> Compare that to a U2F token where you can very reasonably remove the password entirely and still be just as safe
Yeah, and it requires me to use a U2F token, which I can loose, etc. You have to balance security and usability, and SMS as a second factor seems like a perfectly reasonable balance.
I witnessed so many people lose access to their accounts because they wiped their phone that had an authenticator app, or they lost their physical 2FA tool.
1. You increase the risk of losing your entire life (if 2FA is properly implemented and avoids all social engineering process risks)
or
2. The 2nd factor devolves into a 2nd way to get access to your account
You really can't have both security and convenience.
> wiped their phone that had an authenticator app
try this one: battery dies in an iPhone. iPhone won't boot until battery is replaced. Battery can only be replaced at an Apple store. 2FA: do you feel lucky, punk?
Services like Authy address some of the loss of device issue, and always a good idea to have a backup token (e.g., yubikey) physically escrowed somewhere like a safe-deposit box.
But it is a whole lot of extra work to set up and maintain long-term, even with the best intentions.
+1 for Authy. Just get a used cheap Android phone for like $30 and use it as the backup device for Authy and never fear about losing your 2FA device again.
Does Authy actually offer 2FA? It sounds like the security boils down to your encryption passcode used to encrypt the 2FA secret, so you aren't actually using 2FA at the end of the day.
For personal use it probably is a good compromise for services which don't implement 2FA properly (that is to say, services that don't allow you to register multiple 2FA devices.) But realistically you might want to just disable 2FA and rely on your password manager.
I'm not sure what you meant by this, Authy certainly provides TOTP, and the encryption password is only used when you need to sync the 2FA secret to other devices, which by the way also requires confirmation using SMS to your phone number as well.
I usually take 2FA to mean that you have to use two of (something you have, something you know, or something you are.) If the "2FA secret" (TOTP secret?) is stored on multiple devices it doesn't actually prove ownership of "something you have" it's effectively no different from a password stored within a password manager which is considered simply "something you know." So basically the TOTP secret is a second password with some obfuscation that protects the password. But software running on one of your devices could easily steal the secret.
It does seem like this is somewhat more secure, in some sense, but it weakens the security that TOTP is intended to provide.
TOTP has always been a second password (heck, it's in the name). If you know the secret and the algorithm you can do the maths yourself in theory without needing any hardware, so in theory it can always be considered "something you know", even without all the syncing stuffs from Authy.
In any case I don't see how the Authy password can weaken TOTP. It's not like there's a webpage out there where you can enter the Authy password and it will give you back the TOTP secret for a specific user. It's only used to decrypt the TOTP secret if you choose to sync that secret to another new device, which again requires SMS verification, PLUS confirmation from an existing device, PLUS you need to have the sync capability setting enabled (so you can always sync the TOTP to your backup device first then disable the sync setting to prevent additional devices being synced).
Or just copy your TOTP codes to a second device without going via the internet.
I'm annoyed Google Authenticator makes it so easy to transfer accounts to a new phone, how will you know if someone's cloned your TOTP private key while you were sleeping?
Password managers such as 1Password and Bitwarden can save and fill in TOTP codes. Maybe not perfect security but a big win for convenience and loss prevention.
I have received advice from way to many people to not use your password manager as a 2nd factor be ause 1) It's actually become the only point if failure (your pw getting hacked). 2) Both factors protected and saved on the same spot
1Password in particular encrypts your vault with your master password and importantly an additional 128 bit secret key that is meant to be kept somewhere physically (e.g. in your safe). This key is needed the first time your vault is decrypted (e.g. a new device)
An attacker would need to have access to all of the following:
a) your encrypted vault
b) your master password
c) an 128-bit secret key
in order for the fears you've outlaid to be realised.
Really the only attack vector I can see is a physically compromised device (brute forcing is out of the question). In which case, they'd still need to somehow know your Master password and you're no more vulnerable considering your OTP is likely to be in an application on your phone anyway.
Since your own computer will typically have the vault unlocked, you don't need a+b+c. You can suffice with a circa 2000s Sony Music cd. Or any driveby malware, or malvertisement, etc.
Using the 2nd factor on another device as the first means attackers need to either compromise 2 devices, or compromise a single point higher up in the hierarchy (e.g., your google account).
