So we'll all have
a keyring with dozens of TFA token generators to carry around.
I can see the improvement already.
Bill Gates in 2004 predicted the death of the password over time. “They just don’t meet the challenge for anything you really want to secure,” Gates said. Ten years on, passwords haven’t gone anywhere and as the recent nude-celeb-pics-on-iCloud proved, the medium is still not up to muster yet is in widespread use in scenarios …
Which is precisely why the FIDO Alliance is creating a Universal two factor standard (U2F).
Short term you're right, we'll probably all have a few separate tokens, but done properly it should be possible to have a single item that covers multiple services.
If Google and Apple get involved, most of us could get by with one, or maybe two if they don't interoperate well.
The problem with using your phone is that you're screwed you if you don't have it, it is broken, the battery is dead, whatever. This might be about the only reason I could see for a smartwatch - you'd have a "backup" secure element.
or if you are travelling and you don't like wearing your phone company's roaming charges. I generally buy a local sim when travelling if I'm staying long enough to justify it, but of course that means you have a new mobile number, which leads to conversations like this:
"Oh, you want to change your personal details. No problem, we'll just text you a one-time passcode and you'll be able to log in to you account...oh".
Just for clarity -
Google's 2FA scheme has an installable app which does not use data roaming and does not require a connection once set up. For the times you don't have it installed, you can either have a code from a print and keep list of one-time codes in your wallet, or have it texted to you. Three ways not to get hit with roaming charges. And compared with risking your email account, incredibly easy.
If you're truly paranoid about roaming charges and so don't even take a smartphone on travels, the paper and SMS options are still available if the number is registered - even a landline, alternative SIM number, or put your SIM into a £10 2003 Nokia
Amen to that.
Google provide 2FA for their entire suite of apps (behind the "Google Account") - they also provide printable one time codes in case you lose your phone/flat battery etc.
Google Authenticator also allows other codes to be added from other apps. My Joomla installation and a NAS box (with PAM 2FA based auth) are sitting looking at me, under my Google Account.
Facebook also provide 2FA, which pops up on your mobile if you try to login on a PC.
Using the above has in no way been complicated, and it's reassuring knowing it's there.
Way to go confusing the general public again. TFA? WTF!
Why not stick to the industry standard acronym of 2FA, you know, the one most people recognise as security related. (don't believe me, google "TFA" - first mention of it being "two factor authentication is on the fifth page of results where 2FA is on page one)
Three, twenty, thousand?
Use 2FA, it's more precise, same length, fewer collisions with other contractions, more memorable, etc.
In fact the whole article read a bit like it wasn't originally written for tech press, but for Readers Digest or similar, to me at least.
My bank issues a card reading device to produce an authentication code. By casual observation it would appear that it gives a particular 8 digit number at the same time each day. If this is indeed the case - then a key logger thief would be able to re-use the code if they did a transaction from elsewhere at that time of day.
Yes, I think I've noticed that with the devices issued by HSBC. (I have three for three distinct account set ups).
The three devices don't all generate the same code at the same time, though, so there is some other element involved - but I'm pretty sure I've seen the same code repeated on the same one when accessing the accounts at the same time on different days.
With the ones I have (different Dutch banks) you need to enter a device PIN to activate it, then the 6..8 digit number the bank presents to you. From which the device generates a response code which you need to enter into the web page.
Those apparently predictable codes look like someone's done a cheap version of an RSA token
I've had fingerprint readers on my past three notebooks. And I've used 2FA with a key fob device, for access to a corporate network.
The first real level of security is, "don't put that there," and, "don't let it do that." Don't put embarrassing photos of yourself on the Internet, and don't let your bank transfer funds like that.
The fingerprint idea is OK until you get an owie on your finger, and you need a Band-Aid. Even when it works right, it can take a few swipes before it recognizes your finger. The key fob is OK until it gets out of sync with the service, and then a re-sync needs to happen. The smart card and the key fob can also suffer from insufficient randomness or whatever other problem can crop up.
