D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] 2FA


On Thursday, 4 June 2020 13:13:19 BST Henry Bremridge wrote:
> I now have to implement 2FA for work. Does anyone have any opinions, I was
> thinking of either using authy or yubikey

No, because I don't know the threat or users.

I ended up writing a fairly long proposal on the relative merits of different 
2FA options for one web based system and implementing two different second 
factors to replace SMS (which was an awful choice I had to implement rather 
quickly as a like for like, make it happen NOW solution prior to that). Given 
the scope of that system "opinionated" wouldn't cut it :)

I'd suggest anything that doesn't end up with what would have been 4 or 5 
sides of A4 in a previous era, hasn't been thought through. Anything much 
longer than this is probably stuck in a bureaucracy, or can't use hyperlinks.

Reading the other thread - any solution (including Authy) will require account 
recovery process, and your security can't be stronger than the account 
recovery process. So yes people will lose hardware tokens (and software 
tokens), your process will have to allow for this, deal with it. 

Any solution that offers a backup of software tokens (like Authy) can't be 
stronger than their recovery process. I've deliberately blocked or disabled 
app backup for software 2FA for precisely this reason, SOMETIMES (rarely!) it 
is better to spend the time recovering accounts on losing a phone, than having 
people break in by recovering the backup. Risks vs usability / support cost.

People lose or reset mobile phones surprisingly frequently, I've reset my 
phone twice in a decade (once due to system admin work on phone security), but 
apparently I'm an outlier, and most people do this much more frequently than 
once a decade, budget once every two years if you don't know the users, 
similar for hardware tokens (at least will let you know if you need to charge 
a replacement fee), I know I've run their account recovery.

Yubikeys support U2F, which is a little old hat, but an open technology, if 
the front end is a web front end. U2F allows vendor's keys to be bought, so no 
vendor lock-in necessary with a reasonable hardware solution, although 
Yubikeys are probably your safe bet for an actual hardware vendor of U2F keys. 
You use to need to buy the ones with U2F support, probably all of them by now 
(but check, it has been a while).

Duo MFA is nice as a software solution for mobiles (they do mobile notification 
push), nicer than Authy last time I looked, I liked it also supported TOTP, so 
no need for a separate Google Authenticator App on the phone, and they do some 
basic checking people's mobiles are up to date, e.g. policy for authenticator 
devices. But it allows admin to misconfigure things, or rather the ability to 
allow some users to receive SMS, or other simpler second factors (voice 
calls), which flexibility is really useful in the real world if they change 
phone but keep number etc, but not beloved of security must come first folk 
like me (with my other hat on). Duo also did optional backup bits. We found 
stuff we didn't like in Duo and Authy, Duo fixed it ;)

The other thing which is tricky is phishing, it is really hard to mitigate 
phishing completely.  Some of the hardware tokens which create their own 
encrypted channel within or beside the web channel in theory avoid this (e.g. 
U2F), but unless they present something to the user about this channel (U2F 
noticeably chooses not to), it is very hard to be completely confident that it 
is fully mitigating a skilled phishing attack.  SMS, Google Authenticator all 
vulnerable. Duo pushes a bunch of information about the login attempt at the 
user to try and alert them to suspicious logins, at least they have a chance 
of spotting it, and Duo themselves may spot a change to a key field.

There is more that could be said, but more input needed.....

Personally think if you are having usernames and passwords for the web, stick 
them in the browser's password store, or a browser based password manager, so 
they complete on the correct site only, and this defeats phishing more 
effectively than most of the 2FA solutions. Of course that requires users who 
realise that if they ever have to cut and paste a password something has gone 
wrong. 2FA is still useful for sensitive sites, as sometimes the attacker is 
local or controls your browser, but when designing solutions you can't make 
everyone use a password manager and be sensible.....

The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq