@Vance, apparently you have not used google authenticator?
Yes, software tokens are more susceptible to certain kinds of attack. Unless you want to carry around a dedicated RSA or similar hardware token generator for linode, and the expense of the hardware is worth it, there is no other option. OATH is not perfect. The security of the device the secrets are stored on is weaker than a separate offline hardware token like an RSA token. That's irrelevant, unless you are willing to pay for and carry around separate hardware token generators for each of your accounts.
Let's walk through what happens when you set up 2-factor for some site using TOTP w/ google authenticator on an android or iphone device. The website or service gives you the secret. Often it's in the form of a QR code. In the case of google accounts, you can optionally choose to display it as a 16 character lowercase alphanumeric string (log(36^16)/log(2) = approximately 82 bits of entropy). Using the QR code means you don't have to type anything in manually.
The secret is stored in application-private storage, and you never need to deal with it again. If you lose your device, that's what one-time passwords are for, or a service might offer some other out of band reset procedure.
Yes, anything with root access on your handheld device can read the secret, I assume. If your handheld device is compromised, the malware has root, and you use the same device both to generate tokens and to log into services (e.g. websites) that use 2-factor auth, then you gain nothing over normal auth. That's also the case with SMS tokens, 3rd party auth like Duo Security, or anything else that doesn't rely on offline hardware.
There are a variety of ways to prevent that. You can avoid accessing OATH accounts from the same device you use to generate the OATH tokens, for example. You could also use a phone to generate the tokens and a tablet to access the service, or vice versa. It's still possible to compromise both the token-generating device (to get the OATH secret) and a normal computer (to get the password), but it's more difficult, and correlating the password with the secret would take some serious effort.
If you think that sort of two-device malware attack is just as likely as typical desktop malware that compromises passwords, you have a different threat model than I do. Arguably, if someone does not go crazy installing apps, handheld devices might be more secure than desktops/laptops/netbooks. Mobile device 2-factor isn't perfect security. It's better security than password-only auth in many attack scenarios, without the cost of dedicated hardware tokens.
I agree with you that the different factor categories are largely crap. It's a lot more complicated than "what you have" vs "what you know", because what you know is stored and can be intercepted on devices, so it becomes just another thing the attacker needs to have to compromise an account. Same with biometrics. Once you have the retinal vein, iris, fingerprint, handprint, or whatever other kind of bio pattern the device uses, unless the biometric device itself implements some sort of temporal one-time hashing before passing the digitized pattern to software, it becomes yet another thing you have, rather than something you are. Hardware tokens are the gold standard, but if you can carry hardware tokens around for financial accounts, google, aws, linode, and every other major service you use, you have larger pockets than I do.
Last edited by loxosceles on Sun Jul 15, 2012 3:46 am, edited 1 time in total.