Follow on to the Password Thread, Convince me about 2FA

Chances are small, and there are many cases where people do not see the need for better security until something does go wrong. Many people do seem to lock their doors with several locks when leaving the house or going to bed, even if they have never been the victim of a burglary. :wink:

I do agree that not every account needs to have MFA enabled if you use unique passwords for every account and, if possible, unique email addresses or login names. For example, for shopping accounts where you do not store your payment details in your account.

1 Like

Your first few uses of a second step login (whether two factor or another password) probably aren’t worth the effort for a typical personal account. When you do it enough, though, and arrange a few things to make it more convenient, you cross a point after which each additional account is effectively no additional effort, which makes the minor security benefits for most personal accounts worth it. That also reduces the chance you’ll be slack about it when you suddenly have an account worth protecting (due to the service, value in the account, your newfound status as a public figure, quantum breakthrough, etc.)

That’s not to say you should, but hopefully it helps explain how others aren’t wasting as much effort on it as you might think as an irregular or non-user of 2FA.

2 Likes

With most modern password managers it is easy to also add that second factor. Which in my case means I type in my login name and copy/paste my password and copy/paste my second factor. You could even let 1Password fill it in for you…

For my Microsoft, Apple, Google accounts I hardly ever have to log in with the second factor because it knows my device and remembers my login. Every few months it will ask me to verify myself by using the second factor. This is a small security risk, but when someone would try to use my account in another country or on another computer they would be challenged for the second authentication factor.

There are many ways to use MFA without too much overhead.

If your phone is an iPhone it can be very secure. But security and convenience are two directions on the same axis. I’d imagine many Android phones (at least modern ones) can also be very secure.

I have a decently long passphrase on my iPhone and I hate when it won’t unlock with FaceID because I’m wearing a mask and the moon is in Scorpio, or whatever other reason there is it works sometimes and not others. So when it fails, I type it in. I swear while I’m doing it, but I type it in. No-one is going to guess it. It’s going to be pretty hard to shoulder-surf it (it’s nonsense). I treat my phone as secure. THEN I have 1Password on there which also most of the time unlocks with FaceID, but not always. And that password is substantially longer. Ain’t no-one guessing that one. Yeah, it’s an even bigger pain to type in, but I know the phone and 1Password passwords by heart so it’s not difficult, just annoying.

I totally agree. Having the second factor in Authy or Microsoft Authenticator is really not much of a deal and gives you an extra layer of security without much effort, and with biometrics securing these apps it isn’t a big thing to unlock them and copy the code. I use it everywhere possible. Even if you’d enter your account and password on a public PC (for whatever reason you would do this), the second factor and rolling code would assure that it is more or less useless for a hacker (sitting e.g. as man in the middle or having a keylogger installed) for future use, as the code needed next time will be different.

The thing I’ve not seen here is that Information Security is always a WHEN something goes wrong rather than an IF.

I’d be amazed if there’s anyone using the web normally who’s on this forum who hasn’t had an account compromised. Put your email address into https://haveibeenpwned.com/ and you’ll likely find that some of your usernames and passwords are out there.

So don’t think that you won’t be affected because more than likely, you already have.

1 Like

Let’s say I buy that I need to enable 2FA on every account that has it as an option. (I still don’t, but let’s make that assumption for the sake of argument.)

How in the world do you make it possible to use all the time WITHOUT using any cloud service and when you have siloed app use?

Yes, it can be, but no, I don’t consider that it is. I have a very short passcode on my phone. The reason is that I have NEVER gotten Face ID to work at all, and I use an Otterbox case so there is no option for using Touch ID even if my fingerprints were readable. When I need to use my phone I often have one hand full and need a quick one-hand, one-finger way to open the device, do something and close it. So my assumption is that if my device is ever stolen it is an open book. The passwords are stored in Strongbox and are encrypted, but I have no belief that even that encryption will keep a determined person out who has the physical device.

Expound please.

I don’t typically let any site remember either my username or leave me logged in. (MPU is an exception.) So I already end up logging in deliberately for every single site that I go to. The financial sites that mandate it have 2 options for receiving the codes: email or text message. If it’s email and I am on my Mac I can get it. I don’t let email download automatically and I don’t keep email running, so the process is boot up email and continually say get messages until it comes in, then copy and paste from the message. If I select text I don’t see any way to receive the message on my phone and then get that to my Mac for the login without retyping the darned thing, which almost always results in an error and I have to get a new code because if I screw it up once I’m not allowed to try again.

Conversely, if I am on my phone I have similar problems, made worse by the fact that I have no access to my email on my phone at all and I don’t see how to copy the code from a text message into a form in the browser on my phone. So I end up having to pull out a paper and pen, write the code down and try to get it typed into the web page before it expires.

Total PITA.

So… How do you use it that makes it seem so easy?