If there’s malware on your PC that has complete access to your system memory you are screwed in every single way possible. I’m perfectly comfortable with having my OTP coupled with my passwords given this is the only real attack vector and requires an actively unlocked vault to expose secrets.
If this is the case, what’s stopping the malware from adding a key logger and MITMing your input to your bank’s website, Gmail or Coinbase?
> I also photograph the 2FA code or QR code and print it to a safe place.
This is really great advice.
I do something similar. I have a copy of the recovery codes (where possible) in an encrypted volume with multiple copies. Also printouts. The printouts have saved me once already.
Also, don't underestimate the utility of carrying around an encrypted SD card with things you want to retain access to!
And the site has to support U2F. U2F is a great standard but almost none of the businesses I interact with support it. There are maybe 3 banks in the US that support it, but not mine.
I don't understand why banks and businesses don't outsource the whole authentication business to someone that does nothing else, and then does proper 2FA (maybe with a choice of security levels), and supports as many standardised solutions as possible.
One of the problems here is that few sites support U2F, and even fewer support it properly.
Proper support would mean allowing multiple tokens, so that you can have one permanently on your keychain, one permanently in your computer at home, and an off site backup pair that you rotate (enroll the one that is at home, then swap and enroll the other one).
On desktop, touching a U2F token is a lot easier than typing numbers from a SMS, and it actually protects against one of the biggest threats, phishing (the SMS does not - if the phisher bothers to ask for it, the user, who thinks that they're logging into the legit web site, will enter it).
You can also "loose, etc" the phone so it is equally weak on that front. Except the SIM can be hijacked, so SMS is strictly worse and never better.
Best compromise between usability, access and recovery is to always use TOTP but be sure to always securely back up the secret offline. Don't ever just scan it into a single device, as then you're back to being able to lose it and be locked out.
The advantage with the phone is that the web site operator can pawn off the difficult recovery part on your mobile provider (go there, show ID, get a new SIM).
IMO both the mobile provider and the web site operator should be jointly liable for damages resulting from SMS 2FA abuse. The mobile operator for giving access to your phone number to an unauthorized person, the web site operator for using a known insecure technique.
Both the number of successful hijackings and companies using SMS 2FA would drop drastically.
Its generally not "second factor authentication" but 2-factor authentication. The idea is that you have 2 separate authentication factors. Preferably both with decent security.
Besides, I don't believe coinbase does SMS only account recovery. So here SMS really did fail as a second factor. Since it seems attackers must have had a password and SMS. (I am not 100% on the coinbase account recovery process)
No, it sounds like coinbase used email recovery, but his email provider used SMS recovery.
So the hacker only needed to hijack his SMS.... with that, they gained access to his email, and then with that gained access to coinbase. No password required.
SMS is better than nothing, but you have a bunch of other better fallback alternatives before you should rely on it. You can support the enrollment of multiple hardware tokens (i.e., you keep one at home, and one on your person). You can have online push login approvals. You can have a TOTP code generator.
TOTP is the one that makes the least sense to me. It is also weak to phishing (extremely common) but adds protection against SIM-swapping (comparatively very rare). It also has almost all of the downsides of U2F (a pain in the ass if you lose your device).
TOTP has the downsides of U2F, but those downsides are comparatively easier to mitigate.
Put a plan together for the "house burns down" scenario.
With U2F I need to enroll multiple tokens and keep some off-site. So what does this entail? I keep maybe 3 tokens, two on-site that I add the new account to, then on a regular schedule I rotate one off-site and bring the third one on-site and go back through and add it to any accounts I've created in the meantime? The whole process is a pain in the ass, and not all sites allow multiple devices to be registered (e.g., AWS). And new accounts are still vulnerable during the time between registering and rotating the third key on-site.
With TOTP you can... just sync your TOTP database. Some apps such as Microsoft Authenticator do this on their own. Personally, I put all my TOTP secrets into a Keepass database and sync it off-site with Nextcloud. There is no way for the site to limit how many devices I enroll so it's easy enough to create as many backup devices as you need. If you're really old school, you can print the secrets and put them in a fire safe.
