The end of password authentication?

[cheeto]

Hey guys,

I've read that Yahoo is trying to adopt a new 2 step authentication process.

As a Yahoo user, I find it relativity annoying.

Could this be the beginning of the end for Passwords as we know it?

Take a look:

http://www.theverge.com/2015/3/15/8219529/yahoo-on-demand-passwords-and-end-to-end-email-sxsw-2015

[Rkiver]

You say it like two factor is a bad thing. Anything that encourages the average user to improve their security can only be a good thing.

[cheeto]

Frankly the average user has become comfortable just using 2 or 3 passwords these days. (I know, lazy and insecure)

Adding an additional step may not be in the interest of all.

side note, what will happen to captive portals that require credentials in order to access? (like Evil portal)

Anyway, I wouldn't be surprised if other sites follow suit.

My bank requires that I access with a digital token. That's not very convenient to have to carry a token everywhere you go.

I think this new process will be a hard sell.

[cooper]

My bank lets me view my banking info via a simple username/password prompt, but when you want to change anything (transfer funds etc) they text you a random 6-digit code which you need to provide on the website. Works great.

They also have an app. Here that specific device is first authorized by you to work with your account (requiring another 6-digit code). You need to set a 5-digit code to start the app and repeat that 5-digit code for any change (transfer..) you make through it. If anything, this would be the weak spot as I would've expected them to text another 6-digit code here and ask you to enter it. On the one hand the code should arrive on the same device, so what are you trying to prove? On the other you could be using this app from a tablet in which case the text could provide further proof you're you. Finally, if anything that 5-digit change code for the app should be something different from the one to start the app, but I'm guessing people felt that was too complicated.

I've got passwordless authentication set up pretty much everywhere so at least the problem of using shitty weak passwords isn't one of mine.

[i8igmac]

Years ago Traffic was 100% insecure ... all your data was viewable by anyone on the wire capable...

my opinion, ever since snowdin went public, social media has brought this information to hole new level...

Hackers will adapt!

My old projects were all about hijacking traffic injecting meterpreters... not fun anymore with this new secure standards.

[cheeto]

The problem with digital tokens is that you need to carry them around with you if you wish to access/transfer funds etc...

What is rather interesting and I would assume safe is that my bank as an Android App that requires no tokens or anything of that nature. A simple user/pass is all that is needed. I think mobile phone apps are by far the safest way to go.

I totally agree i8igmac, Hackers will adapt to these changes.

Right now however , I think they have the upper hand.

[digip]

Do we really trust our phones more than our home built machines? Not that I really trust any device and network, my own or others regardless...

Apps on your phone are more convenient than security in my opinion. A one time SMS message sent in the clear is more secure than a native app since most apps store a single token on the phone and can be copied to another device easily. or in the case of some apps, sniff the URL used to authenticate the token and just reply what it asks for. I would rather have some two/three or more factor mechanisms in place and mandatory for certain things, like my bank access via the internet, vs an all my eggs in one basket approach, but that's just me. Sure, more layers is a PITA, but that's also more the reason to use more layers. You want to "try" at a minimum to prove who is logging in, but there is never 100% security when it comes to computers.

Kos demoed his otg attacks on phones and tablets many moons ago, and how Google reused tokens from the phone to re-authenticate with their services, which could be copied to a URL directly to another system to mimic you. Mirroring your phone, would also allow someone else to login as you if they acquired data off your phone. Phones are probably the last place I'd want to login to something like my bank from though, but many people use their phones and tablets/mobile devices as CC gateways too, so you're at the mercy of your setup and what you choose to run with I guess.

If you aren't always forced to interact and reply though, then you'd be none the wiser if someone stole your digital token or in the case of many who like using key pairs with no passwords for SSH(how many people have them on their HDD in the PuTTy directory right now vs on a seperate USB drive or device?), if someone did manage to get your copy of your key, then you better have something in place to audit/notify you every time you login. On my sites, I make them email me when someone logs into WordPress not only when I login to the sites, but also when someone tries to brute force the logins and for real users. I don't use key pairs on my domains even though I can set it up, but I also don't have access to the logs since it's on a shared host so I can only see info such as my last IP and login date each time I login, which I do look at, but would be too late in the event of a break in.

Everything has their pros and cons when it comes to convenience vs security, but I'd rather have an OCD oppressive login process with monitoring notifications and multiple layers on top of one another vs a single point of failure, which in my eyes is today's single password sign-on and keypair process. I think anything that adds more hoops to jump through is a step in the right direction.

