Conversation
silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 01:10:56 JST:
Most people are more likely to lose authenticator tokens (their phone, their yubikey) than be hacked by a sophisticated attacker.
Password manager 2FA and SMS 2FA solve the threat model that most people live in.
(Organizational security has a far different threat model.)

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 01:56:10 JST:
@hypolite Which is more likely: a second LastPass situation or me washing my Yubikey?

hypolite (hypolite@friendica.mrpetovan.com) on Monday, 20-Feb-2023 01:56:16 JST:
@silverwizard But cloud password managers are likely to be hacked as well?

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 02:06:58 JST:
@hypolite Which is more likely: Becky losing her phone number or a second LastPass?

hypolite (hypolite@friendica.mrpetovan.com) on Monday, 20-Feb-2023 02:07:01 JST:
@silverwizard You are a terrible example.

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 02:08:11 JST:
@hypolite Also, I am a terrible example because I have a backup yubikey to sign up two tokens.

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 02:34:32 JST:
@hypolite Oh, no, attacking SMS 2FA is easy, just SIM hijack.
I am talking about getting locked out because you accidentally lost your auth app.

hypolite (hypolite@friendica.mrpetovan.com) on Monday, 20-Feb-2023 02:34:34 JST:
@silverwizard A second LastPass, but some SMS 2FA attack vectors don't require you to lose your phone number, so I'm partial.

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 02:54:44 JST:
@hypolite That's what I'm saying.
You won't lose your phone number for SMS or password manager.
Whereas losing a phone with a TOTP authenticator setup or losing a yubikey is pretty simple.

hypolite (hypolite@friendica.mrpetovan.com) on Monday, 20-Feb-2023 02:54:47 JST:
@silverwizard Still LastPass, these days losing a *phone number* is pretty hard to do.

⛅ w chance of bears (teejeh@mastodon.social) on Monday, 20-Feb-2023 12:15:22 JST:
@silverwizard Mostly I find myself weirded out by people acting like authenticator apps are high friction in comparison to SMS 2FA. The user experience of "hopefully the code arrives quickly" makes it just that bit unpleasant even when they often *do* come promptly. (Yubikeys have a very obvious $$ barrier to being the norm for individuals.)

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 12:15:22 JST:
@teejeh Yeah, I just only have the option of Google TOTP, which squicks me, or Yubico TOTP, which needs a key, so uh, kinda fails the access test.
But also, I am *far* more likely to lose a phone than be hit by SIM swapping (to be clear, only because I'm a dumbass).

hypolite (hypolite@friendica.mrpetovan.com) on Monday, 20-Feb-2023 12:17:04 JST:
@teejeh Although for authenticator apps, the high friction comes when the device where tokens are installed disappears for some reason (repairs, theft, replacement). Then the real uphill battle starts.

⛅ w chance of bears (teejeh@mastodon.social) on Monday, 20-Feb-2023 12:55:37 JST:
@silverwizard Yeah, most of my TOTP tokens are mirrored across my Yubikeys largely to save headaches when changing phones. I have one on Entrust's app that I can't do that with, and the couple of times I've had to move it were a pain finding the instructions again.
But using Yubico TOTP also basically primed me for "password manager TOTP is functionally the same as Google TOTP but with the convenience of device portability".

silverwizard (silverwizard@convenient.email) on Monday, 20-Feb-2023 12:57:08 JST:
@teejeh Well, the issue most people have with password manager TOTP is that then if your password manager is compromised, then your password is.
And the answer to that is "it's complicated", but yeah, in a perfect world we'd all have two security keys, and one is kept in a secure location and one is kept in a wallet/keychain, but that's not feasible (says the man with that).

silverwizard (silverwizard@convenient.email) on Tuesday, 21-Feb-2023 00:42:15 JST:
@hypolite @bobjonkman Does KeePass do TOTO these days?

Bob Jonkman (bobjonkman@mastodon.sdf.org) on Tuesday, 21-Feb-2023 00:42:16 JST:
So far, every service for which I've registered TOTP (Twitter, Facebook, Mastodon) has offered recovery codes in case I lose my TOTP device. Surely that mitigates @silverwizard's loss model.

Bob Jonkman (bobjonkman@mastodon.sdf.org) on Tuesday, 21-Feb-2023 00:42:16 JST:
And I keep my password manager DB on several devices. Does that make me as weird as @silverwizard?

silverwizard (silverwizard@convenient.email) on Tuesday, 21-Feb-2023 03:43:41 JST:
@hypolite TOTO is a TOTP typo.

hypolite (hypolite@friendica.mrpetovan.com) on Tuesday, 21-Feb-2023 03:43:45 JST:
@silverwizard What's TOTO? I have a KeePass TOTP plugin that I use as the truth source for all my TOTP tokens. Based on the seed it can generate a QR code that token apps can read.
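As an added example (not code from anyone in this thread), the Python below shows what the "seed" in hypolite's last post is and why the same seed can live in a KeePass plugin, a phone app and a Yubikey at once, which is also the exposure silverwizard describes when a password manager holding it is compromised: RFC 6238 TOTP derived from a base32 seed, a verifier with a clock-drift window, and the otpauth:// URI that an enrollment QR code encodes. The seed is the RFC 6238 reference seed used as a constructed value; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Constructed value: the RFC 6238 reference seed "12345678901234567890" in base32.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at a given Unix time.
    Every device holding the same seed computes the same code for the same
    time step, which is why one seed can be mirrored across a phone, a key and
    a password manager, and why leaking the seed leaks the second factor."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // period                      # time step T since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                window: int = 1, digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` steps to
    absorb clock drift, comparing in constant time to avoid timing leaks."""
    for step in range(-window, window + 1):
        expected = totp_at(secret_b32, unix_time + step * period, digits, period)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def otpauth_uri(secret_b32: str, issuer: str, account: str,
                digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI an enrollment QR code encodes; whatever scans it
    (phone app, password manager plugin, hardware key) receives the seed."""
    label = quote(f"{issuer}:{account}", safe=":@")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp_at(DEMO_SEED_B32, now))
    print("enrollment URI:", otpauth_uri(DEMO_SEED_B32, "Example", "alice@example.org"))
```

The first two assertions in the accompanying check reproduce RFC 6238's published 8-digit SHA-1 test vectors, so the arithmetic can be trusted before a seed is pointed at a real service.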