FWIW, I have several yubikeys. I primarily use them as a secure store for TOTP secrets and to store a SSH key (generated off-device and backed up), not for webauthn. It's just too annoying to deal with in a way that ensures I don't lock myself out of an account.
Every modern TOTP app is cloud-synced, so I'm not sure why people are saying it's "a pain in the ass if you lose your device."
Heck, most modern password managers (e.g. 1Password, LastPass, etc.) are also TOTP, and help you fill the TOTP token (usually by putting in on your clipboard) at the same time they autofill the password.
> It is also weak to phishing (extremely common) but adds protection against SIM-swapping (comparatively very rare).
Sufficient paranoia / user training is enough to protect against phishing. (Especially for services where the only "users" are the extremely-paranoid IT admins themselves.) But nothing can really protect you from SIM-swapping, save for not allowing services that use single-factor SMS recovery to ever know your phone number in the first place.
(PITA, I know, but running little auth gateways like this is part-and-parcel of doing security for an org.)
> Considering how easily actual factual professional security engineers fall for phishing, I don't believe you.
It's almost always the service's fault for being designed in such a way that its real async user interactions are indistinguishable from phishing. You can't train a user to distinguish X from X.
• It's hard to train users to not forward TOTP tokens sent to them to someone else, if the real service will text or push-notifies the user their TOTP token "at random" (i.e. because the attacker tried to log in.) But if the service never does that — if you always have to go and fetch the token from your TOTP app — then you can just tell the user that the only time they are to go do that, is right after they've typed their username and password as part of logging in themselves; and that anything else is a phishing attempt.
• It's hard to train users to not type their username+password into phishing login pages, if the services you use constantly send you emails containing deep links. But if the service never does that — if the service always tells you to go your browser and navigate to the site yourself — then it's easy to teach users to never trust a login initiated through an email.
Security, in this case, is less about "good security hygiene", and more about priming/expectations. And because of that, the practice of being an IT admin for such an org, is a practice of picking services, or negotiating with services, to ensure that the service is following secure workflows when dealing with your users, so that your users can be trained.
I do use a similar approach to backup the Symantec secret - but what percentage of users do you think are capable of doing this? 0.1%?
> It's hard to train users to not forward TOTP tokens sent to them to someone else, if the real service will text or push-notifies the user their TOTP token "at random" (i.e. because the attacker tried to log in.) But if the service never does that — if you always have to go and fetch the token from your TOTP app — then you can just tell the user that the only time they are to go do that, is right after they've typed their username and password as part of logging in themselves; and that anything else is a phishing attempt.
A phishing attempt will do precisely this. You get a fake login page, type in your creds, and then you get a fake TOTP page.
> It's hard to train users to not type their username+password into phishing login pages, if the services you use constantly send you emails containing deep links. But if the service never does that — if the service always tells you to go your browser and navigate to the site yourself — then it's easy to teach users to never trust a login initiated through an email.
In a prior life I did some research on phishing. It is embarrassingly easy to fool even professional security researchers. Nobody is capable of consistently preventing phishing by using their own eyes and brain.
If you can manage a 100% policy of using no services that ever require users to do X, then you can also just disable doing X entirely through MDM. Phishing emails can't get your users if your users' email clients don't open links other than to whitelisted domains. :)
TOTP is an improvement over SMS in that identity is not tied to a phone number, which has been proven over and over again to be a terrible indicator of identity.
> You can support the enrollment of multiple hardware tokens (i.e., you keep one at home, and one on your person).
How many services do that today? And since so few people have fallbacks what is their recovery process like? Because the hackers will find the weaknesses.
WebAuthn explicitly tells Relying Parties (ie web sites) to all do this. All the services I use which offer WebAuthn or its predecessor U2F support multiple named hardware tokens and I enroll at least my Yubico branded device and one more at such sites. For those I use from a phone, the phone itself is enrolled.
AWS is the counter-example which will be (indeed already has been in this HN comment tree) cited as proof sites don't all do this, I've tried asking if there are literally any others, and never received any ideas. I don't currently have an employer and I don't use AWS for personal projects.
It's pretty common for sites that actually care about authenticating you (so, Google but not your Bank, GitHub but not your mortgage lender) to provide you with single use bypass codes which they tell you to write down and keep somewhere safe.
