ARoseByAnyOtherName wrote: ↑
Wed Nov 27, 2019 7:58 pm
dboeger1 wrote: ↑
Wed Nov 27, 2019 4:06 pm
I very consciously DO NOT use TOTP in my personal life. I almost locked myself out of a valuable account when trading in a phone once because of it, and thankfully was able to find my recovery codes which I had written down (itself a security risk) years prior. I also don't secure my phone all that well because I frequently share it with my wife, especially when traveling out in public. Therefore, I trust the nowadays fairly prevalent email encryption between major email providers far more than my phone as an authentication factor. So yes, if I were a better user of TOTP, I suppose the security would be superior, but for my use case, I am not willing to trade the conveniences I regularly make use of for the extra security. And yes, I know about SIM-swapping. It's a pretty nasty attack. But I trust that mobile service providers will crack down on that before it affects me, considering that's really a security flaw on their end, not the users. In the end, SMS is still just a 2nd factor, and good passwords will still be sufficient for most accounts and responsible users.
This is really horrible, horrible security practice.
Not securing your phone is really bad. I assume you have email on there? Your personal email I imagine? Maybe your work email too? And that's just the tip of the iceberg. There's an easy solution - just put a passcode on it and tell your wife your passcode. Problem solved.
And trusting that mobile service providers will crack down on that before it affects you... well I have a bridge to sell you.
Security is almost always a tradeoff with convenience but in my opinion the above goes way, way too far in service of convenience. I hope nobody else takes this as advice.
I posted a list of good security practices here:
I just want to clarify my position, because 1) I believe you misunderstood me, and disagree with your assessment as a result, and 2) I believe others subsequently misunderstood me in ways which do in fact result in horrible security practices.
I do have a pattern on my phone. To be fair, I didn't explicitly detail how my phone was secured, but I also did not say I don't secure it at all. I absolutely do secure it. I just don't treat it as part of my own being. To me, my accounts are supposed to be an extension of me as a person. Nobody else should be (ab)using them. They are strictly mine, and security measures should work to keep it that way. I don't see my phone that way. I see it like I see my PC at home or work. It's just a machine that can do work. Now, there is a design difference, in that smartphones today are more or less tied to a single user-account. They're not designed to work well as multi-user shared devices, unlike a typical desktop or game console OS. That's personally a design bandwagon that I never really wanted to hop on, but it is what it is. So to me, my phone can be replaced, but yes, I want to protect the data that it has access to when I use it. So please, nobody misunderstand me and think I was saying you shouldn't have some form of PIN or password or whatever. All I'm really saying is that if my phone spontaneously explodes, I'd like to be able to access my accounts still, because the phone is essentially disposable, but the accounts represent my personal life, including finances.
Fundamentally, all security measures are based on a set of assumptions which aren't necessarily universally true. For example, passwords are based on only the account owner knowing them. 2FA is based on the account owner having multiple factors in order to increase security. OTP is based on an even stronger assumption that a particular device belongs to the account owner. Biometrics are based on the assumption that attackers can't easily reproduce biometric signatures of the account owner. But any of those assumptions can become invalid. Imagine if you could clone me such that my clone would be an exact copy with all my memories and biometric signatures intact. Well, all of those listed mechanisms would become pretty terrible, and you'd need to supplement them with some sort of brain microchipping or geography-based authentication mechanism. That may sound contrived, but SIM-swapping is a very real recent example. It used to be considered secure to use your phone number as an authentication factor, until a fairly trivial vulnerability was discovered. Until security experts can somehow manage to plug directly into your soul and/or individual consciousness (neither of which are concepts humans currently understand on a deep-enough scientific level), there's always going to be some distance between you as a person and your authentication factors, and so the best any security mechanism can hope to do is make good assumptions about when to trust that you are in fact who you say you are. This is true of every single authentication mechanism, regardless of whether it's the soup du jour or not. Don't let current best practices fool you into believing they are fundamentally any different in this regard. If someone can fake being you under the assumptions of your authentication mechanism, they can access your accounts as if they are you. This is a universal truth.
OTP is absolutely one of the most effective forms of 2FA today. It is certainly capable of preventing several kinds of attacks that prior methods could not, such as SIM-swapping. However, it does so BECAUSE of its VERY STRONG assumption that a mobile device is under the sole possession and control of the account owner. When that assumption fails, so does the mechanism. The only reason people are going around insisting that it's superior to SMS-based 2FA is that it is currently significantly easier to compromise phone numbers than it is phones themselves. Had someone created a virus that was able to extract account secrets from OTP apps, or otherwise come up with some social engineering scheme to get them from unsuspecting victims, instead of discovering how vulnerable mobile carriers were to SIM-swapping, the headlines would be very different. But they're not, so OTP is currently good practice. I'm not arguing against that.
My main point was that the tradeoff in security is a very different beast than it was for using strong passwords. Passwords have been used since long before computers existed because they manage to give a great deal of security for very little inconvenience, and in a very intuitive way. And while computers did exacerbate problems like brute-force, dictionary attacks, common passwords, etc., they also resulted in many enhancements behind the scenes, such as salts, hashes, encryption, password managers, password rotation and complexity policies, etc. Eventually, SMS/email-based 2FA increased security by a substantial margin without much additional hassle. Biometrics are also becoming more common and adding to security without trading away much convenience. And last but not least, many enterprises are using hard tokens for 2FA with systems that allow them to centrally manage access in case one is stolen, broken, lost, etc. Basically, all of those things are relatively easy and intuitive, but help to secure accounts against most attacks that we have some degree of control over as users (obviously, we can't be responsible for securing an account provider's back end infrastructure, for instance).
