back to article Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them

Bill Gates in 2004 predicted the death of the password over time. “They just don’t meet the challenge for anything you really want to secure,” Gates said. Ten years on, passwords haven’t gone anywhere and as the recent nude-celeb-pics-on-iCloud proved, the medium is still not up to muster yet is in widespread use in scenarios …

  1. JimmyPage Silver badge
    FAIL

    So we'll all have

    a keyring with dozens of TFA token generators to carry around.

    I can see the improvement already.

    1. Velv Silver badge
      Go

      Re: So we'll all have

      Which is precisely why the FIDO Alliance is creating a Universal two factor standard (U2F).

      https://fidoalliance.org/

      Short term you're right, we'll probably all have a few separate tokens, but done properly it should be possible to have a single item that covers multiple services.

      1. Jan 0

        Re: So we'll all have

        > it should be possible to have a single item that covers multiple services.

        Yeah right, just like the way we only carry a single card in our slim wallets instead of the thick pile we used carry? Possibility is not the same as inevitability.

    2. DougS Silver badge

      Re: So we'll all have

      If Google and Apple get involved, most of us could get by with one, or maybe two if they don't interoperate well.

      The problem with using your phone is that you're screwed you if you don't have it, it is broken, the battery is dead, whatever. This might be about the only reason I could see for a smartwatch - you'd have a "backup" secure element.

      1. bep

        Re: So we'll all have

        or if you are travelling and you don't like wearing your phone company's roaming charges. I generally buy a local sim when travelling if I'm staying long enough to justify it, but of course that means you have a new mobile number, which leads to conversations like this:

        "Oh, you want to change your personal details. No problem, we'll just text you a one-time passcode and you'll be able to log in to you account...oh".

        1. Cliff

          Re: So we'll all have

          Just for clarity -

          Google's 2FA scheme has an installable app which does not use data roaming and does not require a connection once set up. For the times you don't have it installed, you can either have a code from a print and keep list of one-time codes in your wallet, or have it texted to you. Three ways not to get hit with roaming charges. And compared with risking your email account, incredibly easy.

          If you're truly paranoid about roaming charges and so don't even take a smartphone on travels, the paper and SMS options are still available if the number is registered - even a landline, alternative SIM number, or put your SIM into a £10 2003 Nokia

          1. Blacklight

            Re: So we'll all have

            Amen to that.

            Google provide 2FA for their entire suite of apps (behind the "Google Account") - they also provide printable one time codes in case you lose your phone/flat battery etc.

            Google Authenticator also allows other codes to be added from other apps. My Joomla installation and a NAS box (with PAM 2FA based auth) are sitting looking at me, under my Google Account.

            Facebook also provide 2FA, which pops up on your mobile if you try to login on a PC.

            Using the above has in no way been complicated, and it's reassuring knowing it's there.

    3. Daniel B.
      Boffin

      Re: So we'll all have

      a keyring with dozens of TFA token generators to carry around.

      I can see the improvement already.

      I carry *four* keyfobs. Each bank gives me one, so I have four of 'em. I'd rather carry those than have some numbnuts sweep my bank accounts clean.

  2. Velv Silver badge
    WTF?

    Way to go confusing the general public again. TFA? WTF!

    Why not stick to the industry standard acronym of 2FA, you know, the one most people recognise as security related. (don't believe me, google "TFA" - first mention of it being "two factor authentication is on the fifth page of results where 2FA is on page one)

    1. Cliff

      Twelve Factor Authentication

      Three, twenty, thousand?

      Use 2FA, it's more precise, same length, fewer collisions with other contractions, more memorable, etc.

      In fact the whole article read a bit like it wasn't originally written for tech press, but for Readers Digest or similar, to me at least.

  3. This post has been deleted by its author

  4. h3

    Got your NUDE SELFIES in the cloud? Anybody else wants them? You are stupid.

    1. GitMeMyShootinIrons

      If I put nude selfies up, any thief would be straight down the pshrinks with PTSD. They'd be that bad, they'd probably qualify as WMD.

      For that matter, I'd be ill if I saw my own (hypothetical) nude selfies....

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    Predictable authentication codes?

    My bank issues a card reading device to produce an authentication code. By casual observation it would appear that it gives a particular 8 digit number at the same time each day. If this is indeed the case - then a key logger thief would be able to re-use the code if they did a transaction from elsewhere at that time of day.

    1. VinceH Silver badge

      Re: Predictable authentication codes?

      Yes, I think I've noticed that with the devices issued by HSBC. (I have three for three distinct account set ups).