What about an authentication app? Google Authenticator or something similar can be installed on the phone which is necessary for SMS, improves the security more than SMS, and doesn't suffer from the problem of losing it, at least not more than SMS auth does.
When your phone is lost or stolen, you buy a new phone and go to your telco provider to get a new SIM with your number. SMS 2FA continues to work. Your Authenticator secrets are gone with the phone, and you're locked out.
(Unless you use a solution like Authy with multiple devices, which strikes me as the most sensible solution.)
It blows my mind that Google Authenticator still doesn't have a multi-device sync feature (or even a "recover from backup" feature on iOS for that app, because I think they added it recently to Android; just "recover from backup" alone would have been sufficient to convince me not to switch).
All of that made me switch to Microsoft Authenticator, as they do have both multi-device sync and "recover from backup" feature as well, so now I don't need to be stressed about my phone getting lost. Kind of sad, given that I've been a user of Google Authenticator for quite many years until that point.
I really wish that web browsers had worked on the UI for generating certificate signing requests and importing certificates and that websites had 2FA via username/password along with client-side TLS certificate for authentication.
This is more portable than U2F tokens since client-side certificates are part of the TLS standard and should be supported regardless of the application protocol used. Adding other devices could be done by sending a CSR along with the username and password and authorizing the second device from first device that's already logged into the account.
But Mozilla, and Google double teamed to sink it in W3C to push their own bicycle reinvention attempts, which after 10+ years, multiple incompatible versions, and errata ridden revisions are still not there.
Yes! This was a very good solution. Built right into the browser, very convenient. We built a related CA product back in the 90s and were issuing client certs on smarts cards via the browser. Plug in smartcard and browser could automatically authenticate to all services. Take it out and go home.
I used an SSL CA (Startcom / StartSSL) that used Client certs as its (only?) method of authentication. It was a terrible experience if you ever had to log in from another browser.
> Yeah, and it requires me to use a U2F token, which I can loose, etc.
In which case there are much safer recovery mechanisms available. For example, a second U2F token, or handwritten backup codes.
> and SMS as a second factor seems like a perfectly reasonable balance.
My point is that it isn't. Unfortunately, today, identity is a true privilege - it pretty much requires purchasing multiple U2F tokens, and that's super shitty. That doesn't mean that SMS 2FA is a good idea - the fact that it can actually reduce your security is very problematic.
But that is my entire point. SMS as a second factor is purely additive. It cannot reduce security.
There is pretty much no form of second factor that users are worse at passing than backup codes. Even if people print them out (few do), they won't find them when the emergency happens. You need some form of trust that can be bootstrapped again from scratch.
For most of the world, SMS is it. The Nordic countries have the bank if system. But the market is too small. Hopefully the EU-wide identity verification systems solve the scale problem.
> Some form of trust that can be bootstrapped again from scratch.
This is not using it as a second factor. It is using it as the only factor.
Having SMS as the only factor is not purely additive. As such it can (and obviously does) reduce security.
Account recovery is hard, SMS is quite usable there, but way to insecure to be the only basis for bootstrapping account recovery.
I don't really understand why you think I'm advocating for SMS as the only factor, when I very clearly wrote the exact opposite.
Let's say that you remember your password, but your house just burned down. You cannot replace the U2F keys and backup codes that were lost in flames. But you almost certainly can bootstrap your real life identity far enough to get a replacement SIM.
Which, in combination with your password, should be enough to get your digital identity back.
Except in practice, most providers (even those that should know better, like Google) allow use of SMS, ostensibly set up as a “second factor,” to be used for account recovery without knowing the password. Making it, in practice, 1FA.
Confusion about the word bootstrapping. I read "bootstrapping trust" as regaining trust based solely on SMS.
But indeed, sms as a second factor is much easier to recover in catastrophic situations than some other second factors. That is a fair point, and an advantage of sms over other common second factors.
> SMS as a second factor is purely additive. It cannot reduce security.
You are forgetting social engineering. Humans find it reassuring that the security process happened as usual, even if in fact the apparently "usual" process was them being being phished. This can mean they're actually less alert than they would be otherwise.