It's really hard to protect people from themselves. My apartment manager's password is two very simple words, followed by repeating numbers, and he has problems remembering that, so no way is he going to remember v<#?rSK51_Rc,pt, which can still be broken by a rainbow table. Yes, he has called me up on occasion to find out what his password is.
Sending a text message containing a second password to the phone is a good idea, though. Then the second password could be something random, like, "battery horse staple." Of course, for a MITM attack, that would restrict the attack to the current session. But depending on the data that the attackers want to access, that may be enough.
Sending a text message containing a second password to the phone is a good idea, though.
It has additional advantages. My bank uses it to verify online purchases, checking that my credit card is being used by me. Some months ago I got 3 or 4 such passwords within 5 minutes, for purchase attempts I hadn't made. A check online showed that other purchases were being made on my clearly skimmed Visa card. A quick call to the card hotline to cancel the card saved me a lot of grief.
- companies that don't allow you to paste a password, and don't allow the entered password to be visible. So either you have to have a short one that's easy to remember and type accurately, or else you have to write it down.
- companies that ask you for a memorable word that THEY specify: Like "favourite piece of music" (mine changes weekly) or "mother's maiden name" (my grandparents didn't speak much English and my mother's name was wrong on her birth certificate, so I know two versions.) Etc etc.
- companies that reject passwords that don't comply with their rules, but they don't tell you what the rules are. Sometimes they don't even tell you that there ARE rules, you have to work out for yourself why your registration isn't accepted.
I have hundreds of passwords, so I use KeePass with a long pass-phrase, including a number that hopefully I won't forget until I'm too old to care. The KeePass data file is synchronised to my mobile via DropBox so I can also use their mobile app. I don't feel that my security is too bad. But I think it would be better if more companies allowed pass-phrases with spaces.
Hmm, hundreds of passwords? Why?
I use the same brief password for all those online crap sites that expect me to register but I couldn't really give a <bleep> <bleep> whether anyone accesses their site with my credentials. I therefore have only a few 'proper' passwords to remember.
For example, is your identity on 'The Register' so sacred that you'd be really upset if someone posted something as you? Perhaps for some. Or is it really important that someone else can log into BuyAnyOldTat.com and have it automatically populate the address details with yours or perhaps see what you bought last time? (Though obviously there may be some sites where you really don't want people knowing what you've been buying - naughty, naughty.) I even don't mind if someone logs onto my energy supplier and pays the bill on my behalf.
So long as there is no harm that can be done to you why bother going to much length to protect the access? Assess the risks, the possible consequences and choose a password appropriately.
I'm proposing the nipple as a biometric. It has obvious advantages over other biometrics - you leave fingerprints on everything you touch, and every CCTV catches your face, but the nipple is far less exposed.
I'll need funding for an in-depth study into whether nipples are unique and unchanging, using online resources and selected focus groups.
OTP is an RFC defined tech, so anyone can write their own implementation. As much as I dislike Google, their standalone authenticator *works* (time based OTP), and has already got some reference implementations in the form of plugings for Joomla and Wordpress so it really isn't difficult to do.
Why Yet Another Setup trying to fix what isn't broken?
My Amazon, Facebook, Google, Microsoft (and a few more) accounts are all secured with 2FA using the same authenticator app (Microsoft one on Windows Phone in my case). Having a unified platform supported across these companies gives me hope that sometimes, the tech industry can do things right on occasion.
In order to keep your naughty pics safe, the lads responsible for maintaining whichever service you've put 'em on need to get it right 100% of the time. That's every update checked up down back and sideways. Every third-party software change audited and tested to hell and back. Every call-centre grunt able to spot the difference between a customer with lost access credentials and someone pretending to be such with 100% accuracy. Etc ad nauseum.
The miscreants only have to get it right once......
I'm afraid that Ricky Gervais was absolutely right. Trouble is that with cloud processing and storage being such huge business right now and soooo convenient, nobody wants to hear it and its preferable to shoot the messenger rather than run the gravy train into the buffers.