      The three devices don't all generate the same code at the same time, though, so there is some other element involved - but I'm pretty sure I've seen the same code repeated on the same one when accessing the accounts at the same time on different days.

      1. Stoneshop Silver badge
        WTF?

        Re: Predictable authentication codes?

        With the ones I have (different Dutch banks) you need to enter a device PIN to activate it, then the 6..8 digit number the bank presents to you. From which the device generates a response code which you need to enter into the web page.

        Those apparently predictable codes look like someone's done a cheap version of an RSA token

  7. Brian Miller

    2FA, passwords, fingerprints

    I've had fingerprint readers on my past three notebooks. And I've used 2FA with a key fob device, for access to a corporate network.

    The first real level of security is, "don't put that there," and, "don't let it do that." Don't put embarrassing photos of yourself on the Internet, and don't let your bank transfer funds like that.

    The fingerprint idea is OK until you get an owie on your finger, and you need a Band-Aid. Even when it works right, it can take a few swipes before it recognizes your finger. The key fob is OK until it gets out of sync with the service, and then a re-sync needs to happen. The smart card and the key fob can also suffer from insufficient randomness or whatever other problem can crop up.

    It's really hard to protect people from themselves. My apartment manager's password is two very simple words, followed by repeating numbers, and he has problems remembering that, so no way is he going to remember v<#?rSK51_Rc,pt, which can still be broken by a rainbow table. Yes, he has called me up on occasion to find out what his password is.

    Sending a text message containing a second password to the phone is a good idea, though. Then the second password could be something random, like, "battery horse staple." Of course, for a MITM attack, that would restrict the attack to the current session. But depending on the data that the attackers want to access, that may be enough.

    1. Phil O'Sophical Silver badge

      Re: 2FA, passwords, fingerprints

      Sending a text message containing a second password to the phone is a good idea, though.

      It has additional advantages. My bank uses it to verify online purchases, checking that my credit card is being used by me. Some months ago I got 3 or 4 such passwords within 5 minutes, for purchase attempts I hadn't made. A check online showed that other purchases were being made on my clearly skimmed Visa card. A quick call to the card hotline to cancel the card saved me a lot of grief.

  8. returnmyjedi

    Whilst using "password1" our suchlike is rather silly and can put some of the blame for the iCloud "hack" at the door of said celebs, the fact that Apple's system permitted the perps to throw multiple access attempts at an account without a lockout is facepalmingly dozy.

  9. channel extended

    The next goal?

    The next to replace the password is the ten factor authentication which is a complete set of fingerprints.

    At least until the DNA reader is installed.

    1. LucreLout Silver badge

      Re: The next goal?

      "At least until the DNA reader is installed."

      That'll work wonders for identical twins.

  10. Anonymous Coward
    Anonymous Coward

    I'm beginning to wonder how secure cloud data is from those working on the inside of the cloud.

  11. storner
    Pint

    It's only Tuesday, so ...

    "finger pints" ?? I'll have the full size pint, thank you.

    Gotta get those priorities set in your chell specker.

  12. Anonymous Coward
    Anonymous Coward

    Would passphrases be better than passwords & 2FA?

    Surely some long sentence such as this would be more bits of entropy that some short password?

    1. Ole Juul Silver badge

      Re: Would passphrases be better than passwords & 2FA?

      The article is not about short or low entropy passwords vs. longer ones or more entropy. It is about passwords and phrases not being up to the task because they're a single factor. Hence 2FA.

  13. Tony W

    Pet password hates

    - companies that don't allow you to paste a password, and don't allow the entered password to be visible. So either you have to have a short one that's easy to remember and type accurately, or else you have to write it down.

    - companies that ask you for a memorable word that THEY specify: Like "favourite piece of music" (mine changes weekly) or "mother's maiden name" (my grandparents didn't speak much English and my mother's name was wrong on her birth certificate, so I know two versions.) Etc etc.

    - companies that reject passwords that don't comply with their rules, but they don't tell you what the rules are. Sometimes they don't even tell you that there ARE rules, you have to work out for yourself why your registration isn't accepted.

    I have hundreds of passwords, so I use KeePass with a long pass-phrase, including a number that hopefully I won't forget until I'm too old to care. The KeePass data file is synchronised to my mobile via DropBox so I can also use their mobile app. I don't feel that my security is too bad. But I think it would be better if more companies allowed pass-phrases with spaces.

    1. frank ly Silver badge

      Re: Pet password hates

      My mother's maiden name is "Correcthorsebatterystaple". I was lucky there.

