
You could take over an Authy account, but does that give you the ability to decrypt the encrypted blob with the TOTP secrets in it? Authy says no: https://support.authy.com/hc/en-us/articles/115001950787-Bac...



Haven't you lost all your 2FA keys at that point though? Decryption aside, that seems incredibly inconvenient.


Well, maybe? If the SMS takeover attack results in the permanent loss of your phone number, then yes, you have lost everything. However, in most SMS takeover attacks the attack only lasts some hours, during which the attacker has control over your phone number and uses that to pivot into other accounts. With the Authy-style 2FA, they get your phone number, can then recover your Authy account, and get a copy of your encrypted blob, but they can't do anything with it. Any time they try to pivot to a different account, they don't have the 2FA and get blocked (ignoring account recovery attacks that bypass 2FA; that's out of scope). Eventually, you'd recover your SMS/phone account, and be able to download the blob, decrypt it, and have your keys. That's the model I'm seeing.

One protection that Authy should include is not letting someone who has recently performed an account recovery perform a blob deletion. That should require a delay.
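As an added illustration of the delay rule proposed above (this is example code written for this thread, not Authy's implementation, and the 48-hour cooling-off window, the account fields and the timeline are assumptions), here is a small model of the scenario: an SMS takeover lets the attacker recover the account and fetch the ciphertext, but a deletion request inside the post-recovery window is refused, so the blob is still there when the owner regains the number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed cooling-off window. Authy publishes no such figure; this is a
# parameter of the model only.
RECOVERY_COOLDOWN = timedelta(hours=48)


class PolicyError(Exception):
    """Raised when an action is refused by the account-state policy."""


@dataclass
class Account:
    phone: str
    # The server holds only ciphertext. Decryption needs the user's backup
    # password, which never reaches the server, so a recovered account yields
    # a copy of the blob but not its contents.
    encrypted_blob: bytes
    last_recovery_at: Optional[datetime] = None
    blob_deleted: bool = False


def recover_account(acct: Account, now: datetime) -> bytes:
    """SMS-based recovery: whoever controls the phone number right now gets
    access to the account and a copy of the encrypted blob."""
    acct.last_recovery_at = now
    return acct.encrypted_blob


def delete_blob(acct: Account, now: datetime) -> None:
    """Destructive action. Refused while the account is inside the
    post-recovery cooling-off window, so an attacker who hijacked the number
    for a few hours cannot destroy the backup before the owner gets it back."""
    if acct.last_recovery_at is not None:
        elapsed = now - acct.last_recovery_at
        if elapsed < RECOVERY_COOLDOWN:
            remaining = RECOVERY_COOLDOWN - elapsed
            raise PolicyError(
                f"blob deletion blocked: account recovered {elapsed} ago, "
                f"retry in {remaining}"
            )
    acct.blob_deleted = True


def simulate_sms_takeover() -> dict:
    """Constructed scenario: attacker holds the number for a few hours, the
    owner regains it, and later deletes the blob on their own schedule."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account(phone="+15550100", encrypted_blob=b"\x00opaque-ciphertext")
    result = {}

    # Attacker pivots: recovers the account via SMS and gets ciphertext only.
    stolen = recover_account(acct, t0)
    result["attacker_got_ciphertext"] = stolen == acct.encrypted_blob

    # Attacker tries to wipe the backup two hours later: blocked by the delay.
    try:
        delete_blob(acct, t0 + timedelta(hours=2))
        result["attacker_deletion_blocked"] = False
    except PolicyError:
        result["attacker_deletion_blocked"] = True

    # Owner regains the number at t0 + 6h; the blob is still there to download.
    result["blob_survives_takeover"] = not acct.blob_deleted

    # Owner, well outside the window, is free to delete (e.g. before re-enrolling).
    delete_blob(acct, t0 + timedelta(days=3))
    result["owner_deletion_allowed"] = acct.blob_deleted
    return result
```

The same shape of check applies to any other destructive or secret-revealing action that should not be reachable from a freshly recovered session (changing the backup password, adding a new device); only the `RECOVERY_COOLDOWN` value and the action being gated change.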



