With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com)
2017-10-22
Two-factor authentication "protects from an attacker listening in right now," writes Slashdot reader szczys, "but in many cases a database breach will negate the protections of two-factor." Hackaday reports: To fake an app-based 2FA query, someone has to know your TOTP password. That's all, and that's relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone's TOTP keys.
How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle's flash memory, and the device was shipped with it installed. This was pretty plausibly "something you had" even though it was based on a secret number embedded in silicon. (More like "something you don't know?") The app authenticators are doing something very similar, even though it's all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into "something I know", at least for me. The original submission calls two-factor authentication "an enhancement to password security, but good password practices are far and away still the most important of security protocols." (Meaning complex and frequently-changed passwords.)
You're making some assumptions when you say that the system only requires a OTP to function. In a business context there's typically a device registration process as well, separate to BaU password usage, to prevent exactly this sort of compromise - you essentially enable a device-level certificate that's used in combination with your OTP.
At the consumer level, this is less common, granted.
Security has infinite bypasses. As soon as a new layer is added another method appears to circumvent. Life, uh, finds a way.
One big problem with 2FA is that they can be phished. U2F is the neat solution in this space (I'm not affiliated with them, just impressed with it). It's a little hardware key that...
-not fooled by phishing
-each site just gets a big random number at registration, so no user tracking from U2F
-integrates SSL to resist MITM
-it's a free standard and the devices are cheap
-Chrome supports it, Firefox is now in beta. Microsoft has made noises about support. Apple is a no-show thus far.
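The comment above says U2F is "not fooled by phishing"; the reason is that the browser, not the user, supplies the origin, and the token's signature covers a hash of that origin together with the site's challenge, so a signature produced while the user is on a look-alike domain does not verify at the real site. The following added example (not code from the commenter or from the FIDO specifications) models that binding. For an offline, dependency-free demonstration an HMAC keyed with a per-site secret stands in for the ECDSA P-256 signature a real U2F token produces, and the client data and origins are constructed; the layout of the signed data (application parameter, user-presence byte, counter, challenge parameter) follows the U2F authentication message format.

```python
import hashlib
import hmac
import json
import os
import struct


def register(app_id: str) -> dict:
    """Registration: the token creates a fresh per-site key bound to the site's app ID.
    The 32-byte 'priv' stands in for an ECDSA private key (assumption for this demo);
    the relying party stores the matching 'pub'. A new random key per site is what
    gives the 'no user tracking' property the comment mentions."""
    priv = os.urandom(32)
    return {"app_id": app_id, "priv": priv, "pub": priv, "counter": 0}


def client_data(challenge: str, origin: str) -> bytes:
    """The browser builds this; the page's script cannot override the origin field."""
    return json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()


def signed_message(origin: str, counter: int, cd: bytes) -> bytes:
    """U2F authentication layout: sha256(app id) || user presence || counter || sha256(client data)."""
    app_param = hashlib.sha256(origin.encode()).digest()
    return app_param + b"\x01" + struct.pack(">I", counter) + hashlib.sha256(cd).digest()


def token_sign(token: dict, browser_origin: str, challenge: str):
    """Token side: signs over the origin the browser reports, not the one the page claims."""
    token["counter"] += 1
    cd = client_data(challenge, browser_origin)
    sig = hmac.new(token["priv"], signed_message(browser_origin, token["counter"], cd), hashlib.sha256).digest()
    return cd, token["counter"], sig


def rp_verify(rp_app_id: str, registered_pub: bytes, cd: bytes, counter: int,
              sig: bytes, expected_challenge: str, last_counter: int) -> bool:
    """Relying party side: origin must be its own, challenge must match, counter must advance,
    and the signature must verify over data recomputed with the RP's own app ID."""
    data = json.loads(cd)
    if data["origin"] != rp_app_id or data["challenge"] != expected_challenge:
        return False
    if counter <= last_counter:  # replay / cloned-token detection
        return False
    expected = hmac.new(registered_pub, signed_message(rp_app_id, counter, cd), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_login(token: dict, rp_app_id: str, browser_origin: str, last_counter: int = 0) -> bool:
    """One authentication round: the RP issues a challenge, the browser (on browser_origin)
    relays it to the token, and the RP checks the response."""
    challenge = os.urandom(16).hex()
    cd, counter, sig = token_sign(token, browser_origin, challenge)
    return rp_verify(rp_app_id, token["pub"], cd, counter, sig, challenge, last_counter)


if __name__ == "__main__":
    bank = "https://bank.example"          # constructed legitimate origin
    lookalike = "https://bank-example.test"  # constructed phishing origin relaying the real challenge
    tok = register(bank)
    print("user on real site:     ", run_login(tok, bank, bank))
    print("user on look-alike site:", run_login(tok, bank, lookalike))
```

The look-alike case fails on two independent checks: the origin inside the client data is not the relying party's, and even if the relay rewrote that field, the signature was computed over the hash of the look-alike origin and no longer verifies. The counter check is the separate defence against replaying a captured response.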
"...good password practices are far and away still the most important of security protocols." (Meaning complex and frequently-changed passwords.)"
Frequently changed?
That has been proposed for security repeatedly, but I don't see this as a big help.
(If I had to list one thing, it would be "not re-used for other platforms.")
https://www.schneier.com/blog/... [schneier.com]
NIST recently published its four-volume SP800-63b Digital Identity Guidelines [nist.gov]. Among other things, it makes three important suggestions when it comes to passwords: