https://shkspr.mobi/blog/2021/01/thats-not-how-2fa-works/
Terence Eden's Blog

That's not how 2FA works
2021-01-17 by @edent | #2fa #security #usability #yubikey | 4 comments | Read ~12,874 times.

Another day, another high-profile website cloned to phish credentials.

    Is this a phishing attempt? Goes to "https://t.co/7b0EaPdGZR" and asks for username and pw (if so, it nearly got me!) /cc @github pic.twitter.com/jgt4oNvjF2
    -- Tess Rinearson (@_tessr) January 16, 2021

In the replies, you'll see lots of techbros saying "this is why you should switch on 2FA people!!!"

(Image: a list of tweets advocating for 2FA.)

Except, and I hate to bring accuracy to a technical discussion, that's not how 2FA works!

A second factor allows a site to better authenticate you. It does not help you identify the site.

If you log on to fake-bank.com, the scammers will immediately take your username and password and send them to real-bank.com. The fake bank will then ask you for your 2FA token. That could come via SMS, email, an authenticator app, or even post. Then the fake site uses your real token and logs in as you. Game over.

There is almost nothing you can do to authenticate that a site is legitimate.

* Any information that you can request from the real site can be proxied to the fake site.
* The green SSL padlock means nothing for validity. Anyone can get one.
* The top result on Google is invariably an advert for a scam site.

Realistically, the only thing you can do is look for "out of band" verification. What's the URL stamped on your credit card? What's written on the welcome letter sent by snail mail?

None of these are infallible, and they can all be manipulated by a suitably determined attacker.

The best defence is to use a password manager. I recommend the open source Bitwarden.

A password manager stores your passwords. But it also stores the web address of each site's login page.
If you visit githud, the password manager won't prompt you to use the login details for github.

Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.

What About YubiKeys?

No. I'm not a big fan of YubiKeys.

In theory, a hardware token can help with this. You register the token with the site, and it will only produce a code for that site. But it has significant downsides.

* Cost. The average YubiKey is £50. There are a few around the £30 price point. That's a huge expense given the small number of sites that support them.
* Usability. Buy a device, register it, install the app, configure it, find the setting in the website, enable it, hope your machine has the right sort of USB ports, press the button at the right time. Take 10 minutes to watch a normal user try to set one up, then tell me if you think this is a good solution.
* Convenience. My YubiKey is on my keyring. My keys are in my coat. My laptop is not near my coat. Given how often I need to log into things, it means adopting a significant change of habit. Or leaving my YubiKey plugged in all the time. Which leads to...
* Risk. YubiKeys have no password lock of their own. At least my crummy Android has a fingerprint lock to prevent people getting my 2FA tokens. But if you've stolen my laptop and the YubiKey is plugged in, then you've got the keys to my kingdom.
* Support. WebAuthn is a great standard, but only a few sites support it. While it is good at protecting a handful of sites, I encounter it so infrequently that I regularly forget how it works.

While a WebAuthn request can't be proxied, there's nothing stopping a fake site from asking for your token, then rejecting it and asking for a separate factor. If fake-github.com said "Hmmm, we're having problems with our WebAuthn backend - please use a one-time code from your authenticator app for added security", would you be fooled?
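The password-manager advice above and the remark that a WebAuthn request can't be proxied both come down to the same thing: the credential is bound to the site's origin, and the browser, not the page, decides what that origin is. Here is an added example that models both checks (it is not the post's or Yubico's code, and not a real WebAuthn implementation): the HMAC "signature", the credential secret, the challenge strings and the site names are constructed assumptions, standing in for the authenticator's real private-key signature.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed model (not the post's code) of the origin checks the post relies on. The
# HMAC "signature" stands in for the authenticator's private-key signature (assumption).
RP_ID = "github.com"                         # RP ID the key was registered against
CRED_SECRET = b"constructed-credential-secret"
REAL_ORIGIN = "https://github.com"

def host_of(url):
    return urlsplit(url).hostname or ""

def password_manager_offers(stored_login_url, visited_url):
    """A password manager only offers a saved login when the host matches exactly."""
    return host_of(stored_login_url) == host_of(visited_url)

def browser_get_assertion(origin, rp_id, challenge):
    """The browser refuses an RP ID that is not the visited host or a parent of it,
    and writes the real origin into clientDataJSON itself; the page cannot fake it."""
    host = host_of(origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(challenge, client_data, auth_data, sig):
    """Relying party: check type, challenge, origin and rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                 # stale or replayed challenge
    if cd.get("origin") != REAL_ORIGIN:
        return False                 # signed for another site: refuse it
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CRED_SECRET, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def relay_outcome(site_origin, challenge):
    """Is an assertion collected on site_origin accepted by the real relying party?"""
    result = browser_get_assertion(site_origin, RP_ID, challenge)
    if result is None:
        return "browser refused: RP ID does not match the visited site"
    return "accepted" if rp_verify(challenge, *result) else "rejected: origin mismatch"
```

The evil.github.com case shows the second layer: a host that does sit under the RP ID can obtain an assertion, but the relying party's origin check still rejects it.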
WebAuthn and hardware tokens are probably the future. And they're probably the best way we have to verify site legitimacy. But they're also currently a poorly supported usability disaster.

Stay safe out there.

---------------------------------------------------------------------

4 thoughts on "That's not how 2FA works"

1. Russ Garrett says: 2021-01-17 at 12:52
For what it's worth, on macOS (at least with Chrome), Touch ID works automatically as a WebAuthn provider with no additional setup needed. I assume it has the same attestation features as U2F, but you are then stuck with only being able to log in on one computer.

2. Jon Wood says: 2021-01-17 at 13:18
Which is really frustrating. It feels like Apple, with their tight integration, could store the actual key against an iCloud account, then use biometrics to unlock the key, making it available across all devices. (There may be glaring security holes I'm missing here.)

3. HackerNewsTop10 says: 2021-01-17 at 14:23
That's not how 2FA works
Link: shkspr.mobi/blog/2021/01/t...
Comments: news.ycombinator.com/item?id=258102...

4. Sime Vidas says: 2021-01-17 at 19:53
Sounds like you could use a YubiKey implant. (joke)