You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course, and then it tells you that you'll get an SMS and to type in the code so you do so. Phew! Disaster averted! Right? This must have been real, you even got an SMS from the bank.
Alas the SMS was from your bank, and the bad guys didn't have a way to intercept it, but they didn't need one because you typed it into their phishing website. That unexpected $500 transaction wasn't real, but their emptying of your bank account will be.
"You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course. It was a phishing website. Your bank account will be emptied."
But in your revised story I don't receive reassurance that everything is going as planned. That's what I'm getting at, the SMS step is reassuring even though it actually shouldn't be.
If there is no 2FA, not being asked for a confirmation code is things going as normal. Also, it's totally irrelevant whether the user gets cold feet since in the password-only world they've just handed away the keys to the kingdom.
> But that is my entire point. SMS as a second factor is purely additive. It cannot reduce security.
It most certainly can reduce security, that's the point. If I don't have a phone number on my account (which I almost universally don't) then no amount of SMS hijacking will ever matter.
If some provider forces me to put a phone number in, now I may be vulnerable to a weakness I didn't want to be vulnerable to. Maaybe today that particular provider uses SMS in a stricly additive sense. Maybe. Just as likely next month they'll redesign their site to be "easier" and add back the vulnerability.
Same with recovery questions. They make the security stricly worse for most people since they are password-equivalents with far lower entropy. Although personally my best friend from high school was named D3ho9WvylJkws1zfAKUxZjdYuCsS.
They specifically said "SMS as a second factor." What you're discussing here is a completely different different use of SMS that nobody is arguing in favor of.
As I mentioned, there is no guarantee any site is going to never allow use of that phone, once it's on file, to bypass authentication. Even if they don't right now. So adding a phone to an account increases your risk in a way you can't control. The only guaranteed way to avoid it is to never have a phone# on file.
> SMS as a second factor is purely additive. It cannot reduce security.
I responded to this in another post.
> There is pretty much no form of second factor that users are worse at passing than backup codes.
Agreed, I also mentioned backup U2F. At this point modern smart phones package TPMs that can also do attestation, so we're really not too far away from being in a situation where the vast majority of people have a U2F token in their pocket.
> In which case there are much safer recovery mechanisms available. For example, a second U2F token, or handwritten backup codes.
Which have either higher costs or "administrative burden" or both which will lead them to failure for a big chunk of non tech-savvy people. Educating a casual user that they need to print out recovery codes and store them in a safe place it's not exactly top notch usability.
Yes, as I've said, availability is the problem to solve. We should be shipping U2F tokens wherever we can. I'd like to see schools that require students to use GSuite and other U2F supporting sites giving students tokens for free. I'd like to see banks giving their customers tokens. I'd like to see companies giving them to employees.
IMO the problem is not "let's get some kind of 2FA" it's "let's get U2F in the hands of as many people as we can".
> The only way it can ever actively reduce your security is if it's used as a single factor, as it was for the OP.
I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else. Every piece of information the attacker can get is valuable for forging auth.
What SMS is good at is being available. At this point cell phones are distributed to a massive portion of the world. But at this point smartphones can also act as U2F devices, I believe, so I'm not sure that benefit is so meaningful anymore.
Instead of companies wasting time on SMS 2FA they should be figuring out how to help their customers set up U2F.
I'd like to avoid being in a situation in 10 years where we have great options for end users available but 2FA SMS is still supported for legacy reasons, and unwitting users end up using it because it seems easier and they don't understand the risks.
> I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else.
So it's better to not consider that information at all?
What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?
The problem you're describing is that services accept SMS in leu of other forms of verification, such as an actual password. Personally, I would very much like it if I could turn off any and all forms of "I forgot my password" flows. There should at minimum be a one-week waiting period or similar.
> So it's better to not consider that information at all?
Exactly
> What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?
They're equivalent in my mind - SMS is such a weak 2FA mechanism, and it's so easy to get wrong and have it decrease your overall security, any benefit is lost. Rather than pushing SMS because it's what we have we should make greater efforts to leverage technology that we know is considerably better in every regard except availability today - IMO that is the problem to solve.
Yeah, and it requires me to use a U2F token, which I can loose, etc. You have to balance security and usability, and SMS as a second factor seems like a perfectly reasonable balance.