Constraints are:

  • No cloud service
  • No email on iPhone
  • No Microsoft software at all
  • No 1Password
  • POP email

Tools available include:

  • Stock Apple Mail on Mac
  • Strongbox on Mac and iOS, synced only when I am at home via WebDAV
  • Safari browsers on both iPhone and iMac

Throw in the iPad too for grins.

Well, if certain kinds of 2FA are not working for you for very practical reasons like no email access on your mobile, that doesn’t rule out the use of one-time passwords which renew every 30 seconds and are generated by an app like Authy, right? :slight_smile: You’ll only have to open the app, enter 6 digits, done. At least for securing the essentials (stuff like email, webhosting, banking, PayPal, Synology NAS etc.), I feel like that’s very much worth the little additional effort.

Just make veeery sure that you have a backup. :slight_smile: You can store your seeds in the cloud, password-protected, with Authy. You can store them in your Strongbox safe. You can use Yubikeys, or additional phones as backup.

Yes, 2FA does not result in 100% security. Nothing will. As has been pointed out, the idea is not to combine the same approach two times (i.e. “I have two different passwords which I’ll have to enter, how is that better than having one super long password?”), but to provide a second factor which by its very nature requires a different way of attacking you.

Your password can be intercepted or cracked in many different ways: man-in-the-middle attack, keylogger, spear phishing and many more. But if your account is protected by 2FA, that password is going to be worthless.

Attackers would have to very specifically target that exact use case and find a way to grab your password while you’re trying to log in, grab your 2FA code, and then log in with those credentials while the 2FA code is still valid. Or they would need to separately intercept/crack your password and then additionally crack your phone and authenticator app. If someone’s after you so much, you might have a different problem. :slight_smile: Or you might have a very unlucky day.

Remember: Your account security is not the average of your password and your 2FA code. So even if you’re using an unpatched Android phone for 2FA code generation (but hopefully not for your password safe), doing so will provide you with way more security than not using 2FA. You’re more than multiplying the failure risk of both systems, because in most cases the attacker intercepting/… your password will not even have access, remote or physical, to your network or phone in order to even TRY to hack it if he knew about it.

edit: By the way, there’s also the option to use physical TOTP generators, such as these: Authenticator - Chipkartenleser-Shop REINER SCT
Might be an option as a backup device, for less tech-savvy people or for those who are really worried about storing 2FA seeds on their phone.

My first job was in retail. I was the kid that stocked the shelves, mopped the floor, and carried your groceries to your car. And from day one I was told that the “customer is always right”. With that in mind, and considering your constraints, I’d say you are doing about as good as you can. I couldn’t operate under your constraints and I doubt if many people could these days.

I use cloud services under the assumption that anything I put online, that is not highly encrypted, should be considered public knowledge. I use email on all my devices because I know unencrypted email cannot be made secure, so why worry about it. (I may be able to protect my copy of a message but I cannot protect the ones on everyone else’s computers)

Twenty-two years ago, from what I’ve read, the NSA was operating with air-gapped computers. A user may have had a couple of terminals on their desk, each connected to a separate sensitive network, and also a Windows NT computer attached to the Internet. And even back then they were working with VMware trying to come up with a way to run everything in virtual machines on one computer running a secure version of Linux. Keeping everything separate was a major inconvenience.

AFAIK the results of this project were never made public. But today the NSA, like the CIA, is using cloud services for . . . something.

As you know mobile has changed everything. And at some point you may have to make a decision to relax some of your constraints. But I’m not telling you anything you don’t already know.

1 Like

Oogie - you can’t do what you’ve described. 2FA exists to secure cloud services that you are forced to use.

Example:

  • Email - even if just POP3 server, is still a cloud service
  • Domain Name Server - your DNS is your identity, an attacker taking over your DNS has become “you”
  • Banking - …

I use 2FA anywhere that a service could be compromised.

I can’t avoid the cloud so I use 2FA to lessen the risks involved.

You don’t need to use 2FA, just be aware of the tradeoffs.
- Mark

And that’s part of the problem. Many of these accounts use “trusted devices” as the second factor, and never bother to ask users to keep their secondary verification methods up to date. And most of them don’t EVER prompt you to create those bypass / recovery / whatever keys, so almost nobody has them.

Which means that when the “trusted device” you keep using and verifying to get you in gets lost / destroyed, you can be left with a phone number or email address from a decade ago that no longer exists because you were only ever asked about it when you created the account.

It almost encourages users to get complacent, and sets them up for failure.

Should users know this stuff, and keep it up-to-date? Probably. But do they? No. And I’d suggest that especially as 2FA is now required by some companies, the tech companies should make it at least a bit more “in your face”. Whenever they re-test your trusted device, for example, they could say “your emergency recovery phone number / email address is xxxxxxx. Let’s test that by sending you a message with a code” or something like that.

