02-18T09:42:47Z
       
       0 likes, 1 repeats
       
       My heretical opinion: for most users, SMS 2FA is good. As long as sites don't reuse SMS as a way to reset passwords, SMS 2FA is strictly better than no 2FA. Yes, it's the easiest 2FA to compromise - but it's still better than no 2FA at all. If you re-used a password elsewhere, SMS 2FA will still prevent an attacker getting into a different account.
       
 (DIR) Post #ASnfJm9Q8WuUQlrmRk by mjg59@nondeterministic.computer
       2023-02-18T09:44:27Z
       
       0 likes, 0 repeats
       
       The big deal about SMS 2FA is that it delegates recovery to your phone provider. That means services that can't afford to handle 2FA resets (an inherently manual process) can still provide 2FA without a large risk of locking users out. This matters, and repeated assertions SMS 2FA are either useless or dangerous are just bad advice.
       
 (DIR) Post #ASnfUj2q1e5vyz0bxI by anthropy@mastodon.derg.nz
       2023-02-18T09:46:13Z
       
       0 likes, 0 repeats
       
       @mjg59 idk what's heretical about it, like you could also consider email 2FA bad, and a lot of other things alike, including passwords itself, especially when reused, but I'd argue that's exactly why you have MFA 🤷
       
 (DIR) Post #ASnfeEf9q7iieOT1xQ by alceawisteria@im-in.space
       2023-02-18T09:47:12Z
       
       0 likes, 0 repeats
       
       @mjg59 No. Lose your phone. Break your #sim. Boom. No more access. Lose your #email? I doubt it.
       
 (DIR) Post #ASnfmlf7270TJRVxpY by mjg59@nondeterministic.computer
       2023-02-18T09:48:56Z
       
       0 likes, 0 repeats
       
       @alceawisteria Lose my phone: attacker doesn't have my password, doesn't matter. Attacker has my password, still needs to unlock my phone. I lose my phone: I go to my phone provider, provide ID, gain access to the number again. I don't need to rely on recovery printouts.
       
 (DIR) Post #ASnfusVFTyzSqVlgn2 by inetpro@infosec.exchange
       2023-02-18T09:50:19Z
       
       0 likes, 0 repeats
       
       @mjg59 agreed, while I hope that allowing paid subscribers to use SMS 2FA is just a temporary measure to eventually get to a more secure solution, I fear that it may not make the process any easier or better in the long run
       
 (DIR) Post #ASng4EonsrG4f7NUnI by mjm@hachyderm.io
       2023-02-18T09:52:45Z
       
       0 likes, 0 repeats
       
       @mjg59 it’s certainly better than no 2FA, and elevates you out of the “low hanging fruit” category.
       
 (DIR) Post #ASngOj9ymgoCYZ3L7Y by inetpro@infosec.exchange
       2023-02-18T09:56:20Z
       
       0 likes, 0 repeats
       
       @mjg59 fair point
       
 (DIR) Post #ASngXfyTzsNrHcwUkq by erincandescent@queer.af
       2023-02-18T09:57:02Z
       
       0 likes, 0 repeats
       
       @mjg59 I think I agree with you. I think the weakest bit of SMS 2FA in practice is that most people have e-mail on their phone; but this issue applies also to most other 2FA forms
       
 (DIR) Post #ASngfan79W29WYOqhc by deetwenty@todon.nl
       2023-02-18T09:57:39Z
       
       0 likes, 0 repeats
       
       @mjg59 The biggest issue with SMS 2FA is how easy it is to social engineer many mobile providers, but that is not inherently a problem with SMS 2FA, that is a problem with how mobile providers work (and even then still better than no 2FA!)
       
 (DIR) Post #ASnh0Ei4RgYL7ZstY8 by neffo@mas.to
       2023-02-18T10:02:15Z
       
       0 likes, 0 repeats
       
       @mjg59 A sufficiently cooked twitter account is indistinguishable from a hacked one
       
 (DIR) Post #ASnhOAy00v3qSikZPM by sesquipedality@mendeddrum.org
       2023-02-18T10:07:20Z
       
       0 likes, 0 repeats
       
       @mjg59 So far as it goes, this is right. However, the issue with SMS authentication is that it provides the illusion of security while being easily circumventable by a black hat. It can then be used as a stick to beat the end user with: "Well, you authenticated using 2FA, so it must have been you that did it." It may also encourage users to worry less about reported password leaks. It is probably better than nothing, but these days, with better options common, it's a bad idea.
       
 (DIR) Post #ASnhWs4hcfggTb22Bk by gringene@genomic.social
       2023-02-18T10:08:47Z
       
       0 likes, 0 repeats
       
       @mjg59 so in other words, SMS 2FA is better than FA 2FA
       
 (DIR) Post #ASnhgljg2vhHiBuuf2 by mjg59@nondeterministic.computer
       2023-02-18T10:11:03Z
       
       0 likes, 0 repeats
       
       @deetwenty Right! It's a 2FA mechanism that has some attack vectors, but (a) it still requires the attacker to have the primary factor and (b) it involves the attacker needing to go to the effort of socially engineering your phone provider
       
 (DIR) Post #ASnhwDdQbFvQaEMRvM by mjg59@nondeterministic.computer
       2023-02-18T10:13:41Z
       
       0 likes, 0 repeats
       
       @sesquipedality It's not "easily circumventable". It requires an attacker to have another authentication factor, and it requires that attacker to coerce your phone provider (or the underlying network) into giving them access to your number. From a security perspective, that's an improvement over just using a password. But I agree that framing it as a strongly effective 2FA mechanism is potentially a way for avoiding responsibility, and that's bad. Banks shouldn't do that.
       
 (DIR) Post #ASniXItY0RqRbyaHjM by sesquipedality@mendeddrum.org
       2023-02-18T10:20:20Z
       
       0 likes, 0 repeats
       
       @mjg59 what I've read suggests that it is relatively easy to obtain access to this data by bad actors with the relevant know-how and some financial resources, but I think the key point is that it's a known weakness, and if you have a phone, these days you can install a 2FA app which doesn't have the same weaknesses. If a known and significant vulnerability can be eliminated, it probably should be.
       
 (DIR) Post #ASnifcoPq2L1hU9TN2 by siguza@mastodon.social
       2023-02-18T10:21:22Z
       
       0 likes, 0 repeats
       
       @mjg59 the pessimist in me says that every SMS 2FA will be turned into SMS 1FA sooner or later, because it's just so easy and convenient to do.
       
 (DIR) Post #ASninKAZ2GToCJBOcK by mjg59@nondeterministic.computer
       2023-02-18T10:23:13Z
       
       0 likes, 0 repeats
       
       @sesquipedality "Relatively easy" is a broad spectrum - it's relatively easy for an intelligence organisation, it's not relatively easy for a teenager in a foreign country. Alternative mechanisms are more secure against that, but carry different risks (if you use TOTP and lose your phone, how do you get access to your account again?), and framing it as a one-dimensional tradeoff is just misleading
       
 (DIR) Post #ASniwXPBC8RtqzPdAm by pwaring@fosstodon.org
       2023-02-18T10:24:24Z
       
       0 likes, 0 repeats
       
       @mjg59 I agree, and SMS has the advantage of wide adoption and pretty much everyone with a phone knows their number (or can look it up) and how to read texts. 'Scan this QR code in an app you don't use for anything else and then type a number that changes every 30s' is not user friendly.
       
 (DIR) Post #ASnjRAVuM3BRpmAJo8 by sesquipedality@mendeddrum.org
       2023-02-18T10:30:22Z
       
       0 likes, 0 repeats
       
       @mjg59 I think the answer to that is "by using something like authy and setting it up on multiple devices" but it's fair to say that that might be beyond the technological capabilities of many.  Banks seem to use their apps for 2FA and are able to navigate lost phone scenarios, but as you say, that carries support cost for them.  You are right that it's not a one dimensional trade-off though.  SMS is also likely to be more accessible than app setup for those who find technology difficult.
       
 (DIR) Post #ASnjdYxRIXXR7Yx9LU by mkj@social.linux.pizza
       2023-02-18T10:32:42Z
       
       0 likes, 0 repeats
       
       @mjg59 A lot of people seem to consider SMS/email #2FA a poor choice because they can be circumvented; overlooking that the attack must then be *targeted*. That alone is a huge win IMO as it eliminates several classes of attacks including password spraying, and is why I argue at https://michael.kjorling.se/password-tips/ that SMS/email 2FA can help. (At the bottom because that page is mostly about passwords.) TOTP or FIDO2 is even better but any forcing to target an attack is far better than only a static secret.
       
 (DIR) Post #ASnjtJH1NZ7l6vcZN2 by sesquipedality@mendeddrum.org
       2023-02-18T10:31:21Z
       
       0 likes, 0 repeats
       
       @mjg59 Mostly I'm against SMS as the *only* 2FA option on offer.
       
 (DIR) Post #ASnjtJmvSwe2hsY36G by mjg59@nondeterministic.computer
       2023-02-18T10:35:38Z
       
       0 likes, 0 repeats
       
       @sesquipedality 100% agree
       
 (DIR) Post #ASnlwYwblutaUQkfxY by tuo2@infosec.exchange
       2023-02-18T10:58:29Z
       
       0 likes, 0 repeats
       
       @mjg59 this, 100%. Perfect is enemy of the good.
       
 (DIR) Post #ASnn9520OmKtR2oDmy by alceawisteria@im-in.space
       2023-02-18T11:11:58Z
       
       0 likes, 0 repeats
       
       @mjg59 This is about *losing access to the phone / sim*. Besides: cellular networks aren't that foolproof and messages can be intercepted
       
 (DIR) Post #ASnnSMEkeXa0Icxm40 by pilif@mastodon.social
       2023-02-18T11:15:32Z
       
       0 likes, 0 repeats
       
       @mjg59 the largest problem with SMS 2FA is that way too many services allow for password recovery over SMS once a phone number is configured. And that is worse than email
       
 (DIR) Post #ASnpVrL7faglXXjyz2 by RandomDamage@infosec.exchange
       2023-02-18T11:38:26Z
       
       0 likes, 0 repeats
       
       @mjg59 @sesquipedality near physical proximity is also sufficient for SMS intercept. This isn't a problem for everyone, but it definitely can be an issue for people who live in high-density areas. The attack model becomes:
       1. rig up SMS signal interceptor
       2. scan latest exfil dump for targets that should be in your area
       3. attempt access on several while watching for SMS 2FA code transmissions
       It might take you a few to get your hit, and it raises the bar somewhat over grabbing purses on the street, but the attack vector is real. In East Middle Nowhere Montana this isn't a viable attack. In London or New York it most definitely *is* a viable attack.
       
 (DIR) Post #ASnsuvVBdCD9YF5nSi by maol@home.social
       2023-02-18T12:16:32Z
       
       0 likes, 0 repeats
       
       @mjg59 not heretical, just common sense: 2FA is always better than just a password. Even when the second factor is an SMS
       
 (DIR) Post #ASnx0Ubovnf1hM6ZvM by c0dec0dec0de@hachyderm.io
       2023-02-18T13:02:25Z
       
       0 likes, 0 repeats
       
       @mjg59 Hard agree.
       
 (DIR) Post #ASnyDZgjSSVdAbCjM8 by Tamber@taur.zone
       2023-02-18T13:15:53Z
       
       0 likes, 0 repeats
       
       @mjg59 I think people get too wrapped up in pushing for a *perfect* solution, with the end result of people getting *no* solution rather than one that is flawed but better than nothing.
       
 (DIR) Post #ASo0mRVe3gL1qblxb6 by KristinMuH@mastodon.social
       2023-02-18T13:44:42Z
       
       0 likes, 0 repeats
       
       @mjg59 the best security in the world will fail if users won't accept it. SMS 2FA is less secure but more user-friendly than auth apps or security keys, so functionally it is more effective
       
 (DIR) Post #ASo2ZDF7zNyHkErkMy by virtulis@loud.computer
       2023-02-18T14:04:30Z
       
       0 likes, 0 repeats
       
       @mjg59 hello, sorry to bother, if you could comment on my dumb idea related to this, that'd be very useful :) https://loud.computer/@virtulis/109885911001873758
       
 (DIR) Post #ASo7sGFXXBDaLIxdse by AntifaGrannie@mastodon.social
       2023-02-18T15:04:05Z
       
       0 likes, 0 repeats
       
       @mjg59 Antifa Grannie 😂 here, new to Mastodon & old. Could you splain this in "old english"?
       
 (DIR) Post #ASoQOM7b2JxkzmhP2O by seanhood@hachyderm.io
       2023-02-18T18:31:26Z
       
       0 likes, 0 repeats
       
       @mjg59 One of the things I /like/ about SMS 2FA, is you in effect get a notification if your account is compromised (assuming you're not being targeted in an attack). I'm aware some other 2FA solutions would alert in a similar way, but I've rarely come across them. And not all sites spam with email when you log into a new device either. I'm still in the SMS 2FA is not less secure than only user/pass camp.
       
 (DIR) Post #ASoTlv03pD9Fgy6Lfk by Rairii@haqueers.com
       2023-02-18T19:09:35Z
       
       0 likes, 0 repeats
       
       @mjg59 yeah, i think most of the problem of SMS 2FA is "most consumer focused websites reuse it as a way to reset passwords"
       
 (DIR) Post #ASoUrEl9t1LUNTENwO by captainslim@infosec.exchange
       2023-02-18T19:21:38Z
       
       0 likes, 0 repeats
       
       @mjg59 @sesquipedality As easy as it may or may not be for an attacker to gain access to someone’s 2FA SMS codes, what’s definitely a whole lot easier is not having to bother with that at all because an account is secured by only a password. SMS 2FA is still a pretty big hurdle for an attacker, even if it’s not as big a hurdle as other forms of 2FA.
       
 (DIR) Post #ASoxNk95WjodhciEYi by mjg59@nondeterministic.computer
       2023-02-19T00:41:27Z
       
       0 likes, 0 repeats
       
       @vandry either use a number you can forward or receive SMSes on via other mechanisms, or don't use SMS 2FA?
       
 (DIR) Post #ASpW8NS9717NNI2EHw by corsac@mastodon.social
       2023-02-19T07:10:38Z
       
       0 likes, 0 repeats
       
       @mjg59 I guess you already know but @taviso has strong opinions on SMS 2FA as well (https://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html)
       
 (DIR) Post #ASqmPut1qwQSPlxEie by taviso@social.sdf.org
       2023-02-19T21:46:09Z
       
       0 likes, 0 repeats
       
       @corsac @mjg59 Yeah, strong disagree that SMS-2FA is better than no 2FA at all... but there is a cheap and easy solution to credential stuffing that is! Unique Passwords make credential stuffing literally impossible, and it works on every service, not just a few! It's also free, and doesn't require a cellphone subscription!
       
 (DIR) Post #ASqmPvUbbEU2IJXFI0 by mjg59@nondeterministic.computer
       2023-02-19T21:47:41Z
       
       0 likes, 0 repeats
       
       @taviso @corsac and also requires a password manager (Chrome's built-in one doesn't handle app use-cases)
       
 (DIR) Post #ASqmYyahRvh8VfhXAu by taviso@social.sdf.org
       2023-02-19T21:49:31Z
       
       0 likes, 0 repeats
       
       @mjg59 @corsac It's an optional enhancement, you can use paper and pencil if you prefer, or any method of information storage and retrieval that works for you!
       
 (DIR) Post #ASqmv3ir3EeanP2sS0 by mjg59@nondeterministic.computer
       2023-02-19T21:53:35Z
       
       0 likes, 0 repeats
       
       @taviso @corsac Well yes but I think the intersection of "People who can't manage TOTP" and "People willing to use strong passwords for every site" is approximately 0
       
 (DIR) Post #ASqnDRJ46ZOP9XkNWa by taviso@social.sdf.org
       2023-02-19T21:56:49Z
       
       0 likes, 0 repeats
       
       @mjg59 @corsac You believe there are people who can manually copy a TOTP code from their phone to a website, but won't copy a password from their phone to a website? Is your concern the complexity? Even low-complexity unique passwords (~8 alnum) are a significant upgrade over password reuse!
       
 (DIR) Post #ASqnSQQHfkA8kxGlFo by mjg59@nondeterministic.computer
       2023-02-19T21:59:35Z
       
       0 likes, 0 repeats
       
       @taviso @corsac As someone who does use strong unique passwords for every site, *I* find it a huge pain in the ass to copy passwords from the password manager on phone to an app on my phone.
       
 (DIR) Post #ASqnhSoH518AVFf52e by taviso@social.sdf.org
       2023-02-19T22:02:16Z
       
       0 likes, 0 repeats
       
       @mjg59 @corsac Yeah, it probably would be for strong passwords! If you won't use a tool to help and insist on manual copying from your phone, we can optimize for that to make it just as simple as copying a SMS 2FA code. Low complexity unique passwords are easy to copy, and still a significant upgrade. We can even use bubble babble or similar algorithm to optimize readability!
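
       The proposal in the post above (low-complexity unique per-site passwords, optionally rendered with Bubble Babble for readability), as an added example that is not code from any participant in this thread: Antti Huima's real Bubble Babble encoding next to an alnum generator, with the entropy of each so the two can be compared. The 8-character and 6-byte lengths are assumptions chosen to match the "~8 alnum" figure in the thread.

```python
import math
import secrets
import string

# Bubble Babble alphabets (Antti Huima's encoding, also used for OpenSSH fingerprints).
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"
ALNUM = string.ascii_letters + string.digits


def bubble_babble(data: bytes) -> str:
    """Encode bytes as pronounceable 5-letter groups with a running checksum."""
    out = ["x"]
    c = 1  # checksum seed fixed by the spec
    for i in range(0, len(data), 2):
        b1 = data[i]
        # Each byte pair becomes vowel-consonant-vowel + consonant-'-'-consonant.
        out.append(VOWELS[(((b1 >> 6) & 3) + c) % 6])
        out.append(CONSONANTS[(b1 >> 2) & 15])
        out.append(VOWELS[((b1 & 3) + c // 6) % 6])
        if i + 1 < len(data):
            b2 = data[i + 1]
            out.append(CONSONANTS[(b2 >> 4) & 15])
            out.append("-")
            out.append(CONSONANTS[b2 & 15])
            c = (c * 5 + b1 * 7 + b2) % 36
    if len(data) % 2 == 0:
        # Even length (including empty input): a checksum-only closing triple.
        out.append(VOWELS[c % 6])
        out.append("x")
        out.append(VOWELS[c // 6])
    out.append("x")
    return "".join(out)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing entropy in a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def alnum_password(length: int = 8) -> str:
    """The thread's 'low complexity unique password': 8 alnum chars, about 47.6 bits (assumed length)."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def babble_password(n_bytes: int = 6) -> str:
    """Same idea rendered for readability: 6 random bytes (48 bits) -> 23 characters (assumed length)."""
    return bubble_babble(secrets.token_bytes(n_bytes))


if __name__ == "__main__":
    print(alnum_password(), entropy_bits(len(ALNUM), 8))
    print(babble_password(), entropy_bits(256, 6))
```

The two generators carry roughly the same entropy; the babble form is longer to type but avoids look-alike characters, which is the readability trade-off the post refers to.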
       
 (DIR) Post #ASqnvaDMLY6dWR7y7c by Darius@mastodon.cloud
       2023-02-19T22:04:40Z
       
       0 likes, 0 repeats
       
       @mjg59 Hopefully Android will copy iOS soon and make it a lot easier for apps to request passwords from a store via a nice UI rather than requiring copy & paste
       
 (DIR) Post #ASqo4crnr3CQM2MAuO by mcepl@floss.social
       2023-02-19T22:04:53Z
       
       0 likes, 0 repeats
       
       @mjg59 @taviso @corsac https://f-droid.org/packages/dev.msfjarvis.aps/ and syncthing? #pass
       
 (DIR) Post #ASqoDIP1JFqVUZ1mjo by Hollabecq@mastodon.social
       2023-02-19T22:06:50Z
       
       0 likes, 0 repeats
       
       @mjg59 @taviso @corsac FWIW, Google Password Manager does offer storing/pasting passwords for apps on Android.
       
 (DIR) Post #ASqr4PbnRpmf66SXhI by mikemol@pony.social
       2023-02-19T22:40:00Z
       
       0 likes, 0 repeats
       
       @mjg59 @taviso @corsac Chrome's built-in one syncs with Android, if you permit it. I quite like it. (full disclosure, I work for Google, my opinions are my own, etc.)
       
 (DIR) Post #ASr8FoSr4cMAanIbzc by Colinvparker@mathstodon.xyz
       2023-02-20T01:52:32Z
       
       0 likes, 0 repeats
       
       @mjg59 @taviso @corsac If you only ever enter the PW into the app, isn’t that already significantly harder to phish, since the app presumably always connects to the correct host and verifies the certificate?