[overwraith]

You can never truly trust anything computerized, I have heard that there have been hardware hacks imposed on some products on the market, not necessarily from the NSA. China likes to do this too. As a computer programmer with a newly minted bachelors degree in Computer Information Systems I can tell you that computers are absolutely stupid, and will act on whatever garbage data they are given if the programmer doesn't explicitly set safeguards. Buffer overflows etc, are good examples, you are redirecting program flow via shellcode(machine code) in a buffer that the length is not checked. You also have to take into account that cell phones rely on a public infrastructure owned by company conglomerates. Some of these companies have better track records than others, for instance, did you catch that article on Ars Technica a while back that was talking about how Apple was making it so that not even they could recover phone passwords once they were assigned? By doing this, they are essentially making it more difficult for government organizations such as the NSA to gain access to one's phone files (not impossible, just not practical to hack everybody's). Each of the phones is crypto locked. I would by far trust Apple more than Google, or other companies. As far as PC's being more reliable, I have had instances where my computer was pwned, and I literally saw the mouse cursor move on my screen out of my control, and started doing things. Wanna bet what that did for my sense security? Of course that was a while back and has been resolved via a rebuild. Phones are new, which is a con for using them for your personal security token, but on the other hand they are also portable, so theoretically if the NSA or someone more nefarious raids your house while you are gone, your security token is theoretically still sound. If it gets stolen out of your back pocket, then your security is breached. I read an article once about how people black hats were putting their tools and such on live USB keys, and I have heard some forensics students (they probably had experience with this at work) complaining that they couldn't get the bad guy's data or pwn his box because there was no operating system there to pwn. Portability does have it's own value. Of course you shouldn't do any black hat stuff anyway, just a discussion.

Edited March 18, 2015 by overwraith

[digip]

If the government wanted you, they could track you via your phone, so that's not so much the issue as it's one of the weakest places I can think of to store my data that matters to me. Unless its turned off with a battery pull, its literally a walking homing device tracking you while also having access to the internet pretty much 24/7 over your data plan, not to mention that fact that

If it gets stolen out of your back pocket, then your security is breached.

which it doesn't even have to be stolen to get the data in most cases. Just a few seconds of physical access and you would be none the wiser for loss of your token or access to the device.

If you recieved an SMS of just a series of letters and numbers, but didn't know where to use it, most people seeing it wouldn't know what to do with it without sniffing your traffic for which the government can already do anyway. Two factor keys usually expire relative quickly since they are only meant to be used one time. If someone intercepted and logged in before you, when you go to use it, it should(or would hope) is then invalid, for which if you kept running into that issues, should set off a few red flags.

[overwraith]

You're absolutely right about the whole homing device thing, one of the things I most hate about modern cell phone technology. I learned in one of my intro forensics classes that there are, or there have been sites which you could literally track people via their phone numbers of their cell phones. It preformed the triangulation. The thing about a lot of our modern computers is that they use public infrastructure. There is no way around this really, and it is unfortunate. The internet is not built to be anonymous, or at least it isn't now. Phones do have another thing going for them though, I heard that they change IP addresses every time they boot up, which could be a good thing.

[cooper]

The thing about a lot of our modern computers is that they use public infrastructure.

I like the way you word this since it highlights a critical feature. "Public infrastructure" and not "government infrastructure". Why is it that the government thinks it can commandeer this infrastructure? The government, being a body elected by the people and supposedly held accountable for its actions by those same people should act as representatives for those people. Walk through a busy mall one day and ask anybody you can find if they would be cool with the government listening on their personal communications. Not just the private bits, everything. See how many will tell you "yeah, I'm totally cool with that".

People nowadays put up with it because they think they're not being targeted. That it's to stop terrists[sic] and criminals and thugs. But when some unpopular piece of legislation is up for a vote and you decide to join the protest rally to voice your discontent on that item there's a great chance your name is in a government database somewhere as a dissenting member of the public. For the vast majority of people it won't make a lick of difference - it won't affect their lives in any way, shape or form. But if the government decides to lash out against its dissenters (and some would argue this has already begun) this has the potential to be misused in a rather vile manner.

Judge: "This is the case of malfunctioning citizen 51135453433549773 vs The State. How do you plead?"

You: "Not guilty, your honor."

Judge: "Care to elaborate?"

You: "A law was passed that would allow the state to run a nuclear powerplant literally in the plot adjacent my back yard. I'm not comfortable with that so I joined a rally to protest that decision."

Judge: "By your own admission here in court you dissented against this great state, admitting your guilt in this case. You are hereby sentenced to 3 years hard labor in Alaska. NEXT!"

[cheeto]

Our rights to privacy are practically gone.

Thanks to Homeland security. (as well as other Governing bodies around the world)

OK, I agree that it's important to have "some" security but to infringe on our rights of privacy?

That's pretty expensive if you ask me.

After 911, Our rights were lost and there is no going back too.