On Tue, Aug 06, 2024 at 07:10:38AM +0200, Kevin Price wrote:
> Dear Mick, dear all:

[...]

So far, agreed.

> If I understand you correctly, Mick, you're considering to move your
> TOTP factor out of an independent device towards your local debian
> machine for convenience, so you'd be giving away the second
> authentication factor to anyone who's compromised your local account,
> that you were defending against in the first place. Please tell me
> you're not shooting yourself in the foot.

This is misleading. Still it will protect you from password leaking
(e.g. by a website impersonating the server you want to authenticate
against, or by a stupid service keeping your clear text password).

> It's your choice, Mick. Debian includes several programs that do TOTP.
> But for 2FA to have any meaningful effect, the factors need to be
> independent, or else you might as well ditch 2FA altogether.

...and here's the false conclusion.

Of course, if you manage your secrets, you should know what you are
trying to achieve (the "threat model").

If you want to be safe "at rest", encrypting your disk will be enough;
if you encrypt your OTP key, it's one layer more (i.e. while your particular
application is "at rest").

If the threat is that your application is taken over while it's running,
well... no "2FA" will protect you from that. The attacker will just surf
on your application's coattails after *you* have done the auth thing.

I would even argue to leave the smartphone out of the loop: in times
of Pegasus [1] et al, it's a security nightmare, anyway.

(A secure token is another thing: for myself I've decided it's not
worth the hassle, but it does offer a layer more. I wouldn't rely
on one which is not documented -- even better: strongly prefer open
hardware).

What finally gets me is when your bank urges (forces) you to do 2FA
with your smartphone, but then is fine with you doing your banking
with a browser *on the same phone*. That's what Bruce Schneier calls
"security theater".

cheers

[1] https://en.wikipedia.org/wiki/Pegasus_(spyware)
-- 
tomás
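Added example, not part of tomás's message or the thread: the TOTP computation (RFC 4226 / RFC 6238) behind the "OTP key" discussed above, in Python with only the standard library, checked against the RFC 6238 test seed. The seed bytes are the entire second-factor secret, which is what encrypting the OTP key at rest protects; the server-side drift window and the base32 helper are assumptions about a typical deployment, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"); a real seed is
# the base32 string from the enrolment QR code, decoded with seed_from_base32().
RFC6238_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Only seed + clock go in."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check (assumed deployment): accept +/- `window` steps of clock
    drift and compare in constant time so the comparison itself leaks nothing."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d, digits), code)
               for d in range(-window, window + 1))


def seed_from_base32(encoded: str) -> bytes:
    """Decode an enrolment-style base32 seed (spaces and lower case tolerated)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * ((-len(cleaned)) % 8))


if __name__ == "__main__":
    # RFC 6238 vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(RFC6238_SEED, 59, digits=8))
```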
