snabelen.no is one of many independent Mastodon servers you can use to take part in the decentralized social web.
A Norwegian home for the decentralized microblogging platform.


#2fa

7 posts · 7 participants · one post today

On #HackerOne's rollout of mandatory 2FA:
➕ They'll soon require 2FA.
➖ They should've done it long ago.
➕ They don't allow SMS or email as primary 2FA.
➖ They allow SMS for 2FA "recovery," making that the weakest link and canceling out the choice not to allow it as primary.
➕ They require you to generate recovery codes.
➕ They make you enter both a recovery code and a TOTP code to prove you saved everything.
➖ They still don't support WebAuthn. Very much not OK!
#infosec #2FA #MFA

The UX of 2FA could be improved considerably, and security along with it, by using a circles of trust model.

Take the example of a code forge, hosting the canonical version of some crucial piece of kit like the Linux kernel, OpenSSL, or GnuPG. You would want a maintainer to be 100% authenticated before they can commit changes to these repositories. Basic security culture.

But ...

(1/2)

TIL all your #2FA's can hit at once.

"Hello, Browser, I'd like to log in."

🤖 "Great! Check your email. Also, you have 35 seconds to respond to this before I lock you out."

"Hi Email! Can I see my last message?"

🤖 "Um, you've been ignoring me lately so go get your tablet. Also, I have a decade of your email inside me so you better respond within 10 seconds before I nuke it all."

"Hey Tablet, I need to open you up now."

🤖 "Who dat? I'm going to need you to grab your phone..."

#itsec #humor?

An eInk, Wrist-Mounted, TOTP Generator

shkspr.mobi/blog/2023/07/an-ei

Behold! Thanks to the power of the Watchy development platform, I now have all my 2FA codes available at the flick of my wrist!

HOWTO

This uses Luca Dentella's TOTP-Arduino library.

You will need a pre-shared secret which is then converted into a Hex array. Use the OTP Tool for Arduino TOTP Library to get the Hex array, Base32 Encoded Key, and a QR Code to scan into your normal TOTP generator.

Add the Hex array into the code below.

To check that it is functioning correctly, either scan the QR code from the OTP Tool above, or use the Base32 Encoded Key with an online TOTP generator.

Here's how the code interfaces with the Watchy:

```cpp
#include <Watchy.h> //include the Watchy library
#include "settings.h"
#include "sha1.h"
#include "TOTP.h"

class MyFirstWatchFace : public Watchy{ //inherit and extend Watchy class
    public:
        MyFirstWatchFace(const watchySettings& s) : Watchy(s) {}
        void drawWatchFace(){
          ...
          RTC.read(currentTime);
          time_t epoch = makeTime(currentTime) - 3600; // BST offset
          // The shared secret - convert at https://www.lucadentella.it/OTP/
          uint8_t hmacKey[] = {}; // e.g. {0x4d, 0x79, 0x4c, 0x65, 0x67, 0x6f, 0x44, 0x6f, 0x6f, 0x72};
          int hmacKeyLength = sizeof(hmacKey) / sizeof(hmacKey[0]);
          TOTP totp = TOTP(hmacKey, hmacKeyLength);
          char* epochCode = totp.getCode( epoch );
          display.print(  "TOTP Code Twitter: ");
          display.println( epochCode );
          ...
```

You can grab the full code from GitLab.

I'm not very good at C++ - so please let me know what terrible mistakes I've made.

Is this a good idea?

Well... Yes and no.

TOTP is a strong-ish form of Multi-Factor Authentication. It helps prevent attacks where someone already knows your username and password. Having a convenient way to get your TOTP codes may make you more likely to use them. It also prevents you from getting locked out of your accounts if your phone dies or is stolen.

Convenient security is good security.

But... Having them on your wrist for everyone to see? I've deliberately made the font as small as I can so it is only readable up close. However, if someone is shoulder-surfing your details, they may well see your wrist. The watch isn't encrypted - so even if you hid the codes behind a button press, anyone who steals your watch will have your codes. If they steal your phone, they need to get through your PIN / biometrics.

Who are your adversaries? If you are trying to evade state-level actors, thieves specifically targeting you for your crypto-holdings, or an untrustworthy spouse - this probably isn't a great idea. If you don't use 2FA because you don't keep your phone with you - this will probably increase your security posture.

Ultimately, all security measures are a trade-off between convenience and control.

A chunky wristwatch showing the time and a selection of 6 digit codes and their corresponding entities.
Terence Eden’s Blog · An eInk, Wrist-Mounted, TOTP Generator
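The watch sketch above hands a hex-array secret to a library and prints whatever comes back. The following is an added example, not code from the blog post, from Watchy, or from the TOTP-Arduino library: it implements the same RFC 4226/6238 arithmetic in plain Python so you can see what the library does with the secret and the UTC epoch, and it performs the conversions the linked OTP tool does (raw bytes to the Arduino hex array, and to the Base32 key that goes into a phone app's otpauth:// QR code). The sample secret is constructed: it is the ten bytes of the placeholder array in the snippet, which spell the ASCII string "MyLegoDoor". The helper names and the "Example"/"alice" issuer and account are assumptions for illustration.

```python
"""Added example: TOTP as the watch computes it, plus the secret conversions
the OTP tool performs. Standard library only; checked against the RFC 4226 and
RFC 6238 test vectors."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample secret: the bytes behind the placeholder hex array in the
# Watchy snippet ({0x4d, 0x79, ...} is the ASCII string "MyLegoDoor").
SAMPLE_SECRET = b"MyLegoDoor"
# Shared secret used by the RFC 4226 / RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"


def secret_to_hex_array(secret: bytes) -> str:
    """Render the secret as the C array literal the Arduino sketch expects."""
    return "{" + ", ".join(f"0x{b:02x}" for b in secret) + "}"


def hex_array_to_secret(literal: str) -> bytes:
    """Parse a C array literal such as {0x4d, 0x79} back into raw bytes."""
    inner = literal.strip().strip("{}")
    return bytes(int(tok.strip(), 16) for tok in inner.split(",") if tok.strip())


def secret_to_base32(secret: bytes) -> str:
    """Base32 (RFC 4648, padding stripped) as used in otpauth:// URIs / QR codes."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def base32_to_secret(b32: str) -> bytes:
    """Inverse of secret_to_base32; tolerates spaces, lowercase and padding."""
    cleaned = b32.replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(T / step). T must be UTC seconds,
    which is why the watch subtracts 3600 from its BST-set clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window`
    steps of clock drift, compared in constant time. A stolen watch produces
    exactly these codes, so the window only tolerates drift, not theft."""
    ok = False
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * step, step, digits)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI a phone app reads out of the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_to_base32(secret)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print("hex array:", secret_to_hex_array(SAMPLE_SECRET))
    print("base32   :", secret_to_base32(SAMPLE_SECRET))
    print("uri      :", otpauth_uri(SAMPLE_SECRET, "Example", "alice"))
    print("code now :", totp(SAMPLE_SECRET, int(time.time())))
```

Run it and compare the printed code with a phone app enrolled from the same Base32 key; they agree as long as both clocks are within the verification window, which is the only reason the `- 3600` offset in the sketch matters.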

My credit union uses SMS for two-factor authentication. Instead of sending a code via text, it sends a single text with two codes. The two codes go into a single form with two fields. I'm not sure why they do that. Anyone know what the strategy might be? How does sending two codes help with security? #2FA

🔐 A strong password is not enough: two-factor authentication (2FA) protects accounts even when passwords have been compromised. Especially secure and flexible: TOTP apps, local, open source, and without tracking. Recommendations are now in the Empfehlungsecke 👇

kuketz-blog.de/empfehlungsecke

www.kuketz-blog.de · Empfehlungsecke · The Kuketz blog's recommendation corner: tools, services and tips for digital sovereignty • IT security, privacy and digital self-defence

@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.

In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.

From blog.talosintelligence.com/how (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".

From my own research I know that the number of phishing-sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.

The more people use weak MFA, the more of these sorts of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it has since Alex Weinert wrote this in 2019: techcommunity.microsoft.com/bl).

Furthermore, from the page referenced by you, meta.wikimedia.org/wiki/Stewar:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."

TOTP effectively means a unique strong (server-supplied) password per account that people cannot possibly remember. A TOTP app is simply a disguised password manager.

There have been lots of incidents where people lost access to multiple MFA-protected accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.

Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in usenix.org/conference/usenixse (source: infosec.exchange/@conorgil/109). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).

Here's, IMO, much better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that its (encrypted) database is backed up after every change you make.

I wrote about the caveats of password managers in, for example, infosec.exchange/@ErikvanStrat.

Recommending that people use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.

@conorgil

Cisco Talos Blog · How are attackers trying to bypass MFA? · Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their 'push-spray' MFA attacks
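The reply above rests on one distinction: a password manager refuses to fill a credential on a domain other than the one it was saved for, while a TOTP code has no origin at all, so a code typed into a proxy phishing page verifies just as well on the real site. The following is an added example, not code from the reply or from any particular password manager: a minimal version of the origin check a manager performs before autofilling, run over constructed page URLs that mimic common phishing patterns (the saved domain reused as a subdomain, a digit-for-letter lookalike, a punycode label, and a cleartext downgrade). The public-suffix table is a tiny stand-in for the real Public Suffix List, and `VaultEntry`, the hostnames and the credential are all constructed for illustration.

```python
"""Added example: the registrable-domain check a password manager applies before
autofilling. Standard library only; constructed inputs."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; a real manager ships the full one.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


@dataclass(frozen=True)
class VaultEntry:
    origin: str      # scheme://host recorded when the credential was saved
    username: str
    password: str


def registrable_domain(host: str):
    """eTLD+1 of a hostname ('login.example.co.uk' -> 'example.co.uk'), or None
    when the host is itself a public suffix or its suffix is unknown."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def autofill_decision(entry: VaultEntry, page_url: str):
    """Return (fill, reason). Fill only over HTTPS and only when the page's
    registrable domain equals the one the credential was saved for. The user
    cannot be tricked into pasting the password into a lookalike, which is the
    property a TOTP code lacks: the code is the same wherever it is typed."""
    saved = urlsplit(entry.origin)
    page = urlsplit(page_url)
    if page.scheme != "https":
        return False, f"refusing to fill over {page.scheme or 'unknown scheme'}"
    saved_domain = registrable_domain(saved.hostname or "")
    page_domain = registrable_domain(page.hostname or "")
    if saved_domain is None or page_domain is None:
        return False, "cannot determine registrable domain"
    if saved_domain != page_domain:
        return False, f"{page.hostname} is not {saved_domain}"
    return True, f"{page.hostname} belongs to {saved_domain}"


# Constructed vault entry and page URLs; none of the hostnames are claims about
# real sites.
ENTRY = VaultEntry("https://example.com", "alice", "correct-horse-battery-staple")

CONSTRUCTED_PAGES = [
    "https://login.example.com/session",        # legitimate subdomain
    "https://example.com.login-verify.net/",    # saved domain as the phisher's subdomain
    "https://examp1e.com/login",                # digit-for-letter lookalike
    "https://xn--exampl-0ta.com/login",         # punycode label (constructed)
    "http://example.com/login",                 # right domain, cleartext downgrade
]


def decisions(entry: VaultEntry = ENTRY, pages=CONSTRUCTED_PAGES):
    """Map each page URL to its (fill, reason) decision."""
    return {url: autofill_decision(entry, url) for url in pages}


if __name__ == "__main__":
    for url, (fill, reason) in decisions().items():
        print(f"{'FILL' if fill else 'SKIP'}  {url:45}  {reason}")
```

Only the first URL is filled. A TOTP-only "second factor" on the same account gives the attacker nothing to bypass here: the proxy page asks for the code, the user reads it off the app or the watch, and the relay submits it to the real site within the same 30-second step.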

Going through a load of accounts with Proton Pass this morning and getting it to autofill stupidly complex new passwords and add 2FA where needed.

It's weird handing control over to a password manager - wasn't happy letting Google do it before.

But I do have a warm, fuzzy, ultra-secure feeling as I do it.