    2. TeeCee Gold badge
      Meh

      Re: Pet password hates

      The KeePass data file is synchronised to my mobile via DropBox

      So, to summarise:

      Keeping your nude selfies in the cloud = Bad.

      Keeping all your passwords in the cloud = Good.

      Really?

    3. Badvok

      Re: Pet password hates

      Hmm, hundreds of passwords? Why?

      I use the same brief password for all those online crap sites that expect me to register but I couldn't really give a <bleep> <bleep> whether anyone accesses their site with my credentials. I therefore have only a few 'proper' passwords to remember.

      For example, is your identity on 'The Register' so sacred that you'd be really upset if someone posted something as you? Perhaps for some. Or is it really important that someone else can log into BuyAnyOldTat.com and have it automatically populate the address details with yours or perhaps see what you bought last time? (Though obviously there may be some sites where you really don't want people knowing what you've been buying - naughty, naughty.) I even don't mind if someone logs onto my energy supplier and pays the bill on my behalf.

      So long as there is no harm that can be done to you why bother going to much length to protect the access? Assess the risks, the possible consequences and choose a password appropriately.

  14. Allan George Dyer Silver badge
    Joke

    NUDE SELFIES + 2FA

    I'm proposing the nipple as a biometric. It has obvious advantages over other biometrics - you leave fingerprints on everything you touch, and every CCTV catches your face, but the nipple is far less exposed.

    I'll need funding for an in-depth study into whether nipples are unique and unchanging, using online resources and selected focus groups.

    1. TeeCee Gold badge
      Gimp

      Re: NUDE SELFIES + 2FA

      An ideal approach for masochists.

      When some scrote cracks your security, you get a cast iron excuse to saw your nipples off and staple on new ones!

  15. Anonymous Coward
    Anonymous Coward

    I don't understand their statements about cost?

    OTP is an RFC defined tech, so anyone can write their own implementation. As much as I dislike Google, their standalone authenticator *works* (time based OTP), and has already got some reference implementations in the form of plugings for Joomla and Wordpress so it really isn't difficult to do.

    Why Yet Another Setup trying to fix what isn't broken?

  16. xj650t

    The password is dead long live the password

    Not in any way involved or trying to push the technology, but Steve Gibson at grc.com is working on an authentication system based on qr codes that'll work on nearly all platforms and seems really neat.

    Time for an article El Red?

  17. Crisp Silver badge

    £25 to £60 for a key?

    Blizzard sold me a key for £5. What are these other companies making their keys out of?

  18. theblackhand

    While you're offering advice...

    I'm unable to save my nude selfies to the cloud.

    My cat pictures save OK but all my nudies are rejected?

    Do I not meet the clouds standards?

    I've tried different phones and have also received a cease and desist letter from the NSA.

    1. Joe Harrison Silver badge

      Re: While you're offering advice...

      Maybe join a gym and cut down on the cakes?

  19. Anonymous Coward
    Anonymous Coward

    My Amazon, Facebook, Google, Microsoft (and a few more) accounts are all secured with 2FA using the same authenticator app (Microsoft one on Windows Phone in my case). Having a unified platform supported across these companies gives me hope that sometimes, the tech industry can do things right on occasion.

  20. TeeCee Gold badge
    Alert

    Here's the problem.

    In order to keep your naughty pics safe, the lads responsible for maintaining whichever service you've put 'em on need to get it right 100% of the time. That's every update checked up down back and sideways. Every third-party software change audited and tested to hell and back. Every call-centre grunt able to spot the difference between a customer with lost access credentials and someone pretending to be such with 100% accuracy. Etc ad nauseum.

    The miscreants only have to get it right once......

    I'm afraid that Ricky Gervais was absolutely right. Trouble is that with cloud processing and storage being such huge business right now and soooo convenient, nobody wants to hear it and its preferable to shoot the messenger rather than run the gravy train into the buffers.

  21. Jim 59

    iCloud

    "The Cloud" is basically a stranger's computer ans should be treated as such.

  22. Grikath Silver badge

    There's a couple of places....

    I'd keep any putative nude selfies of me.. Or any other sensitive private information for that matter.

    "the Cloud" most definitely isn't one of them.

  23. Peter Fairbrother 1

    2FA- solving the wrong problem

    AFAICT, the recent Apple cloud leaks were caused by a password-guessing attack. In order to guess a password, the script tried 500 or so passwords for each username.