Schemes such as OTP are, in my opinion, the first time that an authentication mechanism has gone mainstream DESPITE demanding a level of technical knowledge and understanding which is beyond the average user's grasp. That's because it's not obvious to most people that they run the risk of locking themselves out of their accounts when they set the system up, and in return, they only get marginal security benefits. In other words, it's a wolf in sheep's clothing. It's a much more difficult-to-swallow tradeoff. That's not to say people shouldn't make it. When used properly, it is more secure than SMS 2FA. I would contend that the vast majority of users don't understand it enough to use it properly, and it's only a matter of time before enough people get screwed by it that they decide to move onto something else. Hopefully biometrics will be better and more widespread by then.
I'm a software engineer for a living. I've actually worked on projects related to authentication and authorization. I also did not realize I might get locked out of a valuable account for failing to disable 2FA when trading in my phone. I simply used Google Authenticator because another service suggested it, without understanding the details of OTP. Thank goodness I had my recovery codes. I promise you, beyond a shadow of a doubt, that people like my mother-in-law, who constantly got viruses on her PC when I was growing up and needed me to pave her systems on almost a monthly basis, no matter how many antivirus programs I tried, do not intuitively understand the implications of OTP. It's much easier to start using it and lock yourself out of an account than it is to understand how it works. And for what? You stop a certain class of relatively advanced attacks against SMS/email-based 2FA which has only gotten much attention recently because of downright irresponsible behavior by mobile carriers. That's not that big of a deal, and by the time the average user can understand how they might lock themselves out of an account by misplacing their phone, the mobile carriers really should be able to stop letting attackers simply call in and ask for a SIM swap. That's basically what happened with email. Before email-based 2FA even became that widespread, major email providers had already begun work on encrypting email traffic behind the scenes, without requiring any additional effort on the part of users. Today, the vast majority of email is encrypted in transit, so unless you're going out of your way to use some no-name provider who doesn't do it, then email is fairly safe in transit.
In real life, probabilities often matter as much as precise vulnerabilities. You deal with the things that are most likely to affect you. I don't think phones are inherently as tied to their owners as people think. I mean, if someone was really serious about accessing your data, all they'd have to do is knock you out while you're using your phone in public, and bam, they have it. If you've ever done something as common as open your phone during an Uber ride to give a tip or review, you've put your phone at risk. If you've ever traded a phone, had it with you at a bar when you were drinking, shared it with your spouse, taken it on a cruise, or any number of common behaviors, then your phone was at a fairly significant risk. The idea of then making such a strong assumption that the phone is tied to you as a person that you're willing to lock yourself out of your accounts with only a few one-time-use codes which you may have stored years ago as your recovery options just doesn't make sense to me in a world where all these behaviors are common. I personally would make the jump if it was some sort of trusted biometric scanner or a microchip or other signature implanted directly into my body, but my phone? You may as well use my dog or my shoes as an authentication factor, if you ask me.
It's like when you teach your high school kids to drive. Do you put them in a Corolla or a Corvette? For the sake of the thought exercise, let's assume everything but speed and acceleration are equal, including safety ratings and features. The security expert might say, "Well, the Corvette is obviously the better option. In the event of an angry road rager attempting to run your child off the road, the Corvette can likely get away! Vulnerability plugged!". But virtually every parent knows a teen learning to drive in a Corvette is a bad idea, because they're likely to be a bigger threat to themselves than attackers are. I don't see how OTP is any different. It's the Corvette of 2FA. Sure, I see how it's better, but maybe I don't trust myself in it just yet. My car analogy might seem silly and contrived, but believe it or not, the exploding-phone one is not. Wasn't there a whole controversy about Samsung Galaxy phones spontaneously burning several years back due to a battery issue, and they were banned from planes? Who's to say a newer phone can't have a design flaw which causes it to burst into flames? I sure hope you have your recovery codes then.
To summarize, I'm not advocating that people don't secure their devices, or that they don't use OTP. I am 100% advocating that you understand and adapt to the implications of OTP before using it. I don't know how I can make it any clearer than my personal experience. I'm a relatively technologically-minded person, and I almost fell into a trap that could have locked me out of an account I had spent hundreds of dollars on. So I most definitely would not recommend that my grandparents use OTP on the retirement accounts they're currently drawing from in their old age. Absolutely no way. It doesn't fit their lifestyle, level of knowledge, or risk profile. I made the conscious decision to switch away from OTP because I nearly screwed up with it. It doesn't mean it's bad, but if I were to take the time to switch my accounts back to using it, I would at the very least make sure I had a safer and more reliable way of storing the recovery codes than the piece of paper that I found in a pile of junk years after I had written them down, which somehow managed to move with us into our new apartment. And no, having it in some sort of computer note app would not be enough, because it's easy to accidentally delete them. I'd want read-only copies accessible from multiple password-protected accounts, which ironically sort of defeats the purpose of OTP, because it's just shifting the vulnerability from one account to another.
I hope I've made my position clear. If you disagree with me and consider it bad advice, well, that's fine I suppose. Just be careful is all I can say.