(Tweet & Tell Them To Support 2FA)
October 26, 2014 9:51 AM   Subscribe

twofactorauth.org is a site that catalogs digital services based on whether or not they support two factor authentication.
posted by Going To Maine (29 comments total) 8 users marked this as a favorite
 
As much as I'm a fan of two factor authentication, I'm not sure I want a world where everything requires TFA to log in. It can be a pain in the ass. I'd prefer to reserve TFA just for high value accounts like my email and my bank account. If someone really wants to steal my TeemoRules login on Twitch and post chat comments as me, well, OK.

My preference is TFA for important accounts combined with federated login so there's no login for less important sites. Let sites like Twitch and Metafilter delegate the task of me proving who i am to a strong TFA-protected identity provider like Google or Facebook.
posted by Nelson at 10:40 AM on October 26, 2014 [7 favorites]


Yeah, 2FA certainly is no silver bullet, but one thing that's nice about the site is that it includes lists of banks and whether or not they support 2FA -and those are services that I really *do* want to see providing support for it.
posted by Going To Maine at 10:44 AM on October 26, 2014


It's sad how many of the non-compliant companies on that list are banks and other financial institutions. I guess that it's great that no one can break into my Box.com account to steal the pitctures that I post for homework in my photography class but I'm really more worried about my PNC account.
posted by octothorpe at 10:58 AM on October 26, 2014 [1 favorite]


I want a world where everything allows me to turn on 2FA. There are definitely sites where I wouldn't want it to be forced on, but I wish it were the norm that it's at least available as an option.
posted by primethyme at 10:58 AM on October 26, 2014 [3 favorites]


Let sites like Twitch and Metafilter delegate the task of me proving who i am to a strong TFA-protected identity provider like Google or Facebook.

Permit me a hearty "fuck that" to the notion that I would need a Facebook account to participate in MetaFilter.
posted by Horace Rumpole at 11:04 AM on October 26, 2014 [12 favorites]


Permit me a hearty "fuck that" to the notion that I would need a Facebook account to participate in MetaFilter.

No shit. I've stopped participating at sites that moved their authentication to a Facebook (or Google) login. Metafilter adopting such a scheme would surely be the true sign of the Apocalypse.
posted by Thorzdad at 11:08 AM on October 26, 2014 [6 favorites]


Let sites like Twitch and Metafilter delegate the task of me proving who i am to a strong TFA-protected identity provider like Google or Facebook.

Yeah, because I love having Google and Facebook knowing exactly what sites I log into and when I do so. There's no way they'd abuse that for gain, not at all, no sirree. Who could *possibly* be willing to pay …

HAVE YOU TRIED PEPSI BLUE, YOU SHOULD, NOW THAT YOU'VE LOGGED INTO THE BLUE THREE DAYS IN A ROW this message brought to you by facebook

… for that? Plus, I love, love, love the idea of a federated login provider deciding that, no, really, I don't need to log into that site.

The moment MetaFilter announces that this is required would be the moment I change my profile to why and hit the big red button.
posted by eriko at 11:11 AM on October 26, 2014 [4 favorites]


And there would go the last great large, free, broad-based, no-strings-attached, erudite web community. Unthinkable!
posted by zagyzebra at 11:13 AM on October 26, 2014


Maybe an OPIE (S/Key) third option? That seemed like a simple solution to at least being able to type your next password via an unsecured terminal or public wifi or something. Seems like almost the same thing as 2FA, except that the next N challenge answers are knowable in advance.

I mean, I guess the situation where I have the ability to access my login screen and do business, but not the ability to complete my 2FA protocol on my end sounds rare, but it actually happens. (I can't have my cell phone at work, and I can't install any applications on the computers.)
posted by ctmf at 11:14 AM on October 26, 2014


Yes, fuck Facebook, I agree. But what if providing login services was a legitimate product category, and there was a marketplace where you could choose a login provider? One that didn't use the data to sell you out to advertisers, one you paid directly for the service? The engineering to do this is all a solved problem already (OpenID, etc); the main drawback historically has been the awkward login design for the product.

Where we are right now is a world where we don't take login seriously. So instead we have crappy security, pain in the ass 2FA, and Facebook becoming the de facto login provider while they hoover up yet more details with no protection for you. As you said, fuck that. Let's make authentication a real first class service provided separately, with the user's choice of provider.
posted by Nelson at 11:15 AM on October 26, 2014 [6 favorites]


I mean, I guess the situation where I have the ability to access my login screen and do business, but not the ability to complete my 2FA protocol on my end sounds rare, but it actually happens.

NearlyFreeSpeech lets you pre-generate a number of disposable two-factor codes, so you can log in &/or turn off 2FA if you no longer have the device. It's a good idea.
posted by Going To Maine at 11:18 AM on October 26, 2014 [2 favorites]


Comcast ID. Sounds awesome.
posted by ctmf at 11:18 AM on October 26, 2014


I work (as of a few weeks ago) for a company that provides two factor authentication services.

Having looked at the code and talked with people about the problem, I think that some places don't provide it as they don't want to get into the morass that providing TFA ends up being (if you can't send a text message, can you call them with a voice call that gives them the number - can you do it in lots of languages and across multiple country codes...)

But so many of the recent hacks were just outside the channels that TFA protects. No amount of TFA will protect you if one of the admins on the site uses "password" as their password, or if the passwords are stored unencrypted, or hashed without a salt ...

And, as stated above, some sites just don't need that extra security (especially if you don't reuse passwords - USE A PASSWORD MANAGER!).
posted by Death and Gravity at 11:29 AM on October 26, 2014 [3 favorites]


Let's make authentication a real first class service provided separately, with the user's choice of provider.

This this this this this this this
posted by wemayfreeze at 11:38 AM on October 26, 2014 [1 favorite]


I use five factor. I'm perfectly safe because I've never successfully logged in.
posted by blue_beetle at 11:41 AM on October 26, 2014 [3 favorites]


or if the passwords are stored unencrypted

This is what makes me side-eye my work applications when they periodically make me change my password and say "your new password must be different by at least 4 characters." And how would you know that, unless you were saving my password somewhere, hmm?
posted by ctmf at 11:45 AM on October 26, 2014 [2 favorites]


I use five factor. I'm perfectly safe because I've never successfully logged in.

I use drive factor authentication. When I want to log in I ram a semi through my laptop screen. Very safe, but also expensive.
posted by Going To Maine at 11:51 AM on October 26, 2014


Let's make authentication a real first class service provided separately, with the user's choice of provider.
The problem with this is that then I would have to remember which authentication provider I need use to login to which website. Different websites will no doubt support different choices of authentication providers, so you still have to juggle multiple accounts. Also using an external authentication provider does not magically make the rest of the website secure once you have actually logged in.
posted by Lanark at 11:55 AM on October 26, 2014


And how would you know that, unless you were saving my password somewhere, hmm?

They save the last N hashes.
posted by odinsdream at 12:27 PM on October 26, 2014 [1 favorite]


Odinsdream: a properly implemented hash wouldn't allow you to spot the last four characters being identical.
posted by edd at 12:49 PM on October 26, 2014 [2 favorites]


Or rather spot the similarity at all - obviously the above case wasn't actually the last four characters.
posted by edd at 12:51 PM on October 26, 2014


It doesn't know how many characters are actually different, it just knows it's an exact match and that is not allowed. If you do run into a system that does accurately count how many characters are wrong, then it probably does suck, or maybe is creating a few hashes if your password for example is just alpha + digits. "Bob123" gets a hash for "Bob" and "123" and "Bob123," the latter for exact match (auth) and the others for detecting digit-bumpers.
posted by aydeejones at 12:53 PM on October 26, 2014


> one thing that's nice about the site is that it includes lists of banks and whether or not they support 2FA -and those are services that I really *do* want to see providing support for it.

No shit, I'm still required by my employer to keep vital financial and health information locked away behind my insurer's and retirement manager's fucking 12-character-limited passwords. Even with passwords as random as I can muster (considering they also only permit a limited palette of possible characters), it's still bad.

Forget 2FA, you'll have to campaign hard just to get the financial industry to quit thinking that they can manage hundreds of billions of dollars in customer assets but data storage costs whole dollars per megabyte like it did in the mid-1990s, and that's too much damage to their bottom line.
posted by at by at 12:55 PM on October 26, 2014 [2 favorites]


I realize what I said above implies the system is "bluffing" unless it creates separate hashes which could potentially weaken the security of the stored hashes...I think there is some conflation with the number "four" here. With typical Windows authentication settings for example, a typical "your password sucks" error does not give you any specifics, but the number "4" might come up:

"Your password must contain characters from 3 of the following 4 character groups: uppercase letters, lowercase, numbers, and symbols. It must not match any of your previous 4 passwords and may not contain your name, or user name."

Ssomething like that -- never have run into a system that keeps track of the variance of your password but it is a classic "engineer's disease" thing for developers to weaken security in the effort to reinvent a slick system that does stuff. I do like systems that check for sequences in PINs and such, or checking common "weak and stupid" password lists.
posted by aydeejones at 12:59 PM on October 26, 2014


Speaking of which, here's a fun thing I run into in healthcare, where confidentiality is a Big Thing.

Many systems will use Windows servers to handle their authentication, and their web servers also do "single sign-on," allowing someone to log into a hospital's web portal with a single password, and then open a bunch of remote "mainframe" (usually Citrix) applications, many of which are dated and have arcane password and PIN requirements. So the single-sign on handles all of that for you, most of the time.

But now you have to hope that whoever developed that system knows what they're doing. What you'll find is that a company like mine that uses Citrix's built-in web portal technology is able to handle a password reset request easily: I can make your new password whatever I want to give to you (ideally not the same thing every time!) and set it to expire when you first log in, and force you to change it.

But some of these systems use the single-sign software to manage the web portal experience, and they often do not handle password expiration well. Administrators are able to override the "you've used this password n times" rule, and the password reset tools in these portals can be very cumbersome to use, and your account simply stops working if you don't change it manually.

So what happens? Introduce the human element and you end up with administrators giving everyone a password like "Welcome1," the same password any time a new account is provisioned, or when a user requests it. Since you aren't forced to change it and the process is cumbersome, people prefer to simply remember "Welcome1" and then call to complain every 90 days when it stops working, at which point it gets reset...to "Welcome1."

The main hospital that was doing this has stopped but I've found a new pattern to discuss with another major group.
posted by aydeejones at 1:07 PM on October 26, 2014 [1 favorite]


Last one: I ran into a situation once where I needed an account reinstated (120 days is a common "automatic account expire" rule if you don't log in, which is a pretty wide time gap but not uncommon if you access lots of disparate systems). The guy said "I can make your password [foo] and you can change it when you get in, but not for 3 days, you have to wait 3 days and then change it (where "foo" is a "Welcome1" style gimme password), or just tell me what you want it to be."

Two scenarios, both bad:

1) You get the standard "Welcome1" password but can't change it for three days, because to protect their local network from "password digit bumpers" who would otherwise change their password "n" times in one day to override the "password re-use" rule, they create a "wait x days" rule. So people just don't change it, and simply call every 90 days to have the counter reset...

2) You give someone your password over the phone...which is a HIPAA problem because they know you aren't going to go and change that password (most likely) and now they have the means to log in as you. "But administrators can log in as whoever they want!" Not without creating red flags on a decent system. They either have to know your password, or create noticeable, audit-ready events like changing your password (so you have to call and have it reset, and might suspect foul play) and log entries showing that someone reset your password without a help desk ticket and then "you" immediately logged in at 3AM.
posted by aydeejones at 1:14 PM on October 26, 2014 [1 favorite]


Several of mine at work (also ancient Citrix apps, but we don't get to use single sign-on) will reject the change attempt if you try to make Password1 into Password2 or even 1passWord.

Now that I think about it, it's probably validation code in the form itself before sending the data to the server. It asks the standard 'old password, new password, new password again' so it could just compare at that time without looking anything up. But these old apps don't even do their primary functions well enough for me to assume that for sure, ha.
posted by ctmf at 1:16 PM on October 26, 2014


In all fairness I haven't used Citrix's single-sign on and their standard portal is pretty solid, so the system I'm talking about that forces various absurd choices upon IT is probably some other third-party add-on that is cheaper than using Citrix SSO. The technology has come along quite a ways, but if often adds up to some dudes whipping up some ASPX pages and hacking around the limitations of Windows, often with bad results -- like if they were trying to helpfully remember your last "n" passwords in clear text, to detect variance between passwords because they decided that was important without really understanding the statistical risk in making that decision, knowing whether it's an informed decision based on human behavior, and how to implement it...they just like the idea of knowing how much variance there is and they're "adding security."

More likely they know better, so their "reversible encrypted" passwords are using bad secret decoder ring James Bond homemade wannabe encryption, or super amaze-balls encryption with the key sitting inside the application in clear text, or with the application's object model exposed and non-obfuscated so you can just ask it to let you in with Visual Studio, or plug it into a free .NET decompiler and search for "Encryption" in the source.
posted by aydeejones at 1:25 PM on October 26, 2014


The Fastmail implementation does not conform to what we think of as 2 factor. It obfuscates your password when you use it (by combining a different password with the generated number) but it is never required for logging in.
posted by ridogi at 4:09 PM on October 26, 2014


« Older The Forest Man of India   |   Once outsold Dickens - now called "the other... Newer »


This thread has been archived and is closed to new comments