28 Dec 2016, 05:15 AM, post #31
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Quote:
Originally Posted by BritTim
First, I am assuming that regular access, where possible, should be using U2F. I argue for OTP in the common case where those using computers on an ad hoc basis are unable to establish a session using U2F.
While I'll agree with that in principle, I think at this point the distinction between U2F and TOTP 2FA methods is pretty subtle for most users — at least compared to the magnitude of difference over a non-2FA world. Sure, everybody should be using U2F in an ideal world, but I think that for the vast majority of users, a TOTP-based authentication method is more than secure enough for what they're trying to protect — especially in light of the steps FastMail is already taking to ensure the security of the sessions themselves.

Speaking for myself, for example, while I fully understand the technical security advantages of U2F, I've made a conscious decision that I'd rather rely on TOTP and use my browser of choice than be required to use Chrome just to gain what I consider to be an incremental security benefit for my own purposes. For example, I don't consider myself to be vulnerable to phishing attacks, I trust the steps FastMail has taken to prevent MitM attacks and session hijacking, and I rarely use computers that have a high probability of being compromised by malware (e.g., I might log in from a client's PC on a corporate network or a business centre in a reputable hotel, but I've never had reason to do so in a generic Internet cafe).

Ultimately, the problem is that these security issues right now are largely about preaching to the choir. If you're educated enough to understand the benefits of U2F and go through a process of configuring a lower-security TOTP access strategy — and actually willing to go through the hassle of using that methodology, then chances are you're aware enough of the security risks that the benefits provided by U2F really are quite incremental.

Obviously it's a different matter when you're talking about building solutions in business environments, but 20+ years of consulting experience in IT security and messaging systems tells me that this is an uphill battle as well unless you've got management that's ready to buy in and seriously enforce restrictions on their end users. Then again, maybe I've just been jaded by working with clients like law firms where the inmates are running the asylum.

Quote:
Once U2F (or a common method which is equally secure) becomes ubiquitous, I accept that there is no need for time and function limited, alternative less secure authentication methods. My own sense is that this is not going to be true any time soon. As a practical matter, it cannot even be assumed that you will be allowed access to the USB port on computers that are not your own (for some good security reasons).
Yeah, the reality is that I don't expect U2F or anything like it to become mainstream in the near future for exactly those reasons. Lack of USB access is a key point, and frankly it's also a somewhat ironic trade-off... a public terminal that doesn't restrict USB access has a higher risk of being a compromised terminal — both directly as a result of that and secondarily as a sign that those operating the terminals aren't as security conscious as they should be.
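The post above contrasts TOTP and U2F mainly on usability, and mentions phishing as the property that separates them. The following is an added illustration, not code from the poster or from FastMail, of the mechanism behind that difference: an RFC 6238 TOTP verifier accepts a valid code no matter which web page the user typed it into, whereas a U2F-style relying party checks the origin recorded in the signed client data before accepting an assertion. The TOTP part uses the RFC 4226/6238 reference test secret; the U2F part is a simplification that stands in an HMAC for the token's ECDSA signature (the Python standard library has no P-256) and uses constructed origins such as `https://mail.example`, so the structure is what matters, not the exact wire format.

```python
import hashlib
import hmac
import json
import struct

# ---- RFC 4226 / RFC 6238: one-time codes ---------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 based one-time password (RFC 4226 dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps of skew.

    Note what this check does NOT see: where the user typed the code.  A
    code relayed from any page within the window is indistinguishable from
    one typed on the genuine site, which is why TOTP is phishable.
    """
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False


# ---- U2F-style origin binding (simplified) ---------------------------------

def device_sign(device_key: bytes, client_data_json: bytes,
                app_id_hash: bytes) -> bytes:
    """Stand-in for the token's signature over (app_id_hash || client data hash).

    A real U2F token signs with a per-registration ECDSA P-256 key; HMAC is
    used here only so the example runs without third-party libraries.
    """
    to_sign = app_id_hash + hashlib.sha256(client_data_json).digest()
    return hmac.new(device_key, to_sign, hashlib.sha256).digest()


def rp_verify_assertion(client_data_json: bytes, signature: bytes,
                        device_key: bytes, expected_origin: str,
                        expected_challenge: str) -> tuple:
    """Relying-party side: check origin and challenge, then the signature.

    Returns (accepted, reason).  The origin is embedded in the data the
    token signed, so a page at another origin cannot replay the assertion
    against the genuine site.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("origin") != expected_origin:
        return (False, "origin mismatch")
    if client_data.get("challenge") != expected_challenge:
        return (False, "challenge mismatch")
    app_id_hash = hashlib.sha256(expected_origin.encode()).digest()
    expected_sig = device_sign(device_key, client_data_json, app_id_hash)
    if not hmac.compare_digest(expected_sig, signature):
        return (False, "bad signature")
    return (True, "ok")


def make_client_data(origin: str, challenge: str) -> bytes:
    """What the browser hands the token: the origin it is talking to."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226/6238 test secret
    print("TOTP at t=59:", totp(secret, 59))   # RFC 6238 vector: 287082

    key = b"constructed-per-registration-key"
    genuine = "https://mail.example"           # constructed origin
    lookalike = "https://mail.example-login.test"
    challenge = "constructed-challenge"
    # Token signs for the origin the browser actually reports.
    cd = make_client_data(lookalike, challenge)
    sig = device_sign(key, cd, hashlib.sha256(lookalike.encode()).digest())
    print("Relayed assertion:", rp_verify_assertion(cd, sig, key, genuine, challenge))
```

The TOTP verifier's window tolerates clock skew between the token and the server; the U2F-style verifier gets no such leniency on origin, which is the whole point. On the defender side this is also why the poster's reliance on FastMail's session protections matters: with TOTP, everything after the code is entered rests on how well the session itself is bound and rotated.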