    Now if Apple had been monitoring failed password attempts, and stopped repeated failed attempts, especialy when a whole bunch of them for different usernames came from one IP location, this would not have worked. Apple were not using passwords in the right way.

    AFAICS, Apple have now started to do this, which is why and how the attack has stopped.

    Another method to defeat such attacks might be for the login username to be different from the public username, making it hard for an attacker to guess a login username.

    More, if Apple had emailed the celebs saying that there had been several failed password login attempts, especially those from unusual IP addresses, and the celebs had said "I didn't do that" then Apple could have been on an especial watch (and could probably have caught the attackers).

    Don't get me wrong, password are a totally shit method of identification, and a really bad method of authentication. But my banks use them online, along with other methods: one (Lloyds) sensibly, one (Tesco) in an overly paranoid manner which actually detracts from security.

    And like PIN passwords for debit and credit cards, if used correctly online passwords seem to work well enough for money.

    If I make repeated failed password login attempts to my banks they lock me out, and want me to contact them. Very sensible, if annoying. However yesterday I forgot my itv player password, and made several wrong attampts to log in - and got shut out for 30 minutes. I mean, WTF?

    Passwords are useful in their place, sometimes with added password-type or other security when needed, sometimes not, Sometimes they are used in stupid ways - why does ITV Player need me to login with a password anyway?

    Passwords cannot usually protect against coercive attacks, but for everyday use where they are used appropriately and monitored suitably, they are still the worst - apart from everything else.

    The real problem is that people do not use them appropriately.

  24. Jin

    2-factors: Operated by AND/Conjunction or by OR/Disjunction?

    2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

    I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Media should let this fact be known to the public lest consumers should be misguided.

    I am really worried to see so many people being indifferent to the difference between AND/conjunction and OR/disjunction.

    Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunctiion or (2) by OR/disjunction.

    I would appreciate to hear if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device get reset.

    Like other biometric products, Apple's iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password.

    As for an additional vulnerability unique to biometrics, you may refer to

    http://mashable.com/2013/09/11/girl-fingerprint-scanner/

    Needless to say, so-called 2-factor systems with a password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

  25. Anonymous Coward
    Anonymous Coward

    Booby-Trap The Cloud?

    I suggest we all do like the "A-List" and upload nude selfies and amateur Pr0n to various cloud services with weak passwords; most of those cannot be unseen .... which will hurt the spooks and the hackers.

  26. praxis22

    Never trust anything you want to keep to a computer

    Perhaps I'm just old, I remember reading long ago, that the reason online banking was made available was nothing to do with customer service. It had everything to do with what could be called "plausible deniability" by the bank. If your account was missing funds and you had online access, then it was your fault, you must have given away the pin. I think it had something do to with insurance. It was 20 odd years ago I read this. I was a student at the time, I even remember the street I was walking down...

    But I digress. Since then, I've never trusted online banking. In fact I've even gone so far as to get guarantees from a few banks, that they will never make my information available online. Got a written letter from the bank about my business account.

    If it's online, it's vulnerable. You, (the dismal denizens of el' Reg) of all people should understand this, what else is the cynicism for?

    TFA, which is amusingly, the same acronym as "The F***ing Article" is not a panacea. It's not even a very good idea. if you have TFA on your phone and you lose it. you can say goodbye to your account. Since where is the TFA text going to be sent. The more things you carry, the more things you lose or forget.

    Technology is always vulnerable, if you lose sight of that, you will always be "shocked and stunned, Brian" when something adverse happens.

    Caveat Emptor and all that.

  27. Daniel B.
    Boffin

    2FA is good, but...

    I think that 2FA is missing the point here. What should really be done is to have the uploaded files encrypted client-side, then uploaded, and have your crypto key stay with you.

  28. kellerr13

    WRONG!

    You are going to upload it to "the cloud" THEN encrypt it? Guess what? It's already there and on backups in an unencrypted form.

    The "cloud" is just a new buzzword for a very old idea (over 30 years). It simply means store your data on somebody elses servers, all under THEIR control.

    If you work for a company or a government agency that has an internet connection, and your own servers, then you already have everything you need for your OWN cloud, completely under YOUR control.

    As a Network engineer, I have my own servers running at home, and I can access the data from anyplace on earth.

    Nobody is going to take it down without my knowledge or permission, and even if they could, I have hidden backups, and my data is heavily encrypted.

    No warrant, no information, sorry governments.

    No negotiation to all you corporations. Out of sight, out of reach, out of touch

    Figure it out folks. If you use a cloud service, you are putting your privacy in other people's hands.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019