In this situation:

  • TOTP codes stored in Strongbox. Once you’ve set one up, it only needs to WebDAV sync once, and then the code will always be the same on the phone and the Mac so limited sync won’t factor
  • It sounds like you would get any SMS codes just fine
  • Emailed codes forwarded to your carrier’s SMS email address (e.g. number@vztext.com for verizon) using your Mac mail automation tool of choice.

I’m totally stupid, but how does that really work? Sure, I can create a bunch of one-time passwords, but the places that want that stuff always send things TO me; I don’t get to choose what it is. Yes, they expire, but how is some app that picks out numbers on my device going to help when I can’t control what the receiver wants to see?

As I said I totally don’t get 2FA and how it is implemented at all so I am clearly missing something that is obvious to the rest of you.

Can someone run through a really really simple case of how the 2FA actually works? It flat does not make sense to me.

Perhaps by starting out with what the heck is an authenticator app? No site that ever has asked me to set up 2FA talks about that at all.

“Handwave handwave cryptography handwave”. If you really want to read about it, check out https://en.wikipedia.org/wiki/Time-based_one-time_password as mentioned by @rob in post #6 above.

Basically a hardware key or a software authenticator uses some algorithm that generates rotating codes, and the server does the same thing. The two things don’t have to be connected in any data-transmitting way. It’s weird, but it works.

For the most stupid-simple please-don’t-ever-use-this-in-the-real-world type of example, imagine both you and the server know the date / time. Now XOR the date / time against a secret key, turn that into a code, and you type that in. You both know the secret key, you both know the time, and therefore you can verify whether the other person is legit without having to send any other info across.

An actual app? ‎Google Authenticator on the App Store

And basically a service that uses Google stuff for sign-in can use the authenticator as a “second factor” to verify your login.

FWIW I’m still hesitant to trust those things because…drum roll…guess what happens if you lose your unique device with the authenticator? Unless you have multiple authenticated devices, you’re screwed.

1 Like

I’m not surprised. My wife does some spinning but usually finer wools and not for long periods. A few years ago we were remodeling our house and I was doing a bunch of tile work and cabinet refinishing. Between the cements and the sandpaper my fingerprints got really messed up. Had to reprogram my TouchID a couple of times to get it to recognize.

1 Like

Before I retired, for remote access to our company’s network we used SecurID cards: a credit-card-sized device that generated a new 6 digit code every minute. To log in I needed my userid, password, and code. That just gave me access to the network. Any server connection required me to further authenticate. While fairly secure, there was a different version that had a keypad where you entered your PIN and it used that as a salt to encrypt the code so it was never sent as clear text.

The system allowed the previous, current, and next codes to work in case there was some clock drift or you were slow typing it in.

Quick example of an authenticator app and a TOTP code using Strongbox, which you have:

You have a site/service with an existing username/password identity and you want to enable two factor. When you log into that service, it’ll give you the code you need to set this up, usually with a convenient QR code URL (blanked because the URL from this example service contains some private information), and just the code which you can manually paste.

You go into your authenticator app, which in your Strongbox case is where you already keep the username and password, but you can use a dedicated authenticator app like Google/Authy that does nothing but store these codes. You choose one of the entry versions (I choose manual)

If choosing manual, you paste in the code

Now you will see the six digit rotating number generated by the TOTP code

After 30 seconds the code rolls over. This happens at the same time on every device that has this code saved

After confirming the save, this is what you’d be looking at when looking up the credentials and TOTP number when your login requests it. You’d see the same six digit number on every device once Strongbox synced the code you saved.

3 Likes

I use 2FA on all my key accounts. I wouldn’t bother with, say, a forum although I use long, unique passwords across the board. Email, along with your bank, is particularly important to protect. It’s not so much people sending as you but the ability to receive. You can reset the password on virtually any other web-based account if you gain access to email. Especially if the owner isn’t using 2FA.

It’s rarely an inconvenience. On my gmail account I get asked to confirm my two factor every few months. On PayPal I’ve chosen to use 2FA with every transaction, but I don’t have to. I use text messages there which automatically appear on my Mac ready to enter with one click. Either way, if somehow my password was compromised there would still be no way for an attacker to gain access to my account without my phone.*

Even if you have a long password, it could still be potentially compromised by a hacked website, errant browser extension or text expander app. 2FA protects against them all for very minor effort. I use Authy which provides a backup of the codes; a small potential loss of security for convenience.

  • I know SMS is theoretically lower security, but I don’t deal with state secrets and the effort to spoof my number will not be worth the reward!

I don’t think I agree with this. POP is a client-server protocol and predates cloud by a wide margin.

EDIT: Removed incorrect info referring to iCloud Mail, thanks @WayneG.

1 Like