AFAICT, the recent Apple cloud leaks were caused by a password-guessing attack. In order to guess a password, the script tried 500 or so passwords for each username.
Now if Apple had been monitoring failed password attempts, and stopped repeated failed attempts, especialy when a whole bunch of them for different usernames came from one IP location, this would not have worked. Apple were not using passwords in the right way.
AFAICS, Apple have now started to do this, which is why and how the attack has stopped.
Another method to defeat such attacks might be for the login username to be different from the public username, making it hard for an attacker to guess a login username.
More, if Apple had emailed the celebs saying that there had been several failed password login attempts, especially those from unusual IP addresses, and the celebs had said "I didn't do that" then Apple could have been on an especial watch (and could probably have caught the attackers).
Don't get me wrong, password are a totally shit method of identification, and a really bad method of authentication. But my banks use them online, along with other methods: one (Lloyds) sensibly, one (Tesco) in an overly paranoid manner which actually detracts from security.
And like PIN passwords for debit and credit cards, if used correctly online passwords seem to work well enough for money.
If I make repeated failed password login attempts to my banks they lock me out, and want me to contact them. Very sensible, if annoying. However yesterday I forgot my itv player password, and made several wrong attampts to log in - and got shut out for 30 minutes. I mean, WTF?
Passwords are useful in their place, sometimes with added password-type or other security when needed, sometimes not, Sometimes they are used in stupid ways - why does ITV Player need me to login with a password anyway?
Passwords cannot usually protect against coercive attacks, but for everyday use where they are used appropriately and monitored suitably, they are still the worst - apart from everything else.
The real problem is that people do not use them appropriately.
2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.
I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Media should let this fact be known to the public lest consumers should be misguided.
I am really worried to see so many people being indifferent to the difference between AND/conjunction and OR/disjunction.
Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunctiion or (2) by OR/disjunction.
I would appreciate to hear if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device get reset.
Like other biometric products, Apple's iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password.
As for an additional vulnerability unique to biometrics, you may refer to
Needless to say, so-called 2-factor systems with a password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.
Perhaps I'm just old, I remember reading long ago, that the reason online banking was made available was nothing to do with customer service. It had everything to do with what could be called "plausible deniability" by the bank. If your account was missing funds and you had online access, then it was your fault, you must have given away the pin. I think it had something do to with insurance. It was 20 odd years ago I read this. I was a student at the time, I even remember the street I was walking down...
But I digress. Since then, I've never trusted online banking. In fact I've even gone so far as to get guarantees from a few banks, that they will never make my information available online. Got a written letter from the bank about my business account.
If it's online, it's vulnerable. You, (the dismal denizens of el' Reg) of all people should understand this, what else is the cynicism for?
TFA, which is amusingly, the same acronym as "The F***ing Article" is not a panacea. It's not even a very good idea. if you have TFA on your phone and you lose it. you can say goodbye to your account. Since where is the TFA text going to be sent. The more things you carry, the more things you lose or forget.
Technology is always vulnerable, if you lose sight of that, you will always be "shocked and stunned, Brian" when something adverse happens.
Caveat Emptor and all that.
You are going to upload it to "the cloud" THEN encrypt it? Guess what? It's already there and on backups in an unencrypted form.
The "cloud" is just a new buzzword for a very old idea (over 30 years). It simply means store your data on somebody elses servers, all under THEIR control.
If you work for a company or a government agency that has an internet connection, and your own servers, then you already have everything you need for your OWN cloud, completely under YOUR control.
As a Network engineer, I have my own servers running at home, and I can access the data from anyplace on earth.
Nobody is going to take it down without my knowledge or permission, and even if they could, I have hidden backups, and my data is heavily encrypted.
No warrant, no information, sorry governments.
No negotiation to all you corporations. Out of sight, out of reach, out of touch
Figure it out folks. If you use a cloud service, you are putting your privacy in other people's hands.
Biting the hand that feeds IT © 1998–2019