Old 13 Jan 2019, 07:45 AM   #32
hitoriangasu
Junior Member
 
Join Date: Feb 2017
Posts: 21
Quote:
Originally Posted by ChinaLamb View Post
TL;DR Ditch everything else, and start the new year out with FIDO

Authenticator codes are now broken and offer little real security:
From: https://mashable.com/article/hackers.../#K6LfewCAGOql
Unfortunately, 2 factor "authenticator" codes from Google Authenticator and similar tools are phishable, through man in the middle attacks.

The scam works like this. A malicious site sets up a Fastmail (or Google) login, or worse, redirects you from Fastmail's (or Google's) login to their login, and uses SSL, with an approved SSL Certificate. As you type in your username and password, the automated site immediately enters this data into Fastmail or Google. The automated site checks if an Authenticator code is requested from the site you are trying to reach, and either asks Fastmail or Google to send you an SMS code, or for you to enter in your Authenticator code from the app on your phone. You give the middle web page the code and it passes it to Fastmail or Google, giving **them** access to your account.

This effectively lets the man in the middle gain access. The malicious site then automatically sets up an "App Password" (Outlook, Apple Mail, etc. non-2-factor password) and collects the password, and then gives themselves PERMANENT access to your account.

Additionally, IF someone gains access to your phone, all they have to do is look at your authenticator app, none of which I know to have additional passwords to be able to access, and see what accounts (email, bank, etc.) that you have. I personally don't like having a list of all my secure accounts, so easily accessed on my phone.

In short, future Phishing schemes will likely all include automated attempts to both get your password, and to get your security code, and in an automated method, gain access to your account.
Unfortunately SMS Codes are likewise woefully inadequate:
From: https://www.entrepreneur.com/article/317830
Also, multiple other documents: https://www.makeuseof.com/tag/two-fa...tion-sms-apps/

First off, SMS codes fall prey to the exact same problem as the man-in-the-middle attack above. There is NOTHING stopping someone from getting you to try and enter in an SMS code, legitimately generated by Fastmail or Google, but triggered by an automated attack such as the one detailed above, which then uses the password and code before the code expires.

Reddit, and multiple other users have detailed how their SMS second factor codes were intercepted, or cell phone numbers were redirected, or cell accounts were transferred to malicious agents, etc. etc. etc. This should also be a significant concern to anyone living in a country that practices excessive surveillance on anyone within their borders.

Bottom line, SMS is not secure either, and potentially much less secure than an authenticator code depending where you live...

The only significant answer right now seems to be FIDO U2F.
From: https://www.yubico.com/2017/10/creat...-security-key/

The answer is something called "Origin Bound Keys", that is, creating a key that is BOUND to the receiver. That means only the "Real" site is able to authenticate the key. U2F mints a cryptographic pair for each service. This is enhanced by token binding, where the key is bound to the secure TLS connection, so that it only works with the intended website. If someone tries to spoof Fastmail, they cannot do it. They won't get the code, nor can they get a code from you... The two ends of the key won't work together if someone tries to stand in the middle and pretends to be Fastmail. The key ONLY fits into the slot created by Fastmail, and it only unlocks the lock which Fastmail sets up.

What results, is a theoretically unphishable security key.
FIDO Devices
IF you use a mobile device, you'll need SOMETHING more than a simple USB device. Your phone needs to be authenticated to use Fastmail. That leaves you with either a Bluetooth or an NFC-based FIDO U2F compliant device. You should NOT authenticate your phone with Authenticator codes or SMS codes due to the issues above.

Google's new Titan key pair is FIDO compliant. It is based upon FeiTian, a Chinese company, but Google rewrote the firmware themselves, to ensure that the devices do not leak any information to the Chinese government. Google claims they've had no successful phishing attempts since enabling these devices across Google. Source: https://krebsonsecurity.com/2018/07/...oyee-phishing/

Unfortunately, TITAN is $50, but you get two keys: one Bluetooth and one NFC/USB.

Yubikey also provides multiple FIDO compliant keys, unfortunately, as stated, you need a NFC device, and Yubikey's cheapest NFC capable device is $45 (Series 5 keys, EXCEPT the Nano).

Also note that the original Yubikey devices were NOT FIDO compliant. That is, a non-FIDO Yubikey will not protect you from the above issues. If you currently rely on Yubikey, you should check if your current key IS or IS NOT FIDO compliant.

There are, of course, the Feitian keys on Amazon. These can be purchased separately, starting at about $17. The problem is, the Feitian keys seem to have more issues than the Google version, and you are stuck with Chinese firmware, which may have vulnerabilities, and have poorly written documentation etc.

Unfortunately, I do not know of any other NFC or Bluetooth capable FIDO devices currently on the market. This means your minimum cost to get rolling with FIDO is about $45.

And, I strongly suggest having a backup. One of my Yubikeys failed on me, and if I didn't have a spare, I'd be out of luck. Google sends two keys, Bluetooth/USB and NFC/USB for $50. With Yubikey that'll set you back at least $90...
/cl
Nothing is “broken”. The codes still work fine. Your statement implies their architecture had been breached. It hasn’t.
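The origin-binding argument in the quoted post, as an added example that is not part of either poster's text: a toy model of a U2F authenticator and relying party in which the signed client data carries the origin the browser is actually talking to. HMAC with a per-service secret stands in for the per-service ECDSA key pair a real authenticator mints, and the site names are constructed; the point is that a relayed challenge fails verification when the victim is on a different origin, whereas a relayed OTP code would not.

```python
import hashlib
import hmac
import json
import os
import secrets


class Authenticator:
    """Simplified U2F token: one key per registered origin (HMAC stands in for ECDSA)."""

    def __init__(self):
        self._keys = {}  # origin -> per-service key

    def register(self, origin):
        self._keys[origin] = os.urandom(32)
        return self._keys[origin]  # a real token would return a public key + key handle

    def sign(self, origin, challenge):
        # The browser supplies the origin it is really connected to; the token
        # never sees what site the user *thinks* they are on.
        key = self._keys[origin]  # KeyError if no key was ever minted for this origin
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, origin):
        self.origin, self.keys, self.pending = origin, {}, {}

    def enroll(self, user, token):
        self.keys[user] = token.register(self.origin)

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, user, client_data, sig):
        data = json.loads(client_data)
        if data["origin"] != self.origin:  # origin check defeats a relay
            return False
        if data["challenge"] != self.pending.pop(user, None):
            return False
        expected = hmac.new(self.keys[user], client_data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


def legitimate_login(rp, token, user):
    client_data, sig = token.sign(rp.origin, rp.challenge(user))
    return rp.verify(user, client_data, sig)


def relayed_login(rp, token, user, phishing_origin):
    # Attacker proxies the real site's challenge to a victim browsing the phishing origin.
    challenge = rp.challenge(user)
    try:
        client_data, sig = token.sign(phishing_origin, challenge)
    except KeyError:
        return False  # token has no key for that origin, so there is nothing to relay
    return rp.verify(user, client_data, sig)  # origin mismatch even if a key existed
```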