Thoughts on Twitter's new Two-Factor Authentication (blog.authy.com)
The author cites two "flaws":
1. Your phone is offline sometimes.
Twitter has a backup code mechanism that covers this case. They talk about it, right in the post.
2. An attacker can send verification requests that look exactly like yours.
The sole use case for this mechanism is to verify login attempts by the phone's owner in real-time. If a verification request comes in and you're not actually trying to log into Twitter, or if you see more than one, you know you're being attacked.
It's true that if you share a login among multiple coworkers, you're vulnerable to being tricked. But that's a bad practice to begin with, and this 2-factor system is still a massive improvement in security even for that scenario.
Imagine you're at work, logging in to a two-factor system. Now imagine your attacker is sitting 15 feet away from you. All the attacker needs to do is wait for you to attempt to log in to the system before attempting to log in himself.
When we have penetration tests run against us, this is exactly what is happening. We give the penetration tester a desk, a connection to the internal corporate network, and the same bare level of access we would give to a temporary contract employee.
For example, here's a hardware token implementing the protocol: https://www.safenet-inc.com/products/data-protection/two-fac...
I explain the phone 'rooting' problem and it isn't perceived as a real issue yet (although perhaps it is getting there). In the meantime I have it on my shelf of "things I could build that at least 10 people I know would buy one of." :-)
1. I sign into Twitter with my browser
2. My phone receives a push notification saying that I have a pending auth request.
3. So I click it and load the Twitter iOS app, and I see "You have no login requests" for that account, no matter how much I refresh it (it has been 10 minutes now).
4. Now I can't get into my Twitter account on the browser.
The urge to disable it is certainly strong.
We want to secure with 2 factor here in our offices, but it involves giving 10 people the app and possibly getting spammed every time someone logs in. I realize they went for this approach rather than have your average user type in numbers but I can't help but feel confused by this move.
Why doesn't Twitter (and YouTube, also a terrible offender), simply allow multiple accounts to manage a corporate channel? Like Facebook does with Pages, or Google Analytics with profiles?
Instead we have to either share a single password among multiple people (not secure) or use third party apps like HootSuite (and now your security totally depends on that app, not Twitter).
Puzzling.
OTPs are great and all but in the end you keep the damn unhashed secret on all machines that have to accept the OTP.
For me, it is more about asking yourself what approach will increase the overall security of a system. User adoption is a critical consideration. That is where Twitter's approach shines. It's something that is super easy to adopt, no numbers to type in, which means literally millions more users may adopt it. Authy is undervaluing that consideration.
Yes, this is vulnerable to a) foolish users who approve duplicate requests and b) an attacker looking over their shoulder.
Pretty good tradeoff IMHO.
Certainly I would be pissed beyond belief if I tried to log in to my bank (assuming they ever pull their heads out of their asses to support 2FA) and couldn't because I don't have cellular service in addition to Internet.
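A small model, added here and not taken from any commenter or from Twitter's implementation, of how a push-approval server could enforce the rule discussed in the thread: an approval must name one specific pending request, and it is refused when more than one login is pending for the account (the "duplicate requests" / over-the-shoulder case). The class and method names are assumptions made for this example.

```python
import secrets


class PushApprovalVerifier:
    """Server side of push-based login approval (constructed model).

    Each browser login attempt creates a pending request with an unguessable id.
    The phone approves one specific request id. An approval is honoured only if
    that id is the sole unexpired pending request for the account; if several
    are pending, none is approved and the user has to start over.
    """

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}  # request_id -> (username, created_at)

    def start_login(self, username, now):
        # Called when a browser submits a correct password; returns the id the
        # phone will later have to echo back. Random so it cannot be guessed.
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = (username, now)
        return request_id

    def _live_requests(self, username, now):
        # Drop expired requests, then list the ones still pending for this user.
        self.pending = {rid: (u, t) for rid, (u, t) in self.pending.items()
                        if now - t <= self.ttl}
        return [rid for rid, (u, t) in self.pending.items() if u == username]

    def approve(self, username, request_id, now):
        # Called when the phone taps "approve" on a specific request.
        live = self._live_requests(username, now)
        if request_id not in live:
            return "unknown_or_expired"
        if len(live) > 1:
            # More than one login pending: at least one is not the user's own.
            # Deny all of them so an attacker cannot ride on the user's tap.
            for rid in live:
                del self.pending[rid]
            return "denied_concurrent"
        del self.pending[request_id]
        return "approved"
```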