What about the recent cases where SIM cards were cloned (through social engineering) and the phone accounts captured? In that case, the phone still thinks it's the true phone, and Google Auth continues to merrily run? Or did I misinterpret what was going on?

# ? Sep 19, 2019 02:58

Yes, that's not how it works for things not SMS.

# ? Sep 19, 2019 03:00

Arsenic Lupin posted: What about the recent cases where SIM cards were cloned (through social engineering) and the phone accounts captured? In that case, the phone still thinks it's the true phone, and Google Auth continues to merrily run? Or did I misinterpret what was going on?

Cloning a sim card does not compromise the authenticator app running on your phone.

# ? Sep 19, 2019 03:00

Arsenic Lupin posted: What about the recent cases where SIM cards were cloned (through social engineering) and the phone accounts captured? In that case, the phone still thinks it's the true phone, and Google Auth continues to merrily run? Or did I misinterpret what was going on?

This works because SIM cards are technically their own little realm, basically a tiny microcontroller, some even have their own little apps, which can let you hijack and clone the SIM and use it against SMS two factor. This has been a known issue for...what, at least half a decade? SMS two factor was always considered risky, because even in the early days of SMS it was easy to spoof. However, 2FA applications are different, run at the user level, and require achieving root or system level to read out the database for the 2FA app. So not possible by just cloning the SIM. Check out the DEFCON talk on SIM cards: https://www.youtube.com/watch?v=31D94QOo2gY

CommieGIR fucked around with this message at 03:26 on Sep 19, 2019

# ? Sep 19, 2019 03:08

CommieGIR posted: However, 2FA applications are different, run at the user level, and require achieving root to read out the database for the 2FA app. So not possible by just cloning the SIM.

I can't speak to Android phones, but at least on iOS anything stored in the enclave would still be protected. And at least the MS Authenticator app stores its db there.

# ? Sep 19, 2019 03:13

The Fool posted: I can't speak to Android phones, but at least on iOS anything stored in the enclave would still be protected. And at least the MS Authenticator app stores its db there.

I know if you root your phone the db can be read to back it up, either way it's way outside of what a SIM will be capable of doing or is allowed to talk to/access.

CommieGIR fucked around with this message at 03:28 on Sep 19, 2019

# ? Sep 19, 2019 03:25

CommieGIR posted: This works because SIM cards are technically their own little realm, basically a tiny microcontroller, some even have their own little apps, which can let you hijack and clone the SIM and use it against SMS two factor.

Cool! Thank you!

# ? Sep 19, 2019 04:01

The Fool posted: We have mandatory MFA for any logon outside of our primary network.

Some of the more advanced systems will use GeoIP lookups relative from the previous logon to figure out if it needs to throw in a 2FA challenge or let you through without the extra step. It's pretty nice.

# ? Sep 19, 2019 14:30

BangersInMyKnickers posted: Some of the more advanced systems will use GeoIP lookups relative from the previous logon to figure out if it needs to throw in a 2FA challenge or let you through without the extra step. It's pretty nice.

Sounds similar to one of the alerts in Microsoft Security Center called "impossible travel time" or something like that where it will do a GeoIP lookup and do an alert if it'd be impossible for the user to log in in that time period in both places. It has a lot of false positives, but it's not like a 2FA challenge is the end of the world. That's interesting.

# ? Sep 19, 2019 14:34

Internet Explorer posted: Sounds similar to one of the alerts in Microsoft Security Center called "impossible travel time" or something like that where it will do a GeoIP lookup and do an alert if it'd be impossible for the user to log in in that time period in both places. It has a lot of false positives, but it's not like a 2FA challenge is the end of the world. That's interesting.

It mostly catches people using proxies, which has become my reporting hell for the last month.

# ? Sep 19, 2019 14:36

Internet Explorer posted: Sounds similar to one of the alerts in Microsoft Security Center called "impossible travel time" or something like that where it will do a GeoIP lookup and do an alert if it'd be impossible for the user to log in in that time period in both places. It has a lot of false positives, but it's not like a 2FA challenge is the end of the world. That's interesting.

The problem we've run into with it is sometimes Microsoft's logon requests for O365 get bounced through IPs that are further than normal, which kicks the 'impossible travel' warning.

# ? Sep 19, 2019 14:36

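An added example (not from the thread) of the impossible-travel check the posts above describe: each GeoIP-located sign-in is compared with the same user's previous one, and a pair that would require implausible speed is flagged. The events, coordinates and the egress allowlist are constructed; the allowlist stands in for the known proxy and O365 relay addresses the posters blame for false positives, and the GeoIP lookup itself is assumed to have already happened.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster than this is "impossible"
# Constructed allowlist of egress ranges (VPN/SaaS relays) whose GeoIP location is meaningless.
KNOWN_EGRESS_PREFIXES = ("203.0.113.",)

@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float  # assumed already resolved from ip by a GeoIP lookup
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):
    """Return (user, earlier, later, implied_kmh) for each same-user pair that is too fast."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.ip.startswith(KNOWN_EGRESS_PREFIXES):
            continue  # skip proxied sign-ins instead of alerting on the proxy's location
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append((e.user, prev, e, round(kmh, 1)))
        last_seen[e.user] = e
    return alerts

def _t(h, m):
    return datetime(2019, 9, 19, h, m, tzinfo=timezone.utc)

# Constructed sample: alice appears in Seattle, then 90 minutes later in London;
# bob's second sign-in arrives through the allowlisted egress range and is skipped.
SAMPLE = [
    SignIn("alice", _t(14, 0), "198.51.100.10", 47.61, -122.33),
    SignIn("alice", _t(15, 30), "192.0.2.44", 51.51, -0.13),
    SignIn("bob", _t(9, 0), "198.51.100.20", 40.71, -74.01),
    SignIn("bob", _t(9, 10), "203.0.113.5", 35.68, 139.69),
]
```

Tuning `MAX_PLAUSIBLE_KMH` and the allowlist is where the false-positive rate is really decided; the distance maths is the easy part.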
Powered Descent posted: Yes, let's all tell the disabled person exactly what they can and can't do on account of their disability, of which we know nothing except the vague category that it falls into.

I said disabled people can do the same/better job than the rest of us.

# ? Sep 19, 2019 18:20

Regarding 2FA, I saw it brought up elsewhere and made me curious. Why is the 2FA challenge (usually) only polled after a correct login with a password? That pretty much tells an attacking entity that at the very least the password is correct, and might mark it for reuse on other sites. Why not just do 2FA on the same page as the main login? Or why not just fall through to the 2FA page regardless of a correct login or not, and only then fail if either is wrong?

# ? Sep 19, 2019 18:33

Combat Pretzel posted: Regarding 2FA, I saw it brought up elsewhere and made me curious. Why is the 2FA challenge (usually) only polled after a correct login with a password? That pretty much tells an attacking entity that at the very least the password is correct, and might mark it for reuse on other sites. Why not just do 2FA on the same page as the main login? Or why not just fall through to the 2FA page regardless of a correct login or not, and only then fail if either is wrong?

How would you prompt for 2FA before entering login information? Am I misunderstanding what you're asking?

# ? Sep 19, 2019 18:43

The Fool posted: I can't speak to Android phones, but at least on iOS anything stored in the enclave would still be protected. And at least the MS Authenticator app stores its db there.

I can, but it's a separate discussion. If you can compromise the OS that doesn't mean the enclave is uncompromisable and all that data is safe. As an industry we think far too highly and rely on trusting opaque as hell enclaves with lots of C code and IPC mechanisms and surely nothing could go wrong (hint, it goes wrong). As a 2FA, phones are great, there's a what-you-have that you carry with you anyways. SMS is not using your phone as a 2FA, SMS is using your phone number as a 2FA -- that's why it's lovely. Mobile networks and providers were not designed around phone number ownership being "hard".

# ? Sep 19, 2019 18:49

CLAM DOWN posted: How would you prompt for 2FA before entering login information? Am I misunderstanding what you're asking?

--edit: Wait, I get it. If 2FA is optional, this is a problem. I suppose the site in question could check on the fly, as soon as you entered the login handle, whether it's needed and add the field appropriately. To obfuscate checking for password validity, I guess.

--edit2: Well, that, or just display the field anyway with a note a la "If you use 2FA, please fill in the code".

Combat Pretzel fucked around with this message at 18:52 on Sep 19, 2019

# ? Sep 19, 2019 18:50

Combat Pretzel posted: If it's 2FA using an app like Authy, generating a code, you could just slap a third field asking for it straight on the login page.

Ohh sorry, I see what you mean. One thing there, like you said, is that proper practice is not to give any indication to the user other than a generic authentication error if you enter a bad/missing/whatever username or password. This prevents guessing, and means we don't confirm to the user if the username exists or not. As for your edit2, that's essentially the same as a post-authentication prompt, isn't it? You're definitely hitting on some good points though! MFA is interesting.

# ? Sep 19, 2019 18:54

Not confirming whether a username exists only works when the username is different from the email, otherwise it's possible for the attacker to use the email to check whether it exists or not, unless you also make that error message something like "If this user exists, a mail should arrive at some point" or something to that effect.

# ? Sep 19, 2019 19:18

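An added example (not from the thread) of the single-form login Combat Pretzel asks about: username, password and TOTP code are all evaluated before any answer is given, and every failure yields the same generic result, so a caller learns neither that the password was right nor whether the account exists. The same TOTP routine also illustrates the SIM-cloning discussion earlier: the code depends only on the enrolled secret and the clock, never on the phone number. The user store, salt and secrets are constructed; it assumes RFC 6238 TOTP as Google Authenticator uses it (SHA-1, 30 s steps, 6 digits), with alice's secret being the RFC test secret.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated.
    Only the secret and the clock are involved; the SIM and phone number play no part."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed user store: alice has a TOTP secret enrolled, bob has not.
_SALT = b"constructed-salt"
USERS = {
    "alice": {"pw": hash_password("correct horse", _SALT), "totp": b"12345678901234567890"},
    "bob": {"pw": hash_password("hunter2", _SALT), "totp": None},
}
# Dummy record so an unknown username costs the same work as a real one.
_DUMMY = {"pw": hash_password(secrets.token_hex(16), _SALT), "totp": secrets.token_bytes(20)}

def login(username: str, password: str, code: str, now: int) -> bool:
    """Check every factor before deciding, then return only True/False.
    The caller never learns which of user, password or code was wrong."""
    rec = USERS.get(username)
    known = rec is not None
    rec = rec if known else _DUMMY
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), rec["pw"])
    if rec["totp"] is None:
        code_ok = True  # no second factor enrolled; the form's extra field is ignored
    else:
        # accept the current 30 s step and its neighbours to absorb clock drift
        code_ok = any(hmac.compare_digest(totp(rec["totp"], now + d), code)
                      for d in (-30, 0, 30))
    return known and pw_ok and code_ok
```

This ordering only works for code-based second factors: for push-style MFA, sending the prompt before the password is verified would let anyone who knows a username flood that user with prompts, whereas checking a submitted code has no side effect.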
EVIL Gibson posted: I said disabled people can do the same/better job than the rest of us.

# ? Sep 19, 2019 19:27

I'm pretty sure the AWS console will show the 2fa prompt screen even if the password is wrong. I've gotten a few users come to me with "It keeps prompting me to resync my token, I'm about ready to say gently caress mfa" but in reality they just got their password wrong. It does expose that the user does exist, and does have mfa though. I'm also not sure if it does it with yubikey auth instead of TOTP.

# ? Sep 19, 2019 19:46

CLAM DOWN posted: How would you prompt for 2FA before entering login information? Am I misunderstanding what you're asking?

Mandatory MFA for all users and the field is just part of the login form.

# ? Sep 19, 2019 20:28

Combat Pretzel posted: Regarding 2FA, I saw it brought up elsewhere and made me curious. Why is the 2FA challenge (usually) only polled after a correct login with a password? That pretty much tells an attacking entity that at the very least the password is correct, and might mark it for reuse on other sites. Why not just do 2FA on the same page as the main login? Or why not just fall through to the 2FA page regardless of a correct login or not, and only then fail if either is wrong?

Since most 2fa systems are a push topology now, you would effectively be entering a username you know about then swamping that poor sucker with sms codes/robocalls/softtoken push notifications.

# ? Sep 19, 2019 20:49

MS is doing a thing where you can change your primary authentication method to mobile auth instead of a password. It's available for live accounts, azure ad and adfs. The user experience is provided through a paginated form, where you type in your username, submit, then are presented with your primary authentication method. I really like the mobile auth flow since you can get two factors (possession + biometric) off of the device and eliminate passwords entirely if your business will let you.

# ? Sep 19, 2019 21:20

I don't think that's really MFA. It's two things you are and one thing you have. Nothing you know.

# ? Sep 19, 2019 21:48

Cup Runneth Over posted: I don't think that's really MFA. It's two things you are and one thing you have. Nothing you know.

It does throw in a lot of the Azure monitoring and behaviour analytics in there. Lots of checking is done from location to source to device to time-of-day profiling. I'm glad about phasing out passwords overall, they suck.

# ? Sep 19, 2019 22:06

Cup Runneth Over posted: I don't think that's really MFA. It's two things you are and one thing you have. Nothing you know.

There’s an implication that you know how to unlock the phone, but that can repeat a factor. That said, 2FA seems like it’s MFA, unless that term moved around underneath me.

# ? Sep 19, 2019 22:14

Cup Runneth Over posted: I don't think that's really MFA. It's two things you are and one thing you have. Nothing you know.

Yeah, as Subjunctive pointed out, two factors are still multiple factors.

# ? Sep 19, 2019 22:20

EssOEss posted: Yeah, as Subjunctive pointed out, two factors are still multiple factors.

Okay, true, but only in the sense that a username and password is MFA, which most people would not describe it as.

Subjunctive posted: There’s an implication that you know how to unlock the phone, but that can repeat a factor.

I suppose that's not THAT different from a password manager.

# ? Sep 19, 2019 22:26

No, username is never considered an authentication factor, it is for identification only. Your two factors are:

- Thing you have (your phone)
- Thing you are OR thing you know (biometric or PIN)

# ? Sep 19, 2019 22:28

Arsenic Lupin posted: It all depends on the disability. You don't know my life, you don't know how my particular disability changes it. Some disabled people genuinely cannot work, and it's frustrating to have those who can held up as role models. For those who worried about my having a hobby, I'm working on a novel.

Okay everyone, I am going to stop being positive and assume everyone in here is an idiot and incapable of doing things. I am sorry for saying nice things!

EVIL Gibson fucked around with this message at 23:08 on Sep 19, 2019

# ? Sep 19, 2019 22:37

How happy are you, as security professionals, with fingerprint recognition unlocking phones? I've heard they're easy to spoof, and Google at Android 10 is moving toward using it as the primary unlock for e.g. LastPass. (Yes, I know about LastPass, my husband prefers it to 1Password, it's not a battle I feel like fighting.)

# ? Sep 19, 2019 22:57

From a practical point of view: random rear end in a top hat that steals my phone isn't going to be able to do anything with it.

From a theoretical point of view: law enforcement can compel you to unlock your phone with biometrics but can't compel you to give up a password.

Any other scenario is irrelevant.

# ? Sep 19, 2019 23:03

Arsenic Lupin posted: How happy are you, as security professionals, with fingerprint recognition unlocking phones? I've heard they're easy to spoof, and Google at Android 10 is moving toward using it as the primary unlock for e.g. LastPass. (Yes, I know about LastPass, my husband prefers it to 1Password, it's not a battle I feel like fighting.)

It took a while to get used to, but it seems to make best use of the passcode for security and fingerprint for convenience. One of the biggest things I've learned over the years is that security cannot completely compromise convenience, otherwise security will get circumvented in ways that completely defeat the security (writing passwords on post-it notes attached to monitors at work, and other dubious ideas of that nature).

# ? Sep 19, 2019 23:07

Arsenic Lupin posted: How happy are you, as security professionals, with fingerprint recognition unlocking phones? I've heard they're easy to spoof, and Google at Android 10 is moving toward using it as the primary unlock for e.g. LastPass. (Yes, I know about LastPass, my husband prefers it to 1Password, it's not a battle I feel like fighting.)

They can be spoofed, but are not "easy to spoof". I feel just fine with them. Android, like iPhone, now has the "lockdown" mode to require a password when tapped. Fingerprints for mobile devices are a good balance of practicality and security. I'm uninformed on facial unlock, when it comes to Apple's Face ID or the upcoming Pixel one.

D. Ebdrup posted: One of the biggest things I've learned over the years is that security cannot completely compromise convenience, otherwise security will get circumvented in ways that completely defeat the security (writing passwords on post-it notes attached to monitors at work, and other dubious ideas of that nature).

Yup totally.

# ? Sep 19, 2019 23:23

The Fool posted: No, username is never considered an authentication factor, it is for identification only.

Then... you only have one factor with username and phone authentication. It's only two if your phone requires a password/PIN/biometric to unlock, which is not at all guaranteed or mandatory. Also there is clearly some disagreement on this, because I've been told in the past that a username is a thing you are (as it is traditionally immutable once created and is used to identify you).

# ? Sep 20, 2019 00:02

If I see your username in a leak, I assume that the password is also compromised. It's semi-protected information, but not strictly dangerous.

# ? Sep 20, 2019 00:26

Cup Runneth Over posted: Then... you only have one factor with username and phone authentication. It's only two if your phone requires a password/PIN/biometric to unlock, which is not at all guaranteed or mandatory.

In the context of an admin deploying MFA to their users you absolutely can guarantee that.

quote:

Yes, it is used to identify you only and is not a good authentication factor.

# ? Sep 20, 2019 00:31

Scrolling though this, I keep thinking "holy gently caress, good riddance"

# ? Sep 20, 2019 02:26

Potato Salad posted: Scrolling though this, I keep thinking "holy gently caress, good riddance"

Reader was good, tho?

# ? Sep 20, 2019 02:40

agreed

# ? Sep 20, 2019 04:56